From 6f88b92591ca129afa61a8ef055bcfb2efa489fc Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 10 Jul 2023 15:30:51 +0200 Subject: [PATCH 001/386] Initial commit --- configuration/common/default.nix | 46 +++++++++++++++++++ configuration/proxmox-vm/default.nix | 9 ++++ .../proxmox-vm/hardware-configuration.nix | 34 ++++++++++++++ flake.lock | 27 +++++++++++ flake.nix | 39 ++++++++++++++++ hosts/coturn/configuration.nix | 15 ++++++ hosts/coturn/coturn.nix | 45 ++++++++++++++++++ hosts/coturn/default.nix | 8 ++++ hosts/coturn/secrets.nix | 11 +++++ hosts/jackett/configuration.nix | 15 ++++++ hosts/jackett/jackett.nix | 6 +++ hosts/netbox/configuration.nix | 15 ++++++ hosts/netbox/netbox.nix | 10 ++++ hosts/nitter/configuration.nix | 15 ++++++ hosts/nitter/default.nix | 8 ++++ hosts/nitter/nginx.nix | 29 ++++++++++++ hosts/nitter/nitter.nix | 19 ++++++++ hosts/tor-relay/configuration.nix | 15 ++++++ hosts/tor-relay/tor.nix | 18 ++++++++ users/yuri/default.nix | 11 +++++ 20 files changed, 395 insertions(+) create mode 100644 configuration/common/default.nix create mode 100644 configuration/proxmox-vm/default.nix create mode 100644 configuration/proxmox-vm/hardware-configuration.nix create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hosts/coturn/configuration.nix create mode 100644 hosts/coturn/coturn.nix create mode 100644 hosts/coturn/default.nix create mode 100644 hosts/coturn/secrets.nix create mode 100644 hosts/jackett/configuration.nix create mode 100644 hosts/jackett/jackett.nix create mode 100644 hosts/netbox/configuration.nix create mode 100644 hosts/netbox/netbox.nix create mode 100644 hosts/nitter/configuration.nix create mode 100644 hosts/nitter/default.nix create mode 100644 hosts/nitter/nginx.nix create mode 100644 hosts/nitter/nitter.nix create mode 100644 hosts/tor-relay/configuration.nix create mode 100644 hosts/tor-relay/tor.nix create mode 100644 users/yuri/default.nix 
diff --git a/configuration/common/default.nix b/configuration/common/default.nix new file mode 100644
index 0000000..d89f1dc
--- /dev/null
+++ b/configuration/common/default.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../../users/yuri
+ ];
+
+ time.timeZone = "Europe/Berlin";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ keyMap = "de-latin1";
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ nix.settings = {
+ trusted-users = [ "@wheel" ];
+ auto-optimise-store = true;
+ experimental-features = [ "nix-command" "flakes" ];
+ };
+
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+
+ environment.systemPackages = with pkgs; [
+ htop
+ parted
+ tmux
+ nano
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ services.fstrim.enable = true;
+}
diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix new file mode 100644
index 0000000..20d895c
--- /dev/null
+++ b/configuration/proxmox-vm/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ services.qemuGuest.enable = true;
+}
diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/configuration/proxmox-vm/hardware-configuration.nix new file mode 100644
index 0000000..c007292
--- /dev/null
+++ b/configuration/proxmox-vm/hardware-configuration.nix
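Review bot: `security.sudo.wheelNeedsPassword = false;` together with `trusted-users = [ "@wheel" ];` makes every wheel member root-equivalent by two routes — passwordless sudo and the Nix daemon (a trusted user can add substituters and import arbitrary store paths). With key-only SSH and `PermitRootLogin = "no"` this is a defensible single-admin setup, but the consequence is not visible from either line on its own, so it deserves a why-comment next to them, e.g. `# wheel is root-equivalent: passwordless sudo + nix trusted-user; add only admin/deploy accounts`. If one of the two can be narrowed to a named account, that limits what a compromised wheel key buys.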
@@ -0,0 +1,34 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot = { + initrd = { + availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_blk" ]; + kernelModules = [ ]; + }; + + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + }; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + options = [ "x-nixos.autoresize" "x-initrd.mount" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..33a1357 --- /dev/null +++ b/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1688764204, + "narHash": "sha256-FsvK+tIvelCI0tWwlMDKfiyb7P/KfxpGbXMrdCKiT8s=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d8bb6c681cf86265fdcf3cc3119f757bbb085835", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..7b641bc --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,39 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; + }; + + outputs = { nixpkgs, ... }: { + colmena = { + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + }; + }; + + nitter = { name, nodes, pkgs, ... }: { + deployment = { + targetHost = "nixos-nitter.vs.grzb.de"; + targetUser = "yuri"; + }; + imports = [ + ./configuration/common + ./configuration/proxmox-vm + ./hosts/nitter + ]; + }; + + coturn = { name, nodes, pkgs, ... }: { + deployment = { + targetHost = "nixos-coturn.vs.grzb.de"; + targetUser = "yuri"; + }; + imports = [ + ./configuration/common + ./configuration/proxmox-vm + ./hosts/coturn + ]; + }; + }; + }; +} diff --git a/hosts/coturn/configuration.nix b/hosts/coturn/configuration.nix new file mode 100644 index 0000000..a5df358 --- /dev/null +++ b/hosts/coturn/configuration.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: +{ + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/vda"; + }; + + networking = { + hostName = "coturn"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/coturn/coturn.nix b/hosts/coturn/coturn.nix new file mode 100644 index 0000000..c85dcba --- /dev/null +++ b/hosts/coturn/coturn.nix 
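Review bot: `firewall.enable = false;` in hosts/coturn/configuration.nix switches the host firewall off entirely instead of opening what coturn listens on; the same line appears in hosts/nitter, hosts/jackett, hosts/netbox and hosts/tor-relay configuration.nix further down the page. Prefer leaving the firewall enabled and opening only the service ports, e.g. `networking.firewall.allowedTCPPorts = [ 3478 5349 ];`, `networking.firewall.allowedUDPPorts = [ 3478 5349 ];` and `networking.firewall.allowedUDPPortRanges = [ { from = 49200; to = 49500; } ];` — the relay range matches `min-port`/`max-port` in coturn.nix, and 3478/5349 are coturn's default listening ports (confirm against the module's listening-port settings if they are changed). Each host then needs only its own port list, which also documents what the host is expected to expose.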
@@ -0,0 +1,45 @@
+{ ... }:
+{
+ services.coturn = {
+ enable = true;
+
+ min-port = 49200;
+ max-port = 49500;
+ use-auth-secret = true;
+ static-auth-secret-file = "/secrets/static-auth-secret.secret";
+ realm = "turn.nekover.se";
+ cert = "/certs/turn.nekover.se/fullchain.pem";
+ pkey = "/certs/turn.nekover.se/key.pem";
+ no-tcp-relay = true;
+ extraConfig = "
+ external-ip=170.133.2.81/10.202.41.118
+ prometheus
+ syslog
+
+ no-tlsv1
+ no-tlsv1_1
+
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+
+ allowed-peer-ip=10.202.41.118
+
+ user-quota=12
+ total-quota=1200
+ ";
+ };
+}
diff --git a/hosts/coturn/default.nix b/hosts/coturn/default.nix new file mode 100644
index 0000000..63c719c
--- /dev/null
+++ b/hosts/coturn/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./secrets.nix
+ ./coturn.nix
+ ];
+}
diff --git a/hosts/coturn/secrets.nix b/hosts/coturn/secrets.nix new file mode 100644
index 0000000..415b223
--- /dev/null
+++ b/hosts/coturn/secrets.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ deployment.keys."static-auth-secret.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "coturn/static-auth-secret" ];
+ destDir = "/secrets";
+ user = "turnserver";
+ group = "turnserver";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
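Review bot: The `denied-peer-ip` block in `extraConfig` covers only IPv4; nothing in this file pins `listening-ip`, so if the relay also listens on IPv6 the loopback, link-local and ULA ranges remain reachable as relay peers while their IPv4 counterparts are blocked. Either add the matching entries — `denied-peer-ip=::1`, `denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff` and `denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff` — or pin the listeners to IPv4 and say so in a comment. The `no-multicast-peers` line sits in the middle of the denied list and reads as a stray; a one-line comment such as `# no-multicast-peers blocks 224.0.0.0 and above and ff00::/8 too` would explain the grouping. The string is also written with a leading newline and indented lines, which coturn's config reader appears to tolerate — worth confirming on the running host since a rejected directive fails silently into "not applied".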
diff --git a/hosts/jackett/configuration.nix b/hosts/jackett/configuration.nix new file mode 100644 index 0000000..72e9795 --- /dev/null +++ b/hosts/jackett/configuration.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./jackett.nix + ]; + + networking = { + hostName = "jackett"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/jackett/jackett.nix b/hosts/jackett/jackett.nix new file mode 100644 index 0000000..1b8707e --- /dev/null +++ b/hosts/jackett/jackett.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.jackett = { + enable = true; + }; +} diff --git a/hosts/netbox/configuration.nix b/hosts/netbox/configuration.nix new file mode 100644 index 0000000..637244a --- /dev/null +++ b/hosts/netbox/configuration.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./tor.nix + ]; + + networking = { + hostName = "tor-relay"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/netbox/netbox.nix b/hosts/netbox/netbox.nix new file mode 100644 index 0000000..07674e6 --- /dev/null +++ b/hosts/netbox/netbox.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + services.netox = { + enable = true; + + settings = { + + }; + }; +} diff --git a/hosts/nitter/configuration.nix b/hosts/nitter/configuration.nix new file mode 100644 index 0000000..9abb412 --- /dev/null +++ b/hosts/nitter/configuration.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: +{ + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/vda"; + }; + + networking = { + hostName = "nitter"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/nitter/default.nix b/hosts/nitter/default.nix new file mode 100644 index 0000000..6aae884 --- /dev/null +++ b/hosts/nitter/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ./nitter.nix + ]; +} 
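Review bot: hosts/netbox/netbox.nix sets `services.netox = { ... }`, which is not a NixOS option (`services.netbox` is); the module system rejects undefined options, so this host cannot be evaluated as committed. hosts/netbox/configuration.nix is also an unedited copy of the tor-relay one — it keeps `hostName = "tor-relay";` and imports `./tor.nix`, which does not exist under hosts/netbox; the intended lines are `hostName = "netbox";` and `imports = [ ./netbox.nix ];`. The jackett, netbox and tor-relay configuration.nix files all import `./hardware-configuration.nix` as well, but the only such file this commit creates is configuration/proxmox-vm/hardware-configuration.nix, so none of the three imports resolve.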
diff --git a/hosts/nitter/nginx.nix b/hosts/nitter/nginx.nix new file mode 100644 index 0000000..cdec9b4 --- /dev/null +++ b/hosts/nitter/nginx.nix @@ -0,0 +1,29 @@ +{ ... }: +{ + services.nginx = { + enable = true; + enableReload = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + virtualHosts = { + "nixos-nitter.vs.grzb.de" = { + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: /\\n\""; + }; + + locations."/" = { + proxyPass = "http://localhost:8080"; + extraConfig = + "proxy_http_version 1.1;" + + "proxy_set_header Upgrade $http_upgrade;" + + "proxy_set_header Connection \"upgrade\";" + + "proxy_set_header Host $host;" + ; + }; + }; + }; + }; +} diff --git a/hosts/nitter/nitter.nix b/hosts/nitter/nitter.nix new file mode 100644 index 0000000..de780ac --- /dev/null +++ b/hosts/nitter/nitter.nix @@ -0,0 +1,19 @@ +{ ... }: +{ + services.nitter = { + enable = true; + + server = { + title = "Birdsite"; + https = true; + address = "0.0.0.0"; + port = 8080; + }; + + preferences = { + theme = "Mastodon"; + replaceTwitter = "birdsite.nekover.se"; + infiniteScroll = true; + }; + }; +} diff --git a/hosts/tor-relay/configuration.nix b/hosts/tor-relay/configuration.nix new file mode 100644 index 0000000..637244a --- /dev/null +++ b/hosts/tor-relay/configuration.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./tor.nix + ]; + + networking = { + hostName = "tor-relay"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/tor-relay/tor.nix b/hosts/tor-relay/tor.nix new file mode 100644 index 0000000..54e9888 --- /dev/null +++ b/hosts/tor-relay/tor.nix 
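Review bot: hosts/nitter/nitter.nix binds Nitter with `address = "0.0.0.0";` on port 8080 while the nginx vhost proxies to `http://localhost:8080`; with `firewall.enable = false` in hosts/nitter/configuration.nix the backend is reachable directly, bypassing the vhost (its robots.txt rule and whatever TLS termination sits in front). Change it to `address = "127.0.0.1";` so only the local proxy can reach it. Separately, `https = true` in the Nitter server block makes Nitter emit https links, but the `nixos-nitter.vs.grzb.de` vhost has no `forceSSL`/`enableACME` or certificate settings, so nginx here serves plain HTTP despite `recommendedTlsSettings` — presumably TLS is terminated upstream; a comment on the vhost stating where would save the next reader the question.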
@@ -0,0 +1,18 @@ +{ ... }: +{ + services.tor = { + enable = true; + + settings = { + Nickname = "vsm"; + ORPort = 9001; + ExitRelay = false; + SOCKSPort = 0; + ControlSocket = null; + ContactInfo = "admin@grzb.de"; + RelayBandwidthRate = "70 MBits"; + RelayBandwidthBurst = "150 Mbits"; + DirPort = 9030; + }; + }; +} diff --git a/users/yuri/default.nix b/users/yuri/default.nix new file mode 100644 index 0000000..f85b37e --- /dev/null +++ b/users/yuri/default.nix @@ -0,0 +1,11 @@ +{ ... }: + +{ + users.users.yuri = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" + ]; + }; +} From e37eae867c185d7838a8ba60679715069d2abd92 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 10 Jul 2023 13:32:24 +0000 Subject: [PATCH 002/386] Add LICENSE --- LICENSE | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..c675a23 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2023 yuri + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. From 7259a847a88935b74da13d4586a24378de839621 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 11 Jul 2023 11:34:08 +0200 Subject: [PATCH 003/386] Add .gitlab-ci.yml --- .gitlab-ci.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .gitlab-ci.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..e83ee8c --- /dev/null +++ b/.gitlab-ci.yml 
@@ -0,0 +1,30 @@ +default: + image: nixos/nix:2.16.1 + +stages: + - update_flake_lock + - build + - apply + - commit_flake + +update_flake_lock: + stage: update_flake_lock + script: + - nix flake update --extra-experimental-features nix-command --extra-experimental-features flakes + +build: + stage: build + script: + - nix-env --install colmena + - colmena build + +apply: + stage: apply + script: + - nix-env --install colmena + - colmena apply + +commit_flake: + stage: commit_flake + script: + - echo "commit_flake" \ No newline at end of file From 62240918ee63de12ba6aca459611c5a0f80deca5 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 13 Jul 2023 00:28:22 +0200 Subject: [PATCH 004/386] miau --- .gitignore | 1 + .gitlab-ci.yml | 2 +- configuration/common/default.nix | 1 - configuration/proxmox-vm/default.nix | 1 - flake.lock | 6 +++--- users/yuri/default.nix | 1 - 6 files changed, 5 insertions(+), 7 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..722d5e7 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.vscode diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e83ee8c..2a9bad2 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ apply: stage: apply script: - nix-env --install colmena - - colmena apply + - colmena apply --no-keys commit_flake: stage: commit_flake diff --git a/configuration/common/default.nix b/configuration/common/default.nix index d89f1dc..5150469 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix @@ -1,5 +1,4 @@ { config, pkgs, ... }: - { imports = [ ../../users/yuri diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix index 20d895c..644147a 100644 --- a/configuration/proxmox-vm/default.nix +++ b/configuration/proxmox-vm/default.nix @@ -1,5 +1,4 @@ { ... }: - { imports = [ ./hardware-configuration.nix diff --git a/flake.lock b/flake.lock index 33a1357..bfa6a15 100644 --- a/flake.lock +++ b/flake.lock 
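Review bot: The pipeline runs `nix flake update` and then `colmena apply` in successive stages, so whatever nixpkgs resolves to at run time is rolled out to every host with no review step, and `build`/`apply` install the deployment tool with an unpinned `nix-env --install colmena` from the image's channel. Pin the tool to the flake's locked nixpkgs (run colmena out of the flake rather than `nix-env`) and gate the `apply` job, e.g. `when: manual`, or have it consume a reviewed flake.lock commit instead of the freshly updated one. `image: nixos/nix:2.16.1` is tag-pinned only; a digest pin (`nixos/nix@sha256:<IMAGE-DIGEST>`) makes the runner image reproducible.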
@@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1688764204, - "narHash": "sha256-FsvK+tIvelCI0tWwlMDKfiyb7P/KfxpGbXMrdCKiT8s=", + "lastModified": 1689048911, + "narHash": "sha256-pODI2CkjWbSLo5nPMZoLtkRNJU/Nr3VSITXZqqmNtIk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d8bb6c681cf86265fdcf3cc3119f757bbb085835", + "rev": "8163a64662b43848802092d52015ef60777d6129", "type": "github" }, "original": { diff --git a/users/yuri/default.nix b/users/yuri/default.nix index f85b37e..ff0ac57 100644 --- a/users/yuri/default.nix +++ b/users/yuri/default.nix @@ -1,5 +1,4 @@ { ... }: - { users.users.yuri = { isNormalUser = true; From 5431b79cd3b6d37840ab1ebbee2f3c051a5c365f Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 13 Jul 2023 20:56:30 +0200 Subject: [PATCH 005/386] Add colmena apply stage --- .gitlab-ci.yml | 12 +++++++++++- configuration/common/default.nix | 3 ++- flake.lock | 6 +++--- flake.nix | 4 ++-- users/colmena-deploy/default.nix | 11 +++++++++++ 5 files changed, 29 insertions(+), 7 deletions(-) create mode 100644 users/colmena-deploy/default.nix diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2a9bad2..8a85abe 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,9 +22,19 @@ apply: stage: apply script: - nix-env --install colmena + - eval $(ssh-agent -s) + - chmod 600 "$SSH_PRIVATE_KEY" + - ssh-add "$SSH_PRIVATE_KEY" + - git clone https://oauth2:${ACCESS_TOKEN_KNOWN_HOSTS}@git.grzb.de/yuri/known_hosts.git /root/.ssh - colmena apply --no-keys commit_flake: stage: commit_flake + variables: + GIT_AUTHOR_EMAIL: $GIT_AUTHOR_EMAIL + GIT_AUTHOR_NAME: $GIT_AUTHOR_NAME + GIT_COMMITTER_EMAIL: $GIT_COMMITTER_EMAIL + GIT_COMMITTER_NAME: $GIT_COMMITTER_NAME + ACCESS_TOKEN: $ACCESS_TOKEN script: - - echo "commit_flake" \ No newline at end of file + - nix-env --install git diff --git a/configuration/common/default.nix b/configuration/common/default.nix index 5150469..71f1052 100644 --- a/configuration/common/default.nix 
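Review bot: In the `apply` stage the clone `git clone https://oauth2:${ACCESS_TOKEN_KNOWN_HOSTS}@git.grzb.de/yuri/known_hosts.git /root/.ssh` puts the token on the command line; GitLab echoes each script line into the job log, so unless the variable is configured as masked the token is recorded — confirm the masked flag, or keep it out of the command by writing a `~/.netrc` (mode 0600) from the variable and cloning the plain URL. The same clone populates `/root/.ssh` from a repository, which is a reasonable way to pin host keys, but `ssh-add` runs before it and the deploy key file `$SSH_PRIVATE_KEY` is assumed to be a file-type variable; a comment naming both assumptions would help. The `variables:` block under `commit_flake` maps `$GIT_AUTHOR_EMAIL` and friends to themselves, which is a no-op for project-level variables and can be dropped.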
+++ b/configuration/common/default.nix @@ -1,6 +1,7 @@ { config, pkgs, ... }: { imports = [ + ../../users/colmena-deploy ../../users/yuri ]; @@ -14,7 +15,7 @@ security.sudo.wheelNeedsPassword = false; nix.settings = { - trusted-users = [ "@wheel" ]; + trusted-users = [ "colmena-deploy" ]; auto-optimise-store = true; experimental-features = [ "nix-command" "flakes" ]; }; diff --git a/flake.lock b/flake.lock index bfa6a15..80f0d19 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689048911, - "narHash": "sha256-pODI2CkjWbSLo5nPMZoLtkRNJU/Nr3VSITXZqqmNtIk=", + "lastModified": 1689209875, + "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8163a64662b43848802092d52015ef60777d6129", + "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 7b641bc..c752aaa 100644 --- a/flake.nix +++ b/flake.nix @@ -14,7 +14,7 @@ nitter = { name, nodes, pkgs, ... }: { deployment = { targetHost = "nixos-nitter.vs.grzb.de"; - targetUser = "yuri"; + targetUser = "colmena-deploy"; }; imports = [ ./configuration/common @@ -26,7 +26,7 @@ coturn = { name, nodes, pkgs, ... }: { deployment = { targetHost = "nixos-coturn.vs.grzb.de"; - targetUser = "yuri"; + targetUser = "colmena-deploy"; }; imports = [ ./configuration/common diff --git a/users/colmena-deploy/default.nix b/users/colmena-deploy/default.nix new file mode 100644 index 0000000..bebd6ef --- /dev/null +++ b/users/colmena-deploy/default.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + users.users.colmena-deploy = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPJbR09ZqPnfZkx9JNjCurJDXWa5XtNeNQfkPRU/ZnY colmena-deploy" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" + ]; + }; +} 
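Review bot: users/colmena-deploy/default.nix puts the CI deploy account in `wheel` (passwordless sudo via configuration/common/default.nix) and the same commit makes it the only `trusted-users` entry, so the key held by the CI runner is root on every host; that is inherent to push-based colmena deploys but should be stated on the user, e.g. `# root-equivalent: holds the CI deploy key (wheel + nix trusted-user)`. The second authorized key, `yuri@kiara`, is already attached to users/yuri; adding it to the deploy account as well lets the personal key log in as `colmena-deploy` and blurs the key-to-account mapping in sshd logs, so drop it here unless a break-glass path is intended — and if it is, comment it as such.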
From 5b0576ccb30626b8dae17b9a31918e0f812d5b2a Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 13 Jul 2023 21:42:08 +0200 Subject: [PATCH 006/386] Add commit flake stage --- .gitlab-ci.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8a85abe..8cb05b5 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -3,7 +3,6 @@ default: stages: - update_flake_lock - - build - apply - commit_flake @@ -11,12 +10,9 @@ update_flake_lock: stage: update_flake_lock script: - nix flake update --extra-experimental-features nix-command --extra-experimental-features flakes - -build: - stage: build - script: - - nix-env --install colmena - - colmena build + artifacts: + paths: + - ./flake.lock apply: stage: apply @@ -26,7 +22,11 @@ apply: - chmod 600 "$SSH_PRIVATE_KEY" - ssh-add "$SSH_PRIVATE_KEY" - git clone https://oauth2:${ACCESS_TOKEN_KNOWN_HOSTS}@git.grzb.de/yuri/known_hosts.git /root/.ssh + - colmena build - colmena apply --no-keys + artifacts: + paths: + - ./flake.lock commit_flake: stage: commit_flake @@ -37,4 +37,5 @@ commit_flake: GIT_COMMITTER_NAME: $GIT_COMMITTER_NAME ACCESS_TOKEN: $ACCESS_TOKEN script: - - nix-env --install git + - git commit -m "Update flake.lock file" -m "Triggered by scheduled pipeline $CI_PIPELINE_ID at $CI_PIPELINE_CREATED_AT." || failure_code=$? + - if [ "$failure_code" == "" ]; then git push https://gitlab-runner-server:${ACCESS_TOKEN}@${CI_SERVER_HOST}/yuri/nix-infra.git HEAD:$CI_COMMIT_BRANCH; fi From b7798b7f5a2e507e579697e2d93f45652690f835 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 13 Jul 2023 22:46:07 +0200 Subject: [PATCH 007/386] Switch nitter from testing VM to production --- flake.lock | 8 ++++---- flake.nix | 4 ++-- hosts/coturn/configuration.nix | 1 - hosts/nitter/configuration.nix | 1 - hosts/nitter/nitter.nix | 2 ++ 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/flake.lock b/flake.lock index 80f0d19..68d3a4c 100644 --- a/flake.lock +++ b/flake.lock 
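Review bot: In `commit_flake`, `git commit -m ...` runs without staging flake.lock; the file arrives as an artifact from the earlier stages and is modified but unstaged, so `git commit` exits non-zero with "no changes added to commit", `failure_code` is set and the push is always skipped. Add `- git add flake.lock` before the commit line. The guard `[ "$failure_code" == "" ]` also depends on bash's `==`; `- if git commit -m "..." -m "..."; then git push ...; fi` is portable and makes the intent explicit. The push URL embeds `${ACCESS_TOKEN}` on the command line, the same job-log exposure as the known_hosts clone in the `apply` stage.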
@@ -2,16 +2,16 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689209875, - "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=", + "lastModified": 1689192006, + "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2", + "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.05", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index c752aaa..7323fd3 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,6 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; }; outputs = { nixpkgs, ... }: { @@ -13,7 +13,7 @@ nitter = { name, nodes, pkgs, ... }: { deployment = { - targetHost = "nixos-nitter.vs.grzb.de"; + targetHost = "nitter.vs.grzb.de"; targetUser = "colmena-deploy"; }; imports = [ diff --git a/hosts/coturn/configuration.nix b/hosts/coturn/configuration.nix index a5df358..d345b75 100644 --- a/hosts/coturn/configuration.nix +++ b/hosts/coturn/configuration.nix @@ -2,7 +2,6 @@ { boot.loader.grub = { enable = true; - version = 2; device = "/dev/vda"; }; diff --git a/hosts/nitter/configuration.nix b/hosts/nitter/configuration.nix index 9abb412..3ca72b4 100644 --- a/hosts/nitter/configuration.nix +++ b/hosts/nitter/configuration.nix @@ -2,7 +2,6 @@ { boot.loader.grub = { enable = true; - version = 2; device = "/dev/vda"; }; diff --git a/hosts/nitter/nitter.nix b/hosts/nitter/nitter.nix index de780ac..301a7ca 100644 --- a/hosts/nitter/nitter.nix +++ b/hosts/nitter/nitter.nix @@ -8,12 +8,14 @@ https = true; address = "0.0.0.0"; port = 8080; + hostname = "birdsite.nekover.se"; }; preferences = { theme = "Mastodon"; replaceTwitter = "birdsite.nekover.se"; infiniteScroll = true; + hlsPlayback = true; }; }; } 
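Review bot: flake.nix moves the single nixpkgs input from `nixos-23.05` to `nixos-unstable`, and the scheduled `nix flake update` → `colmena apply` pipeline on this page will then roll every unstable bump out to all hosts unreviewed. If unstable is needed only for nitter, a second input pinned for that host keeps the rest of the fleet on the stable branch; otherwise the lock update should be reviewed before `apply` runs. A comment on the input line explaining why unstable is required would let a later reader revert it safely.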
From 7fabcb4c7e36703dc585f59a7b730bd853682efc Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 15 Jul 2023 21:34:33 +0200 Subject: [PATCH 008/386] Add prometheus node exporter config --- configuration/common/default.nix | 1 + configuration/common/prometheus-node-exporter.nix | 7 +++++++ flake.lock | 6 +++--- 3 files changed, 11 insertions(+), 3 deletions(-) create mode 100644 configuration/common/prometheus-node-exporter.nix diff --git a/configuration/common/default.nix b/configuration/common/default.nix index 71f1052..78ac470 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix @@ -1,6 +1,7 @@ { config, pkgs, ... }: { imports = [ + ./prometheus-node-exporter.nix ../../users/colmena-deploy ../../users/yuri ]; diff --git a/configuration/common/prometheus-node-exporter.nix b/configuration/common/prometheus-node-exporter.nix new file mode 100644 index 0000000..ac2d1ac --- /dev/null +++ b/configuration/common/prometheus-node-exporter.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + services.prometheus.exporters.node = { + enable = true; + openFirewall = true; + }; +} diff --git a/flake.lock b/flake.lock index 68d3a4c..0648522 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689192006, - "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=", + "lastModified": 1689282004, + "narHash": "sha256-VNhuyb10c9SV+3hZOlxwJwzEGytZ31gN9w4nPCnNvdI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841", + "rev": "e74e68449c385db82de3170288a28cd0f608544f", "type": "github" }, "original": { From 682af9276c383102eff12786dc51bf25c8db73e0 Mon Sep 17 00:00:00 2001 
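Review bot: `openFirewall = true;` on the node exporter opens its port to every peer as soon as a host's firewall is enabled, and the exporter listens on all interfaces by default as far as I know, so host metrics (mounts, processes, kernel and package versions) become readable from anywhere that can reach the host. Restrict it to the scraper instead — the exporter module's `firewallFilter` option, if available in this nixpkgs, takes an iptables match such as `firewallFilter = "-p tcp -m tcp --dport 9100 -s <PROMETHEUS-SERVER-IP>";` — or bind `listenAddress` to an address reachable only from the monitoring network. Whichever is chosen, note in a comment which host is expected to scrape it.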
From: fi Date: Sat, 15 Jul 2023 23:29:19 +0200 Subject: [PATCH 009/386] Add tor-relay config --- flake.nix | 12 ++++++++++++ hosts/coturn/configuration.nix | 2 +- hosts/tor-relay/configuration.nix | 23 +++++++++++++++++------ hosts/tor-relay/default.nix | 7 +++++++ hosts/tor-relay/tor.nix | 4 ++-- 5 files changed, 39 insertions(+), 9 deletions(-) create mode 100644 hosts/tor-relay/default.nix diff --git a/flake.nix b/flake.nix index 7323fd3..8480f96 100644 --- a/flake.nix +++ b/flake.nix @@ -34,6 +34,18 @@ ./hosts/coturn ]; }; + + tor-relay = { name, nodes, pkgs, ...}: { + deployment = { + targetHost = "tor-relay.vs.grzb.de"; + targetUser = "colmena-deploy"; + }; + imports = [ + ./configuration/common + ./configuration/proxmox-vm + ./hosts/tor-relay + ]; + }; }; }; } diff --git a/hosts/coturn/configuration.nix b/hosts/coturn/configuration.nix index d345b75..094f157 100644 --- a/hosts/coturn/configuration.nix +++ b/hosts/coturn/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { boot.loader.grub = { enable = true; diff --git a/hosts/tor-relay/configuration.nix b/hosts/tor-relay/configuration.nix index 637244a..90dbc71 100644 --- a/hosts/tor-relay/configuration.nix +++ b/hosts/tor-relay/configuration.nix @@ -1,12 +1,23 @@ -{ config, pkgs, ... }: - +{ ... }: { - imports = [ - ./hardware-configuration.nix - ./tor.nix - ]; + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; networking = { + interfaces = { + "enp6s18".ipv6.addresses = [{ + address = "2001:470:5429::B3"; + prefixLength = 64; + }]; + }; + + defaultGateway6 = { + address = "2001:470:5429::1"; + interface = "enp6s18"; + }; + hostName = "tor-relay"; firewall.enable = false; }; diff --git a/hosts/tor-relay/default.nix b/hosts/tor-relay/default.nix new file mode 100644 index 0000000..585accc --- /dev/null +++ b/hosts/tor-relay/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./tor.nix + ]; +} 
diff --git a/hosts/tor-relay/tor.nix b/hosts/tor-relay/tor.nix index 54e9888..58efb89 100644 --- a/hosts/tor-relay/tor.nix +++ b/hosts/tor-relay/tor.nix @@ -10,8 +10,8 @@ SOCKSPort = 0; ControlSocket = null; ContactInfo = "admin@grzb.de"; - RelayBandwidthRate = "70 MBits"; - RelayBandwidthBurst = "150 Mbits"; + RelayBandwidthRate = "40 MBits"; + RelayBandwidthBurst = "50 Mbits"; DirPort = 9030; }; }; From 64d9dbd4b040f153ffb1c11261561d7df6650e32 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 16 Jul 2023 02:00:44 +0200 Subject: [PATCH 010/386] Add jackett config and generate colmena hosts from attribute set --- flake.lock | 6 +- flake.nix | 68 ++++++++----------- hosts/jackett/configuration.nix | 11 ++- hosts/jackett/default.nix | 7 ++ hosts/nitter/configuration.nix | 2 +- .../configuration.nix | 0 hosts/{coturn => nixos-coturn}/coturn.nix | 0 hosts/{coturn => nixos-coturn}/default.nix | 0 hosts/{coturn => nixos-coturn}/secrets.nix | 0 9 files changed, 46 insertions(+), 48 deletions(-) create mode 100644 hosts/jackett/default.nix rename hosts/{coturn => nixos-coturn}/configuration.nix (100%) rename hosts/{coturn => nixos-coturn}/coturn.nix (100%) rename hosts/{coturn => nixos-coturn}/default.nix (100%) rename hosts/{coturn => nixos-coturn}/secrets.nix (100%) diff --git a/flake.lock b/flake.lock index 0648522..e5a7558 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689282004, - "narHash": "sha256-VNhuyb10c9SV+3hZOlxwJwzEGytZ31gN9w4nPCnNvdI=", + "lastModified": 1689373857, + "narHash": "sha256-mtBksyvhhT98Zsm9tYHuMKuLwUKDwv+BGTl6K5nOGhY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e74e68449c385db82de3170288a28cd0f608544f", + "rev": "dfdbcc428f365071f0ca3888f6ec8c25c3792885", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 8480f96..928ebc4 100644 --- a/flake.nix +++ b/flake.nix 
@@ -3,49 +3,41 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; }; - outputs = { nixpkgs, ... }: { + outputs = { self, nixpkgs, ... }: { + hosts = { + nitter = { + site = "vs"; + }; + nixos-coturn = { + site = "vs"; + }; + tor-relay = { + site = "vs"; + }; + jackett = { + site = "vs"; + }; + }; + + generateColmenaHost = name: host : { + deployment = { + targetHost = "${name}.${host.site}.grzb.de"; + targetUser = "colmena-deploy"; + }; + + imports = [ + ./configuration/common + ./configuration/proxmox-vm + ./hosts/${name} + ]; + }; + colmena = { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; }; - - nitter = { name, nodes, pkgs, ... }: { - deployment = { - targetHost = "nitter.vs.grzb.de"; - targetUser = "colmena-deploy"; - }; - imports = [ - ./configuration/common - ./configuration/proxmox-vm - ./hosts/nitter - ]; - }; - - coturn = { name, nodes, pkgs, ... }: { - deployment = { - targetHost = "nixos-coturn.vs.grzb.de"; - targetUser = "colmena-deploy"; - }; - imports = [ - ./configuration/common - ./configuration/proxmox-vm - ./hosts/coturn - ]; - }; - - tor-relay = { name, nodes, pkgs, ...}: { - deployment = { - targetHost = "tor-relay.vs.grzb.de"; - targetUser = "colmena-deploy"; - }; - imports = [ - ./configuration/common - ./configuration/proxmox-vm - ./hosts/tor-relay - ]; - }; - }; + } // builtins.mapAttrs (self.generateColmenaHost) self.hosts; }; } diff --git a/hosts/jackett/configuration.nix b/hosts/jackett/configuration.nix index 72e9795..bd9bde9 100644 --- a/hosts/jackett/configuration.nix +++ b/hosts/jackett/configuration.nix @@ -1,10 +1,9 @@ -{ config, pkgs, ... }: - +{ ... }: { - imports = [ - ./hardware-configuration.nix - ./jackett.nix - ]; + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; networking = { hostName = "jackett"; diff --git a/hosts/jackett/default.nix b/hosts/jackett/default.nix new file mode 100644 index 0000000..98e612a --- /dev/null +++ b/hosts/jackett/default.nix 
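Review bot: `hosts` and `generateColmenaHost` are emitted as top-level flake outputs and read back through `self.`, although they are internal helpers; newer `nix flake check`/`nix flake show` will likely report them as unknown outputs and any consumer of the flake sees them as API. Bind them locally instead: `outputs = { nixpkgs, ... }: let hosts = { … }; generateColmenaHost = name: host: { … }; in { colmena = { meta = { … }; } // builtins.mapAttrs generateColmenaHost hosts; };` with the two definitions moved into the `let` unchanged. While there, `name: host :` has a stray space before the colon and the parentheses around `self.generateColmenaHost` are unnecessary.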
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./jackett.nix
+ ];
+}
diff --git a/hosts/nitter/configuration.nix b/hosts/nitter/configuration.nix
index 3ca72b4..a7002d0 100644
--- a/hosts/nitter/configuration.nix
+++ b/hosts/nitter/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
 {
 boot.loader.grub = {
 enable = true;
diff --git a/hosts/coturn/configuration.nix b/hosts/nixos-coturn/configuration.nix
similarity index 100%
rename from hosts/coturn/configuration.nix
rename to hosts/nixos-coturn/configuration.nix
diff --git a/hosts/coturn/coturn.nix b/hosts/nixos-coturn/coturn.nix
similarity index 100%
rename from hosts/coturn/coturn.nix
rename to hosts/nixos-coturn/coturn.nix
diff --git a/hosts/coturn/default.nix b/hosts/nixos-coturn/default.nix
similarity index 100%
rename from hosts/coturn/default.nix
rename to hosts/nixos-coturn/default.nix
diff --git a/hosts/coturn/secrets.nix b/hosts/nixos-coturn/secrets.nix
similarity index 100%
rename from hosts/coturn/secrets.nix
rename to hosts/nixos-coturn/secrets.nix
From c6f4780ccd5a9f85e018ae62ddef1aef0f4a251b Mon Sep 17 00:00:00 2001 
From: fi Date: Tue, 18 Jul 2023 17:23:46 +0200 Subject: [PATCH 011/386] Work on hydra config, fix tor relay config, prepare web-public-2 host --- configuration/common/default.nix | 9 +++++++- configuration/common/nginx.nix | 9 ++++++++ flake.lock | 6 ++--- flake.nix | 31 ++++++++++++++++++++++++++ hosts/hydra/configuration.nix | 14 ++++++++++++ hosts/hydra/default.nix | 10 +++++++++ hosts/hydra/hydra.nix | 14 ++++++++++++ hosts/hydra/nginx.nix | 33 ++++++++++++++++++++++++++++ hosts/hydra/nix-serve.nix | 9 ++++++++ hosts/hydra/secrets.nix | 11 ++++++++++ hosts/netbox/configuration.nix | 2 +- hosts/tor-relay/tor.nix | 10 +++++---- hosts/web-public-2/configuration.nix | 14 ++++++++++++ hosts/web-public-2/default.nix | 7 ++++++ hosts/web-public-2/nginx.nix | 6 +++++ 15 files changed, 176 insertions(+), 9 deletions(-) create mode 100644 configuration/common/nginx.nix create mode 100644 hosts/hydra/configuration.nix create mode 100644 hosts/hydra/default.nix create mode 100644 hosts/hydra/hydra.nix create mode 100644 hosts/hydra/nginx.nix create mode 100644 hosts/hydra/nix-serve.nix create mode 100644 hosts/hydra/secrets.nix create mode 100644 hosts/web-public-2/configuration.nix create mode 100644 hosts/web-public-2/default.nix create mode 100644 hosts/web-public-2/nginx.nix diff --git a/configuration/common/default.nix b/configuration/common/default.nix index 78ac470..b94e91c 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix @@ -1,7 +1,8 @@ -{ config, pkgs, ... }: +{ pkgs, ... }: { imports = [ ./prometheus-node-exporter.nix + ./nginx.nix ../../users/colmena-deploy ../../users/yuri ]; @@ -36,6 +37,7 @@ services.openssh = { enable = true; + openFirewall = true; settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; @@ -43,5 +45,10 @@ }; }; + security.acme = { + defaults.email = "acme@grzb.de"; + acceptTerms = true; + }; + services.fstrim.enable = true; } 
diff --git a/configuration/common/nginx.nix b/configuration/common/nginx.nix new file mode 100644 index 0000000..60fa3f9 --- /dev/null +++ b/configuration/common/nginx.nix @@ -0,0 +1,9 @@ +{ ... }: { + services.nginx = { + enableReload = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; +} diff --git a/flake.lock b/flake.lock index e5a7558..5ef1dda 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689373857, - "narHash": "sha256-mtBksyvhhT98Zsm9tYHuMKuLwUKDwv+BGTl6K5nOGhY=", + "lastModified": 1689534811, + "narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dfdbcc428f365071f0ca3888f6ec8c25c3792885", + "rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 928ebc4..bcace6a 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,9 @@ jackett = { site = "vs"; }; + #hydra = { + # site = "vs"; + #}; }; generateColmenaHost = name: host : { @@ -39,5 +42,33 @@ }; }; } // builtins.mapAttrs (self.generateColmenaHost) self.hosts; + + /* generateNixosSystem = { + name, + system ? "x86_64-linux", + group ? null, + modules ? [], + }: + let localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs; + in localNixpkgs.lib.nixosSystem { + modules = modules ++ [ + ./configuration/common + ./users/yuri + ./users/colmena-deploy + (./hosts + "/${name}") + ]; + }; */ + + hydraJobs = { + nixConfigurations.nitter = let system = "x86_64-linux"; + in nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + ./configuration/common + ./configuration/proxmox-vm + ./hosts/nitter + ]; + }; + }; }; } diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix new file mode 100644 index 0000000..6e602ac --- /dev/null +++ b/hosts/hydra/configuration.nix 
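Review bot: `hydraJobs.nixConfigurations.nitter` evaluates to the attribute set returned by `nixpkgs.lib.nixosSystem`, not to a derivation, and Hydra jobs have to be derivations; the usual form exports the system closure, `nixConfigurations.nitter = (nixpkgs.lib.nixosSystem { inherit system; modules = [ … ]; }).config.system.build.toplevel;`. Letting Hydra walk the attribute set instead would need `recurseForDerivations` and would drag the nested `config`/`pkgs` attributes along, so the explicit toplevel is the safer choice. The commented-out `generateNixosSystem` block in the same hunk is dead code in a committed flake and also refers to an `inputs` binding that the `{ self, nixpkgs, ... }` signature does not provide; finish it or drop it.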
@@ -0,0 +1,14 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "hydra"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix new file mode 100644 index 0000000..c33a964 --- /dev/null +++ b/hosts/hydra/default.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./secrets.nix + ./hydra.nix + ./nix-serve.nix + ./nginx.nix + ]; +} diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix new file mode 100644 index 0000000..c8d4c3f --- /dev/null +++ b/hosts/hydra/hydra.nix @@ -0,0 +1,14 @@ +{ ... }: +{ + services.hydra = { + enable = true; + hydraURL = "https://hydra.nekover.se"; + listenHost = "localhost"; + port = 3001; + useSubstitutes = true; + notificationSender = "hydra@robot.grzb.de"; + extraConfig = " + binary_cache_public_uri = https://nix-cache.nekover.se + "; + }; +} diff --git a/hosts/hydra/nginx.nix b/hosts/hydra/nginx.nix new file mode 100644 index 0000000..7756928 --- /dev/null +++ b/hosts/hydra/nginx.nix @@ -0,0 +1,33 @@ +{ ... }: +{ + services.nginx = { + enable = true; + virtualHosts = { + + "hydra.nekover.se" = { + enableACME = true; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + }]; + locations."/" = { + proxyPass = "http://localhost:3001"; + }; + }; + + "nix-cache.nekover.se" = { + enableACME = true; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + }]; + locations."/" = { + proxyPass = "http://localhost:5005"; + }; + }; + + }; + }; +} diff --git a/hosts/hydra/nix-serve.nix b/hosts/hydra/nix-serve.nix new file mode 100644 index 0000000..75c18cb --- /dev/null +++ b/hosts/hydra/nix-serve.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + services.nix-serve = { + enable = true; + port = 5005; + bindAddress = "localhost"; + secretKeyFile = "/secrets/signing-key.secret"; + }; +} 
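Review bot: `networking.firewall.enable = false;` in hosts/hydra/configuration.nix removes host filtering entirely on a machine whose nginx binds `0.0.0.0:8443` (hosts/hydra/nginx.nix in this commit); hydra and nix-serve sit on localhost, so 8443 is the only service port that needs exposing, and 22 is already opened by `services.openssh.openFirewall = true` in configuration/common. `networking.firewall.allowedTCPPorts = [ 8443 ];` with the firewall left on gives the same reachability and keeps anything that later binds a wildcard address (the node exporter imported from common, a debug listener) off the network. The same `firewall.enable = false` is added for hosts/web-public-2/configuration.nix further down in this commit, a host that in the next commit receives a public IPv6 address and only needs 80, 443 and 8448.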
diff --git a/hosts/hydra/secrets.nix b/hosts/hydra/secrets.nix new file mode 100644 index 0000000..7ccf047 --- /dev/null +++ b/hosts/hydra/secrets.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + deployment.keys."signing-key.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/hosts/netbox/configuration.nix b/hosts/netbox/configuration.nix index 637244a..6040caf 100644 --- a/hosts/netbox/configuration.nix +++ b/hosts/netbox/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ diff --git a/hosts/tor-relay/tor.nix b/hosts/tor-relay/tor.nix index 58efb89..200e1e6 100644 --- a/hosts/tor-relay/tor.nix +++ b/hosts/tor-relay/tor.nix @@ -3,16 +3,18 @@ services.tor = { enable = true; + relay = { + enable = true; + role = "relay"; + }; + settings = { Nickname = "vsm"; ORPort = 9001; - ExitRelay = false; - SOCKSPort = 0; - ControlSocket = null; + DirPort = 9030; ContactInfo = "admin@grzb.de"; RelayBandwidthRate = "40 MBits"; RelayBandwidthBurst = "50 Mbits"; - DirPort = 9030; }; }; } diff --git a/hosts/web-public-2/configuration.nix b/hosts/web-public-2/configuration.nix new file mode 100644 index 0000000..dfeb4b0 --- /dev/null +++ b/hosts/web-public-2/configuration.nix @@ -0,0 +1,14 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "web-public-02"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/web-public-2/default.nix b/hosts/web-public-2/default.nix new file mode 100644 index 0000000..3db73ca --- /dev/null +++ b/hosts/web-public-2/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ]; +} 
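Review bot: the signing key is deployed as `user = "root"; group = "root"; permissions = "0640";`, but its consumer is `services.nix-serve.secretKeyFile` (hosts/hydra/nix-serve.nix in this commit), and as far as I recall the NixOS nix-serve service runs under its own unprivileged user, so the daemon cannot open the file and signing fails at startup. Giving the service's group read access, e.g. `group = "nix-serve"; permissions = "0640";` (or `user = "nix-serve"; permissions = "0400";`), keeps the key closed to everyone else while letting nix-serve read it; confirm the service's actual user and group on the target before relying on the name. `uploadAt = "pre-activation"` is the right choice here, since the key must exist before the service is started during activation.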
diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix new file mode 100644 index 0000000..5c7acd6 --- /dev/null +++ b/hosts/web-public-2/nginx.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.nginx = { + enable = true; + }; +} From ade955bdf4772030244a6f394e85ac0f085aa91a Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 20 Jul 2023 06:29:15 +0200 Subject: [PATCH 012/386] Add config for public reverse proxy --- configuration/common/default.nix | 1 + flake.lock | 6 +- flake.nix | 3 + hosts/web-public-2/configuration.nix | 16 +- hosts/web-public-2/nginx.nix | 303 ++++++++++++++++++++++++++- users/colmena-deploy/default.nix | 1 + users/yuri/default.nix | 1 + 7 files changed, 325 insertions(+), 6 deletions(-) diff --git a/configuration/common/default.nix b/configuration/common/default.nix index b94e91c..2136658 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix @@ -48,6 +48,7 @@ security.acme = { defaults.email = "acme@grzb.de"; acceptTerms = true; + preliminarySelfsigned = true; }; services.fstrim.enable = true; diff --git a/flake.lock b/flake.lock index 5ef1dda..3f90c88 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689534811, - "narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=", + "lastModified": 1689679375, + "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222", + "rev": "684c17c429c42515bafb3ad775d2a710947f3d67", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index bcace6a..820a1dd 100644 --- a/flake.nix +++ b/flake.nix @@ -20,6 +20,9 @@ #hydra = { # site = "vs"; #}; + web-public-2 = { + site = "vs"; + }; }; generateColmenaHost = name: host : { diff --git a/hosts/web-public-2/configuration.nix b/hosts/web-public-2/configuration.nix index dfeb4b0..081ca9a 100644 --- a/hosts/web-public-2/configuration.nix 
+++ b/hosts/web-public-2/configuration.nix @@ -5,8 +5,20 @@ device = "/dev/vda"; }; - networking = { - hostName = "web-public-02"; + networking = { + interfaces = { + "enp6s18".ipv6.addresses = [{ + address = "2001:470:5429::96"; + prefixLength = 64; + }]; + }; + + defaultGateway6 = { + address = "2001:470:5429::1"; + interface = "enp6s18"; + }; + + hostName = "web-public-2"; firewall.enable = false; }; diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix index 5c7acd6..8d050aa 100644 --- a/hosts/web-public-2/nginx.nix +++ b/hosts/web-public-2/nginx.nix 
@@ -1,6 +1,307 @@ -{ ... }: +{ pkgs, ... }: { services.nginx = { enable = true; + + streamConfig = '' + map $ssl_preread_server_name $address { + anisync.grzb.de 127.0.0.1:8443; + birdsite.nekover.se 127.0.0.1:8443; + element.nekover.se 127.0.0.1:8443; + gameserver.grzb.de 127.0.0.1:8443; + git.grzb.de 127.0.0.1:8443; + hydra.nekover.se hydra.vs.grzb.de:8443; + matrix.nekover.se 127.0.0.1:8443; + mewtube.nekover.se 127.0.0.1:8443; + nekover.se 127.0.0.1:8443; + nextcloud.grzb.de 127.0.0.1:8443; + nix-cache.nekover.se hydra.vs.grzb.de:8443; + social.nekover.se 127.0.0.1:8443; + } + + server { + listen 0.0.0.0:443; + listen [::]:443; + proxy_pass $address; + ssl_preread on; + proxy_protocol on; + } + ''; + + virtualHosts = { + "nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/.well-known/matrix/server" = { + return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; + extraConfig = '' + add_header Content-Type application/json; + ''; + }; + locations."/.well-known/matrix/client" = { + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + }; + }; + + "anisync.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://anisync.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + extraConfig = '' + add_header X-Content-Type-Options nosniff; + ''; + }; + + "birdsite.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = 
true; + } + ]; + locations."/" = { + proxyPass = "http://nitter.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: /\\n\""; + }; + }; + + "element.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://element.vs.grzb.de"; + recommendedProxySettings = false; + extraConfig = '' + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + extraConfig = '' + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + ''; + }; + + "gameserver.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://pterodactyl.vs.grzb.de"; + extraConfig = '' + proxy_redirect off; + proxy_buffering off; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Content-Type-Options nosniff; + ''; + }; + + "git.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://gitlab.vs.grzb.de:80"; + extraConfig = '' + gzip off; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + ''; + }; + + "matrix.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 
8448; + ssl = true; + } + { + addr = "[::]"; + port = 8448; + ssl = true; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://matrix.vs.grzb.de:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 500M; + ''; + }; + }; + + "mewtube.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://cloudtube.vs.grzb.de:10412"; + }; + }; + + "nextcloud.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ { + addr = "0.0.0.0"; + port = 80; + }{ + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + locations."/" = { + proxyPass = "http://nextcloud.vs.grzb.de:80"; + }; + locations."= /.well-known/carddav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + locations."= /.well-known/caldav" = { + return = "301 $scheme://$host/remote.php/dav"; + extraConfig = '' + proxy_read_timeout 3600; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 4096m; + ''; + }; + + "social.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://mastodon.vs.grzb.de:80"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 80m; + ''; + }; + }; }; } diff --git a/users/colmena-deploy/default.nix b/users/colmena-deploy/default.nix index bebd6ef..1766855 100644 --- a/users/colmena-deploy/default.nix +++ b/users/colmena-deploy/default.nix 
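Review bot: the `/.well-known/matrix/server` location answers with `return` and tries to set the media type with `add_header Content-Type application/json;`; `add_header` appends a header instead of replacing the one nginx derives from `default_type`/the MIME map, so the response can carry two Content-Type values and federation peers may reject it. The sibling `/.well-known/matrix/client` location already does it correctly with `default_type application/json;`; use the same form there. Separately, every vhost accepts PROXY protocol on `127.0.0.1:8443` but no `real_ip_header proxy_protocol;`/`set_real_ip_from 127.0.0.1;` is visible, so `$remote_addr` — and with it the element vhost's `proxy_set_header X-Forwarded-For $remote_addr;` and the access logs — will report 127.0.0.1 unless the NixOS module emits those directives for proxy-protocol listeners, which I cannot verify from this diff. Note also that the stream map forwards `hydra.nekover.se`/`nix-cache.nekover.se` to `hydra.vs.grzb.de:8443` with `proxy_protocol on` while that host's listeners in hosts/hydra/nginx.nix do not yet set `proxyProtocol = true`, which commit 013 below adds.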
@@ -6,6 +6,7 @@ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPJbR09ZqPnfZkx9JNjCurJDXWa5XtNeNQfkPRU/ZnY colmena-deploy" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" ]; }; } diff --git a/users/yuri/default.nix b/users/yuri/default.nix index ff0ac57..546de5e 100644 --- a/users/yuri/default.nix +++ b/users/yuri/default.nix @@ -5,6 +5,7 @@ extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" ]; }; } From ecfe325c9cdafc11ae5e121609684949eaf821cc Mon Sep 17 00:00:00 2001 
From: fi Date: Mon, 24 Jul 2023 01:12:36 +0200 Subject: [PATCH 013/386] Add janky nginx config with workaround for proxy protocol --- flake.nix | 6 +- hosts/hydra/nginx.nix | 10 + hosts/web-public-2/nginx.nix | 289 +----------------- .../virtualHosts/anisync.grzb.de.nix | 26 ++ .../virtualHosts/birdsite.nekover.se.nix | 26 ++ hosts/web-public-2/virtualHosts/default.nix | 25 ++ .../virtualHosts/element.nekover.se.nix | 33 ++ .../virtualHosts/gameserver.grzb.de.nix | 31 ++ .../web-public-2/virtualHosts/git.grzb.de.nix | 33 ++ .../virtualHosts/matrix.nekover.se.nix | 33 ++ .../virtualHosts/mewtube.nekover.se.nix | 22 ++ .../web-public-2/virtualHosts/nekover.se.nix | 32 ++ .../virtualHosts/nextcloud.grzb.de.nix | 32 ++ .../virtualHosts/social.nekover.se.nix | 26 ++ 14 files changed, 343 insertions(+), 281 deletions(-) create mode 100644 hosts/web-public-2/virtualHosts/anisync.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/default.nix create mode 100644 hosts/web-public-2/virtualHosts/element.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/git.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/matrix.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/social.nekover.se.nix diff --git a/flake.nix b/flake.nix index 820a1dd..7ea666b 100644 --- a/flake.nix +++ b/flake.nix @@ -17,9 +17,9 @@ jackett = { site = "vs"; }; - #hydra = { - # site = "vs"; - #}; + hydra = { + site = "vs"; + }; web-public-2 = { site = "vs"; }; diff --git a/hosts/hydra/nginx.nix b/hosts/hydra/nginx.nix index 7756928..e313c2d 100644 --- a/hosts/hydra/nginx.nix +++ b/hosts/hydra/nginx.nix 
@@ -5,11 +5,16 @@ virtualHosts = { "hydra.nekover.se" = { + forceSSL = true; enableACME = true; listen = [{ + addr = "127.0.0.1"; + port = 1234; + }{ addr = "0.0.0.0"; port = 8443; ssl = true; + proxyProtocol = true; }]; locations."/" = { proxyPass = "http://localhost:3001"; @@ -17,11 +22,16 @@ }; "nix-cache.nekover.se" = { + forceSSL = true; enableACME = true; listen = [{ + addr = "127.0.0.1"; + port = 1234; + }{ addr = "0.0.0.0"; port = 8443; ssl = true; + proxyProtocol = true; }]; locations."/" = { proxyPass = "http://localhost:5005"; diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix index 8d050aa..77d48ac 100644 --- a/hosts/web-public-2/nginx.nix +++ b/hosts/web-public-2/nginx.nix @@ -1,5 +1,9 @@ -{ pkgs, ... }: +{ ... }: { + imports = [ + ./virtualHosts + ]; + services.nginx = { enable = true; @@ -10,13 +14,14 @@ element.nekover.se 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; - hydra.nekover.se hydra.vs.grzb.de:8443; + hydra.nekover.se 10.202.41.121:8443; matrix.nekover.se 127.0.0.1:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; nextcloud.grzb.de 127.0.0.1:8443; - nix-cache.nekover.se hydra.vs.grzb.de:8443; + nix-cache.nekover.se 10.202.41.121:8443; social.nekover.se 127.0.0.1:8443; + test.grzb.de 127.0.0.1:8443; } server { 
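Review bot: `test.grzb.de 127.0.0.1:8443;` is added to the SNI map, but no `test.grzb.de` vhost exists under hosts/web-public-2/virtualHosts in this commit, so a TLS connection for that name is handed to nginx's default server on 8443 — whichever vhost sorts first — and answered with another site's certificate. Either add the vhost in the same commit or leave the name out of the map, where an unmatched name yields an empty `$address`, `proxy_pass` fails and the connection is simply closed. Replacing `hydra.vs.grzb.de` with `10.202.41.121` also hard-codes the hydra backend in two map entries; a small `let` binding in the Nix file would keep the two in sync.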
@@ -28,280 +33,8 @@ } ''; - virtualHosts = { - "nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/.well-known/matrix/server" = { - return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; - extraConfig = '' - add_header Content-Type application/json; - ''; - }; - locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin *; - ''; - }; - }; - - "anisync.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://anisync.vs.grzb.de:8080"; - proxyWebsockets = true; - }; - extraConfig = '' - add_header X-Content-Type-Options nosniff; - ''; - }; - - "birdsite.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://nitter.vs.grzb.de:8080"; - proxyWebsockets = true; - }; - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: /\\n\""; - }; - }; - - "element.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://element.vs.grzb.de"; - recommendedProxySettings = false; - extraConfig = '' - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - ''; - }; - extraConfig = '' - add_header X-Frame-Options 
SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; - ''; - }; - - "gameserver.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://pterodactyl.vs.grzb.de"; - extraConfig = '' - proxy_redirect off; - proxy_buffering off; - proxy_request_buffering off; - ''; - }; - extraConfig = '' - client_max_body_size 1024m; - add_header X-Content-Type-Options nosniff; - ''; - }; - - "git.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://gitlab.vs.grzb.de:80"; - extraConfig = '' - gzip off; - proxy_read_timeout 300; - proxy_connect_timeout 300; - proxy_redirect off; - ''; - }; - extraConfig = '' - client_max_body_size 1024m; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - ''; - }; - - "matrix.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - { - addr = "[::]"; - port = 8448; - ssl = true; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://matrix.vs.grzb.de:8008"; - extraConfig = '' - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size 500M; - ''; - }; - }; - - "mewtube.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - 
locations."/" = { - proxyPass = "http://cloudtube.vs.grzb.de:10412"; - }; - }; - - "nextcloud.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ { - addr = "0.0.0.0"; - port = 80; - }{ - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - locations."/" = { - proxyPass = "http://nextcloud.vs.grzb.de:80"; - }; - locations."= /.well-known/carddav" = { - return = "301 $scheme://$host/remote.php/dav"; - }; - locations."= /.well-known/caldav" = { - return = "301 $scheme://$host/remote.php/dav"; - extraConfig = '' - proxy_read_timeout 3600; - proxy_request_buffering off; - ''; - }; - extraConfig = '' - client_max_body_size 4096m; - ''; - }; - - "social.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://mastodon.vs.grzb.de:80"; - proxyWebsockets = true; - }; - extraConfig = '' - client_max_body_size 80m; - ''; - }; - }; + appendHttpConfig = '' + add_header Strict-Transport-Security "max-age=63072000" always; + ''; }; } diff --git a/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix new file mode 100644 index 0000000..6ccc410 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + services.nginx.virtualHosts."anisync.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://anisync.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + extraConfig = '' + add_header X-Content-Type-Options nosniff; + ''; + }; +} 
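Review bot: `add_header Strict-Transport-Security "max-age=63072000" always;` in `appendHttpConfig` lands at the `http` level, and nginx's `add_header` is inherited only by `server`/`location` blocks that declare no `add_header` of their own; the anisync, element, gameserver and git vhosts introduced in this commit all set `add_header` in their `extraConfig`, so those sites are served without HSTS. The reliable form is to add the header in each vhost's `extraConfig` (and in a `locations."/"` block when that one sets headers too), for example via one shared string defined in hosts/web-public-2/virtualHosts/default.nix and appended to every vhost. Until then the `appendHttpConfig` line only protects the vhosts that happen to set no headers, which is the opposite of what a global HSTS line suggests.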
diff --git a/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix new file mode 100644 index 0000000..1bf6ec5 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + services.nginx.virtualHosts."birdsite.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://nitter.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: /\\n\""; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/default.nix b/hosts/web-public-2/virtualHosts/default.nix new file mode 100644 index 0000000..f6aadad --- /dev/null +++ b/hosts/web-public-2/virtualHosts/default.nix @@ -0,0 +1,25 @@ +{ ... }: +{ + imports = [ + ./anisync.grzb.de.nix + ./birdsite.nekover.se.nix + ./element.nekover.se.nix + ./gameserver.grzb.de.nix + ./git.grzb.de.nix + ./matrix.nekover.se.nix + ./mewtube.nekover.se.nix + ./nekover.se.nix + ./nextcloud.grzb.de.nix + ./social.nekover.se.nix + ]; + + services.nginx.virtualHosts."_" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/hosts/web-public-2/virtualHosts/element.nekover.se.nix new file mode 100644 index 0000000..70385d1 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
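Review bot: the catch-all `"_"` vhost and every site's plain-HTTP listener bind `addr = "0.0.0.0"` only, while the stream server listens on `[::]:443` and the host received a public IPv6 address (`2001:470:5429::96`) in the previous commit, so port 80 is unreachable over IPv6. If AAAA records are published for these names, ACME HTTP-01 validation and the HTTP→HTTPS redirect will fail for IPv6 clients. Adding `{ addr = "[::]"; port = 80; }` to the `_` listen list and to each site's listen list closes the gap, the way the matrix vhost already pairs `0.0.0.0` and `[::]` for 8448.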
@@ -0,0 +1,33 @@
+{ ... }:
+{
+ services.nginx.virtualHosts."element.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "localhost";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://element.vs.grzb.de";
+ recommendedProxySettings = false;
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ extraConfig = ''
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Content-Security-Policy "frame-ancestors 'none'";
+ '';
+ };
+}
diff --git a/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
new file mode 100644
index 0000000..ddb1332
--- /dev/null
+++ b/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
@@ -0,0 +1,31 @@
+{ ... }:
+{
+ services.nginx.virtualHosts."gameserver.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "localhost";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://pterodactyl.vs.grzb.de";
+ extraConfig = ''
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_request_buffering off;
+ '';
+ };
+ extraConfig = ''
+ client_max_body_size 1024m;
+ add_header X-Content-Type-Options nosniff;
+ '';
+ };
+}
diff --git a/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/hosts/web-public-2/virtualHosts/git.grzb.de.nix
new file mode 100644
index 0000000..554421a
--- /dev/null
+++ b/hosts/web-public-2/virtualHosts/git.grzb.de.nix 
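Review bot: `add_header X-XSS-Protection "1; mode=block";` in the element vhost re-enables a browser XSS auditor that current browsers have removed and that, where still present, has been shown to leak page contents; with a `Content-Security-Policy` already set, current OWASP guidance is to omit the header or send `add_header X-XSS-Protection "0";`. Also, with `recommendedProxySettings = false` the `locations."/"` block forwards only `X-Forwarded-For` and `X-Forwarded-Proto` and no longer passes `Host` or `X-Real-IP` to the backend; if that is deliberate for the static Element bundle, a one-line comment saying so would keep the next reader from restoring the recommended settings.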
@@ -0,0 +1,33 @@ +{ ... }: +{ + services.nginx.virtualHosts."git.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://gitlab.vs.grzb.de:80"; + extraConfig = '' + gzip off; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + ''; + }; +} diff --git a/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix b/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix new file mode 100644 index 0000000..82455bf --- /dev/null +++ b/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix @@ -0,0 +1,33 @@ +{ ... }: +{ + services.nginx.virtualHosts."matrix.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + { + addr = "[::]"; + port = 8448; + ssl = true; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://matrix.vs.grzb.de:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 500M; + ''; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix new file mode 100644 index 0000000..835cb35 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix 
@@ -0,0 +1,22 @@ +{ ... }: +{ + services.nginx.virtualHosts."mewtube.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://cloudtube.vs.grzb.de:10412"; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/nekover.se.nix b/hosts/web-public-2/virtualHosts/nekover.se.nix new file mode 100644 index 0000000..58847cd --- /dev/null +++ b/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -0,0 +1,32 @@ +{ ... }: +{ + services.nginx.virtualHosts."nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/.well-known/matrix/server" = { + return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; + extraConfig = '' + add_header Content-Type application/json; + ''; + }; + locations."/.well-known/matrix/client" = { + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix new file mode 100644 index 0000000..7a3f7d2 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix 
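Review bot: The `/.well-known/matrix/server` location uses `add_header Content-Type application/json;` on a `return 200 ...` response, which appends a second `Content-Type` alongside the one nginx derives from `default_type`, while the `/.well-known/matrix/client` location right below correctly uses `default_type application/json;`. Change the server location to `default_type application/json;` too so both well-known responses carry a single, correct content type. The `Access-Control-Allow-Origin *` on the client location is required for browser-based clients; the server location is fetched server-to-server, so leaving CORS off there is fine.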
@@ -0,0 +1,32 @@ +{ ... }: +{ + services.nginx.virtualHosts."nextcloud.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ { + addr = "0.0.0.0"; + port = 80; + }{ + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + locations."/" = { + proxyPass = "http://nextcloud.vs.grzb.de:80"; + }; + locations."= /.well-known/carddav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + locations."= /.well-known/caldav" = { + return = "301 $scheme://$host/remote.php/dav"; + extraConfig = '' + proxy_read_timeout 3600; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 4096m; + ''; + }; +} diff --git a/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/hosts/web-public-2/virtualHosts/social.nekover.se.nix new file mode 100644 index 0000000..5024b8f --- /dev/null +++ b/hosts/web-public-2/virtualHosts/social.nekover.se.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + services.nginx.virtualHosts."social.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://mastodon.vs.grzb.de:80"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 80m; + ''; + }; +} From f213e05e46573be7946c3372fb9ec6e093f60007 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 24 Jul 2023 01:48:40 +0200 Subject: [PATCH 014/386] Enable localhost as buld machine for hydra --- hosts/hydra/configuration.nix | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix index 6e602ac..5596bb5 100644 --- a/hosts/hydra/configuration.nix +++ b/hosts/hydra/configuration.nix 
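Review bot: `proxy_read_timeout 3600;` and `proxy_request_buffering off;` sit inside the `= /.well-known/caldav` location, which only issues a `return 301`, so they have no effect; they look intended for the `/` location where Nextcloud's large uploads and long-running sync requests are proxied and where `client_max_body_size 4096m` applies. Move them into `locations."/".extraConfig`. Nextcloud additionally needs the proxy's forwarded headers and a matching `trusted_proxies` setting on the backend for its brute-force protection to see real client addresses; that configuration is outside this diff, so just confirm it exists.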
@@ -1,8 +1,16 @@ { ... }: { - boot.loader.grub = { - enable = true; - device = "/dev/vda"; + boot = { + loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + binfmt.emulatedSystems = [ + "armv6l-linux" + "armv7l-linux" + "aarch64-linux" + ]; }; networking = { @@ -10,5 +18,20 @@ firewall.enable = false; }; + nix = { + settings.allowed-uris = "http:// https://"; + buildMachines = [ + { + hostName = "localhost"; + systems = [ + "x86_64-linux" + "armv6l-linux" + "armv7l-linux" + "aarch64-linux" + ]; + } + ]; + }; + system.stateVersion = "23.05"; } From 389632748cbd009b2cb4104575fd9eef895d7619 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 25 Jul 2023 22:10:04 +0200 Subject: [PATCH 015/386] Serve element-web directly from web-public-2 --- flake.nix | 16 ----- .../element-web-config/config.json | 48 ++++++++++++++ .../virtualHosts/element.nekover.se.nix | 66 ++++++++++++++++--- 3 files changed, 106 insertions(+), 24 deletions(-) create mode 100644 hosts/web-public-2/virtualHosts/element-web-config/config.json diff --git a/flake.nix b/flake.nix index 7ea666b..95eb8e1 100644 --- a/flake.nix +++ b/flake.nix @@ -46,22 +46,6 @@ }; } // builtins.mapAttrs (self.generateColmenaHost) self.hosts; - /* generateNixosSystem = { - name, - system ? "x86_64-linux", - group ? null, - modules ? [], - }: - let localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs; - in localNixpkgs.lib.nixosSystem { - modules = modules ++ [ - ./configuration/common - ./users/yuri - ./users/colmena-deploy - (./hosts + "/${name}") - ]; - }; */ - hydraJobs = { nixConfigurations.nitter = let system = "x86_64-linux"; in nixpkgs.lib.nixosSystem { diff --git a/hosts/web-public-2/virtualHosts/element-web-config/config.json b/hosts/web-public-2/virtualHosts/element-web-config/config.json new file mode 100644 index 0000000..96b6288 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/element-web-config/config.json 
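Review bot: `nix.settings.allowed-uris = "http:// https://"` effectively disables the restricted-evaluation allowlist, because every http(s) URL — including plaintext http — becomes fetchable during Hydra evaluation; restricted mode exists so that evaluating an untrusted jobset cannot pull arbitrary network content. Narrow it to the sources this flake actually uses, e.g. `settings.allowed-uris = "github: https://github.com/ https://api.github.com/";`. In the same hunk the `localhost` entry in `buildMachines` relies on the defaults for `maxJobs` and `supportedFeatures`, and its `systems` list must stay in sync with `boot.binfmt.emulatedSystems` in the hunk above; a comment such as `# must match boot.binfmt.emulatedSystems` would tie the two lists together.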
@@ -0,0 +1,48 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "https://matrix.nekover.se", + "server_name": "Nekoverse" + }, + "m.identity_server": { + "base_url": "https://vector.im" + } + }, + "disable_custom_urls": false, + "disable_guests": false, + "disable_login_language_selector": false, + "disable_3pid_login": false, + "brand": "Element", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_widgets_urls": [ + "https://scalar.vector.im/_matrix/integrations/v1", + "https://scalar.vector.im/api", + "https://scalar-staging.vector.im/_matrix/integrations/v1", + "https://scalar-staging.vector.im/api", + "https://scalar-staging.riot.im/scalar/api" + ], + "bug_report_endpoint_url": "https://element.io/bugreports/submit", + "uisi_autorageshake_app": "element-auto-uisi", + "defaultCountryCode": "DE", + "showLabsSettings": true, + "features": { }, + "default_federate": true, + "default_theme": "dark", + "roomDirectory": { + "servers": [ + "matrix.org" + ] + }, + "piwik": false, + "enable_presence_by_hs_url": { + "https://matrix.org": false, + "https://matrix-client.matrix.org": false + }, + "settingDefaults": { + "breadcrumbs": true + }, + "jitsi": { + "preferredDomain": "meet.element.io" + } +} diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 70385d1..c4fdb27 100644 --- a/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
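Review bot: `bug_report_endpoint_url` points at `https://element.io/bugreports/submit`, so rageshake reports from this self-hosted client — which include client logs with room IDs, user IDs and homeserver URLs — are sent to Element's servers; if that is not intended, drop the key (the report option is then hidden) or point it at a self-hosted rageshake collector. The `integrations_ui_url`, `integrations_rest_url` and `integrations_widgets_urls` entries likewise delegate widget and bot management to vector.im, which is the upstream default but should be a deliberate decision for a private deployment. `"server_name": "Nekoverse"` reads as a display label; if Element uses this field to derive the homeserver domain it should be the Matrix server name instead — please verify against the element-web config documentation before relying on it.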
@@ -1,12 +1,25 @@ -{ ... }: +{ pkgs, ... }: +let + element-web = pkgs.fetchzip { + url = "https://github.com/vector-im/element-web/releases/download/v1.11.36/element-v1.11.36.tar.gz"; + sha256 = "sha256-HbKqfcYH3JWbrAeaYCF/Lg7D7bl5VSgsitxKQdvf+Oc="; + }; +in { services.nginx.virtualHosts."element.nekover.se" = { forceSSL = true; enableACME = true; + root = pkgs.buildEnv { + name = "element-web"; + paths = [ + element-web + ./element-web-config + ]; + }; listen = [ { - addr = "0.0.0.0"; - port = 80; + addr = "localhost"; + port = 1234; } { addr = "localhost"; 
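Review bot: `pkgs.fetchzip` pins the element-web release tarball by `sha256`, which gives integrity but turns every security update of a public-facing web client into a manual URL-plus-hash bump; nixpkgs ships `pkgs.element-web`, which can be used as `root` directly (its `conf` override also generates `config.json`) and follows the channel's updates. If the fetchzip route is kept, a comment next to `url` stating why the nixpkgs package is bypassed, e.g. `# pinned upstream release; the nixpkgs element-web was behind at the time`, would help the next maintainer. The switch of the first listener from `0.0.0.0:80` to `localhost:1234` is not explained in this commit and deserves a comment on the `listen` entry.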
@@ -15,19 +28,56 @@ proxyProtocol = true; } ]; - locations."/" = { - proxyPass = "http://element.vs.grzb.de"; - recommendedProxySettings = false; + + # Set no-cache for the version, config and index.html + # so that browsers always check for a new copy of Element Web. + # NB http://your-domain/ and http://your-domain/? are also covered by this + + locations."= /index.html" = { extraConfig = '' - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + add_header Cache-Control "no-cache"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + add_header Strict-Transport-Security "max-age=63072000" always; + ''; + }; + locations."= /version" = { + extraConfig = '' + add_header Cache-Control "no-cache"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + add_header Strict-Transport-Security "max-age=63072000" always; + ''; + }; + # covers config.json and config.hostname.json requests as it is prefix. 
+ locations."/config" = { + extraConfig = '' + add_header Cache-Control "no-cache"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + add_header Strict-Transport-Security "max-age=63072000" always; ''; }; extraConfig = '' + index index.html; + + # Configuration best practices + # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Content-Security-Policy "frame-ancestors 'none'"; + + add_header Strict-Transport-Security "max-age=63072000" always; + + # redirect server error pages to the static page /50x.html + error_page 500 502 503 504 /50x.html; ''; }; } From c4795cdef9624cd47ed9ac450e061b063095fc45 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 26 Jul 2023 01:09:38 +0200 Subject: [PATCH 016/386] Add output for nixos-generators --- .gitignore | 1 + configuration/nixos-generators/default.nix | 14 +++++++ configuration/proxmox-vm/default.nix | 4 -- .../proxmox-vm/hardware-configuration.nix | 2 +- flake.lock | 37 +++++++++++++++++++ flake.nix | 20 +++++++++- 6 files changed, 72 insertions(+), 6 deletions(-) create mode 100644 configuration/nixos-generators/default.nix diff --git a/.gitignore b/.gitignore index 722d5e7..02b9567 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .vscode +result diff --git a/configuration/nixos-generators/default.nix b/configuration/nixos-generators/default.nix new file mode 100644 index 0000000..2cda85e --- /dev/null +++ b/configuration/nixos-generators/default.nix @@ -0,0 +1,14 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "base"; + firewall.enable = true; + }; + + system.stateVersion = "23.05"; +} 
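Review bot: The same six `add_header` lines are repeated in the `= /index.html`, `= /version` and `/config` locations and again in the server `extraConfig`; the repetition is necessary because nginx does not inherit `add_header` into a location that defines its own, but copy-pasting makes the sets drift over time. Bind the list once in the existing `let`, e.g. `securityHeaders = ''add_header X-Frame-Options SAMEORIGIN; ...'';`, and interpolate it into each `extraConfig`. `error_page 500 502 503 504 /50x.html;` references a file that the `buildEnv` root is unlikely to contain (it comes from nginx's default html directory), so those errors would surface as 404s; either drop the directive or ship a `50x.html` in `./element-web-config`. The enclosing `virtualHosts."element.nekover.se"` attribute starts outside this hunk.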
diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix index 644147a..65105c0 100644 --- a/configuration/proxmox-vm/default.nix +++ b/configuration/proxmox-vm/default.nix @@ -1,8 +1,4 @@ { ... }: { - imports = [ - ./hardware-configuration.nix - ]; - services.qemuGuest.enable = true; } diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/configuration/proxmox-vm/hardware-configuration.nix index c007292..5fbbefa 100644 --- a/configuration/proxmox-vm/hardware-configuration.nix +++ b/configuration/proxmox-vm/hardware-configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, modulesPath, ... }: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") diff --git a/flake.lock b/flake.lock index 3f90c88..f4f6d2d 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,41 @@ { "nodes": { + "nixlib": { + "locked": { + "lastModified": 1689469483, + "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690133435, + "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1689679375, @@ -18,6 +54,7 @@ }, "root": { "inputs": { + "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs" } } diff --git a/flake.nix b/flake.nix index 95eb8e1..3fab58a 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,9 +1,13 @@ { inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixos-generators = { + url = "github:nix-community/nixos-generators"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { self, nixpkgs, ... }: { + outputs = { self, nixpkgs, nixos-generators, ... }: { hosts = { nitter = { site = "vs"; @@ -34,6 +38,7 @@ imports = [ ./configuration/common ./configuration/proxmox-vm + ./configuration/proxmox-vm/hardware-configuration.nix ./hosts/${name} ]; }; @@ -57,5 +62,18 @@ ]; }; }; + + # Generate a base VM image for Proxmox with `nix build .#base-proxmox` + packages.x86_64-linux = { + base-proxmox = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = [ + ./configuration/common + ./configuration/nixos-generators + ./configuration/proxmox-vm + ]; + format = "proxmox"; + }; + }; }; } From 10de1e428a8fb2c650273b0e28dbc1a4c010789d Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 26 Jul 2023 01:49:39 +0200 Subject: [PATCH 017/386] Add iperf host --- flake.nix | 21 ++++++++++++--------- hosts/iperf/configuration.nix | 14 ++++++++++++++ hosts/iperf/default.nix | 7 +++++++ hosts/iperf/iperf.nix | 7 +++++++ 4 files changed, 40 insertions(+), 9 deletions(-) create mode 100644 hosts/iperf/configuration.nix create mode 100644 hosts/iperf/default.nix create mode 100644 hosts/iperf/iperf.nix diff --git a/flake.nix b/flake.nix index 3fab58a..4b4fdc0 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,15 @@ outputs = { self, nixpkgs, nixos-generators, ... }: { hosts = { + hydra = { + site = "vs"; + }; + iperf = { + site = "vs"; + }; + jackett = { + site = "vs"; + }; nitter = { site = "vs"; }; @@ -18,12 +27,6 @@ tor-relay = { site = "vs"; }; - jackett = { - site = "vs"; - }; - hydra = { - site = "vs"; - }; web-public-2 = { site = "vs"; }; 
@@ -56,9 +59,9 @@ in nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./configuration/common - ./configuration/proxmox-vm - ./hosts/nitter + ./configuration/common + ./configuration/proxmox-vm + ./hosts/nitter ]; }; }; diff --git a/hosts/iperf/configuration.nix b/hosts/iperf/configuration.nix new file mode 100644 index 0000000..243344b --- /dev/null +++ b/hosts/iperf/configuration.nix @@ -0,0 +1,14 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "iperf"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/iperf/default.nix b/hosts/iperf/default.nix new file mode 100644 index 0000000..2cb1ecd --- /dev/null +++ b/hosts/iperf/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./iperf.nix + ]; +} diff --git a/hosts/iperf/iperf.nix b/hosts/iperf/iperf.nix new file mode 100644 index 0000000..ae6cd90 --- /dev/null +++ b/hosts/iperf/iperf.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + services.iperf3 = { + enable = true; + openFirewall = true; + }; +} From c1a2aa1d635ea8c7ef250a7f5362b36f7ed32558 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 27 Jul 2023 21:59:24 +0200 Subject: [PATCH 018/386] Generate hosts for hydra --- flake.lock | 8 +++---- flake.nix | 44 ++++++++++++++++++++++++---------- helper.nix | 25 +++++++++++++++++++ hosts/hydra/default.nix | 1 - hosts/nixos-coturn/default.nix | 1 - 5 files changed, 61 insertions(+), 18 deletions(-) create mode 100644 helper.nix diff --git a/flake.lock b/flake.lock index f4f6d2d..ad39d0d 100644 --- a/flake.lock +++ b/flake.lock 
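Review bot: `networking.firewall.enable = false` in `hosts/iperf/configuration.nix` makes the `openFirewall = true` in `hosts/iperf/iperf.nix` a no-op and exposes every current and future listener on the host, not just iperf3; keep the firewall on (`firewall.enable = true;`) and let the module open its own port. An unauthenticated iperf3 server also lets anyone who can reach it consume bandwidth and CPU at will, so unless the host is only reachable from a trusted network, the module's `authorizedUsersFile` and `rsaPrivateKey` options for iperf3's built-in authentication are worth enabling. The same point applies to the `hosts/iperf/iperf.nix` hunk that follows.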
@@ -38,16 +38,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1689679375, - "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=", + "lastModified": 1690538549, + "narHash": "sha256-FfScFHxidupVGPw9BrQOHz/SoFLRjoNmVC5ymS+g8xU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "684c17c429c42515bafb3ad775d2a710947f3d67", + "rev": "de5ca86149b0c4ff8bf69782cd25896fff0254e1", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index 4b4fdc0..c8ae23e 100644 --- a/flake.nix +++ b/flake.nix @@ -1,13 +1,15 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = { self, nixpkgs, nixos-generators, ... }: { + outputs = { self, nixpkgs, nixos-generators, ... }@inputs: let + helper = (import ./helper.nix) inputs; + in { hosts = { hydra = { site = "vs"; @@ -32,7 +34,7 @@ }; }; - generateColmenaHost = name: host : { + generateColmenaHost = name: host: { deployment = { targetHost = "${name}.${host.site}.grzb.de"; targetUser = "colmena-deploy"; @@ -43,7 +45,7 @@ ./configuration/proxmox-vm ./configuration/proxmox-vm/hardware-configuration.nix ./hosts/${name} - ]; + ] ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix; }; colmena = { 
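Review bot: `nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ...` silently skips the secrets module when the file is missing, and inside a flake `pathExists` only sees git-tracked files, so an untracked or forgotten `secrets.nix` makes the host evaluate and deploy without its secrets instead of failing. Make the dependency explicit per host (a flag in the host set that turns into an unconditional import) or at least wrap the optional in `lib.warnIf` so the absence is visible in the evaluation output. Since these files are expected to be tracked, also confirm they hold only references to deployment-time key material and not plaintext credentials.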
@@ -54,18 +56,35 @@ }; } // builtins.mapAttrs (self.generateColmenaHost) self.hosts; - hydraJobs = { - nixConfigurations.nitter = let system = "x86_64-linux"; - in nixpkgs.lib.nixosSystem { - inherit system; + nixosConfigurations = nixpkgs.lib.mapAttrs (name: config: let + nodeNixpkgs = self.outputs.colmena.meta.nodeNixpkgs.${name} or self.outputs.colmena.meta.nixpkgs; + nodeNixos = import (nodeNixpkgs.path + "/nixos/lib/eval-config.nix"); + in nodeNixos { modules = [ - ./configuration/common - ./configuration/proxmox-vm - ./hosts/nitter + #self.outputs.colmena.defaults + config + #inputs.colmena.nixosModules.deploymentOptions + { + _module.args.name = nixpkgs.lib.mkForce name; + _module.args.nodes = self.outputs.nixosConfigurations; + #nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + } ]; - }; + inherit (nodeNixpkgs) system; + } + ) (builtins.removeAttrs self.outputs.colmena ["meta" "defaults"]); + + hydraJobs = { + nixosConfigurations = nixpkgs.lib.mapAttrs (_: config: config.config.system.build.toplevel) self.outputs.nixosConfigurations; }; + /* + nixosConfigurations = (builtins.mapAttrs (helper.mapToNixosConfigurations) self.hosts); + hydraJobs = { + nixConfigurations = helper.buildHosts self.nixosConfigurations; + }; + */ + # Generate a base VM image for Proxmox with `nix build .#base-proxmox` packages.x86_64-linux = { base-proxmox = nixos-generators.nixosGenerate { @@ -78,5 +97,6 @@ format = "proxmox"; }; }; + }; } diff --git a/helper.nix b/helper.nix new file mode 100644 index 0000000..07a3e8e --- /dev/null +++ b/helper.nix 
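Review bot: The new `nixosConfigurations` block carries three commented-out module lines (`#self.outputs.colmena.defaults`, `#inputs.colmena.nixosModules.deploymentOptions`, `#nixpkgs.overlays = ...`) plus a `/* ... */` copy of the previous approach, which leaves it unclear whether colmena's defaults and deployment options are intentionally excluded from the Hydra evaluation or still to do. Either remove them or turn each into a `# TODO:` stating the reason. The `builtins.removeAttrs self.outputs.colmena ["meta" "defaults"]` expression also deserves a one-line comment, e.g. `# every remaining colmena attribute is a node`.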
@@ -0,0 +1,25 @@ +{ nixpkgs, ... }@inputs: +rec { + generateNixosSystem = name: { + system ? "x86_64-linux", + group ? null, + modules ? [], + site + }: let + localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs; + in localNixpkgs.lib.nixosSystem { + system = system; + modules = modules ++ [ + ./configuration/common + ./configuration/proxmox-vm + ./configuration/proxmox-vm/hardware-configuration.nix + ./hosts/${name} + ]; + }; + + mapToNixosConfigurations = name: host: generateNixosSystem name host; + + filterUnderscore = hosts: (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") hosts); + + buildHosts = hosts: builtins.mapAttrs (name: host: host.config.system.build.toplevel) (filterUnderscore hosts); +} diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix index c33a964..aeffee1 100644 --- a/hosts/hydra/default.nix +++ b/hosts/hydra/default.nix @@ -2,7 +2,6 @@ { imports = [ ./configuration.nix - ./secrets.nix ./hydra.nix ./nix-serve.nix ./nginx.nix diff --git a/hosts/nixos-coturn/default.nix b/hosts/nixos-coturn/default.nix index 63c719c..1036572 100644 --- a/hosts/nixos-coturn/default.nix +++ b/hosts/nixos-coturn/default.nix @@ -2,7 +2,6 @@ { imports = [ ./configuration.nix - ./secrets.nix ./coturn.nix ]; } From 5856edeb47558d4cd1e448d9ca54cf917e6b7e9d Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 30 Jul 2023 01:38:31 +0200 Subject: [PATCH 019/386] Test host specific nixpkgs --- flake.lock | 25 +++++++++++++--- flake.nix | 85 ++++++++++-------------------------------------------- helper.nix | 45 +++++++++++++++-------------- hosts.nix | 47 ++++++++++++++++++++++++++++++ 4 files changed, 106 insertions(+), 96 deletions(-) create mode 100644 hosts.nix diff --git a/flake.lock b/flake.lock index ad39d0d..5034288 100644 --- a/flake.lock +++ b/flake.lock 
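Review bot: `generateNixosSystem` duplicates the module list that `generateColmenaHost` in `flake.nix` already assembles, but without the optional `./hosts/${name}/secrets.nix` import, so a Hydra build via `buildHosts` evaluates a different configuration from the one colmena deploys; share one module-list function between the two paths. `group ? null` is accepted and never used, and `system = system;` can be `inherit system;`. In `filterUnderscore` the comparison `(builtins.substring 0 1 name) != "_"` reads clearer as `!(nixpkgs.lib.hasPrefix "_" name)`.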
@@ -38,11 +38,27 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1690538549,
- "narHash": "sha256-FfScFHxidupVGPw9BrQOHz/SoFLRjoNmVC5ymS+g8xU=",
+ "lastModified": 1690630041,
+ "narHash": "sha256-gbnvqm5goS9DSKAqGFpq3398aOpwejmq4qWikqmQyRo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "de5ca86149b0c4ff8bf69782cd25896fff0254e1",
+ "rev": "d57e8c535d4cbb07f441c30988ce52eec69db7a8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-23.05-small",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1690628621,
+ "narHash": "sha256-fHmW03fQziNt1+tt/Goa0lwObsR8kY8auNEWnv92Sfw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "9508c7104d697af158ebc719586d64eb7b64c0d7",
 "type": "github"
 },
 "original": {
@@ -55,7 +71,8 @@
 "root": {
 "inputs": {
 "nixos-generators": "nixos-generators",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-unstable": "nixpkgs-unstable"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index c8ae23e..92fda46 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,90 +1,35 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small"; + nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = { self, nixpkgs, nixos-generators, ... }@inputs: let + outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let + hosts = import ./hosts.nix inputs; helper = (import ./helper.nix) inputs; in { - hosts = { - hydra = { - site = "vs"; - }; - iperf = { - site = "vs"; - }; - jackett = { - site = "vs"; - }; - nitter = { - site = "vs"; - }; - nixos-coturn = { - site = "vs"; - }; - tor-relay = { - site = "vs"; - }; - web-public-2 = { - site = "vs"; - }; - }; - - generateColmenaHost = name: host: { - deployment = { - targetHost = "${name}.${host.site}.grzb.de"; - targetUser = "colmena-deploy"; - }; - - imports = [ - ./configuration/common - ./configuration/proxmox-vm - ./configuration/proxmox-vm/hardware-configuration.nix - ./hosts/${name} - ] ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix; - }; - colmena = { meta = { - nixpkgs = import nixpkgs { - system = "x86_64-linux"; - }; + # Set the default pkgs, which is pointless in this case, + # because nodeNixpkgs is overriding it anyway and a default value is generated. + # It is still needed for colmena to run. + nixpkgs = nixpkgs.legacyPackages."x86_64-linux"; + + # Specify nixpkgs to use for each host. + # The default is "nixpkgs" for "x86_64-linux" systems, + # but it is overridden by the host-specific "hostNixpkgs" and "system" attributes. 
+ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; }; - } // builtins.mapAttrs (self.generateColmenaHost) self.hosts; - - nixosConfigurations = nixpkgs.lib.mapAttrs (name: config: let - nodeNixpkgs = self.outputs.colmena.meta.nodeNixpkgs.${name} or self.outputs.colmena.meta.nixpkgs; - nodeNixos = import (nodeNixpkgs.path + "/nixos/lib/eval-config.nix"); - in nodeNixos { - modules = [ - #self.outputs.colmena.defaults - config - #inputs.colmena.nixosModules.deploymentOptions - { - _module.args.name = nixpkgs.lib.mkForce name; - _module.args.nodes = self.outputs.nixosConfigurations; - #nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; - } - ]; - inherit (nodeNixpkgs) system; - } - ) (builtins.removeAttrs self.outputs.colmena ["meta" "defaults"]); + } // builtins.mapAttrs (helper.generateColmenaHost) hosts; hydraJobs = { - nixosConfigurations = nixpkgs.lib.mapAttrs (_: config: config.config.system.build.toplevel) self.outputs.nixosConfigurations; + nixConfigurations = builtins.mapAttrs (helper.generateNixConfiguration) hosts; }; - /* - nixosConfigurations = (builtins.mapAttrs (helper.mapToNixosConfigurations) self.hosts); - hydraJobs = { - nixConfigurations = helper.buildHosts self.nixosConfigurations; - }; - */ - # Generate a base VM image for Proxmox with `nix build .#base-proxmox` packages.x86_64-linux = { base-proxmox = nixos-generators.nixosGenerate { diff --git a/helper.nix b/helper.nix index 07a3e8e..fc91e4e 100644 --- a/helper.nix +++ b/helper.nix 
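Review bot: The Hydra job set is renamed from `nixosConfigurations` to `nixConfigurations` inside `hydraJobs`, which changes every job name Hydra tracks (build history, notifications, channel paths) without the commit message mentioning it; if the rename is unintentional, keep `nixosConfigurations`. The comment on `meta.nixpkgs` calls the value "pointless" — `# colmena requires meta.nixpkgs even though nodeNixpkgs overrides it per host` says the same thing more precisely. `nodeNixpkgs` relies on every host carrying a `pkgs` attribute, which `hosts.nix` guarantees through its default; a short note at that line would make the coupling explicit.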
@@ -1,25 +1,26 @@ -{ nixpkgs, ... }@inputs: -rec { - generateNixosSystem = name: { - system ? "x86_64-linux", - group ? null, - modules ? [], - site - }: let - localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs; - in localNixpkgs.lib.nixosSystem { - system = system; - modules = modules ++ [ - ./configuration/common - ./configuration/proxmox-vm - ./configuration/proxmox-vm/hardware-configuration.nix - ./hosts/${name} - ]; +{ nixpkgs, ... }: +{ + generateColmenaHost = name: { + site, + modules, + ... + }: { + deployment = { + targetHost = "${name}.${site}.grzb.de"; + targetUser = "colmena-deploy"; + }; + + # Set imports and optionally import colmena secrets configuration + imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix; }; - mapToNixosConfigurations = name: host: generateNixosSystem name host; - - filterUnderscore = hosts: (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") hosts); - - buildHosts = hosts: builtins.mapAttrs (name: host: host.config.system.build.toplevel) (filterUnderscore hosts); + generateNixConfiguration = name: { + hostNixpkgs, + system, + modules, + ... + }: + (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") (hostNixpkgs.lib.nixosSystem { + inherit system modules; + })).config.system.build.toplevel; } diff --git a/hosts.nix b/hosts.nix new file mode 100644 index 0000000..083d5b8 --- /dev/null +++ b/hosts.nix 
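Review bot: In `generateNixConfiguration` the inner lambda `(name: host: ...)` shadows the function's own `name` parameter, which is then unused; rename the inner one (e.g. `attr: _:`) so the outer `name` stays available for error messages. Applying `filterAttrs` to the result of `hostNixpkgs.lib.nixosSystem` and then selecting `.config.system.build.toplevel` only removes top-level keys of the system set, so the filter cannot change the selected derivation; the earlier `filterUnderscore` in this file filtered the hosts set, and this looks like a misplaced port of that helper. If the filter is kept for a reason, state it on the line.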
@@ -0,0 +1,47 @@ +{ nixpkgs, nixpkgs-unstable, ... }: +let + environments = { + "proxmox" = [ + ./configuration/proxmox-vm + ./configuration/proxmox-vm/hardware-configuration.nix + ]; + }; + generateDefaults = hosts: builtins.mapAttrs (name: { + hostNixpkgs ? nixpkgs, + system ? "x86_64-linux", + pkgs ? hostNixpkgs.legacyPackages.${system}, + environment ? "proxmox", + site + }: { + inherit hostNixpkgs system pkgs environment site; + modules = [ + ./configuration/common + ./hosts/${name} + ] ++ (if environments ? ${environment} then environments.${environment} else []); + }) hosts; +in + generateDefaults { + hydra = { + hostNixpkgs = nixpkgs-unstable; + site = "vs"; + }; + iperf = { + site = "vs"; + }; + jackett = { + site = "vs"; + }; + nitter = { + site = "vs"; + }; + nixos-coturn = { + site = "vs"; + }; + tor-relay = { + site = "vs"; + }; + web-public-2 = { + hostNixpkgs = nixpkgs-unstable; + site = "vs"; + }; + } From 59a7e36838b6ba4e70af6805f3b1544f558a8b4d Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 31 Jul 2023 15:03:52 +0200 Subject: [PATCH 020/386] Generate colmena and hydraJobs outputs from the same hosts attribute set --- flake.nix | 2 +- helper.nix | 13 +++++++++---- hosts.nix | 6 +++++- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/flake.nix b/flake.nix index 92fda46..3615c48 100644 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,7 @@ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let hosts = import ./hosts.nix inputs; - helper = (import ./helper.nix) inputs; + helper = import ./helper.nix inputs; in { colmena = { meta = { diff --git a/helper.nix b/helper.nix index fc91e4e..2188959 100644 --- a/helper.nix +++ b/helper.nix 
@@ -19,8 +19,13 @@ system, modules, ... - }: - (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") (hostNixpkgs.lib.nixosSystem { - inherit system modules; - })).config.system.build.toplevel; + }: + let + # Filter attritubes starting with _ to avoid infinite recursion when building with hydra + # TODO: Why does this happen? + filter = name: host: (builtins.substring 0 1 name) != "_"; + in + (nixpkgs.lib.filterAttrs filter (hostNixpkgs.lib.nixosSystem { + inherit system modules; + })).config.system.build.toplevel; # Builds the entire NixOS system, see: https://nixos.org/manual/nixos/stable/#sec-building-parts } diff --git a/hosts.nix b/hosts.nix index 083d5b8..2ba24de 100644 --- a/hosts.nix +++ b/hosts.nix @@ -1,23 +1,27 @@ { nixpkgs, nixpkgs-unstable, ... }: let + # Set of environment specific modules environments = { "proxmox" = [ ./configuration/proxmox-vm ./configuration/proxmox-vm/hardware-configuration.nix ]; }; + # generateDefaults = hosts: builtins.mapAttrs (name: { hostNixpkgs ? nixpkgs, system ? "x86_64-linux", + # pkgs is explicitly defined so that overlays for each host can easily be created pkgs ? hostNixpkgs.legacyPackages.${system}, environment ? "proxmox", site }: { inherit hostNixpkgs system pkgs environment site; + # define common and host modules and additionally add environment specific modules modules = [ ./configuration/common ./hosts/${name} - ] ++ (if environments ? ${environment} then environments.${environment} else []); + ] ++ environments.${environment}; }) hosts; in generateDefaults { From d9f6e2f51c5b0feeced78ba45b5e18db851d8d71 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 31 Jul 2023 15:07:41 +0200 Subject: [PATCH 021/386] Bump flake.lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 5034288..7668670 100644 --- a/flake.lock +++ b/flake.lock 
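Review bot: The comment on `filter` says it avoids infinite recursion under Hydra and leaves `TODO: Why does this happen?`; since `filterAttrs` only removes top-level attributes of the `nixosSystem` result and the expression then selects `.config.system.build.toplevel`, the filter cannot change the derivation that is built, so if the recursion disappears it is likely because forcing the attribute names changes evaluation order, which is fragile. Hydra recurses into attribute sets looking for derivations, so exposing only `toplevel` (as this code already does) is the usual fix and the filter can probably go. Also `attritubes` → `attributes`, and the trailing `# Builds the entire NixOS system, see: ...` comment is easier to read on its own line above the expression.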
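Review bot: An empty `#` line is left above `generateDefaults` where a description was apparently intended; something like `# Fill in per-host defaults and assemble each host's module list` would complete it. Replacing the `environments ? ${environment}` fallback with a direct `environments.${environment}` lookup is the right call, since an unknown environment now fails evaluation instead of silently yielding no modules, and that behaviour is worth one more sentence in the `# Set of environment specific modules` comment.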
@@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690630041, - "narHash": "sha256-gbnvqm5goS9DSKAqGFpq3398aOpwejmq4qWikqmQyRo=", + "lastModified": 1690726002, + "narHash": "sha256-cACz6jCJZtsZHGCJAN4vMobxzH5s6FCOTZHMrh/Hu0M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d57e8c535d4cbb07f441c30988ce52eec69db7a8", + "rev": "391e8db1f06c3f74c2d313a73135515023af3993", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1690628621, - "narHash": "sha256-fHmW03fQziNt1+tt/Goa0lwObsR8kY8auNEWnv92Sfw=", + "lastModified": 1690738238, + "narHash": "sha256-yUFU7PGQzOEDX2Y64QV7xNHkn3RjkOTqvZ5oW5gbgGY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9508c7104d697af158ebc719586d64eb7b64c0d7", + "rev": "6376df481833e5f2e83eade8d8f2d04beed007d0", "type": "github" }, "original": { From 2c23fb92c9ae3b8e70b5fa9bdfb32c898d5fc65d Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 31 Jul 2023 15:38:08 +0200 Subject: [PATCH 022/386] Set binary cache hint --- flake.nix | 9 +++++++++ hosts/netbox/configuration.nix | 15 --------------- hosts/netbox/netbox.nix | 10 ---------- 3 files changed, 9 insertions(+), 25 deletions(-) delete mode 100644 hosts/netbox/configuration.nix delete mode 100644 hosts/netbox/netbox.nix diff --git a/flake.nix b/flake.nix index 3615c48..90ed283 100644 --- a/flake.nix +++ b/flake.nix @@ -43,5 +43,14 @@ }; }; + # Binary cache hint + nixConfig = { + extra-substituters = [ + "https://nix-cache.nekover.se" + ]; + extra-trusted-public-keys = [ + "nix-cache.nekover.se:f/VfGqC5lctLzOa6pLLDmEkihcip4WYpYShlW3rivLU=" + ]; + }; }; } diff --git a/hosts/netbox/configuration.nix b/hosts/netbox/configuration.nix deleted file mode 100644 index 6040caf..0000000 --- a/hosts/netbox/configuration.nix +++ /dev/null 
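Review bot: From the context lines (`}; };` before and `}; }` after), `nixConfig` is inserted inside the attribute set returned by `outputs`, but Nix only honours `nixConfig` as a top-level flake attribute next to `inputs` and `outputs`; as an output it is just an unrecognised attribute and the substituter hint is never applied. Move the block after the closing `};` of `outputs`. Once placed correctly, `nix` prompts users to accept `nix-cache.nekover.se` with the listed key, which is the right model: pinning the public key in the repository is what lets users verify it out of band.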
@@ -1,15 +0,0 @@ -{ ... }: - -{ - imports = [ - ./hardware-configuration.nix - ./tor.nix - ]; - - networking = { - hostName = "tor-relay"; - firewall.enable = false; - }; - - system.stateVersion = "23.05"; -} diff --git a/hosts/netbox/netbox.nix b/hosts/netbox/netbox.nix deleted file mode 100644 index 07674e6..0000000 --- a/hosts/netbox/netbox.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: -{ - services.netox = { - enable = true; - - settings = { - - }; - }; -} From 6885c40c108c6b881d2506d6d6a8b4b1726b15f0 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 31 Jul 2023 16:43:30 +0200 Subject: [PATCH 023/386] Use hacky workaround for enableACME check with a proxyProtocol listener --- hosts/web-public-2/virtualHosts/anisync.grzb.de.nix | 8 ++++---- .../web-public-2/virtualHosts/birdsite.nekover.se.nix | 8 ++++---- hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix | 8 ++++---- hosts/web-public-2/virtualHosts/git.grzb.de.nix | 8 ++++---- hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix | 8 ++++---- hosts/web-public-2/virtualHosts/nekover.se.nix | 8 ++++---- hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix | 10 ++++++---- hosts/web-public-2/virtualHosts/social.nekover.se.nix | 8 ++++---- 9 files changed, 36 insertions(+), 34 deletions(-) diff --git a/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix index 6ccc410..b628ef7 100644 --- a/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix +++ b/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix index 1bf6ec5..a043d8e 100644 
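Review bot: Swapping the `0.0.0.0:80` listener for `localhost:1234` in this vhost's `listen` list removes its only plain-HTTP endpoint, so the http-01 `/.well-known/acme-challenge/` path for `anisync.grzb.de` is no longer reachable on port 80 through this server block; unless another server block on this host answers port 80 for that name (not visible here), certificate renewal will fail quietly until the current certificate expires. The same substitution is made in the birdsite, element, gameserver, git, mewtube, nekover.se, nextcloud and social vhost hunks of this commit. The inline `# workaround for enableACME check` should say what the check is and that 1234 is deliberately loopback-only, e.g. `# dummy non-SSL listener on loopback: the enableACME check the commit title refers to needs one; real traffic arrives on the PROXY-protocol 8443 listener below, and ACME challenges must be answered by a separate port-80 server block`.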
--- a/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/hosts/web-public-2/virtualHosts/element.nekover.se.nix index c4fdb27..de1665b 100644 --- a/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -17,10 +17,10 @@ in ]; }; listen = [ - { + { addr = "localhost"; port = 1234; - } + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix index ddb1332..5070a0b 100644 --- a/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix +++ b/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/hosts/web-public-2/virtualHosts/git.grzb.de.nix index 554421a..fb156d8 100644 --- a/hosts/web-public-2/virtualHosts/git.grzb.de.nix +++ b/hosts/web-public-2/virtualHosts/git.grzb.de.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix index 835cb35..fbc64fa 100644 --- a/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix 
+++ b/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/nekover.se.nix b/hosts/web-public-2/virtualHosts/nekover.se.nix index 58847cd..743135d 100644 --- a/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix index 7a3f7d2..87fcc68 100644 --- a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix +++ b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix @@ -3,10 +3,12 @@ services.nginx.virtualHosts."nextcloud.grzb.de" = { forceSSL = true; enableACME = true; - listen = [ { - addr = "0.0.0.0"; - port = 80; - }{ + listen = [ + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check + { addr = "localhost"; port = 8443; ssl = true; diff --git a/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/hosts/web-public-2/virtualHosts/social.nekover.se.nix index 5024b8f..2c44a16 100644 --- a/hosts/web-public-2/virtualHosts/social.nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/social.nekover.se.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; From 8a16dd0af2c550da600f30ed147f60f0174f26c5 Mon Sep 17 00:00:00 2001 
From: fi Date: Tue, 1 Aug 2023 14:21:06 +0200 Subject: [PATCH 024/386] Enable console on serial port and print public ssh host key when booting --- configuration/common/default.nix | 18 ++++++++++++++++++ configuration/proxmox-vm/default.nix | 6 ++++++ hosts.nix | 1 - 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/configuration/common/default.nix b/configuration/common/default.nix index 2136658..1b2b085 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix @@ -51,5 +51,23 @@ preliminarySelfsigned = true; }; + # Print the ed25519 public ssh host key to console when booting + systemd.units."print-public-ssh-host-key.service" = { + enable = true; + text = '' + [Unit] + Description=print-public-ssh-host-key.service + Before=getty@tty1.service + + [Service] + Type=oneshot + ExecStart=/run/current-system/sw/bin/bash -c "/run/current-system/sw/bin/echo ----- ED25519 PUBLIC SSH HOST KEY -----\ + && /run/current-system/sw/bin/cut -d ' ' -f 1-2 /etc/ssh/ssh_host_ed25519_key.pub" + RemainAfterExit=no + StandardOutput=tty + ''; + wantedBy = [ "multi-user.target" ]; + }; + services.fstrim.enable = true; } diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix index 65105c0..47ed7df 100644 --- a/configuration/proxmox-vm/default.nix +++ b/configuration/proxmox-vm/default.nix @@ -1,4 +1,10 @@ { ... }: { + # Enable console output on TTY1 and serial console + boot.kernelParams = [ + "console=tty1" + "console=ttyS0,115200" + ]; + services.qemuGuest.enable = true; } diff --git a/hosts.nix b/hosts.nix index 2ba24de..133f155 100644 --- a/hosts.nix +++ b/hosts.nix @@ -7,7 +7,6 @@ let ./configuration/proxmox-vm/hardware-configuration.nix ]; }; - # generateDefaults = hosts: builtins.mapAttrs (name: { hostNixpkgs ? nixpkgs, system ? "x86_64-linux", From 693c6da88afafad4b088934b0858303677850755 Mon Sep 17 00:00:00 2001 
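Review bot: The new unit is written as raw `systemd.units."print-public-ssh-host-key.service".text` with hard-coded `/run/current-system/sw/bin/...` paths and a backslash-continued `ExecStart`, which bypasses the `systemd.services` options (`script`, `serviceConfig`, `after`) that the module system would otherwise manage and makes the command hard to extend. Nothing orders the unit after sshd, and on a first boot `/etc/ssh/ssh_host_ed25519_key.pub` may not exist yet if the host key is generated by sshd's pre-start (confirm), so the `cut` fails and nothing is printed. Printing only the public half of the host key to the console is fine; the rewrite below keeps `StandardOutput=tty` and the same output while adding the ordering.
```nix
  # Print the ed25519 public ssh host key to console when booting, so the
  # fingerprint can be verified out of band on the first ssh connection
  systemd.services.print-public-ssh-host-key = {
    description = "print-public-ssh-host-key.service";
    before = [ "getty@tty1.service" ];
    after = [ "sshd.service" ]; # the key file is created by sshd's setup on first boot
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = false;
      StandardOutput = "tty";
    };
    script = ''
      echo "----- ED25519 PUBLIC SSH HOST KEY -----"
      cut -d ' ' -f 1-2 /etc/ssh/ssh_host_ed25519_key.pub
    '';
  };
```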
From: fi Date: Tue, 1 Aug 2023 23:02:11 +0200 Subject: [PATCH 025/386] Add jellyfin host --- hosts.nix | 3 + hosts/jellyfin/configuration.nix | 17 +++++ hosts/jellyfin/default.nix | 10 +++ hosts/jellyfin/hardware-configuration.nix | 16 +++++ hosts/jellyfin/jellyfin.nix | 6 ++ hosts/jellyfin/nginx.nix | 65 +++++++++++++++++++ hosts/jellyfin/secrets.nix | 11 ++++ .../virtualHosts/acme-challenge.nix | 12 ++++ hosts/web-public-2/virtualHosts/default.nix | 1 + 9 files changed, 141 insertions(+) create mode 100644 hosts/jellyfin/configuration.nix create mode 100644 hosts/jellyfin/default.nix create mode 100644 hosts/jellyfin/hardware-configuration.nix create mode 100644 hosts/jellyfin/jellyfin.nix create mode 100644 hosts/jellyfin/nginx.nix create mode 100644 hosts/jellyfin/secrets.nix create mode 100644 hosts/web-public-2/virtualHosts/acme-challenge.nix diff --git a/hosts.nix b/hosts.nix index 133f155..4cac023 100644 --- a/hosts.nix +++ b/hosts.nix @@ -34,6 +34,9 @@ in jackett = { site = "vs"; }; + jellyfin = { + site = "vs"; + }; nitter = { site = "vs"; }; diff --git a/hosts/jellyfin/configuration.nix b/hosts/jellyfin/configuration.nix new file mode 100644 index 0000000..7d058cd --- /dev/null +++ b/hosts/jellyfin/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "jellyfin"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/jellyfin/default.nix b/hosts/jellyfin/default.nix new file mode 100644 index 0000000..9c80166 --- /dev/null +++ b/hosts/jellyfin/default.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ./secrets.nix + ./jellyfin.nix + ./nginx.nix + ]; +} diff --git a/hosts/jellyfin/hardware-configuration.nix b/hosts/jellyfin/hardware-configuration.nix new file mode 100644 index 0000000..764a903 --- /dev/null 
+++ b/hosts/jellyfin/hardware-configuration.nix @@ -0,0 +1,16 @@ +{ ... }: +{ + fileSystems."/mnt/media" = { + device = "//10.202.46.5/media"; + fsType = "cifs"; + options = [ + "username=jellyfin" + "credentials=/secrets/samba-credentials.secret" + "iocharset=utf8" + "vers=3.1.1" + "uid=jellyfin" + "gid=jellyfin" + "_netdev" + ]; + }; +} diff --git a/hosts/jellyfin/jellyfin.nix b/hosts/jellyfin/jellyfin.nix new file mode 100644 index 0000000..89deaaa --- /dev/null +++ b/hosts/jellyfin/jellyfin.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.jellyfin = { + enable = true; + }; +} diff --git a/hosts/jellyfin/nginx.nix b/hosts/jellyfin/nginx.nix new file mode 100644 index 0000000..7d70066 --- /dev/null +++ b/hosts/jellyfin/nginx.nix 
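Review bot: The `fileSystems."/mnt/media"` CIFS entry has `_netdev` but neither `nofail` nor `x-systemd.automount`, so when `//10.202.46.5/media` is unreachable at boot the mount unit fails (after the mount timeout) and Jellyfin comes up with an empty library until someone mounts by hand; adding `"nofail" "x-systemd.automount"` to `options` lets the host boot cleanly and mount on first access. Pinning `vers=3.1.1` is good; if the share's traffic crosses a segment you do not fully trust, `"seal"` additionally turns on SMB3 encryption. The credentials file at `/secrets/samba-credentials.secret` is read by `mount.cifs` as root, which matches the `root:root`/`0640` deployed in this commit's secrets.nix — a comment next to `credentials=` pointing at that file's origin would save the next reader the cross-reference.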
@@ -0,0 +1,65 @@ +{ ... }: +{ + services.nginx = { + enable = true; + virtualHosts."jellyfin.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."= /" = { + return = "302 https://$host/web/"; + }; + locations."/" = { + proxyPass = "http://localhost:8096/"; + extraConfig = '' + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; + ''; + }; + locations."= /web/" = { + proxyPass = "http://localhost:8096/web/index.html"; + }; + locations."/socket" = { + proxyPass = "http://localhost:8096/socket"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 20M; + + # Security / XSS Mitigation Headers + # NOTE: X-Frame-Options may cause issues with the webOS app + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options "nosniff"; + + # COOP/COEP. Disable if you use external plugins/images/assets + add_header Cross-Origin-Opener-Policy "same-origin" always; + add_header Cross-Origin-Embedder-Policy "require-corp" always; + add_header Cross-Origin-Resource-Policy "same-origin" always; + + # Permissions policy. 
May cause issues on some clients + add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; + + # Tell browsers to use per-origin process isolation + add_header Origin-Agent-Cluster "?1" always; + + # Content Security Policy + # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP + # Enforces https content and restricts JS/CSS to origin + # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. + # NOTE: The default CSP headers may cause issues with the webOS app + #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; + ''; + }; + }; +} diff --git a/hosts/jellyfin/secrets.nix b/hosts/jellyfin/secrets.nix new file mode 100644 index 0000000..c1c22c6 --- /dev/null +++ b/hosts/jellyfin/secrets.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + deployment.keys."samba-credentials.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "jellyfin/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} 
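Review bot: In the server-level `extraConfig`, `X-Frame-Options`, `X-XSS-Protection` and `X-Content-Type-Options` are added without `always`, while the COOP/COEP/CORP, `Permissions-Policy` and `Origin-Agent-Cluster` lines have it, so the first three are omitted on 4xx/5xx responses — including the error pages nginx serves itself when the `localhost:8096` upstream is down. `add_header X-Frame-Options "SAMEORIGIN" always;` (and the same for the other two) makes the set consistent. `X-XSS-Protection` is ignored by current browsers and can be dropped; the meaningful control is the commented-out `Content-Security-Policy`, so that line deserves a note stating it is intentionally disabled for the webOS app rather than leftover. Nginx does not inherit `add_header` into any `location` that sets its own `add_header`; none of the three proxy locations here do, but a comment such as `# add_header here is server-wide: any add_header inside a location replaces this whole set` prevents a future edit from silently dropping all of them.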
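Review bot: `destDir = "/secrets"` puts the Samba credentials on the VM's persistent root filesystem rather than the deploy tool's usual tmpfs location (`/run/keys`, as far as I know — confirm), so the secret is captured in every disk snapshot and Proxmox backup of the VM. That is a deliberate trade-off here, because the CIFS mount in this commit's hardware-configuration.nix needs the file at boot before any deploy-time upload could run, but it should be stated: `# Persistent on purpose (not /run/keys): the CIFS mount in hardware-configuration.nix reads this at boot. Backups/snapshots of this VM therefore contain the credential.` `permissions = "0640"` with `root:root` is the right scope since `mount.cifs` runs as root.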
diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix new file mode 100644 index 0000000..d16de8f --- /dev/null +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + services.nginx.virtualHosts."jellyfin.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://jellyfin.vs.grzb.de:80"; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/default.nix b/hosts/web-public-2/virtualHosts/default.nix index f6aadad..c5ec5ef 100644 --- a/hosts/web-public-2/virtualHosts/default.nix +++ b/hosts/web-public-2/virtualHosts/default.nix @@ -1,6 +1,7 @@ { ... }: { imports = [ + ./acme-challenge.nix ./anisync.grzb.de.nix ./birdsite.nekover.se.nix ./element.nekover.se.nix From 5c63b5d1a3cb4c2c2c58e914ab9aa51adcba3983 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 2 Aug 2023 22:46:07 +0200 Subject: [PATCH 026/386] Enable firewall and migrate Jellyfin to NixOS --- hosts.nix | 5 ++++ hosts/hydra/configuration.nix | 5 +++- hosts/iperf/configuration.nix | 2 +- hosts/jellyfin/configuration.nix | 2 +- hosts/jellyfin/nginx.nix | 6 ++++ hosts/tor-relay/configuration.nix | 5 +++- .../configuration.nix | 17 +++++++++++ hosts/web-nonpublic-linuxcrewd/default.nix | 7 +++++ hosts/web-nonpublic-linuxcrewd/nginx.nix | 29 +++++++++++++++++++ hosts/web-public-2/configuration.nix | 5 +++- 10 files changed, 78 insertions(+), 5 deletions(-) create mode 100644 hosts/web-nonpublic-linuxcrewd/configuration.nix create mode 100644 hosts/web-nonpublic-linuxcrewd/default.nix create mode 100644 hosts/web-nonpublic-linuxcrewd/nginx.nix diff --git a/hosts.nix b/hosts.nix index 4cac023..6118252 100644 --- a/hosts.nix +++ b/hosts.nix @@ -35,6 +35,7 @@ in site = "vs"; }; jellyfin = { + hostNixpkgs = nixpkgs-unstable; site = "vs"; }; nitter = { 
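Review bot: The new `jellyfin.grzb.de` port-80 server block defines only the `^~ /.well-known/acme-challenge/` location, so any other plain-HTTP request for that name falls through to nginx's implicit root and gets a default 404/index page instead of being sent to HTTPS. Adding `locations."/" = { return = "301 https://$host$request_uri"; };` beside it closes that gap and gives this name the same behaviour the other vhosts get from `forceSSL`. The challenge is forwarded in clear text to `http://jellyfin.vs.grzb.de:80`, which is fine for http-01 tokens but means this host relies on internal DNS for that name being trustworthy; a one-line comment saying the block exists only so the backend VM can complete its own ACME issuance would make the intent clear.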
@@ -50,4 +51,8 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; + web-nonpublic-linuxcrewd = { + hostNixpkgs = nixpkgs-unstable; + site = "vs"; + }; } diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix index 5596bb5..53a26b0 100644 --- a/hosts/hydra/configuration.nix +++ b/hosts/hydra/configuration.nix @@ -15,7 +15,10 @@ networking = { hostName = "hydra"; - firewall.enable = false; + firewall = { + enable = true; + allowedTCPPorts = [ 8443 ]; + }; }; nix = { diff --git a/hosts/iperf/configuration.nix b/hosts/iperf/configuration.nix index 243344b..b46a7ce 100644 --- a/hosts/iperf/configuration.nix +++ b/hosts/iperf/configuration.nix @@ -7,7 +7,7 @@ networking = { hostName = "iperf"; - firewall.enable = false; + firewall.enable = true; }; system.stateVersion = "23.05"; diff --git a/hosts/jellyfin/configuration.nix b/hosts/jellyfin/configuration.nix index 7d058cd..98624e0 100644 --- a/hosts/jellyfin/configuration.nix +++ b/hosts/jellyfin/configuration.nix @@ -9,7 +9,7 @@ hostName = "jellyfin"; firewall = { enable = true; - allowedTCPPorts = [ 80 443 ]; + allowedTCPPorts = [ 80 443 8443 ]; }; }; diff --git a/hosts/jellyfin/nginx.nix b/hosts/jellyfin/nginx.nix index 7d70066..04431d5 100644 --- a/hosts/jellyfin/nginx.nix +++ b/hosts/jellyfin/nginx.nix @@ -15,6 +15,12 @@ port = 443; ssl = true; } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } ]; locations."= /" = { return = "302 https://$host/web/"; diff --git a/hosts/tor-relay/configuration.nix b/hosts/tor-relay/configuration.nix index 90dbc71..7c2eb84 100644 --- a/hosts/tor-relay/configuration.nix +++ b/hosts/tor-relay/configuration.nix @@ -19,7 +19,10 @@ }; hostName = "tor-relay"; - firewall.enable = false; + firewall = { + enable = true; + allowedTCPPorts = [ 9001 9030 ]; + }; }; system.stateVersion = "23.05"; 
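Review bot: Switching `firewall.enable` to `true` on this host blocks every inbound port that is not explicitly allowed, and unlike the hydra and tor-relay hunks in this commit no `allowedTCPPorts` is added alongside it. If this host runs the iperf3 service (its hostname suggests so, but that is not visible here), its listening port needs `services.iperf3.openFirewall = true;` or an explicit `allowedTCPPorts` entry, otherwise the change is a silent outage rather than a hardening. The enclosing `networking` block continues outside the hunk.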
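Review bot: The added `0.0.0.0:8443` listener enables `proxyProtocol`, and the same commit opens 8443 to all sources via `allowedTCPPorts = [ 80 443 8443 ]` in hosts/jellyfin/configuration.nix, so anything that can reach the VM can connect to 8443 directly and supply its own PROXY header — the client address nginx logs, and hands to Jellyfin if `real_ip_header proxy_protocol` is in effect, becomes caller-chosen, and whatever filtering the SNI stream proxy applies is skipped. Only the stream proxy should be able to reach this listener: restrict 8443 by source (for example a `networking.firewall.extraCommands` rule with `-s <STREAM_PROXY_IP>` instead of the bare `allowedTCPPorts` entry, `<STREAM_PROXY_IP>` being the address of the web-nonpublic-linuxcrewd host), and if real-IP substitution is used keep `set_real_ip_from` limited to that same address. A comment on the listener, `# PROXY-protocol listener: must only be reachable from the SNI stream proxy`, records the constraint. The same exposure appears in `hosts/nextcloud/nextcloud.nix` in patch 028.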
diff --git a/hosts/web-nonpublic-linuxcrewd/configuration.nix b/hosts/web-nonpublic-linuxcrewd/configuration.nix new file mode 100644 index 0000000..56a3254 --- /dev/null +++ b/hosts/web-nonpublic-linuxcrewd/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "web-public-2"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/web-nonpublic-linuxcrewd/default.nix b/hosts/web-nonpublic-linuxcrewd/default.nix new file mode 100644 index 0000000..3db73ca --- /dev/null +++ b/hosts/web-nonpublic-linuxcrewd/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ]; +} diff --git a/hosts/web-nonpublic-linuxcrewd/nginx.nix b/hosts/web-nonpublic-linuxcrewd/nginx.nix new file mode 100644 index 0000000..7d1a420 --- /dev/null +++ b/hosts/web-nonpublic-linuxcrewd/nginx.nix @@ -0,0 +1,29 @@ +{ ... }: +{ + services.nginx = { + enable = true; + + virtualHosts."_" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; + + streamConfig = '' + map $ssl_preread_server_name $address { + jellyfin.grzb.de 10.202.46.101:8443; + } + + server { + listen 0.0.0.0:443; + proxy_pass $address; + ssl_preread on; + proxy_protocol on; + } + ''; + }; +} diff --git a/hosts/web-public-2/configuration.nix b/hosts/web-public-2/configuration.nix index 081ca9a..94e74b6 100644 --- a/hosts/web-public-2/configuration.nix +++ b/hosts/web-public-2/configuration.nix @@ -19,7 +19,10 @@ }; hostName = "web-public-2"; - firewall.enable = false; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 5000 8448 ]; + }; }; system.stateVersion = "23.05"; From 093a44edf433afbc4a2833fd527a700f75d3d644 Mon Sep 17 00:00:00 2001 
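Review bot: `networking.hostName = "web-public-2"` in the new `hosts/web-nonpublic-linuxcrewd/configuration.nix` is a copy-paste leftover — `hosts/web-public-2/configuration.nix` in this same commit sets the identical name, so the two VMs will collide in logs, DHCP/DNS registration and anything that keys on hostname. It should be `hostName = "web-nonpublic-linuxcrewd";`, matching the hosts.nix entry this commit adds. Given the directory name says "nonpublic", the `allowedTCPPorts = [ 80 443 ]` opening deserves a comment naming the network segment this VM is expected to be reachable from.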
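Review bot: The `map $ssl_preread_server_name $address` in `streamConfig` has no `default`, so a connection with an unknown or missing SNI leaves `$address` empty and `proxy_pass` fails, closing the connection; that is the right fail-closed outcome, but it is not obvious from the file and will surface as `proxy_pass` errors in the error log. A one-line comment, `# no default on purpose: unknown SNI must not be forwarded anywhere`, records the intent. Since `proxy_protocol on` makes this host the source of the client-address header, the `10.202.46.101:8443` backend must accept PROXY headers from this host only, which is worth stating next to the `server` block.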
From: fi Date: Thu, 3 Aug 2023 01:32:50 +0200 Subject: [PATCH 027/386] Remove secret.nix from jellyfin imports --- hosts/jellyfin/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/jellyfin/default.nix b/hosts/jellyfin/default.nix index 9c80166..33e2290 100644 --- a/hosts/jellyfin/default.nix +++ b/hosts/jellyfin/default.nix @@ -3,7 +3,6 @@ imports = [ ./configuration.nix ./hardware-configuration.nix - ./secrets.nix ./jellyfin.nix ./nginx.nix ]; From 0a5d07077370dd8f4e8329f7661a693921065153 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 3 Aug 2023 15:51:21 +0200 Subject: [PATCH 028/386] Add nextcloud host --- hosts.nix | 4 ++ hosts/nextcloud/configuration.nix | 17 +++++++++ hosts/nextcloud/default.nix | 7 ++++ hosts/nextcloud/nextcloud.nix | 38 +++++++++++++++++++ hosts/nextcloud/secrets.nix | 11 ++++++ hosts/web-public-2/nginx.nix | 2 +- .../virtualHosts/nextcloud.grzb.de.nix | 2 +- 7 files changed, 79 insertions(+), 2 deletions(-) create mode 100644 hosts/nextcloud/configuration.nix create mode 100644 hosts/nextcloud/default.nix create mode 100644 hosts/nextcloud/nextcloud.nix create mode 100644 hosts/nextcloud/secrets.nix diff --git a/hosts.nix b/hosts.nix index 6118252..1116370 100644 --- a/hosts.nix +++ b/hosts.nix @@ -38,6 +38,10 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; + nextcloud = { + hostNixpkgs = nixpkgs-unstable; + site = "vs"; + }; nitter = { site = "vs"; }; diff --git a/hosts/nextcloud/configuration.nix b/hosts/nextcloud/configuration.nix new file mode 100644 index 0000000..da63943 --- /dev/null +++ b/hosts/nextcloud/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "nextcloud"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 8443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/nextcloud/default.nix b/hosts/nextcloud/default.nix new file mode 100644 index 0000000..81ddd9a --- /dev/null 
+++ b/hosts/nextcloud/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nextcloud.nix + ]; +} diff --git a/hosts/nextcloud/nextcloud.nix b/hosts/nextcloud/nextcloud.nix new file mode 100644 index 0000000..88aa605 --- /dev/null +++ b/hosts/nextcloud/nextcloud.nix @@ -0,0 +1,38 @@ +{ pkgs, config, ... }: +{ + services.nextcloud = { + enable = true; + package = pkgs.nextcloud27; + hostName = "cloud.nekover.se"; + https = true; + config = { + dbtype = "pgsql"; + adminpassFile = "/secrets/nextcloud-adminpass.secret"; + defaultPhoneRegion = "DE"; + }; + database.createLocally = true; + configureRedis = true; + extraAppsEnable = true; + extraApps = with config.services.nextcloud.package.packages.apps; { + inherit bookmarks contacts calendar tasks twofactor_webauthn; + }; + maxUploadSize = "16G"; + }; + + services.nginx.virtualHosts.${config.services.nextcloud.hostName} = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + }; +} diff --git a/hosts/nextcloud/secrets.nix b/hosts/nextcloud/secrets.nix new file mode 100644 index 0000000..785e179 --- /dev/null +++ b/hosts/nextcloud/secrets.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + deployment.keys."nextcloud-adminpass.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ]; + destDir = "/secrets"; + user = "nextcloud"; + group = "nextcloud"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix index 77d48ac..a72db45 100644 --- a/hosts/web-public-2/nginx.nix +++ b/hosts/web-public-2/nginx.nix 
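Review bot: `config.adminpassFile = "/secrets/nextcloud-adminpass.secret"` is consumed by the Nextcloud setup, yet `hosts/nextcloud/default.nix` in this commit imports only `configuration.nix` and `nextcloud.nix`, not the `secrets.nix` that deploys that file; unless the key is wired in elsewhere (the jellyfin host drops its secrets import in patch 027, so that may be the convention — confirm), the first activation will not find the admin password file. The `0.0.0.0:8443` listener with `proxyProtocol = true` is reachable from any source because configuration.nix allows 8443 outright, so a direct connection can forge the PROXY client address that Nextcloud's brute-force protection and audit log see; restrict 8443 by source to the SNI stream proxy. The `localhost:1234` dummy listener should carry the same explanatory comment proposed for the other vhosts rather than a bare `# workaround for enableACME check`.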
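Review bot: `user = "nextcloud"; group = "nextcloud";` together with `uploadAt = "pre-activation"` means the key is uploaded and chowned before the configuration that creates the `nextcloud` user has ever been activated, so on a freshly provisioned VM the first deploy may fail at the upload step (exact behaviour depends on the deploy tool — confirm). Either bootstrap the host once without this file so the user exists, then redeploy, or document the constraint next to `uploadAt`: `# pre-activation upload: the nextcloud user must already exist on the target (bootstrap once without this file)`. `permissions = "0640"` is appropriate for an admin password, and as with the jellyfin key the persistent `/secrets` path means the value survives in VM snapshots and backups.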
@@ -11,6 +11,7 @@ map $ssl_preread_server_name $address { anisync.grzb.de 127.0.0.1:8443; birdsite.nekover.se 127.0.0.1:8443; + cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; @@ -21,7 +22,6 @@ nextcloud.grzb.de 127.0.0.1:8443; nix-cache.nekover.se 10.202.41.121:8443; social.nekover.se 127.0.0.1:8443; - test.grzb.de 127.0.0.1:8443; } server { diff --git a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix index 87fcc68..8cbdcc9 100644 --- a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix +++ b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix @@ -15,7 +15,7 @@ proxyProtocol = true; }]; locations."/" = { - proxyPass = "http://nextcloud.vs.grzb.de:80"; + proxyPass = "http://nextcloud-grzb.vs.grzb.de:80"; }; locations."= /.well-known/carddav" = { return = "301 $scheme://$host/remote.php/dav"; From aed6df2954b341621c303ef84fc6e7df10a99815 Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 4 Aug 2023 01:38:49 +0200 Subject: [PATCH 029/386] Improve Proxmox backup image generation --- configuration/common/default.nix | 5 +++-- configuration/nixos-generators/default.nix | 21 +++++++++++++++++++ configuration/proxmox-vm/default.nix | 4 ++++ .../proxmox-vm/hardware-configuration.nix | 3 +++ flake.lock | 12 +++++------ hosts.nix | 1 - 6 files changed, 37 insertions(+), 9 deletions(-) diff --git a/configuration/common/default.nix b/configuration/common/default.nix index 1b2b085..e28c38a 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix 
@@ -58,11 +58,12 @@ [Unit] Description=print-public-ssh-host-key.service Before=getty@tty1.service + After=sshd.service [Service] Type=oneshot - ExecStart=/run/current-system/sw/bin/bash -c "/run/current-system/sw/bin/echo ----- ED25519 PUBLIC SSH HOST KEY -----\ - && /run/current-system/sw/bin/cut -d ' ' -f 1-2 /etc/ssh/ssh_host_ed25519_key.pub" + ExecStart=/run/current-system/sw/bin/bash -c "/run/current-system/sw/bin/echo -e \"----- ED25519 PUBLIC SSH HOST KEY -----\ + \n$(/run/current-system/sw/bin/cut -d ' ' -f 1-2 /etc/ssh/ssh_host_ed25519_key.pub)\"" RemainAfterExit=no StandardOutput=tty ''; diff --git a/configuration/nixos-generators/default.nix b/configuration/nixos-generators/default.nix index 2cda85e..e392d53 100644 --- a/configuration/nixos-generators/default.nix +++ b/configuration/nixos-generators/default.nix @@ -10,5 +10,26 @@ firewall.enable = true; }; + proxmox = { + qemuConf = { + ostype = "l26"; + cores = 2; + memory = 1024; + bios = "seabios"; + # Option not available in 23.05 + # diskSize = "8096"; + virtio0 = "local-zfs:base-disk-0,discard=on"; + boot = "order=virtio0"; + net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1"; + agent = true; + }; + qemuExtraConf = { + cpu = "cputype=host,flags=+aes"; + onboot = 1; + machine = "q35"; + template = 1; + }; + }; + system.stateVersion = "23.05"; } diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix index 47ed7df..4c5bc6e 100644 --- a/configuration/proxmox-vm/default.nix +++ b/configuration/proxmox-vm/default.nix @@ -1,5 +1,9 @@ { ... }: { + imports = [ + ./hardware-configuration.nix + ]; + # Enable console output on TTY1 and serial console boot.kernelParams = [ "console=tty1" diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/configuration/proxmox-vm/hardware-configuration.nix index 5fbbefa..0d9fa83 100644 --- a/configuration/proxmox-vm/hardware-configuration.nix +++ b/configuration/proxmox-vm/hardware-configuration.nix 
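Review bot: `virtio=00:00:00:00:00:00` in `net0` is an all-zero MAC address; with `template = 1` this is harmless for clones, which presumably receive a fresh MAC from Proxmox, but a VM started directly from this image would come up with an invalid address, and `tag=999` pins the template to a VLAN whose role is not stated. A comment on `net0`, `# placeholder MAC: the image is only ever used as a template, clones get their own; VLAN 999 = <PURPOSE> (e.g. a quarantine/staging VLAN — fill in)`, makes both choices explicit. `firewall=1` on the NIC is a good default for a template, as is `discard=on` on `virtio0`.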
@@ -1,11 +1,14 @@ { config, lib, modulesPath, ... }: { + # hardware-configuration.nix copied and adapted from the default configuration generated by nixos-generators + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; boot = { initrd = { + # To use the VirtIO SCSI disks, add the "virtio_scsi" kernel module to availableKernelModules availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_blk" ]; kernelModules = [ ]; }; diff --git a/flake.lock b/flake.lock index 7668670..61c7311 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690726002, - "narHash": "sha256-cACz6jCJZtsZHGCJAN4vMobxzH5s6FCOTZHMrh/Hu0M=", + "lastModified": 1691016377, + "narHash": "sha256-Vvi49vIL2CzX5bsfE3qovcmzJpkfMo/Mx/coCbu5Jeo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "391e8db1f06c3f74c2d313a73135515023af3993", + "rev": "ad73028def6716978adaec5b0b7706edc611a83e", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1690738238, - "narHash": "sha256-yUFU7PGQzOEDX2Y64QV7xNHkn3RjkOTqvZ5oW5gbgGY=", + "lastModified": 1691071044, + "narHash": "sha256-bYBWtupK/NO/diSpye8TP1E0IC7wj29y2q6blD0FtPk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6376df481833e5f2e83eade8d8f2d04beed007d0", + "rev": "2a1f1797be6e4125ade0be6ac32bb70106ff7245", "type": "github" }, "original": { diff --git a/hosts.nix b/hosts.nix index 1116370..ab1de0e 100644 --- a/hosts.nix +++ b/hosts.nix @@ -4,7 +4,6 @@ let environments = { "proxmox" = [ ./configuration/proxmox-vm - ./configuration/proxmox-vm/hardware-configuration.nix ]; }; generateDefaults = hosts: builtins.mapAttrs (name: { From 3f9cdc09436fe33a40afdcd15367dbe1fc058914 Mon Sep 17 00:00:00 2001 
From: fi Date: Fri, 4 Aug 2023 02:30:57 +0200 Subject: [PATCH 030/386] Set boot.growPartition = true --- configuration/proxmox-vm/default.nix | 6 ------ configuration/proxmox-vm/hardware-configuration.nix | 10 +++++++++- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix index 4c5bc6e..42fc9c9 100644 --- a/configuration/proxmox-vm/default.nix +++ b/configuration/proxmox-vm/default.nix @@ -4,11 +4,5 @@ ./hardware-configuration.nix ]; - # Enable console output on TTY1 and serial console - boot.kernelParams = [ - "console=tty1" - "console=ttyS0,115200" - ]; - services.qemuGuest.enable = true; } diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/configuration/proxmox-vm/hardware-configuration.nix index 0d9fa83..3d4a237 100644 --- a/configuration/proxmox-vm/hardware-configuration.nix +++ b/configuration/proxmox-vm/hardware-configuration.nix @@ -15,12 +15,20 @@ kernelModules = [ "kvm-amd" ]; extraModulePackages = [ ]; + + # Enable console output on TTY1 and serial console + kernelParams = [ + "console=tty1" + "console=ttyS0,115200" + ]; + + growPartition = true; }; fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; - options = [ "x-nixos.autoresize" "x-initrd.mount" ]; + autoResize = true; }; swapDevices = [ ]; From c1bd4e35296b4a7df009345159d49894654770dd Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 4 Aug 2023 03:32:06 +0200 Subject: [PATCH 031/386] Add SMTP configuration to nextcloud and use an additional disk for the data --- hosts/nextcloud/default.nix | 1 + hosts/nextcloud/hardware-configuration.nix | 10 +++++ hosts/nextcloud/nextcloud.nix | 49 +++++++++++++++------- hosts/nextcloud/secrets.nix | 24 +++++++---- 4 files changed, 62 insertions(+), 22 deletions(-) create mode 100644 hosts/nextcloud/hardware-configuration.nix diff --git a/hosts/nextcloud/default.nix b/hosts/nextcloud/default.nix index 81ddd9a..9677aef 100644 
--- a/hosts/nextcloud/default.nix +++ b/hosts/nextcloud/default.nix @@ -2,6 +2,7 @@ { imports = [ ./configuration.nix + ./hardware-configuration.nix ./nextcloud.nix ]; } diff --git a/hosts/nextcloud/hardware-configuration.nix b/hosts/nextcloud/hardware-configuration.nix new file mode 100644 index 0000000..89fc191 --- /dev/null +++ b/hosts/nextcloud/hardware-configuration.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + fileSystems."/var/lib/nextcloud/data" = { + device = "/dev/vdb"; + fsType = "ext4"; + autoFormat = true; + autoResize = true; + options = [ "X-mount.owner=nextcloud" "X-mount.group=nextcloud" ]; + }; +} diff --git a/hosts/nextcloud/nextcloud.nix b/hosts/nextcloud/nextcloud.nix index 88aa605..e6cb567 100644 --- a/hosts/nextcloud/nextcloud.nix +++ b/hosts/nextcloud/nextcloud.nix @@ -17,22 +17,41 @@ inherit bookmarks contacts calendar tasks twofactor_webauthn; }; maxUploadSize = "16G"; + extraOptions = { + mail_smtpmode = "smtp"; + mail_sendmailmode = "smtp"; + mail_smtpsecure = "ssl"; + mail_from_address = "cloud"; + mail_domain = "nekover.se"; + mail_smtpauthtype = "LOGIN"; + mail_smtpauth = 1; + mail_smtphost = "mail.grzb.de"; + mail_smtpport = 465; + mail_smtpname = "nextcloud"; + }; + secretFile = "/secrets/nextcloud-secretfile.secret"; }; - services.nginx.virtualHosts.${config.services.nextcloud.hostName} = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + services.nginx = { + virtualHosts.${config.services.nextcloud.hostName} = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + extraConfig = '' + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; }; } 
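Review bot: `autoFormat = true` is paired with the enumeration-dependent path `/dev/vdb` in the new hosts/nextcloud/hardware-configuration.nix, so if the VM's disk order ever changes the data mount (and the auto-resize) lands on whichever disk now answers to that name. A stable reference such as a `/dev/disk/by-id/` or `/dev/disk/by-path/` entry, or a label once the first format has happened, would pin the mount to the intended disk; which of those is available depends on how Proxmox presents the virtio disk. As far as I recall the NixOS autoFormat helper only runs mkfs when blkid finds no filesystem signature, so the main risk is mounting the wrong disk rather than wiping one, but that is worth confirming before relying on it. A comment naming the disk's role, `# second virtio disk, holds Nextcloud's data directory only`, would also help.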
diff --git a/hosts/nextcloud/secrets.nix b/hosts/nextcloud/secrets.nix index 785e179..c4a91b9 100644 --- a/hosts/nextcloud/secrets.nix +++ b/hosts/nextcloud/secrets.nix @@ -1,11 +1,21 @@ { ... }: { - deployment.keys."nextcloud-adminpass.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ]; - destDir = "/secrets"; - user = "nextcloud"; - group = "nextcloud"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "nextcloud-adminpass.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ]; + destDir = "/secrets"; + user = "nextcloud"; + group = "nextcloud"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "nextcloud-secretfile.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/secretfile" ]; + destDir = "/secrets"; + user = "nextcloud"; + group = "nextcloud"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } From ad208c1870fc00bcb1624a1e33c1b02b988886cb Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 4 Aug 2023 21:59:25 +0200 Subject: [PATCH 032/386] Restrict allowedTCPPorts to port 8443 --- hosts/nextcloud/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/nextcloud/configuration.nix b/hosts/nextcloud/configuration.nix index da63943..737eeae 100644 --- a/hosts/nextcloud/configuration.nix +++ b/hosts/nextcloud/configuration.nix @@ -9,7 +9,7 @@ hostName = "nextcloud"; firewall = { enable = true; - allowedTCPPorts = [ 80 443 8443 ]; + allowedTCPPorts = [ 8443 ]; }; }; From 61f2d8f07ee84d217869ab12ae11b710edc1aab4 Mon Sep 17 00:00:00 2001 
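Review bot: The two entries in the new `deployment.keys` set differ only in the file name and the `pass` entry, and the same eight-line shape reappears in the netbox and metrics `secrets.nix` hunks later in this series. A small helper in a `let` block (or in helper.nix, so every host uses the same one) keeps user, group and permissions identical across secrets and turns a permissions change into a one-line edit. Sketch for this file:
```nix
{ ... }:
let
  # One deployment key per pass entry; owner, mode and upload time are shared
  mkPassKey = entry: {
    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" entry ];
    destDir = "/secrets";
    user = "nextcloud";
    group = "nextcloud";
    permissions = "0640";
    uploadAt = "pre-activation";
  };
in
{
  deployment.keys = {
    "nextcloud-adminpass.secret" = mkPassKey "nextcloud/adminpass";
    "nextcloud-secretfile.secret" = mkPassKey "nextcloud/secretfile";
  };
}
```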
From: fi Date: Fri, 4 Aug 2023 22:51:16 +0200 Subject: [PATCH 033/386] Fix hostname --- hosts/web-nonpublic-linuxcrewd/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/web-nonpublic-linuxcrewd/configuration.nix b/hosts/web-nonpublic-linuxcrewd/configuration.nix index 56a3254..7f9396b 100644 --- a/hosts/web-nonpublic-linuxcrewd/configuration.nix +++ b/hosts/web-nonpublic-linuxcrewd/configuration.nix @@ -6,7 +6,7 @@ }; networking = { - hostName = "web-public-2"; + hostName = "web-nonpublic-linuxcrewd"; firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; From a4f3e68aac63da0523a5e3f7034b8b863f56141b Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 5 Aug 2023 04:47:14 +0200 Subject: [PATCH 034/386] Add netbox host --- hosts.nix | 3 ++ hosts/netbox/configuration.nix | 17 +++++++++++ hosts/netbox/default.nix | 8 +++++ hosts/netbox/netbox.nix | 7 +++++ hosts/netbox/nginx.nix | 29 +++++++++++++++++++ hosts/netbox/secrets.nix | 11 +++++++ .../virtualHosts/acme-challenge.nix | 9 ++++++ 7 files changed, 84 insertions(+) create mode 100644 hosts/netbox/configuration.nix create mode 100644 hosts/netbox/default.nix create mode 100644 hosts/netbox/netbox.nix create mode 100644 hosts/netbox/nginx.nix create mode 100644 hosts/netbox/secrets.nix diff --git a/hosts.nix b/hosts.nix index ab1de0e..9c83870 100644 --- a/hosts.nix +++ b/hosts.nix @@ -37,6 +37,9 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; + netbox = { + site = "vs"; + }; nextcloud = { hostNixpkgs = nixpkgs-unstable; site = "vs"; diff --git a/hosts/netbox/configuration.nix b/hosts/netbox/configuration.nix new file mode 100644 index 0000000..5bf8422 --- /dev/null +++ b/hosts/netbox/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "netbox"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} 
diff --git a/hosts/netbox/default.nix b/hosts/netbox/default.nix new file mode 100644 index 0000000..5dd147b --- /dev/null +++ b/hosts/netbox/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./netbox.nix + ./nginx.nix + ]; +} diff --git a/hosts/netbox/netbox.nix b/hosts/netbox/netbox.nix new file mode 100644 index 0000000..32e37e4 --- /dev/null +++ b/hosts/netbox/netbox.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + services.netbox = { + enable = true; + secretKeyFile = "/secrets/netbox-secret-key.secret"; + }; +} diff --git a/hosts/netbox/nginx.nix b/hosts/netbox/nginx.nix new file mode 100644 index 0000000..a2d1782 --- /dev/null +++ b/hosts/netbox/nginx.nix @@ -0,0 +1,29 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + clientMaxBodySize = "25m"; + user = "netbox"; + virtualHosts."netbox.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/static/" = { + alias = "${config.services.netbox.dataDir}/static/"; + }; + locations."/" = { + proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; + }; + }; + }; +} diff --git a/hosts/netbox/secrets.nix b/hosts/netbox/secrets.nix new file mode 100644 index 0000000..e31c666 --- /dev/null +++ b/hosts/netbox/secrets.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + deployment.keys."netbox-secret-key.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "netbox/secret-key" ]; + destDir = "/secrets"; + user = "netbox"; + group = "netbox"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix index d16de8f..9dc3b4b 100644 --- a/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix 
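Review bot: `user = "netbox"` in the new hosts/netbox/nginx.nix runs the whole nginx master and worker set as the application user, so the web server can read everything netbox can, including `/secrets/netbox-secret-key.secret` (0640 netbox:netbox per the secrets.nix hunk in this commit). If the only reason is read access to `${config.services.netbox.dataDir}/static/`, granting `users.users.nginx.extraGroups = [ "netbox" ];` and making the static directory group-readable keeps the two identities separate; whether the module already sets group permissions on dataDir I cannot tell from here. A one-line comment stating why nginx needs that identity would help either way, e.g. `# nginx serves /static/ straight from netbox's dataDir`.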
@@ -9,4 +9,13 @@ proxyPass = "http://jellyfin.vs.grzb.de:80"; }; }; + services.nginx.virtualHosts."netbox.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://netbox.vs.grzb.de:80"; + }; + }; } From 70eb8625bc894409b139b222c1a6f491c08cb06d Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 5 Aug 2023 06:49:48 +0200 Subject: [PATCH 035/386] Enable proxyprotocol for nitter host --- hosts.nix | 1 + hosts/nitter/configuration.nix | 5 ++- hosts/nitter/nginx.nix | 44 +++++++++---------- hosts/nitter/nitter.nix | 2 +- hosts/web-public-2/nginx.nix | 2 +- .../virtualHosts/birdsite.nekover.se.nix | 26 ----------- hosts/web-public-2/virtualHosts/default.nix | 1 - 7 files changed, 29 insertions(+), 52 deletions(-) delete mode 100644 hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix diff --git a/hosts.nix b/hosts.nix index 9c83870..8a451d1 100644 --- a/hosts.nix +++ b/hosts.nix @@ -45,6 +45,7 @@ in site = "vs"; }; nitter = { + hostNixpkgs = nixpkgs-unstable; site = "vs"; }; nixos-coturn = { diff --git a/hosts/nitter/configuration.nix b/hosts/nitter/configuration.nix index a7002d0..bc54db7 100644 --- a/hosts/nitter/configuration.nix +++ b/hosts/nitter/configuration.nix @@ -7,7 +7,10 @@ networking = { hostName = "nitter"; - firewall.enable = false; + firewall = { + enable = true; + allowedTCPPorts = [ 8443 ]; + }; }; system.stateVersion = "23.05"; diff --git a/hosts/nitter/nginx.nix b/hosts/nitter/nginx.nix index cdec9b4..d0f47ed 100644 --- a/hosts/nitter/nginx.nix +++ b/hosts/nitter/nginx.nix 
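Review bot: The `netbox.grzb.de` block added to acme-challenge.nix is another copy of the same listen/locations shape, differing only in the host name and the backend, and the metrics, grafana-rename and coturn hunks later in this series add more of them. Generating the routes from one name-to-backend map keeps every challenge vhost identical and makes the list of proxied hosts visible in one place; the enclosing attribute set starts before this hunk, so the sketch below is the whole file reshaped rather than a drop-in for the hunk:
```nix
{ lib, ... }:
let
  # Edge-side HTTP-01 forwarding: each name is answered by the VM that holds its certificate
  challengeBackends = {
    "netbox.grzb.de" = "http://netbox.vs.grzb.de:80";
    # … unchanged: the other challenge routes already in this file …
  };
in
{
  services.nginx.virtualHosts = lib.mapAttrs (_: backend: {
    listen = [{ addr = "0.0.0.0"; port = 80; }];
    locations."^~ /.well-known/acme-challenge/".proxyPass = backend;
  }) challengeBackends;
}
```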
@@ -1,28 +1,28 @@ -{ ... }: +{ config, ... }: { services.nginx = { enable = true; - enableReload = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - virtualHosts = { - "nixos-nitter.vs.grzb.de" = { - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: /\\n\""; - }; - - locations."/" = { - proxyPass = "http://localhost:8080"; - extraConfig = - "proxy_http_version 1.1;" + - "proxy_set_header Upgrade $http_upgrade;" + - "proxy_set_header Connection \"upgrade\";" + - "proxy_set_header Host $host;" - ; - }; + virtualHosts."birdsite.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: /\\n\""; + }; + locations."/" = { + proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}"; + proxyWebsockets = true; }; }; }; diff --git a/hosts/nitter/nitter.nix b/hosts/nitter/nitter.nix index 301a7ca..94165c4 100644 --- a/hosts/nitter/nitter.nix +++ b/hosts/nitter/nitter.nix @@ -6,7 +6,7 @@ server = { title = "Birdsite"; https = true; - address = "0.0.0.0"; + address = "127.0.0.1"; port = 8080; hostname = "birdsite.nekover.se"; }; diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix index a72db45..713a09d 100644 --- a/hosts/web-public-2/nginx.nix +++ b/hosts/web-public-2/nginx.nix @@ -10,7 +10,7 @@ streamConfig = '' map $ssl_preread_server_name $address { anisync.grzb.de 127.0.0.1:8443; - birdsite.nekover.se 127.0.0.1:8443; + birdsite.nekover.se 10.202.41.107:8443; cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443; 
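Review bot: The rewritten hosts/nitter/nginx.nix drops `recommendedTlsSettings`, `recommendedProxySettings`, `recommendedGzipSettings` and `recommendedOptimisation` without re-enabling them, so the vhost now terminates TLS with nginx's stock protocol and cipher defaults and forwards no `Host`/`X-Forwarded-*` headers to nitter. Unlike the nextcloud vhost earlier in this series, the PROXY-protocol listener also has no `set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol;`, so nitter's logs and any per-client limiting see the edge proxy's address for every request. Restoring the four `recommended*` flags and adding the two real_ip lines as `extraConfig` on the vhost would bring it in line with the nextcloud host.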
diff --git a/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix deleted file mode 100644 index a043d8e..0000000 --- a/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ ... }: -{ - services.nginx.virtualHosts."birdsite.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://nitter.vs.grzb.de:8080"; - proxyWebsockets = true; - }; - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: /\\n\""; - }; - }; -} diff --git a/hosts/web-public-2/virtualHosts/default.nix b/hosts/web-public-2/virtualHosts/default.nix index c5ec5ef..06d0bfd 100644 --- a/hosts/web-public-2/virtualHosts/default.nix +++ b/hosts/web-public-2/virtualHosts/default.nix @@ -3,7 +3,6 @@ imports = [ ./acme-challenge.nix ./anisync.grzb.de.nix - ./birdsite.nekover.se.nix ./element.nekover.se.nix ./gameserver.grzb.de.nix ./git.grzb.de.nix From 0fa4ca752161620651c446fcc5ee41c90b4f907f Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 5 Aug 2023 20:36:14 +0200 Subject: [PATCH 036/386] Increase opcache.interned_strings_buffer PHP option --- hosts/nextcloud/nextcloud.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/nextcloud/nextcloud.nix b/hosts/nextcloud/nextcloud.nix index e6cb567..d09b0fb 100644 --- a/hosts/nextcloud/nextcloud.nix +++ b/hosts/nextcloud/nextcloud.nix @@ -29,7 +29,12 @@ mail_smtpport = 465; mail_smtpname = "nextcloud"; }; + # Only contains mail_smtppassword secretFile = "/secrets/nextcloud-secretfile.secret"; + phpOptions = { + # The amount of memory for interned strings in Mbytes + "opcache.interned_strings_buffer" = "64"; + }; }; services.nginx = { From b7bae9e9de68523fff380c111a958ad8a4a49db7 Mon Sep 17 00:00:00 2001 
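Review bot: The new `phpOptions` block defines only `opcache.interned_strings_buffer`, and depending on the nixpkgs revision the nextcloud host tracks, `services.nextcloud.phpOptions` either replaces the module's default PHP settings (older module, where the defaults lived in the option's `default`) or is merged on top of them (newer module). If it replaces them, the module's `memory_limit` and other opcache defaults silently disappear; worth checking the rendered php.ini after deploy, or stating the intent explicitly as `phpOptions = options.services.nextcloud.phpOptions.default // { "opcache.interned_strings_buffer" = "64"; };` if the module still exposes its defaults that way. The `# Only contains mail_smtppassword` comment on `secretFile` is useful; I would extend it to `# JSON merged into config.php; only contains mail_smtppassword` so the file format is documented too.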
From: fi Date: Sun, 6 Aug 2023 17:53:50 +0200 Subject: [PATCH 037/386] WIP grafana --- hosts.nix | 3 ++ hosts/metrics/configuration.nix | 17 +++++++++++ hosts/metrics/default.nix | 9 ++++++ hosts/metrics/grafana.nix | 28 +++++++++++++++++++ hosts/metrics/nginx.nix | 26 +++++++++++++++++ hosts/metrics/prometheus.nix | 6 ++++ hosts/metrics/secrets.nix | 19 +++++++++++++ .../virtualHosts/acme-challenge.nix | 9 ++++++ 8 files changed, 117 insertions(+) create mode 100644 hosts/metrics/configuration.nix create mode 100644 hosts/metrics/default.nix create mode 100644 hosts/metrics/grafana.nix create mode 100644 hosts/metrics/nginx.nix create mode 100644 hosts/metrics/prometheus.nix create mode 100644 hosts/metrics/secrets.nix diff --git a/hosts.nix b/hosts.nix index 8a451d1..cb5887a 100644 --- a/hosts.nix +++ b/hosts.nix @@ -37,6 +37,9 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; + metrics = { + site = "vs"; + }; netbox = { site = "vs"; }; diff --git a/hosts/metrics/configuration.nix b/hosts/metrics/configuration.nix new file mode 100644 index 0000000..c051c2d --- /dev/null +++ b/hosts/metrics/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "metrics"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/metrics/default.nix b/hosts/metrics/default.nix new file mode 100644 index 0000000..ef5c25c --- /dev/null +++ b/hosts/metrics/default.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./grafana.nix + ./prometheus.nix + ./nginx.nix + ]; +} diff --git a/hosts/metrics/grafana.nix b/hosts/metrics/grafana.nix new file mode 100644 index 0000000..c3ca63f --- /dev/null +++ b/hosts/metrics/grafana.nix 
@@ -0,0 +1,28 @@ +{ ... }: +{ + services.grafana = { + enable = true; + settings = { + server = { + domain = "grafana2.grzb.de"; + root_url = "https://grafana2.grzb.de"; + }; + security = { + cookie_secure = true; + cookie_samesite = "strict"; + admin_user = "yuri"; + admin_password = "$__file{/secrets/metrics-grafana-admin-password.secret}"; + admin_email = "yuri@nekover.se"; + }; + smtp = { + enabled = true; + host = "mail.grzb.de:465"; + user = "grafana"; + password = "$__file{/secrets/metrics-grafana-smtp-password.secret}"; + from_address = "grafana@robot.grzb.de"; + from_name = "Grafana"; + startTLS_policy = "NoStartTLS"; + }; + }; + }; +} diff --git a/hosts/metrics/nginx.nix b/hosts/metrics/nginx.nix new file mode 100644 index 0000000..660d06c --- /dev/null +++ b/hosts/metrics/nginx.nix @@ -0,0 +1,26 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + virtualHosts = { + "grafana2.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + }; + }; + }; + }; +} diff --git a/hosts/metrics/prometheus.nix b/hosts/metrics/prometheus.nix new file mode 100644 index 0000000..5c0d6a5 --- /dev/null +++ b/hosts/metrics/prometheus.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.prometheus = { + enable = true; + }; +} diff --git a/hosts/metrics/secrets.nix b/hosts/metrics/secrets.nix new file mode 100644 index 0000000..43b06b3 --- /dev/null +++ b/hosts/metrics/secrets.nix 
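Review bot: The new `security` block in hosts/metrics/grafana.nix takes the admin password from a file but does not set `secret_key`, the key Grafana uses to encrypt stored datasource credentials, and Grafana ships a documented default for it. Unless the NixOS module generates one on its own (I cannot tell from here), add a third deployment key and reference it the same way, `secret_key = "$__file{/secrets/metrics-grafana-secret-key.secret}";` (name chosen to match the two existing keys). The SMTP block talks to port 465 with `startTLS_policy = "NoStartTLS"`, which I read as implicit TLS on the SMTPS port; a one-line comment saying so, `# port 465 is implicit TLS, so STARTTLS is deliberately off`, would stop the next reader from assuming the mail password goes out in clear.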
@@ -0,0 +1,19 @@ +{ ... }: +{ + deployment.keys."metrics-grafana-admin-password.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/admin-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."metrics-grafana-smtp-password.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/smtp-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix index 9dc3b4b..2edecfd 100644 --- a/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -18,4 +18,13 @@ proxyPass = "http://netbox.vs.grzb.de:80"; }; }; + services.nginx.virtualHosts."grafana2.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://metrics.vs.grzb.de:80"; + }; + }; } From d625f3f8871774c641426acd88dc0acb63c5eb92 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 7 Aug 2023 00:58:45 +0200 Subject: [PATCH 038/386] Add metrics host with Grafana and Prometheus --- flake.nix | 8 ++++++-- helper.nix | 4 ++-- hosts/metrics/grafana.nix | 14 +++++++++++--- hosts/metrics/nginx.nix | 3 ++- hosts/metrics/prometheus.nix | 15 ++++++++++++++- .../web-public-2/virtualHosts/acme-challenge.nix | 2 +- 6 files changed, 36 insertions(+), 10 deletions(-) diff --git a/flake.nix b/flake.nix index 90ed283..2e5abe8 100644 --- a/flake.nix +++ b/flake.nix 
@@ -10,7 +10,7 @@ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let hosts = import ./hosts.nix inputs; - helper = import ./helper.nix inputs; + helper = import ./helper.nix inputs; in { colmena = { meta = { @@ -23,11 +23,15 @@ # The default is "nixpkgs" for "x86_64-linux" systems, # but it is overridden by the host-specific "hostNixpkgs" and "system" attributes. nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; + + specialArgs = { + inherit hosts; + }; }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts; hydraJobs = { - nixConfigurations = builtins.mapAttrs (helper.generateNixConfiguration) hosts; + nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts; }) hosts; }; # Generate a base VM image for Proxmox with `nix build .#base-proxmox` diff --git a/helper.nix b/helper.nix index 2188959..360b356 100644 --- a/helper.nix +++ b/helper.nix @@ -14,7 +14,7 @@ imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix; }; - generateNixConfiguration = name: { + generateNixConfiguration = name: specialArgs: { hostNixpkgs, system, modules, @@ -26,6 +26,6 @@ filter = name: host: (builtins.substring 0 1 name) != "_"; in (nixpkgs.lib.filterAttrs filter (hostNixpkgs.lib.nixosSystem { - inherit system modules; + inherit system modules specialArgs; })).config.system.build.toplevel; # Builds the entire NixOS system, see: https://nixos.org/manual/nixos/stable/#sec-building-parts } diff --git a/hosts/metrics/grafana.nix b/hosts/metrics/grafana.nix index c3ca63f..7cf4dcf 100644 --- a/hosts/metrics/grafana.nix +++ b/hosts/metrics/grafana.nix 
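Review bot: In the `hydraJobs` hunk the lambda passed to `builtins.mapAttrs` names its first argument `host`, but `mapAttrs` binds that position to the attribute name; the host's attribute set arrives as the second, implicit argument that `helper.generateNixConfiguration name specialArgs` then destructures. Renaming it, `nixConfigurations = builtins.mapAttrs (name: helper.generateNixConfiguration name { inherit hosts; }) hosts;`, matches the `name:` parameter in helper.nix and the `(name: host: host.pkgs)` form a few lines above. The colmena `specialArgs` addition is fine; a short comment such as `# same hosts set the hydra jobs receive, so modules see one view of the fleet` would tie the two paths together.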
@@ -1,11 +1,11 @@ -{ ... }: +{ config, ... }: { services.grafana = { enable = true; settings = { server = { - domain = "grafana2.grzb.de"; - root_url = "https://grafana2.grzb.de"; + domain = "grafana.grzb.de"; + root_url = "https://${config.services.grafana.settings.server.domain}"; }; security = { cookie_secure = true; @@ -24,5 +24,13 @@ startTLS_policy = "NoStartTLS"; }; }; + provision.datasources.settings.datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:${builtins.toString config.services.prometheus.port}"; + isDefault = true; + } + ]; }; } diff --git a/hosts/metrics/nginx.nix b/hosts/metrics/nginx.nix index 660d06c..9e31454 100644 --- a/hosts/metrics/nginx.nix +++ b/hosts/metrics/nginx.nix @@ -3,7 +3,7 @@ services.nginx = { enable = true; virtualHosts = { - "grafana2.grzb.de" = { + ${config.services.grafana.settings.server.domain} = { forceSSL = true; enableACME = true; listen = [ @@ -19,6 +19,7 @@ ]; locations."/" = { proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + proxyWebsockets = true; }; }; }; diff --git a/hosts/metrics/prometheus.nix b/hosts/metrics/prometheus.nix index 5c0d6a5..c4b45b1 100644 --- a/hosts/metrics/prometheus.nix +++ b/hosts/metrics/prometheus.nix @@ -1,6 +1,19 @@ -{ ... }: +{ hosts, ... }: { services.prometheus = { enable = true; + scrapeConfigs = [ + { + job_name = "node"; + static_configs = builtins.map (name: { + targets = [ + "${name}.${hosts.${name}.site}.grzb.de:9100" + ]; + labels = { + host = "${name}.${hosts.${name}.site}.grzb.de"; + }; + }) (builtins.attrNames hosts); + } + ]; }; } diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix index 2edecfd..82540d8 100644 --- a/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix 
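Review bot: The new scrape config in hosts/metrics/prometheus.nix targets `<host>.<site>.grzb.de:9100` for every entry in `hosts`, but nothing visible in this series enables `services.prometheus.exporters.node` on those hosts and the firewall hunks above open only the service ports, so every target will show as down until the exporter is enabled and 9100 is allowed from the metrics VM. It also evaluates `hosts.${name}.site` for every host, so a host entry without `site` breaks evaluation of the metrics host. Computing the FQDN once per host avoids repeating the string in `targets` and `labels.host`, and filtering on `site` makes the assumption explicit:
```nix
    scrapeConfigs = [
      {
        job_name = "node";
        # One target per host that declares a site; node exporter on 9100 must be enabled there
        static_configs = builtins.map
          (name:
            let fqdn = "${name}.${hosts.${name}.site}.grzb.de";
            in {
              targets = [ "${fqdn}:9100" ];
              labels.host = fqdn;
            })
          (builtins.filter (name: hosts.${name} ? site) (builtins.attrNames hosts));
      }
    ];
```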
@@ -18,7 +18,7 @@ proxyPass = "http://netbox.vs.grzb.de:80"; }; }; - services.nginx.virtualHosts."grafana2.grzb.de" = { + services.nginx.virtualHosts."grafana.grzb.de" = { listen = [{ addr = "0.0.0.0"; port = 80; From 8b6d09def836537089a7f43a1864a483f67d52c9 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 7 Aug 2023 22:12:36 +0200 Subject: [PATCH 039/386] Rename nixos-coturn to coturn and finish config --- hosts.nix | 2 +- hosts/coturn/acme.nix | 10 +++++++++ hosts/coturn/configuration.nix | 22 +++++++++++++++++++ hosts/{nixos-coturn => coturn}/coturn.nix | 12 +++++----- hosts/{nixos-coturn => coturn}/default.nix | 1 + hosts/{nixos-coturn => coturn}/secrets.nix | 0 hosts/nixos-coturn/configuration.nix | 14 ------------ .../virtualHosts/acme-challenge.nix | 9 ++++++++ 8 files changed, 49 insertions(+), 21 deletions(-) create mode 100644 hosts/coturn/acme.nix create mode 100644 hosts/coturn/configuration.nix rename hosts/{nixos-coturn => coturn}/coturn.nix (82%) rename hosts/{nixos-coturn => coturn}/default.nix (82%) rename hosts/{nixos-coturn => coturn}/secrets.nix (100%) delete mode 100644 hosts/nixos-coturn/configuration.nix diff --git a/hosts.nix b/hosts.nix index cb5887a..ff6d3f3 100644 --- a/hosts.nix +++ b/hosts.nix @@ -51,7 +51,7 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; - nixos-coturn = { + coturn = { site = "vs"; }; tor-relay = { diff --git a/hosts/coturn/acme.nix b/hosts/coturn/acme.nix new file mode 100644 index 0000000..69fe89d --- /dev/null +++ b/hosts/coturn/acme.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + security.acme.certs = { + "turn.nekover.se" = { + listenHTTP = ":80"; + group = "turnserver"; + reloadServices = [ "coturn.service" ]; + }; + }; +} diff --git a/hosts/coturn/configuration.nix b/hosts/coturn/configuration.nix new file mode 100644 index 0000000..cb59fb9 --- /dev/null +++ b/hosts/coturn/configuration.nix 
@@ -0,0 +1,22 @@ +{ config, ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "coturn"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 3478 5349 ]; + allowedUDPPorts = [ 3478 5349 ]; + allowedUDPPortRanges = [{ + from = config.services.coturn.min-port; + to = config.services.coturn.max-port; + }]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/nixos-coturn/coturn.nix b/hosts/coturn/coturn.nix similarity index 82% rename from hosts/nixos-coturn/coturn.nix rename to hosts/coturn/coturn.nix index c85dcba..719c872 100644 --- a/hosts/nixos-coturn/coturn.nix +++ b/hosts/coturn/coturn.nix @@ -1,17 +1,17 @@ -{ ... }: +{ config, ... }: { services.coturn = { enable = true; - min-port = 49200; max-port = 49500; use-auth-secret = true; static-auth-secret-file = "/secrets/static-auth-secret.secret"; realm = "turn.nekover.se"; - cert = "/certs/turn.nekover.se/fullchain.pem"; - pkey = "/certs/turn.nekover.se/key.pem"; + cert = "${config.security.acme.certs."turn.nekover.se".directory}/fullchain.pem"; + pkey = "${config.security.acme.certs."turn.nekover.se".directory}/key.pem"; no-tcp-relay = true; - extraConfig = " + no-cli = true; + extraConfig = '' external-ip=170.133.2.81/10.202.41.118 prometheus syslog @@ -40,6 +40,6 @@ user-quota=12 total-quota=1200 - "; + ''; }; } diff --git a/hosts/nixos-coturn/default.nix b/hosts/coturn/default.nix similarity index 82% rename from hosts/nixos-coturn/default.nix rename to hosts/coturn/default.nix index 1036572..bc32a3d 100644 --- a/hosts/nixos-coturn/default.nix +++ b/hosts/coturn/default.nix @@ -2,6 +2,7 @@ { imports = [ ./configuration.nix + ./acme.nix ./coturn.nix ]; } diff --git a/hosts/nixos-coturn/secrets.nix b/hosts/coturn/secrets.nix similarity index 100% rename from hosts/nixos-coturn/secrets.nix rename to hosts/coturn/secrets.nix 
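Review bot: The coturn hunk now reads the certificate and key from the ACME directory and sets `no-cli = true`, but the visible part of `extraConfig` shows no `denied-peer-ip` lines; the middle of `extraConfig` sits between the two hunks, so if they are not there, add `denied-peer-ip=10.0.0.0-10.255.255.255` (and the other private and link-local ranges) so the relay cannot be pointed at the VM's own 10.202.41.0/24 network. `min-port` is removed while `max-port = 49500` stays, so the relay range now runs from the module's default lower bound (49152, if I remember the option right) to 49500; the firewall hunk derives its UDP range from both options, which is the right place, but a comment like `# min-port is left at the module default` would make that explicit.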
diff --git a/hosts/nixos-coturn/configuration.nix b/hosts/nixos-coturn/configuration.nix deleted file mode 100644 index 094f157..0000000 --- a/hosts/nixos-coturn/configuration.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "coturn"; - firewall.enable = false; - }; - - system.stateVersion = "23.05"; -} diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix index 82540d8..6ec8d36 100644 --- a/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -27,4 +27,13 @@ proxyPass = "http://metrics.vs.grzb.de:80"; }; }; + services.nginx.virtualHosts."turn.nekover.se" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://coturn.vs.grzb.de:80"; + }; + }; } From 1ab6eb6c94ef50d355e7be8827f8219ada7d4076 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 7 Aug 2023 22:24:29 +0200 Subject: [PATCH 040/386] Bump flake.lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 61c7311..8c5ec2a 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1691016377, - "narHash": "sha256-Vvi49vIL2CzX5bsfE3qovcmzJpkfMo/Mx/coCbu5Jeo=", + "lastModified": 1691406141, + "narHash": "sha256-5GME9kMEiPix0R383spkuYYvtmnYHxS1/0Q+ki6W8Gs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ad73028def6716978adaec5b0b7706edc611a83e", + "rev": "9ba5e0b04727309ed8583079a3eaefd0290c7a2b", "type": "github" }, "original": { 
@@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1691071044, - "narHash": "sha256-bYBWtupK/NO/diSpye8TP1E0IC7wj29y2q6blD0FtPk=", + "lastModified": 1691420187, + "narHash": "sha256-FTrMlGQqHViHbOPkI0JCNxMysxnPw1UA0+SiL4+Wafc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2a1f1797be6e4125ade0be6ac32bb70106ff7245", + "rev": "b367b9cf872c8de59d2379330dfe4f541f3ba5cc", "type": "github" }, "original": { From b7864a679856a67fb51ba4e90d2bcb6bdfd4a417 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 7 Aug 2023 22:24:43 +0200 Subject: [PATCH 041/386] Only run pipeline when specific RUN_JOB variable value is set --- .gitlab-ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8cb05b5..4c519b6 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -8,6 +8,8 @@ stages: update_flake_lock: stage: update_flake_lock + rules: + - if: $RUN_JOB == "update_flake_lock" script: - nix flake update --extra-experimental-features nix-command --extra-experimental-features flakes artifacts: @@ -16,6 +18,8 @@ update_flake_lock: apply: stage: apply + rules: + - if: $RUN_JOB == "deploy" script: - nix-env --install colmena - eval $(ssh-agent -s) @@ -30,6 +34,8 @@ apply: commit_flake: stage: commit_flake + rules: + - if: $RUN_JOB == "update_flake_lock" variables: GIT_AUTHOR_EMAIL: $GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME: $GIT_AUTHOR_NAME From e93c605ebb885975cb891ee21a7fcd7fc00357d8 Mon Sep 17 00:00:00 2001 
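Review bot: Gating `apply` only on `$RUN_JOB == "deploy"` means any pipeline that can set that variable — a manual run from any branch, a trigger token, or a merge-request pipeline — can execute the deployment with whatever key the job presumably loads into the `ssh-agent` it starts (the job's script continues past the hunk). Tying the rule to the default branch, `- if: $RUN_JOB == "deploy" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH`, and keeping the deploy credentials as protected variables limits who can reach the fleet through CI. The same consideration applies, with less at stake, to the `commit_flake` rule in the third hunk, which pushes to the repository.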
From: fi Date: Tue, 29 Aug 2023 16:10:22 +0200 Subject: [PATCH 042/386] Add matrix-synapse host --- flake.lock | 12 +++---- hosts.nix | 3 ++ hosts/matrix/configuration.nix | 17 +++++++++ hosts/matrix/default.nix | 10 ++++++ hosts/matrix/hardware-configuration.nix | 21 +++++++++++ hosts/matrix/matrix-synapse.nix | 36 +++++++++++++++++++ hosts/matrix/nginx.nix | 35 ++++++++++++++++++ hosts/matrix/postgresql.nix | 13 +++++++ hosts/matrix/secrets.nix | 35 ++++++++++++++++++ hosts/web-public-2/nginx.nix | 2 +- .../virtualHosts/acme-challenge.nix | 9 +++++ hosts/web-public-2/virtualHosts/default.nix | 1 - .../virtualHosts/matrix.nekover.se.nix | 33 ----------------- 13 files changed, 186 insertions(+), 41 deletions(-) create mode 100644 hosts/matrix/configuration.nix create mode 100644 hosts/matrix/default.nix create mode 100644 hosts/matrix/hardware-configuration.nix create mode 100644 hosts/matrix/matrix-synapse.nix create mode 100644 hosts/matrix/nginx.nix create mode 100644 hosts/matrix/postgresql.nix create mode 100644 hosts/matrix/secrets.nix delete mode 100644 hosts/web-public-2/virtualHosts/matrix.nekover.se.nix diff --git a/flake.lock b/flake.lock index 8c5ec2a..61995d3 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1691406141, - "narHash": "sha256-5GME9kMEiPix0R383spkuYYvtmnYHxS1/0Q+ki6W8Gs=", + "lastModified": 1693183237, + "narHash": "sha256-c7OtyBkZ/vZE/WosBpRGRtkbWZjDHGJP7fg1FyB9Dsc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9ba5e0b04727309ed8583079a3eaefd0290c7a2b", + "rev": "ea5234e7073d5f44728c499192544a84244bf35a", "type": "github" }, "original": { 
@@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1691420187, - "narHash": "sha256-FTrMlGQqHViHbOPkI0JCNxMysxnPw1UA0+SiL4+Wafc=", + "lastModified": 1693184707, + "narHash": "sha256-MqCT/wuRKC79QJKlYhdfkUNerPcm63vZLd6P7lZGC0M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b367b9cf872c8de59d2379330dfe4f541f3ba5cc", + "rev": "48516a891d020801bc5304375739d2604400c741", "type": "github" }, "original": { diff --git a/hosts.nix b/hosts.nix index ff6d3f3..d608e79 100644 --- a/hosts.nix +++ b/hosts.nix @@ -37,6 +37,9 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; + matrix = { + site = "vs"; + }; metrics = { site = "vs"; }; diff --git a/hosts/matrix/configuration.nix b/hosts/matrix/configuration.nix new file mode 100644 index 0000000..9ffa4c6 --- /dev/null +++ b/hosts/matrix/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "matrix"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 8443 8448 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix new file mode 100644 index 0000000..27528b7 --- /dev/null +++ b/hosts/matrix/default.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ./postgresql.nix + ./matrix-synapse.nix + ./nginx.nix + ]; +} diff --git a/hosts/matrix/hardware-configuration.nix b/hosts/matrix/hardware-configuration.nix new file mode 100644 index 0000000..d014f39 --- /dev/null +++ b/hosts/matrix/hardware-configuration.nix 
@@ -0,0 +1,21 @@
+{ config, ... }:
+{
+ fileSystems."/mnt/data" = {
+ device = "/dev/disk/by-label/data";
+ fsType = "ext4";
+ autoFormat = true;
+ autoResize = true;
+ };
+ fileSystems."/var/lib/matrix-synapse/media_store" = {
+ depends = [ "/mnt/data" ];
+ device = "/mnt/data/media_store";
+ fsType = "none";
+ options = [ "bind" "X-mount.owner=matrix-synapse" "X-mount.group=matrix-synapse" ];
+ };
+ fileSystems."/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}" = {
+ depends = [ "/mnt/data" ];
+ device = "/mnt/data/database";
+ fsType = "none";
+ options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ];
+ };
+}
diff --git a/hosts/matrix/matrix-synapse.nix b/hosts/matrix/matrix-synapse.nix
new file mode 100644
index 0000000..e4f508e
--- /dev/null
+++ b/hosts/matrix/matrix-synapse.nix
@@ -0,0 +1,36 @@
+{ ... }:
+{
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = "nekover.se";
+ public_baseurl = "https://matrix.nekover.se";
+ database = {
+ name = "psycopg2";
+ args.password = "synapse";
+ };
+ email = {
+ smtp_host = "mail.grzb.de";
+ smtp_port = 465;
+ smtp_user = "matrix";
+ force_tls = true;
+ notif_from = "Nekoverse Matrix Server ";
+ };
+ max_upload_size = "500M";
+ signing_key_path = "/secrets/matrix-homeserver-signing-key.secret";
+ admin_contact = "mailto:admin@nekover.se";
+ web_client_location = "https://element.nekover.se";
+ turn_uris = [
+ "turns:turn.nekover.se?transport=udp"
+ "turns:turn.nekover.se?transport=tcp"
+ ];
+ turn_user_lifetime = 86400000;
+ turn_allow_guests = true;
+ };
+ extraConfigFiles = [
+ "/secrets/matrix-registration-shared-secret.secret"
+ "/secrets/matrix-turn-shared-secret.secret"
+ "/secrets/matrix-email-smtp-pass.secret"
+ ];
+ };
+}
diff --git a/hosts/matrix/nginx.nix b/hosts/matrix/nginx.nix
new file mode 100644
index 0000000..de8f332
--- /dev/null
+++ b/hosts/matrix/nginx.nix
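Review bot: `args.password = "synapse"` writes the PostgreSQL credential into the Nix store, where every local user can read it, even though this host's other synapse secrets (registration secret, TURN secret, SMTP password, signing key) are deliberately kept out of the store via `extraConfigFiles`; hosts/matrix/postgresql.nix in the next hunk repeats the same literal in its `initialScript`. Since synapse and PostgreSQL share the host, the password can go away entirely by connecting over the unix socket with peer authentication (point `database.args.user` / `database.args.database` at the `matrix-synapse` role if the module does not already default to it, and provision the role through `services.postgresql.ensureUsers`), or it can be moved into one more `/secrets/*.secret` file listed in `extraConfigFiles`. `turn_allow_guests = true` hands relay credentials to unauthenticated guest accounts, which is a bandwidth-cost decision that deserves a one-line comment.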
@@ -0,0 +1,35 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."matrix.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ }
+ ];
+ locations."~ ^(/_matrix|/_synapse/client)" = {
+ proxyPass = "http://localhost:8008";
+ extraConfig = ''
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
+ '';
+ };
+ extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/hosts/matrix/postgresql.nix b/hosts/matrix/postgresql.nix
new file mode 100644
index 0000000..03b753a
--- /dev/null
+++ b/hosts/matrix/postgresql.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+ services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+}
diff --git a/hosts/matrix/secrets.nix b/hosts/matrix/secrets.nix
new file mode 100644
index 0000000..24329ea
--- /dev/null
+++ b/hosts/matrix/secrets.nix
@@ -0,0 +1,35 @@ +{ ... }: +{ + deployment.keys."matrix-registration-shared-secret.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/registration-shared-secret" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."matrix-turn-shared-secret.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/turn-shared-secret" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."matrix-email-smtp-pass.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/email-smtp-pass" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."matrix-homeserver-signing-key.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/homeserver-signing-key" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix index 713a09d..52acd48 100644 --- a/hosts/web-public-2/nginx.nix +++ b/hosts/web-public-2/nginx.nix @@ -16,7 +16,7 @@ gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; hydra.nekover.se 10.202.41.121:8443; - matrix.nekover.se 127.0.0.1:8443; + matrix.nekover.se 10.202.41.112:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; nextcloud.grzb.de 127.0.0.1:8443; 
diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix index 6ec8d36..c04b2e8 100644 --- a/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -9,6 +9,15 @@ proxyPass = "http://jellyfin.vs.grzb.de:80"; }; }; + services.nginx.virtualHosts."matrix.nekover.se" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://matrix.vs.grzb.de:80"; + }; + }; services.nginx.virtualHosts."netbox.grzb.de" = { listen = [{ addr = "0.0.0.0"; diff --git a/hosts/web-public-2/virtualHosts/default.nix b/hosts/web-public-2/virtualHosts/default.nix index 06d0bfd..7df558e 100644 --- a/hosts/web-public-2/virtualHosts/default.nix +++ b/hosts/web-public-2/virtualHosts/default.nix @@ -6,7 +6,6 @@ ./element.nekover.se.nix ./gameserver.grzb.de.nix ./git.grzb.de.nix - ./matrix.nekover.se.nix ./mewtube.nekover.se.nix ./nekover.se.nix ./nextcloud.grzb.de.nix diff --git a/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix b/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix deleted file mode 100644 index 82455bf..0000000 --- a/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ ... }: -{ - services.nginx.virtualHosts."matrix.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - { - addr = "[::]"; - port = 8448; - ssl = true; - } - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://matrix.vs.grzb.de:8008"; - extraConfig = '' - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size 500M; - ''; - }; - }; -} From 5f61e963a890b8829a9734f788a541b0d67a72fa Mon Sep 17 00:00:00 2001 
From: fi Date: Tue, 29 Aug 2023 16:11:51 +0200 Subject: [PATCH 043/386] Bump flake.lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 61995d3..a011349 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1693183237, - "narHash": "sha256-c7OtyBkZ/vZE/WosBpRGRtkbWZjDHGJP7fg1FyB9Dsc=", + "lastModified": 1693231525, + "narHash": "sha256-Zmh8m0HHcgGBDth6jdJPmc4UAAP0L4jQmqIztywF1Iw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ea5234e7073d5f44728c499192544a84244bf35a", + "rev": "c540061ac8d72d6e6d99345bd2d590c82b2f58c1", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1693184707, - "narHash": "sha256-MqCT/wuRKC79QJKlYhdfkUNerPcm63vZLd6P7lZGC0M=", + "lastModified": 1693282374, + "narHash": "sha256-QZUxjv/MsWjradxgHlQFkP1ynR4BAuedY/Hs+gMyss8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "48516a891d020801bc5304375739d2604400c741", + "rev": "3d958404528cd939451ca2ed30473c3d7ae4d746", "type": "github" }, "original": { From cc93674cc4218887ec6e3aa20a95417e4ea55059 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 3 Sep 2023 16:56:05 +0200 Subject: [PATCH 044/386] Bump element-web to v1.11.40 --- hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/hosts/web-public-2/virtualHosts/element.nekover.se.nix index de1665b..ba220c7 100644 --- a/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
@@ -1,8 +1,8 @@ { pkgs, ... }: let element-web = pkgs.fetchzip { - url = "https://github.com/vector-im/element-web/releases/download/v1.11.36/element-v1.11.36.tar.gz"; - sha256 = "sha256-HbKqfcYH3JWbrAeaYCF/Lg7D7bl5VSgsitxKQdvf+Oc="; + url = "https://github.com/vector-im/element-web/releases/download/v1.11.40/element-v1.11.40.tar.gz"; + sha256 = "sha256-IZ1FjT9fAv6wDfgLcCLBHwg6iXGXC4E0/2/67hArD4w="; }; in { From 1d8697b70a83665ed4bcfd706be4b722bace3fee Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 3 Sep 2023 17:43:41 +0200 Subject: [PATCH 045/386] Just do the nginx proxy_protocol listen in extraConfig and use stable packages --- hosts.nix | 3 --- hosts/hydra/nginx.nix | 31 +++++++++++++++---------------- hosts/nextcloud/nextcloud.nix | 14 ++------------ hosts/nitter/nginx.nix | 18 ++++++------------ 4 files changed, 23 insertions(+), 43 deletions(-) diff --git a/hosts.nix b/hosts.nix index d608e79..177da2d 100644 --- a/hosts.nix +++ b/hosts.nix @@ -24,7 +24,6 @@ let in generateDefaults { hydra = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; }; iperf = { @@ -47,11 +46,9 @@ in site = "vs"; }; nextcloud = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; }; nitter = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; }; coturn = { diff --git a/hosts/hydra/nginx.nix b/hosts/hydra/nginx.nix index e313c2d..5a15fe1 100644 --- a/hosts/hydra/nginx.nix +++ b/hosts/hydra/nginx.nix 
@@ -3,41 +3,40 @@ services.nginx = { enable = true; virtualHosts = { - "hydra.nekover.se" = { forceSSL = true; enableACME = true; listen = [{ - addr = "127.0.0.1"; - port = 1234; - }{ addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; + port = 80; }]; locations."/" = { proxyPass = "http://localhost:3001"; }; - }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; "nix-cache.nekover.se" = { forceSSL = true; enableACME = true; - listen = [{ - addr = "127.0.0.1"; - port = 1234; - }{ + listen = [ { addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; + port = 80; }]; locations."/" = { proxyPass = "http://localhost:5005"; }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; }; - }; }; } diff --git a/hosts/nextcloud/nextcloud.nix b/hosts/nextcloud/nextcloud.nix index d09b0fb..dd3a328 100644 --- a/hosts/nextcloud/nextcloud.nix +++ b/hosts/nextcloud/nextcloud.nix @@ -41,19 +41,9 @@ virtualHosts.${config.services.nextcloud.hostName} = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; diff --git a/hosts/nitter/nginx.nix b/hosts/nitter/nginx.nix index d0f47ed..862405c 100644 --- a/hosts/nitter/nginx.nix +++ b/hosts/nitter/nginx.nix 
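Review bot: The same four-line `extraConfig` (`listen 0.0.0.0:8443 http2 ssl proxy_protocol;` plus `set_real_ip_from 10.202.41.100;` and `real_ip_header proxy_protocol;`) is now pasted into both hydra vhosts here, into the nextcloud vhost in the next hunk, into hosts/nitter/nginx.nix in this commit, and it already exists in hosts/matrix/nginx.nix; the trusted-proxy address is the security-relevant part of that snippet, and five copies will drift. A single definition in the shared nginx module (configuration/common/nginx.nix) — a `proxyProtocolListen` string, or an option that the vhosts opt into — keeps the address that nginx trusts for client IPs in one place. The nix-cache vhost's `listen = [ { addr = "0.0.0.0"; port = 80; }];` also ended up with a bracket layout that no longer matches the hydra vhost directly above it.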
@@ -5,18 +5,6 @@ virtualHosts."birdsite.nekover.se" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; locations."/robots.txt" = { return = "200 \"User-agent: *\\nDisallow: /\\n\""; }; @@ -24,6 +12,12 @@ proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}"; proxyWebsockets = true; }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; }; }; } From 4c382e629d211b2109c4c454468fcc499df33f50 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 3 Sep 2023 19:23:56 +0200 Subject: [PATCH 046/386] Update flake.lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index a011349..4b4607e 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1693231525, - "narHash": "sha256-Zmh8m0HHcgGBDth6jdJPmc4UAAP0L4jQmqIztywF1Iw=", + "lastModified": 1693725722, + "narHash": "sha256-PJFNgOpNqrsafMgNuca8olo6ugxIFeQOBBiNtyq2FXA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c540061ac8d72d6e6d99345bd2d590c82b2f58c1", + "rev": "00cc1bbf20f8eb85b537f9f10b41a311f0e01e3e", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1693282374, - "narHash": "sha256-QZUxjv/MsWjradxgHlQFkP1ynR4BAuedY/Hs+gMyss8=", + "lastModified": 1693723626, + "narHash": "sha256-e6DnUnRT5aykzhme6wLUzYmSPw2G8j+RYwXluys2VJc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3d958404528cd939451ca2ed30473c3d7ae4d746", + "rev": "5e9ff98d1dccbb391a9769b5dc660a5f6e39c18b", "type": "github" }, "original": { From ba93d164cf1b5181122f71c9a40d67123006e3ec Mon Sep 17 00:00:00 2001 
From: fi Date: Thu, 14 Sep 2023 14:43:49 +0200 Subject: [PATCH 047/386] Setup mail server and restructure some things --- {configuration => config}/common/default.nix | 4 +- {configuration => config}/common/nginx.nix | 0 .../common/prometheus-node-exporter.nix | 4 +- .../environments}/proxmox-vm/default.nix | 0 .../proxmox-vm/hardware-configuration.nix | 0 {hosts => config/hosts}/coturn/acme.nix | 0 .../hosts}/coturn/configuration.nix | 0 {hosts => config/hosts}/coturn/coturn.nix | 0 {hosts => config/hosts}/coturn/default.nix | 0 {hosts => config/hosts}/coturn/secrets.nix | 0 .../hosts}/hydra/configuration.nix | 0 {hosts => config/hosts}/hydra/default.nix | 0 {hosts => config/hosts}/hydra/hydra.nix | 0 {hosts => config/hosts}/hydra/nginx.nix | 0 {hosts => config/hosts}/hydra/nix-serve.nix | 0 {hosts => config/hosts}/hydra/secrets.nix | 0 .../hosts}/iperf/configuration.nix | 0 {hosts => config/hosts}/iperf/default.nix | 0 {hosts => config/hosts}/iperf/iperf.nix | 0 .../hosts}/jackett/configuration.nix | 0 {hosts => config/hosts}/jackett/default.nix | 0 {hosts => config/hosts}/jackett/jackett.nix | 0 .../hosts}/jellyfin/configuration.nix | 0 {hosts => config/hosts}/jellyfin/default.nix | 0 .../jellyfin/hardware-configuration.nix | 0 {hosts => config/hosts}/jellyfin/jellyfin.nix | 0 {hosts => config/hosts}/jellyfin/nginx.nix | 0 {hosts => config/hosts}/jellyfin/secrets.nix | 0 config/hosts/lifeline/configuration.nix | 69 +++++++++ config/hosts/lifeline/default.nix | 7 + .../hosts/lifeline/hardware-configuration.nix | 16 ++ config/hosts/lifeline/secrets.nix | 19 +++ config/hosts/mail-1/configuration.nix | 61 ++++++++ config/hosts/mail-1/default.nix | 7 + config/hosts/mail-1/secrets.nix | 85 ++++++++++ .../hosts/mail-1/simple-nixos-mailserver.nix | 66 ++++++++ .../hosts}/matrix/configuration.nix | 0 {hosts => config/hosts}/matrix/default.nix | 0 .../hosts}/matrix/hardware-configuration.nix | 0 .../hosts}/matrix/matrix-synapse.nix | 0 {hosts => 
config/hosts}/matrix/nginx.nix | 0 {hosts => config/hosts}/matrix/postgresql.nix | 0 {hosts => config/hosts}/matrix/secrets.nix | 0 .../hosts}/metrics/configuration.nix | 0 {hosts => config/hosts}/metrics/default.nix | 0 {hosts => config/hosts}/metrics/grafana.nix | 0 {hosts => config/hosts}/metrics/nginx.nix | 0 .../hosts}/metrics/prometheus.nix | 0 {hosts => config/hosts}/metrics/secrets.nix | 0 .../hosts}/netbox/configuration.nix | 0 {hosts => config/hosts}/netbox/default.nix | 0 {hosts => config/hosts}/netbox/netbox.nix | 0 {hosts => config/hosts}/netbox/nginx.nix | 0 {hosts => config/hosts}/netbox/secrets.nix | 0 .../hosts}/nextcloud/configuration.nix | 0 {hosts => config/hosts}/nextcloud/default.nix | 0 .../nextcloud/hardware-configuration.nix | 0 .../hosts}/nextcloud/nextcloud.nix | 0 {hosts => config/hosts}/nextcloud/secrets.nix | 0 .../hosts}/nitter/configuration.nix | 0 {hosts => config/hosts}/nitter/default.nix | 0 {hosts => config/hosts}/nitter/nginx.nix | 0 {hosts => config/hosts}/nitter/nitter.nix | 0 .../hosts}/tor-relay/configuration.nix | 0 {hosts => config/hosts}/tor-relay/default.nix | 0 {hosts => config/hosts}/tor-relay/tor.nix | 0 .../configuration.nix | 0 .../web-nonpublic-linuxcrewd/default.nix | 0 .../hosts}/web-nonpublic-linuxcrewd/nginx.nix | 0 .../hosts}/web-public-2/configuration.nix | 0 .../hosts}/web-public-2/default.nix | 0 .../hosts}/web-public-2/nginx.nix | 0 .../virtualHosts/acme-challenge.nix | 9 ++ .../virtualHosts/anisync.grzb.de.nix | 0 .../web-public-2/virtualHosts/default.nix | 1 - .../element-web-config/config.json | 0 .../virtualHosts/element.nekover.se.nix | 0 .../virtualHosts/gameserver.grzb.de.nix | 0 .../web-public-2/virtualHosts/git.grzb.de.nix | 0 .../virtualHosts/mewtube.nekover.se.nix | 0 .../web-public-2/virtualHosts/nekover.se.nix | 0 .../virtualHosts/social.nekover.se.nix | 0 .../nixos-generators/default.nix | 0 .../users}/colmena-deploy/default.nix | 0 {users => config/users}/yuri/default.nix | 0 flake.lock | 
145 ++++++++++++++++-- flake.nix | 13 +- helper.nix | 2 +- hosts.nix | 36 ++++- .../virtualHosts/nextcloud.grzb.de.nix | 34 ---- 90 files changed, 512 insertions(+), 66 deletions(-) rename {configuration => config}/common/default.nix (96%) rename {configuration => config}/common/nginx.nix (100%) rename {configuration => config}/common/prometheus-node-exporter.nix (61%) rename {configuration => config/environments}/proxmox-vm/default.nix (100%) rename {configuration => config/environments}/proxmox-vm/hardware-configuration.nix (100%) rename {hosts => config/hosts}/coturn/acme.nix (100%) rename {hosts => config/hosts}/coturn/configuration.nix (100%) rename {hosts => config/hosts}/coturn/coturn.nix (100%) rename {hosts => config/hosts}/coturn/default.nix (100%) rename {hosts => config/hosts}/coturn/secrets.nix (100%) rename {hosts => config/hosts}/hydra/configuration.nix (100%) rename {hosts => config/hosts}/hydra/default.nix (100%) rename {hosts => config/hosts}/hydra/hydra.nix (100%) rename {hosts => config/hosts}/hydra/nginx.nix (100%) rename {hosts => config/hosts}/hydra/nix-serve.nix (100%) rename {hosts => config/hosts}/hydra/secrets.nix (100%) rename {hosts => config/hosts}/iperf/configuration.nix (100%) rename {hosts => config/hosts}/iperf/default.nix (100%) rename {hosts => config/hosts}/iperf/iperf.nix (100%) rename {hosts => config/hosts}/jackett/configuration.nix (100%) rename {hosts => config/hosts}/jackett/default.nix (100%) rename {hosts => config/hosts}/jackett/jackett.nix (100%) rename {hosts => config/hosts}/jellyfin/configuration.nix (100%) rename {hosts => config/hosts}/jellyfin/default.nix (100%) rename {hosts => config/hosts}/jellyfin/hardware-configuration.nix (100%) rename {hosts => config/hosts}/jellyfin/jellyfin.nix (100%) rename {hosts => config/hosts}/jellyfin/nginx.nix (100%) rename {hosts => config/hosts}/jellyfin/secrets.nix (100%) create mode 100644 config/hosts/lifeline/configuration.nix create mode 100644 
config/hosts/lifeline/default.nix create mode 100644 config/hosts/lifeline/hardware-configuration.nix create mode 100644 config/hosts/lifeline/secrets.nix create mode 100644 config/hosts/mail-1/configuration.nix create mode 100644 config/hosts/mail-1/default.nix create mode 100644 config/hosts/mail-1/secrets.nix create mode 100644 config/hosts/mail-1/simple-nixos-mailserver.nix rename {hosts => config/hosts}/matrix/configuration.nix (100%) rename {hosts => config/hosts}/matrix/default.nix (100%) rename {hosts => config/hosts}/matrix/hardware-configuration.nix (100%) rename {hosts => config/hosts}/matrix/matrix-synapse.nix (100%) rename {hosts => config/hosts}/matrix/nginx.nix (100%) rename {hosts => config/hosts}/matrix/postgresql.nix (100%) rename {hosts => config/hosts}/matrix/secrets.nix (100%) rename {hosts => config/hosts}/metrics/configuration.nix (100%) rename {hosts => config/hosts}/metrics/default.nix (100%) rename {hosts => config/hosts}/metrics/grafana.nix (100%) rename {hosts => config/hosts}/metrics/nginx.nix (100%) rename {hosts => config/hosts}/metrics/prometheus.nix (100%) rename {hosts => config/hosts}/metrics/secrets.nix (100%) rename {hosts => config/hosts}/netbox/configuration.nix (100%) rename {hosts => config/hosts}/netbox/default.nix (100%) rename {hosts => config/hosts}/netbox/netbox.nix (100%) rename {hosts => config/hosts}/netbox/nginx.nix (100%) rename {hosts => config/hosts}/netbox/secrets.nix (100%) rename {hosts => config/hosts}/nextcloud/configuration.nix (100%) rename {hosts => config/hosts}/nextcloud/default.nix (100%) rename {hosts => config/hosts}/nextcloud/hardware-configuration.nix (100%) rename {hosts => config/hosts}/nextcloud/nextcloud.nix (100%) rename {hosts => config/hosts}/nextcloud/secrets.nix (100%) rename {hosts => config/hosts}/nitter/configuration.nix (100%) rename {hosts => config/hosts}/nitter/default.nix (100%) rename {hosts => config/hosts}/nitter/nginx.nix (100%) rename {hosts => config/hosts}/nitter/nitter.nix 
(100%) rename {hosts => config/hosts}/tor-relay/configuration.nix (100%) rename {hosts => config/hosts}/tor-relay/default.nix (100%) rename {hosts => config/hosts}/tor-relay/tor.nix (100%) rename {hosts => config/hosts}/web-nonpublic-linuxcrewd/configuration.nix (100%) rename {hosts => config/hosts}/web-nonpublic-linuxcrewd/default.nix (100%) rename {hosts => config/hosts}/web-nonpublic-linuxcrewd/nginx.nix (100%) rename {hosts => config/hosts}/web-public-2/configuration.nix (100%) rename {hosts => config/hosts}/web-public-2/default.nix (100%) rename {hosts => config/hosts}/web-public-2/nginx.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/acme-challenge.nix (83%) rename {hosts => config/hosts}/web-public-2/virtualHosts/anisync.grzb.de.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/default.nix (93%) rename {hosts => config/hosts}/web-public-2/virtualHosts/element-web-config/config.json (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/element.nekover.se.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/gameserver.grzb.de.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/git.grzb.de.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/mewtube.nekover.se.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/nekover.se.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/social.nekover.se.nix (100%) rename {configuration => config}/nixos-generators/default.nix (100%) rename {users => config/users}/colmena-deploy/default.nix (100%) rename {users => config/users}/yuri/default.nix (100%) delete mode 100644 hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix diff --git a/configuration/common/default.nix b/config/common/default.nix similarity index 96% rename from configuration/common/default.nix rename to config/common/default.nix index e28c38a..8634acf 100644 --- a/configuration/common/default.nix +++ b/config/common/default.nix 
@@ -3,8 +3,8 @@ imports = [ ./prometheus-node-exporter.nix ./nginx.nix - ../../users/colmena-deploy - ../../users/yuri + ../users/colmena-deploy + ../users/yuri ]; time.timeZone = "Europe/Berlin"; diff --git a/configuration/common/nginx.nix b/config/common/nginx.nix similarity index 100% rename from configuration/common/nginx.nix rename to config/common/nginx.nix diff --git a/configuration/common/prometheus-node-exporter.nix b/config/common/prometheus-node-exporter.nix similarity index 61% rename from configuration/common/prometheus-node-exporter.nix rename to config/common/prometheus-node-exporter.nix index ac2d1ac..71f9baa 100644 --- a/configuration/common/prometheus-node-exporter.nix +++ b/config/common/prometheus-node-exporter.nix @@ -1,7 +1,7 @@ -{ ... }: +{ lib, ... }: { services.prometheus.exporters.node = { - enable = true; + enable = lib.mkDefault true; openFirewall = true; }; } diff --git a/configuration/proxmox-vm/default.nix b/config/environments/proxmox-vm/default.nix similarity index 100% rename from configuration/proxmox-vm/default.nix rename to config/environments/proxmox-vm/default.nix diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/config/environments/proxmox-vm/hardware-configuration.nix similarity index 100% rename from configuration/proxmox-vm/hardware-configuration.nix rename to config/environments/proxmox-vm/hardware-configuration.nix diff --git a/hosts/coturn/acme.nix b/config/hosts/coturn/acme.nix similarity index 100% rename from hosts/coturn/acme.nix rename to config/hosts/coturn/acme.nix diff --git a/hosts/coturn/configuration.nix b/config/hosts/coturn/configuration.nix similarity index 100% rename from hosts/coturn/configuration.nix rename to config/hosts/coturn/configuration.nix diff --git a/hosts/coturn/coturn.nix b/config/hosts/coturn/coturn.nix similarity index 100% rename from hosts/coturn/coturn.nix rename to config/hosts/coturn/coturn.nix 
diff --git a/hosts/coturn/default.nix b/config/hosts/coturn/default.nix similarity index 100% rename from hosts/coturn/default.nix rename to config/hosts/coturn/default.nix diff --git a/hosts/coturn/secrets.nix b/config/hosts/coturn/secrets.nix similarity index 100% rename from hosts/coturn/secrets.nix rename to config/hosts/coturn/secrets.nix diff --git a/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix similarity index 100% rename from hosts/hydra/configuration.nix rename to config/hosts/hydra/configuration.nix diff --git a/hosts/hydra/default.nix b/config/hosts/hydra/default.nix similarity index 100% rename from hosts/hydra/default.nix rename to config/hosts/hydra/default.nix diff --git a/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix similarity index 100% rename from hosts/hydra/hydra.nix rename to config/hosts/hydra/hydra.nix diff --git a/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix similarity index 100% rename from hosts/hydra/nginx.nix rename to config/hosts/hydra/nginx.nix diff --git a/hosts/hydra/nix-serve.nix b/config/hosts/hydra/nix-serve.nix similarity index 100% rename from hosts/hydra/nix-serve.nix rename to config/hosts/hydra/nix-serve.nix diff --git a/hosts/hydra/secrets.nix b/config/hosts/hydra/secrets.nix similarity index 100% rename from hosts/hydra/secrets.nix rename to config/hosts/hydra/secrets.nix diff --git a/hosts/iperf/configuration.nix b/config/hosts/iperf/configuration.nix similarity index 100% rename from hosts/iperf/configuration.nix rename to config/hosts/iperf/configuration.nix diff --git a/hosts/iperf/default.nix b/config/hosts/iperf/default.nix similarity index 100% rename from hosts/iperf/default.nix rename to config/hosts/iperf/default.nix diff --git a/hosts/iperf/iperf.nix b/config/hosts/iperf/iperf.nix similarity index 100% rename from hosts/iperf/iperf.nix rename to config/hosts/iperf/iperf.nix 
diff --git a/hosts/jackett/configuration.nix b/config/hosts/jackett/configuration.nix similarity index 100% rename from hosts/jackett/configuration.nix rename to config/hosts/jackett/configuration.nix diff --git a/hosts/jackett/default.nix b/config/hosts/jackett/default.nix similarity index 100% rename from hosts/jackett/default.nix rename to config/hosts/jackett/default.nix diff --git a/hosts/jackett/jackett.nix b/config/hosts/jackett/jackett.nix similarity index 100% rename from hosts/jackett/jackett.nix rename to config/hosts/jackett/jackett.nix diff --git a/hosts/jellyfin/configuration.nix b/config/hosts/jellyfin/configuration.nix similarity index 100% rename from hosts/jellyfin/configuration.nix rename to config/hosts/jellyfin/configuration.nix diff --git a/hosts/jellyfin/default.nix b/config/hosts/jellyfin/default.nix similarity index 100% rename from hosts/jellyfin/default.nix rename to config/hosts/jellyfin/default.nix diff --git a/hosts/jellyfin/hardware-configuration.nix b/config/hosts/jellyfin/hardware-configuration.nix similarity index 100% rename from hosts/jellyfin/hardware-configuration.nix rename to config/hosts/jellyfin/hardware-configuration.nix diff --git a/hosts/jellyfin/jellyfin.nix b/config/hosts/jellyfin/jellyfin.nix similarity index 100% rename from hosts/jellyfin/jellyfin.nix rename to config/hosts/jellyfin/jellyfin.nix diff --git a/hosts/jellyfin/nginx.nix b/config/hosts/jellyfin/nginx.nix similarity index 100% rename from hosts/jellyfin/nginx.nix rename to config/hosts/jellyfin/nginx.nix diff --git a/hosts/jellyfin/secrets.nix b/config/hosts/jellyfin/secrets.nix similarity index 100% rename from hosts/jellyfin/secrets.nix rename to config/hosts/jellyfin/secrets.nix diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix new file mode 100644 index 0000000..2930c69 --- /dev/null +++ b/config/hosts/lifeline/configuration.nix 
@@ -0,0 +1,69 @@
+{ pkgs, ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+
+ networking = {
+ hostName = "lifeline";
+ useDHCP = true;
+ wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret";
+ listenPort = 51820;
+ ips = [
+ "172.16.50.1/24"
+ ];
+ peers = [
+ {
+ name = "mail-1";
+ publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
+ presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret";
+ allowedIPs = [ "172.16.50.2/32" ];
+ }
+ ];
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+ '';
+ };
+ };
+ nat = {
+ enable = true;
+ internalInterfaces = [ "wg0" ];
+ externalInterface = "ens6";
+ forwardPorts = [
+ {
+ destination = "172.16.50.2:25";
+ proto = "tcp";
+ sourcePort = 25;
+ }
+ {
+ destination = "172.16.50.2:465";
+ proto = "tcp";
+ sourcePort = 465;
+ }
+ {
+ destination = "172.16.50.2:993";
+ proto = "tcp";
+ sourcePort = 993;
+ }
+ ];
+ };
+ firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+ };
+
+ services.prometheus.exporters.node.enable = false;
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/lifeline/default.nix b/config/hosts/lifeline/default.nix
new file mode 100644
index 0000000..9d284a8
--- /dev/null
+++ b/config/hosts/lifeline/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ];
+}
diff --git a/config/hosts/lifeline/hardware-configuration.nix b/config/hosts/lifeline/hardware-configuration.nix
new file mode 100644
index 0000000..85d6d9a
--- /dev/null
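Review bot: The `postSetup`/`postShutdown` iptables rules on hunk lines 29–36 look redundant with the `networking.nat` block that follows: with `internalInterfaces = [ "wg0" ]` and `externalInterface = "ens6"` the NixOS NAT module installs its own masquerade rule for that traffic and, as far as I recall, also sets the `net.ipv4.conf.all.forwarding` sysctl from line 8. Keeping two sources for the same rule makes the running ruleset harder to audit; if the NAT module covers it, dropping lines 8 and 29–36 leaves one owner. If the `FORWARD -i wg0 -j ACCEPT` line is kept on purpose, a comment such as `# the NAT module adds no FORWARD accept; kept in case the FORWARD policy is DROP` explains why it survives.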
+++ b/config/hosts/lifeline/hardware-configuration.nix
@@ -0,0 +1,16 @@
+{ modulesPath, ... }:
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd = {
+ availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ kernelModules = [ "nvme" ];
+ };
+
+ fileSystems."/" = {
+ device = "/dev/vda1";
+ fsType = "ext4";
+ };
+}
diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix
new file mode 100644
index 0000000..90f3f12
--- /dev/null
+++ b/config/hosts/lifeline/secrets.nix
@@ -0,0 +1,19 @@
+{ ... }:
+{
+ deployment.keys."wireguard-lifeline-mail-1-lifeline-psk.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."wireguard-lifeline-mail-1-lifeline-privatekey.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/lifeline-privatekey" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix
new file mode 100644
index 0000000..4638917
--- /dev/null
+++ b/config/hosts/mail-1/configuration.nix
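Review bot: Both `keyCommand` lists in lifeline's secrets.nix inline the same `env GNUPGHOME=/home/yuri/.passinfra_gnupg PASSWORD_STORE_DIR=/home/yuri/pass/infra` prefix, while mail-1/secrets.nix in this same commit builds its commands as `keyCommandEnv ++ [ "pass" … ]`. The two files should use one mechanism; if `keyCommandEnv` is available to host modules, this file becomes `{ keyCommandEnv, ... }:` with `keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-1/psk" ];` and the operator's home-directory paths stop being repeated per key. The `0640` root:root permissions are appropriate for files read by the root-run wireguard setup, and keeping only upload declarations here (never the key material) is the right shape.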
@@ -0,0 +1,61 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "mail-1";
+ useDHCP = true;
+ defaultGateway = {
+ address = "172.16.50.1";
+ interface = "wg0";
+ };
+ interfaces.enp6s18.ipv4 = {
+ routes = [
+ {
+ address = "10.201.0.0";
+ prefixLength = 16;
+ via = "10.202.41.1";
+ }
+ {
+ address = "10.202.0.0";
+ prefixLength = 16;
+ via = "10.202.41.1";
+ }
+ {
+ address = "172.21.87.0"; # management VPN
+ prefixLength = 24;
+ via = "10.202.41.1";
+ }
+ {
+ address = "217.160.117.160"; #
+ prefixLength = 32;
+ via = "10.202.41.1";
+ }
+ ];
+ };
+ wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [
+ "172.16.50.2/24"
+ ];
+ peers = [
+ {
+ name = "lifeline";
+ publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY=";
+ presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret";
+ endpoint = "lifeline.io.grzb.de:51820";
+ allowedIPs = [ "0.0.0.0/0" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret";
+ };
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/mail-1/default.nix b/config/hosts/mail-1/default.nix
new file mode 100644
index 0000000..5537841
--- /dev/null
+++ b/config/hosts/mail-1/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./simple-nixos-mailserver.nix
+ ];
+}
diff --git a/config/hosts/mail-1/secrets.nix b/config/hosts/mail-1/secrets.nix
new file mode 100644
index 0000000..3352cee
--- /dev/null
+++ b/config/hosts/mail-1/secrets.nix
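Review bot: The key paths on hunk lines 49 and 55 (`/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret`, `/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret`) do not match what mail-1/secrets.nix in this commit deploys (`wireguard-valkyrie-mail-1-mail-1-psk.secret`, `wireguard-mail-1-wg0-privatekey.secret`), so unless another module uploads the lifeline-named files, wg0 will fail to come up and, because the default gateway points at wg0, the host is left without a default route. Either the two paths here or the two key names in secrets.nix need to change so that they agree. The empty comment on the `217.160.117.160` route (line 33) should say what the address is; if it is the `lifeline.io.grzb.de` endpoint, `# lifeline wireguard endpoint, must stay off the tunnel` explains why that host route has to coexist with `allowedIPs = [ "0.0.0.0/0" ]`.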
@@ -0,0 +1,85 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "wireguard-valkyrie-mail-1-mail-1-psk.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "wireguard-mail-1-wg0-privatekey.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-fiona-grzb-de.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-yuri-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-mio-vs-grzb-de.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-fubuki-wg-grzb-de.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-cloud-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-status-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-matrix-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass"
"mail/matrix-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-social-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix
new file mode 100644
index 0000000..81fa130
--- /dev/null
+++ b/config/hosts/mail-1/simple-nixos-mailserver.nix
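Review bot: `keyCommandEnv` is taken from the module arguments on the first line of this file, but the flake.nix hunk in this same commit passes only `hosts` and `simple-nixos-mailserver` through `specialArgs`; unless it is supplied somewhere not shown on this page, evaluating the mail-1 host fails on the missing argument. The two wireguard keys are also given `group = "systemd-network"` while the mail password files and lifeline's wireguard keys use `root`; with `networking.wireguard` the key files are read as root, so the group looks like a leftover and `root` would keep the files consistent. Declaring only the upload commands here, never the key material, is the right shape for a committed file.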
@@ -0,0 +1,66 @@
+{ simple-nixos-mailserver, ... }:
+{
+ imports = [
+ simple-nixos-mailserver.nixosModule {
+ mailserver = {
+ enable = true;
+ openFirewall = true;
+ fqdn = "mail-1.grzb.de";
+ enableImap = false;
+ enableImapSsl = true;
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+ lmtpSaveToDetailMailbox = "no";
+ domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
+ loginAccounts = {
+ "fiona@grzb.de" = {
+ hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
+ aliases = [ "@grzb.de" ];
+ catchAll = [ "grzb.de" ];
+ };
+ "yuri@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
+ aliases = [ "@nekover.se" ];
+ catchAll = [ "nekover.se" ];
+ };
+ "mio@vs.grzb.de" = {
+ hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
+ sendOnly = true;
+ aliases = [ "root@vs.grzb.de" ];
+ };
+ "fubuki@wg.grzb.de" = {
+ hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
+ sendOnly = true;
+ aliases = [ "root@wg.grzb.de" ];
+ };
+ "cloud@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
+ sendOnly = true;
+ };
+ "status@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
+ sendOnly = true;
+ };
+ "matrix@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
+ sendOnly = true;
+ aliases = [ "nyareply@nekover.se" ];
+ };
+ "social@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
+ sendOnly = true;
+ aliases = [ "nyareply@nekover.se" ];
+ };
+ };
+ certificateScheme = "acme-nginx";
+ };
+ }
+ ];
+
+ services.postfix = {
+ transport = "relay:[mail-2.grzb.de]";
+ extraConfig = ''
+ proxy_interfaces = 212.53.203.19
+ '';
+ };
+}
diff --git a/hosts/matrix/configuration.nix b/config/hosts/matrix/configuration.nix
similarity index 100%
rename from hosts/matrix/configuration.nix
rename to config/hosts/matrix/configuration.nix
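Review bot: `services.postfix.transport` holds transport-map entries of the form `pattern transport:nexthop`, and the value on hunk line 61, `relay:[mail-2.grzb.de]`, has no pattern, so postmap will most likely reject or warn about the malformed line and the relay never takes effect. If every outbound message is meant to leave via mail-2, `services.postfix.relayHost = "mail-2.grzb.de";` states that directly (a `* relay:[mail-2.grzb.de]` entry is the transport-map spelling). `proxy_interfaces = 212.53.203.19` deserves a comment naming whose address it is — presumably the public address that lifeline forwards 25/465/993 from — so it is not mistaken for a stale value when the VPS changes. Leaving plain IMAP and submission off and exposing only the TLS variants is the right default for a host reachable through port forwarding.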
diff --git a/hosts/matrix/default.nix b/config/hosts/matrix/default.nix
similarity index 100%
rename from hosts/matrix/default.nix
rename to config/hosts/matrix/default.nix
diff --git a/hosts/matrix/hardware-configuration.nix b/config/hosts/matrix/hardware-configuration.nix
similarity index 100%
rename from hosts/matrix/hardware-configuration.nix
rename to config/hosts/matrix/hardware-configuration.nix
diff --git a/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
similarity index 100%
rename from hosts/matrix/matrix-synapse.nix
rename to config/hosts/matrix/matrix-synapse.nix
diff --git a/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
similarity index 100%
rename from hosts/matrix/nginx.nix
rename to config/hosts/matrix/nginx.nix
diff --git a/hosts/matrix/postgresql.nix b/config/hosts/matrix/postgresql.nix
similarity index 100%
rename from hosts/matrix/postgresql.nix
rename to config/hosts/matrix/postgresql.nix
diff --git a/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix
similarity index 100%
rename from hosts/matrix/secrets.nix
rename to config/hosts/matrix/secrets.nix
diff --git a/hosts/metrics/configuration.nix b/config/hosts/metrics/configuration.nix
similarity index 100%
rename from hosts/metrics/configuration.nix
rename to config/hosts/metrics/configuration.nix
diff --git a/hosts/metrics/default.nix b/config/hosts/metrics/default.nix
similarity index 100%
rename from hosts/metrics/default.nix
rename to config/hosts/metrics/default.nix
diff --git a/hosts/metrics/grafana.nix b/config/hosts/metrics/grafana.nix
similarity index 100%
rename from hosts/metrics/grafana.nix
rename to config/hosts/metrics/grafana.nix
diff --git a/hosts/metrics/nginx.nix b/config/hosts/metrics/nginx.nix
similarity index 100%
rename from hosts/metrics/nginx.nix
rename to config/hosts/metrics/nginx.nix
diff --git a/hosts/metrics/prometheus.nix b/config/hosts/metrics/prometheus.nix
similarity index 100%
rename from hosts/metrics/prometheus.nix
rename to config/hosts/metrics/prometheus.nix
diff --git a/hosts/metrics/secrets.nix b/config/hosts/metrics/secrets.nix
similarity index 100%
rename from hosts/metrics/secrets.nix
rename to config/hosts/metrics/secrets.nix
diff --git a/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix
similarity index 100%
rename from hosts/netbox/configuration.nix
rename to config/hosts/netbox/configuration.nix
diff --git a/hosts/netbox/default.nix b/config/hosts/netbox/default.nix
similarity index 100%
rename from hosts/netbox/default.nix
rename to config/hosts/netbox/default.nix
diff --git a/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
similarity index 100%
rename from hosts/netbox/netbox.nix
rename to config/hosts/netbox/netbox.nix
diff --git a/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix
similarity index 100%
rename from hosts/netbox/nginx.nix
rename to config/hosts/netbox/nginx.nix
diff --git a/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix
similarity index 100%
rename from hosts/netbox/secrets.nix
rename to config/hosts/netbox/secrets.nix
diff --git a/hosts/nextcloud/configuration.nix b/config/hosts/nextcloud/configuration.nix
similarity index 100%
rename from hosts/nextcloud/configuration.nix
rename to config/hosts/nextcloud/configuration.nix
diff --git a/hosts/nextcloud/default.nix b/config/hosts/nextcloud/default.nix
similarity index 100%
rename from hosts/nextcloud/default.nix
rename to config/hosts/nextcloud/default.nix
diff --git a/hosts/nextcloud/hardware-configuration.nix b/config/hosts/nextcloud/hardware-configuration.nix
similarity index 100%
rename from hosts/nextcloud/hardware-configuration.nix
rename to config/hosts/nextcloud/hardware-configuration.nix
diff --git a/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix
similarity index 100%
rename from hosts/nextcloud/nextcloud.nix
rename to config/hosts/nextcloud/nextcloud.nix
diff --git a/hosts/nextcloud/secrets.nix b/config/hosts/nextcloud/secrets.nix
similarity index 100%
rename from hosts/nextcloud/secrets.nix
rename to config/hosts/nextcloud/secrets.nix
diff --git a/hosts/nitter/configuration.nix b/config/hosts/nitter/configuration.nix
similarity index 100%
rename from hosts/nitter/configuration.nix
rename to config/hosts/nitter/configuration.nix
diff --git a/hosts/nitter/default.nix b/config/hosts/nitter/default.nix
similarity index 100%
rename from hosts/nitter/default.nix
rename to config/hosts/nitter/default.nix
diff --git a/hosts/nitter/nginx.nix b/config/hosts/nitter/nginx.nix
similarity index 100%
rename from hosts/nitter/nginx.nix
rename to config/hosts/nitter/nginx.nix
diff --git a/hosts/nitter/nitter.nix b/config/hosts/nitter/nitter.nix
similarity index 100%
rename from hosts/nitter/nitter.nix
rename to config/hosts/nitter/nitter.nix
diff --git a/hosts/tor-relay/configuration.nix b/config/hosts/tor-relay/configuration.nix
similarity index 100%
rename from hosts/tor-relay/configuration.nix
rename to config/hosts/tor-relay/configuration.nix
diff --git a/hosts/tor-relay/default.nix b/config/hosts/tor-relay/default.nix
similarity index 100%
rename from hosts/tor-relay/default.nix
rename to config/hosts/tor-relay/default.nix
diff --git a/hosts/tor-relay/tor.nix b/config/hosts/tor-relay/tor.nix
similarity index 100%
rename from hosts/tor-relay/tor.nix
rename to config/hosts/tor-relay/tor.nix
diff --git a/hosts/web-nonpublic-linuxcrewd/configuration.nix b/config/hosts/web-nonpublic-linuxcrewd/configuration.nix
similarity index 100%
rename from hosts/web-nonpublic-linuxcrewd/configuration.nix
rename to config/hosts/web-nonpublic-linuxcrewd/configuration.nix
diff --git a/hosts/web-nonpublic-linuxcrewd/default.nix b/config/hosts/web-nonpublic-linuxcrewd/default.nix
similarity index 100%
rename from hosts/web-nonpublic-linuxcrewd/default.nix
rename to config/hosts/web-nonpublic-linuxcrewd/default.nix
diff --git a/hosts/web-nonpublic-linuxcrewd/nginx.nix b/config/hosts/web-nonpublic-linuxcrewd/nginx.nix
similarity index 100%
rename from hosts/web-nonpublic-linuxcrewd/nginx.nix
rename to config/hosts/web-nonpublic-linuxcrewd/nginx.nix
diff --git a/hosts/web-public-2/configuration.nix b/config/hosts/web-public-2/configuration.nix
similarity index 100%
rename from hosts/web-public-2/configuration.nix
rename to config/hosts/web-public-2/configuration.nix
diff --git a/hosts/web-public-2/default.nix b/config/hosts/web-public-2/default.nix
similarity index 100%
rename from hosts/web-public-2/default.nix
rename to config/hosts/web-public-2/default.nix
diff --git a/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
similarity index 100%
rename from hosts/web-public-2/nginx.nix
rename to config/hosts/web-public-2/nginx.nix
diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
similarity index 83%
rename from hosts/web-public-2/virtualHosts/acme-challenge.nix
rename to config/hosts/web-public-2/virtualHosts/acme-challenge.nix
index c04b2e8..f5adeea 100644
--- a/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@@ -9,6 +9,15 @@
 proxyPass = "http://jellyfin.vs.grzb.de:80";
 };
 };
+ services.nginx.virtualHosts."mail-1.grzb.de" = {
+ listen = [{
+ addr = "0.0.0.0";
+ port = 80;
+ }];
+ locations."^~ /.well-known/acme-challenge/" = {
+ proxyPass = "http://mail-1.vs.grzb.de:80";
+ };
+ };
 services.nginx.virtualHosts."matrix.nekover.se" = {
 listen = [{
 addr = "0.0.0.0";
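Review bot: The new `mail-1.grzb.de` block repeats the listen/locations shape the surrounding jellyfin and matrix blocks use, differing only in host name and upstream. A helper in a `let`, e.g. `mkAcmeProxy = upstream: { listen = [{ addr = "0.0.0.0"; port = 80; }]; locations."^~ /.well-known/acme-challenge/".proxyPass = upstream; };`, reduces each entry to `services.nginx.virtualHosts."mail-1.grzb.de" = mkAcmeProxy "http://mail-1.vs.grzb.de:80";` and keeps the challenge-only location from drifting between hosts. Limiting the public port-80 vhost to the `^~ /.well-known/acme-challenge/` prefix, rather than proxying `/`, is the right scope. The enclosing module starts before this hunk, so the `let` would go at the top of the file.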
diff --git a/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
rename to config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
diff --git a/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix
similarity index 93%
rename from hosts/web-public-2/virtualHosts/default.nix
rename to config/hosts/web-public-2/virtualHosts/default.nix
index 7df558e..6a5c3bb 100644
--- a/hosts/web-public-2/virtualHosts/default.nix
+++ b/config/hosts/web-public-2/virtualHosts/default.nix
@@ -8,7 +8,6 @@
 ./git.grzb.de.nix
 ./mewtube.nekover.se.nix
 ./nekover.se.nix
- ./nextcloud.grzb.de.nix
 ./social.nekover.se.nix
 ];
diff --git a/hosts/web-public-2/virtualHosts/element-web-config/config.json b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json
similarity index 100%
rename from hosts/web-public-2/virtualHosts/element-web-config/config.json
rename to config/hosts/web-public-2/virtualHosts/element-web-config/config.json
diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/element.nekover.se.nix
rename to config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
diff --git a/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
rename to config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
diff --git a/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/git.grzb.de.nix
rename to config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
diff --git a/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
rename to config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
diff --git a/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/nekover.se.nix
rename to config/hosts/web-public-2/virtualHosts/nekover.se.nix
diff --git a/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/social.nekover.se.nix
rename to config/hosts/web-public-2/virtualHosts/social.nekover.se.nix
diff --git a/configuration/nixos-generators/default.nix b/config/nixos-generators/default.nix
similarity index 100%
rename from configuration/nixos-generators/default.nix
rename to config/nixos-generators/default.nix
diff --git a/users/colmena-deploy/default.nix b/config/users/colmena-deploy/default.nix
similarity index 100%
rename from users/colmena-deploy/default.nix
rename to config/users/colmena-deploy/default.nix
diff --git a/users/yuri/default.nix b/config/users/yuri/default.nix
similarity index 100%
rename from users/yuri/default.nix
rename to config/users/yuri/default.nix
diff --git a/flake.lock b/flake.lock
index 4b4607e..3d6c071 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,12 +1,44 @@
 {
 "nodes": {
+ "blobs": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1604995301,
+ "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "type": "gitlab"
+ }
+ },
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1668681692,
+ "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "nixlib": {
 "locked": {
- "lastModified": 1689469483,
- "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=",
+ "lastModified": 1693701915,
+ "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c",
+ "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
 "type": "github"
 },
 "original": {
@@ -23,11 +55,11 @@
 ]
 },
 "locked": {
- "lastModified": 1690133435,
- "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=",
+ "lastModified": 1693791338,
+ "narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586",
+ "rev": "8ee78470029e641cddbd8721496da1316b47d3b4",
 "type": "github"
 },
 "original": {
@@ -38,11 +70,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1693725722,
- "narHash": "sha256-PJFNgOpNqrsafMgNuca8olo6ugxIFeQOBBiNtyq2FXA=",
+ "lastModified": 1694493899,
+ "narHash": "sha256-46zEnn7H/G2ne735wEEKKW+LoyPa6NOWj2P9InxDfJs=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "00cc1bbf20f8eb85b537f9f10b41a311f0e01e3e",
+ "rev": "c5167858ca4870e933da123762eb55363ccefe2b",
 "type": "github"
 },
 "original": {
@@ -52,13 +84,43 @@
 "type": "github"
 }
 },
- "nixpkgs-unst
able": {
+ "nixpkgs-22_11": {
 "locked": {
- "lastModified": 1693723626,
- "narHash": "sha256-e6DnUnRT5aykzhme6wLUzYmSPw2G8j+RYwXluys2VJc=",
+ "lastModified": 1669558522,
+ "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5e9ff98d1dccbb391a9769b5dc660a5f6e39c18b",
+ "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-22.11",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-23_05": {
+ "locked": {
+ "lastModified": 1684782344,
+ "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-23.05",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1694502577,
+ "narHash": "sha256-MMW8BMlRU38Zewova/BOYy3ER+GM2nPln+UYeHI9EsI=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "55ec5ae7d6c3f7866a0696a6ccfb66a1665b3d72",
 "type": "github"
 },
 "original": {
@@ -68,11 +130,66 @@
 "type": "github"
 }
 },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1670751203,
+ "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-unstable",
+ "type": "indirect"
+ }
+ },
 "root": {
 "inputs": {
 "nixos-generators": "nixos-generators",
 "nixpkgs": "nixpkgs",
- "nixpkgs-unstable": "nixpkgs-unstable"
+ "nixpkgs-unstable": "nixpkgs-unstable",
+ "simple-nixos-mailserver": "simple-nixos-mailserver"
+ }
+ },
+ "simple-nixos-mailserver": {
+ "inputs": {
+ "blobs": "blobs",
+ "flake-compat": "flake-compat",
+ "nixpkgs": "nixpkgs_2",
+ "nixpkgs-22_11": "nixpkgs-22_11",
+ "nixpkgs-23_05": "nixpkgs-23_05",
+ "utils": "utils"
+ },
+ "locked": {
+ "lastModified": 1687462267,
+ "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
+ "owner": "simple-nixos-mailserver",
+ "repo": "nixos-mailserver",
+ "rev": "24128c3052090311688b09a400aa408ba61c6ee5",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "simple-nixos-mailserver",
+ "ref": "nixos-23.05",
+ "repo": "nixos-mailserver",
+ "type": "gitlab"
+ }
+ },
+ "utils": {
+ "locked": {
+ "lastModified": 1605370193,
+ "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 2e5abe8..2a78e5b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,9 +6,10 @@
 url = "github:nix-community/nixos-generators";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
 };
- outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let
+ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs: let
 hosts = import ./hosts.nix inputs;
 helper = import ./helper.nix inputs;
 in {
@@ -25,13 +26,13 @@
 nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts;
 specialArgs = {
- inherit hosts;
+ inherit hosts simple-nixos-mailserver;
 };
 };
 } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
 hydraJobs = {
- nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts; }) hosts;
+ nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts;
 };
 # Generate a base VM image for Proxmox with `nix build .#base-proxmox`
@@ -39,9 +40,9 @@
 base-proxmox = nixos-generators.nixosGenerate {
 system = "x86_64-linux";
 modules = [
- ./configuration/common
- ./configuration/nixos-generators
- ./configuration/proxmox-vm
+ ./config/common
+ ./config/nixos-generators
+ ./config/environments/proxmox-vm
 ];
 format = "proxmox";
 };
diff --git a/helper.nix b/helper.nix
index 360b356..c59a44c 100644
--- a/helper.nix
+++ b/helper.nix
@@ -11,7 +11,7 @@
 };
 # Set imports and optionally import colmena secrets configuration
- imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix;
+ imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./config/hosts/${name}/secrets.nix) ./config/hosts/${name}/secrets.nix;
 };
 generateNixConfiguration = name: specialArgs: {
diff --git a/hosts.nix b/hosts.nix
index 177da2d..6d496d4 100644
--- a/hosts.nix
+++ b/hosts.nix
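Review bot: The new `simple-nixos-mailserver` input on the first hunk line is added without `inputs.nixpkgs.follows = "nixpkgs"`, unlike `nixos-generators` just above it, and the flake.lock hunks in this commit show the consequence: a second full `nixpkgs_2` node is locked for the mailserver's own nixpkgs. Writing it as `simple-nixos-mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; inputs.nixpkgs.follows = "nixpkgs"; };` keeps one nixpkgs in the closure and one place to bump for security updates; the `nixpkgs-22_11`/`nixpkgs-23_05` nodes look like the mailserver's own test inputs and I would leave those alone. Pinning to the `nixos-23.05` ref matches the `stateVersion` the new hosts declare.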
@@ -3,66 +3,90 @@ let
 # Set of environment specific modules
 environments = {
 "proxmox" = [
- ./configuration/proxmox-vm
- ];
+ ./config/environments/proxmox-vm
+ ];
 };
 generateDefaults = hosts: builtins.mapAttrs (name: {
 hostNixpkgs ? nixpkgs,
 system ? "x86_64-linux",
 # pkgs is explicitly defined so that overlays for each host can easily be created
 pkgs ? hostNixpkgs.legacyPackages.${system},
- environment ? "proxmox",
+ environment ? "",
 site
 }: {
 inherit hostNixpkgs system pkgs environment site;
 # define common and host modules and additionally add environment specific modules
 modules = [
- ./configuration/common
- ./hosts/${name}
- ] ++ environments.${environment};
+ ./config/common
+ ./config/hosts/${name}
+ ] ++ (if environment != "" then environments.${environment} else []);
 }) hosts;
 in generateDefaults {
+ #fee = {
+ # site = "wg";
+ # environment = "bare-metal";
+ #};
 hydra = {
 site = "vs";
+ environment = "proxmox";
 };
 iperf = {
 site = "vs";
+ environment = "proxmox";
 };
 jackett = {
 site = "vs";
+ environment = "proxmox";
 };
 jellyfin = {
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
+ environment = "proxmox";
+ };
+ lifeline = {
+ site = "io";
+ };
+ mail-1 = {
+ site = "vs";
+ environment = "proxmox";
 };
 matrix = {
 site = "vs";
+ environment = "proxmox";
 };
 metrics = {
 site = "vs";
+ environment = "proxmox";
 };
 netbox = {
 site = "vs";
+ environment = "proxmox";
 };
 nextcloud = {
 site = "vs";
+ environment = "proxmox";
 };
 nitter = {
 site = "vs";
+ environment = "proxmox";
 };
 coturn = {
 site = "vs";
+ environment = "proxmox";
 };
 tor-relay = {
 site = "vs";
+ environment = "proxmox";
 };
 web-public-2 = {
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
+ environment = "proxmox";
 };
 web-nonpublic-linuxcrewd = {
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
+ environment = "proxmox";
 };
 }
diff --git a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix
deleted file mode 100644
index 8cbdcc9..0000000
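Review bot: `environment ? ""` paired with `if environment != "" then … else []` uses the empty string as an unset marker; `environment ? null` together with `] ++ nixpkgs.lib.optionals (environment != null) environments.${environment};` expresses the same thing with the helper this repository already uses in helper.nix (`nixpkgs.lib.optional`) and keeps an empty environment name from being confused with no environment. The commented-out `#fee` block carries no information a reader can act on; a single `# TODO: fee (site wg, bare-metal) pending` line, or a branch, records the intent with less noise. An unknown environment name still fails at evaluation on the `environments.${environment}` lookup, which is the right behaviour for a typo.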
--- a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."nextcloud.grzb.de" = {
- forceSSL = true;
- enableACME = true;
- listen = [
- {
- addr = "localhost";
- port = 1234;
- } # workaround for enableACME check
- {
- addr = "localhost";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }];
- locations."/" = {
- proxyPass = "http://nextcloud-grzb.vs.grzb.de:80";
- };
- locations."= /.well-known/carddav" = {
- return = "301 $scheme://$host/remote.php/dav";
- };
- locations."= /.well-known/caldav" = {
- return = "301 $scheme://$host/remote.php/dav";
- extraConfig = ''
- proxy_read_timeout 3600;
- proxy_request_buffering off;
- '';
- };
- extraConfig = ''
- client_max_body_size 4096m;
- '';
- };
-}
From 9cf5bd04690edd7042016111c44b70f9bb724e40 Mon Sep 17 00:00:00 2001
From: fi
Date: Thu, 14 Sep 2023 15:34:58 +0200
Subject: [PATCH 048/386] Enable firewall
---
 config/hosts/lifeline/configuration.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix
index 2930c69..b26eb44 100644
--- a/config/hosts/lifeline/configuration.nix
+++ b/config/hosts/lifeline/configuration.nix
@@ -59,6 +59,7 @@
 ];
 };
 firewall = {
+ enable = true;
 allowedUDPPorts = [ 51820 ];
 };
 };
From 667b1c256b76dd9393305f7a4f869e3caa0ee43a Mon Sep 17 00:00:00 2001
From: fi
Date: Sat, 16 Sep 2023 20:05:33 +0200
Subject: [PATCH 049/386] Add valkyrie host
---
 config/common/default.nix | 4 +-
 config/environments/openstack-vm/default.nix | 8 +++
 .../openstack-vm/hardware-configuration.nix | 24 +++++++++
 config/hosts/valkyrie/configuration.nix | 51 +++++++++++++++++++
 .../containers/uptime-kuma/default.nix | 14 +++++
 config/hosts/valkyrie/default.nix | 8 +++
 config/hosts/valkyrie/nginx.nix | 25 +++++++++
 config/hosts/valkyrie/secrets.nix | 35 +++++++++++++
 config/nixos-generators/default.nix | 21 --------
 config/nixos-generators/proxmox.nix | 23 +++++++++
 flake.nix | 16 +++++-
 hosts.nix | 8 ++-
 12 files changed, 211 insertions(+), 26 deletions(-)
 create mode 100644 config/environments/openstack-vm/default.nix
 create mode 100644 config/environments/openstack-vm/hardware-configuration.nix
 create mode 100644 config/hosts/valkyrie/configuration.nix
 create mode 100644 config/hosts/valkyrie/containers/uptime-kuma/default.nix
 create mode 100644 config/hosts/valkyrie/default.nix
 create mode 100644 config/hosts/valkyrie/nginx.nix
 create mode 100644 config/hosts/valkyrie/secrets.nix
 create mode 100644 config/nixos-generators/proxmox.nix
diff --git a/config/common/default.nix b/config/common/default.nix
index 8634acf..ea3ccf2 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 {
 imports = [
 ./prometheus-node-exporter.nix
@@ -41,7 +41,7 @@
 settings = {
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
- PermitRootLogin = "no";
+ PermitRootLogin = lib.mkForce "no";
 };
 };
diff --git a/config/environments/openstack-vm/default.nix b/config/environments/openstack-vm/default.nix
new file mode 100644
index 0000000..8edb909
--- /dev/null
+++ b/config/environments/openstack-vm/default.nix
@@ -0,0 +1,8 @@
+{ lib, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ users.users.root.initialPassword = lib.mkForce null;
+}
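Review bot: `PermitRootLogin = lib.mkForce "no"` in the second config/common/default.nix hunk carries no comment saying which definition it has to beat; presumably an image profile behind the new openstack-vm environment sets a different value, but that is an inference from this commit's contents. A comment on the line, `# overrides the value set by the VM image profile; root SSH login stays off on every host`, records the priority, and the same applies to `users.users.root.initialPassword = lib.mkForce null` in openstack-vm/default.nix. Both overrides move in the safe direction (no root SSH login, no pre-set root password), so the only open point is documenting why the force is needed.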
diff --git a/config/environments/openstack-vm/hardware-configuration.nix b/config/environments/openstack-vm/hardware-configuration.nix
new file mode 100644
index 0000000..cf5fdd0
--- /dev/null
+++ b/config/environments/openstack-vm/hardware-configuration.nix
@@ -0,0 +1,24 @@
+{ ... }:
+{
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ autoResize = true;
+ };
+
+ boot = {
+ growPartition = true;
+ kernelParams = [ "console=tty1" ];
+ loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ extraConfig = ''
+ serial --unit=1 --speed=115200 --word=8 --parity=no --stop=1
+ terminal_output console serial
+ terminal_input console serial
+ '';
+ };
+ };
+
+ systemd.services."serial-getty@tty1".enable = true;
+}
diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix
new file mode 100644
index 0000000..1d73f92
--- /dev/null
+++ b/config/hosts/valkyrie/configuration.nix
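Review bot: `systemd.services."serial-getty@tty1".enable = true` on the last hunk line instantiates the serial getty template on `tty1`, which is a virtual console, while the GRUB `extraConfig` block configures `serial --unit=1`; if a login on the serial port is wanted that would be `serial-getty@ttyS1`, and if it is the VGA console, `getty@tty1` is the matching unit. `kernelParams = [ "console=tty1" ]` likewise sends no kernel output to the serial line GRUB was set up for, so a cloud console log would stay empty; `console=ttyS1,115200` next to it would cover both, but I cannot tell from this file which console the platform actually exposes. A one-line comment stating the intended console would settle it either way.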
@@ -0,0 +1,51 @@ +{ ... }: +{ + boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true; + + networking = { + hostName = "valkyrie"; + nftables.enable = true; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 51820 51827 51828 ]; + }; + wireguard = { + enable = true; + interfaces.wg0 = { + listenPort = 51820; + ips = [ + "10.203.10.3/24" + ]; + peers = [ + { + name = "site1-grzb"; + publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret"; + endpoint = "site1.grzb.de:51826"; + allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ]; + } + { + name = "site2-grzb"; + publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret"; + endpoint = "site2.grzb.de:51826"; + allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; + } + { + name = "site2-jsts"; + publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; + endpoint = "site1.jsts.xyz:51823"; + allowedIPs = [ "10.203.10.4/32" ]; + } + ]; + privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret"; + }; + }; + }; + + services.prometheus.exporters.node.enable = false; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/valkyrie/containers/uptime-kuma/default.nix b/config/hosts/valkyrie/containers/uptime-kuma/default.nix new file mode 100644 index 0000000..2939abd --- /dev/null +++ b/config/hosts/valkyrie/containers/uptime-kuma/default.nix @@ -0,0 +1,14 @@ +{ nixpkgs-unstable, ... }: +{ + containers.uptime-kuma = { + nixpkgs = nixpkgs-unstable; + autoStart = true; + config = { ... }: { + services.uptime-kuma = { + enable = true; + }; + + system.stateVersion = "23.05"; + }; + }; +} diff --git a/config/hosts/valkyrie/default.nix b/config/hosts/valkyrie/default.nix new file mode 100644 index 0000000..b8c16ea --- /dev/null 
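Review bot: The third entry in `interfaces.wg0.peers` is named `site2-jsts` but its `presharedKeyFile` (`wireguard-valkyrie-site1-jsts-psk.secret`) and `endpoint` (`site1.jsts.xyz:51823`) both say site1, so one of the three is wrong; if the PSK file name is authoritative (it matches the key declared in secrets.nix), the fix is `name = "site1-jsts";`. Separately, `net.ipv4.conf.all.forwarding = true` turns this VM into a router between ens3 and wg0, and as far as I know the NixOS 23.05 firewall does not filter the forward chain unless `networking.firewall.filterForward` is enabled, so the 10.201/16 and 10.202/16 networks behind the peers become reachable to anything that can route through this host; a comment stating that this is the intended site-to-site role, or an explicit forward policy, would document that exposure. `allowedUDPPorts` also opens 51827 and 51828 although nothing in this file listens on them; they only make sense together with the DNAT service added later in this series, so a comment such as `# 51827/51828: DNAT-forwarded to peers by wireguard-nat-nftables` would keep the list from looking stale.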
+++ b/config/hosts/valkyrie/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ./containers/uptime-kuma + ]; +} diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix new file mode 100644 index 0000000..ada3379 --- /dev/null +++ b/config/hosts/valkyrie/nginx.nix @@ -0,0 +1,25 @@ +{ ... }: +{ + services.nginx = { + enable = true; + virtualHosts."status.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://localhost:3001"; + proxyWebsockets = true; + }; + }; + }; +} diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix new file mode 100644 index 0000000..7e7512c --- /dev/null +++ b/config/hosts/valkyrie/secrets.nix 
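Review bot: `enableACME = true` on the `status.nekover.se` vhost requires `security.acme.acceptTerms = true` and a `security.acme.defaults.email`, neither of which appears in this commit; if they are not set in config/common the evaluation fails on an assertion, so either add them here or leave a comment pointing at where they live. The explicit `listen` list binds only `0.0.0.0`, which drops the IPv6 listener the module default would provide; if that is deliberate, `# IPv4 only: this VM has no public v6 address` prevents someone re-adding it blindly. `proxyPass = "http://localhost:3001"` reaches the uptime-kuma container because that container declares no `privateNetwork` and therefore shares the host's network namespace; that coupling deserves a cross-reference comment on the `locations."/"` block.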
@@ -0,0 +1,35 @@ +{ ... }: +{ + deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/nixos-generators/default.nix b/config/nixos-generators/default.nix index e392d53..2cda85e 100644 --- a/config/nixos-generators/default.nix +++ b/config/nixos-generators/default.nix 
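Review bot: Every key in this hunk is deployed with `permissions = "0640"` although `user` and `group` are both root and only root (the wireguard interface setup) reads these files, so the group-read bit grants nothing useful; `permissions = "0600";` is the least-privilege setting for a WireGuard private key and its PSKs. The same seven-line stanza is repeated for each key here and again in the later secrets.nix hunks in this series (valkyrie wg1 and mail-1 PSK, lifeline), so a small helper such as `mkPassKey = entry: { keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" entry ]; destDir = "/secrets"; user = "root"; group = "root"; permissions = "0600"; uploadAt = "pre-activation"; }` would keep them consistent and make a mode change a one-line edit. The hard-coded `/home/yuri/...` paths tie every deployment to one operator's workstation; a comment saying so would spare the next deployer a confusing `pass` failure.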
@@ -10,26 +10,5 @@ firewall.enable = true; }; - proxmox = { - qemuConf = { - ostype = "l26"; - cores = 2; - memory = 1024; - bios = "seabios"; - # Option not available in 23.05 - # diskSize = "8096"; - virtio0 = "local-zfs:base-disk-0,discard=on"; - boot = "order=virtio0"; - net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1"; - agent = true; - }; - qemuExtraConf = { - cpu = "cputype=host,flags=+aes"; - onboot = 1; - machine = "q35"; - template = 1; - }; - }; - system.stateVersion = "23.05"; } diff --git a/config/nixos-generators/proxmox.nix b/config/nixos-generators/proxmox.nix new file mode 100644 index 0000000..196f802 --- /dev/null +++ b/config/nixos-generators/proxmox.nix @@ -0,0 +1,23 @@ +{ ... }: +{ + proxmox = { + qemuConf = { + ostype = "l26"; + cores = 2; + memory = 1024; + bios = "seabios"; + # Option not available in 23.05 + # diskSize = "8096"; + virtio0 = "local-zfs:base-disk-0,discard=on"; + boot = "order=virtio0"; + net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1"; + agent = true; + }; + qemuExtraConf = { + cpu = "cputype=host,flags=+aes"; + onboot = 1; + machine = "q35"; + template = 1; + }; + }; +} diff --git a/flake.nix b/flake.nix index 2a78e5b..4b25dcb 100644 --- a/flake.nix +++ b/flake.nix @@ -26,13 +26,15 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit hosts simple-nixos-mailserver; + inherit nixpkgs-unstable hosts simple-nixos-mailserver; }; }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts; hydraJobs = { - nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts; + nixConfigurations = builtins.mapAttrs ( + host: helper.generateNixConfiguration host { inherit nixpkgs-unstable hosts simple-nixos-mailserver; } + ) hosts; }; # Generate a base VM image for Proxmox with `nix build .#base-proxmox` 
@@ -42,10 +44,20 @@ modules = [ ./config/common ./config/nixos-generators + ./config/nixos-generators/proxmox.nix ./config/environments/proxmox-vm ]; format = "proxmox"; }; + base-openstack = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = [ + ./config/common + ./config/nixos-generators + ./config/environments/openstack-vm + ]; + format = "openstack"; + }; }; # Binary cache hint diff --git a/hosts.nix b/hosts.nix index 6d496d4..472ac92 100644 --- a/hosts.nix +++ b/hosts.nix @@ -5,6 +5,9 @@ let "proxmox" = [ ./config/environments/proxmox-vm ]; + "openstack" = [ + ./config/environments/openstack-vm + ]; }; generateDefaults = hosts: builtins.mapAttrs (name: { hostNixpkgs ? nixpkgs, @@ -25,7 +28,6 @@ in generateDefaults { #fee = { # site = "wg"; - # environment = "bare-metal"; #}; hydra = { site = "vs"; @@ -79,6 +81,10 @@ in site = "vs"; environment = "proxmox"; }; + valkyrie = { + site = "af"; + environment = "openstack"; + }; web-public-2 = { hostNixpkgs = nixpkgs-unstable; site = "vs"; From 299d04142f2470c4c073679e366d927af9ec1aa1 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 17 Sep 2023 04:50:07 +0200 Subject: [PATCH 050/386] Add wireguard-nat-nftables python script --- config/hosts/valkyrie/default.nix | 1 + config/hosts/valkyrie/services.nix | 30 ++++++ flake.nix | 9 +- pkgs/wireguard-nat-nftables/default.nix | 17 ++++ pkgs/wireguard-nat-nftables/src/setup.py | 7 ++ .../src/wireguard-nat-nftables.py | 92 +++++++++++++++++++ 6 files changed, 152 insertions(+), 4 deletions(-) create mode 100644 config/hosts/valkyrie/services.nix create mode 100644 pkgs/wireguard-nat-nftables/default.nix create mode 100644 pkgs/wireguard-nat-nftables/src/setup.py create mode 100644 pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py diff --git a/config/hosts/valkyrie/default.nix b/config/hosts/valkyrie/default.nix index b8c16ea..68a1b85 100644 --- a/config/hosts/valkyrie/default.nix +++ b/config/hosts/valkyrie/default.nix 
@@ -4,5 +4,6 @@ ./configuration.nix ./nginx.nix ./containers/uptime-kuma + ./services.nix ]; } diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix new file mode 100644 index 0000000..895865c --- /dev/null +++ b/config/hosts/valkyrie/services.nix @@ -0,0 +1,30 @@ +{ pkgs, ... }: +let + wireguard-nat-nftables = import ../../../pkgs/wireguard-nat-nftables pkgs; + config = pkgs.writeText "wireguard-nat-nftables-config" (builtins.toJSON { + interface = "ens3"; + wg_interface = "wg0"; + pubkey_port_mapping = { + "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=" = [ 51827 51829 ]; + "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=" = [ 51828 51830 ]; + "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=" = [ 51821 51824 ]; + }; + }); +in +{ + systemd.services.wireguard-nat-nftables = { + description = "A python script to update nftable dnat rules based on WireGuard peer IPs"; + requires = [ "wireguard-wg0.service" ]; + after = [ "wireguard-wg0.service" ]; + + script = '' + ${wireguard-nat-nftables}/bin/wireguard-nat-nftables.py ${config} + ''; + + serviceConfig = { + Type = "simple"; + User = "root"; + Group = "root"; + }; + }; +} diff --git a/flake.nix b/flake.nix index 4b25dcb..a9af2db 100644 --- a/flake.nix +++ b/flake.nix @@ -9,7 +9,8 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs: let + outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs: + let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; in { 
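Review bot: `systemd.services.wireguard-nat-nftables` in the new services.nix has no `wantedBy`, so the unit is defined but nothing ever starts it at boot; `requires`/`after` only order it relative to `wireguard-wg0.service` once something else pulls it in. Add `wantedBy = [ "multi-user.target" ];` (or `requiredBy = [ "wireguard-wg0.service" ];` if it should follow the tunnel's lifecycle). The script polls forever and exits on any uncaught exception, and without `Restart = "on-failure";` a single crash leaves the DNAT rules stale with no visible symptom. It also runs as root with no sandboxing; root-level network privileges are needed for nftables and `wg show`, but `ProtectSystem = "strict"`, `ProtectHome = true` and `CapabilityBoundingSet = "CAP_NET_ADMIN"` would bound what a bug in the script can touch.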
@@ -32,9 +33,9 @@ } // builtins.mapAttrs (helper.generateColmenaHost) hosts; hydraJobs = { - nixConfigurations = builtins.mapAttrs ( - host: helper.generateNixConfiguration host { inherit nixpkgs-unstable hosts simple-nixos-mailserver; } - ) hosts; + nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { + inherit nixpkgs-unstable hosts simple-nixos-mailserver; + }) hosts; }; # Generate a base VM image for Proxmox with `nix build .#base-proxmox` diff --git a/pkgs/wireguard-nat-nftables/default.nix b/pkgs/wireguard-nat-nftables/default.nix new file mode 100644 index 0000000..4a75703 --- /dev/null +++ b/pkgs/wireguard-nat-nftables/default.nix @@ -0,0 +1,17 @@ +{ pkgs, ... }: +let + nftablesWithPythonOverlay = final: prev: { + nftables = (prev.nftables.override { withPython = true; }); + }; + pkgs-overlay = pkgs.extend nftablesWithPythonOverlay; +in +pkgs-overlay.python310Packages.buildPythonApplication { + pname = "wireguard-nat-nftables"; + version = "0.0.1"; + + propagatedBuildInputs = with pkgs-overlay; [ + python310Packages.nftables + ]; + + src = ./src; +} diff --git a/pkgs/wireguard-nat-nftables/src/setup.py b/pkgs/wireguard-nat-nftables/src/setup.py new file mode 100644 index 0000000..4bcc53c --- /dev/null +++ b/pkgs/wireguard-nat-nftables/src/setup.py @@ -0,0 +1,7 @@ +from distutils.core import setup + +setup( + name='wireguard-nat-nftables', + version='0.0.1', + scripts=['wireguard-nat-nftables.py'] +) diff --git a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py new file mode 100644 index 0000000..a1c09c0 --- /dev/null +++ b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py 
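Review bot: `from distutils.core import setup` in the new setup.py relies on a module that is deprecated since Python 3.10 and removed in 3.12; the package is pinned to `python310Packages` in the sibling default.nix, so it builds today, but the first bump of that pin breaks it. `from setuptools import setup` is the drop-in replacement and is normally already present in the buildPythonApplication build environment.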
@@ -0,0 +1,92 @@ +#!/usr/bin/env python3 + +import nftables +import json +import subprocess +import time +import sys + +def main(): + f = open(sys.argv[1], "r") + config = json.loads(f.read()) + f.close() + + interface = config["interface"] + wg_interface = config["wg_interface"] + pubkey_port_mapping = config["pubkey_port_mapping"] + + nft = nftables.Nftables() + nft.set_json_output(True) + nft.set_handle_output(True) + + # add nat table rules for dnat and snat masquerade + nft.cmd("add table nat") + nft.cmd("add chain nat prerouting { type nat hook prerouting priority -100; }") + nft.cmd("add chain nat postrouting { type nat hook postrouting priority 100; }") + + # load current nftables rules + rc, output, error = nft.cmd("list ruleset") + if error: + print(error, file=sys.stderr) + nftables_output = json.loads(output) + + add_masquerade = True + for item in nftables_output["nftables"]: + if ("rule" in item + and item["rule"]["family"] == "ip" + and item["rule"]["table"] == "nat" + and item["rule"]["chain"] == "postrouting" + and "masquerade" in item["rule"]["expr"][0] + ): + add_masquerade = False + break + if add_masquerade: + nft.cmd("add rule nat postrouting masquerade") + + while True: + # list WireGuard peer endpoint addresses of WireGuard VPN connection + process = subprocess.Popen(["wg", "show", wg_interface, "endpoints"], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = process.communicate() + lines = stdout.decode().split("\n")[:-1] + if stderr: + print("{}: {}".format(wg_interface, stderr.decode()), file=sys.stderr) + else: + # map destination port to IP + port_ip_mapping = {} + for line in lines: + pubkey = line.split("\t")[0] + ip = line.split("\t")[1].split(":")[0] # probably only works for IPv4 + for port in pubkey_port_mapping[pubkey]: + port_ip_mapping[port] = ip + + # load current nftables rules + rc, output, error = nft.cmd("list ruleset") + if error: + print(error, file=sys.stderr) + nftables_output = json.loads(output) + + # 
update existing nftable dnat rules, if the remote IP mismatches + for item in nftables_output["nftables"]: + if "rule" in item and item["rule"]["family"] == "ip" and item["rule"]["table"] == "nat" and item["rule"]["chain"] == "prerouting": + handle = item["rule"]["handle"] + ip = item["rule"]["expr"][2]["dnat"]["addr"] + port = item["rule"]["expr"][1]["match"]["right"] + if not ip == port_ip_mapping[port]: + rc, output, error = nft.cmd("replace rule nat prerouting handle {} iif {} udp dport {} dnat to {}".format(handle, interface, port, port_ip_mapping[port])) + if error: + eprint(error) + else: + print("Changed dnat address from {} to {} for UDP port {}".format(ip, port_ip_mapping[port], port)) + port_ip_mapping.pop(port) + + # loop through all remaining ports and add needed dnat rules + for port in port_ip_mapping: + rc, output, error = nft.cmd("add rule nat prerouting iif {} udp dport {} dnat to {}".format(interface, port, port_ip_mapping[port])) + if error: + print(error, file=sys.stderr) + else: + print("Added dnat rule from UDP port {} to address {}".format(port, port_ip_mapping[port])) + time.sleep(10) + +if __name__ == "__main__": + main() From de66b5931ce7e836477a03aad6fb2a2a4db13e70 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 17 Sep 2023 21:03:18 +0200 Subject: [PATCH 051/386] Pass libnftables.so.1 path into python script --- config/hosts/valkyrie/services.nix | 2 +- pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix index 895865c..c9b65f2 100644 --- a/config/hosts/valkyrie/services.nix +++ b/config/hosts/valkyrie/services.nix @@ -18,7 +18,7 @@ in after = [ "wireguard-wg0.service" ]; script = '' - ${wireguard-nat-nftables}/bin/wireguard-nat-nftables.py ${config} + ${wireguard-nat-nftables}/bin/wireguard-nat-nftables.py ${config} ${pkgs.nftables}/lib ''; serviceConfig = { 
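Review bot: `eprint(error)` in the replace-rule branch is never defined anywhere in the file, so the first failed `replace rule` raises NameError and kills the service loop; every other error path here uses `print(error, file=sys.stderr)` and this line should too. Two more uncaught KeyErrors sit on the main path: `pubkey_port_mapping[pubkey]` for any peer on wg0 that is not in the config, and `port_ip_mapping[port]` for any existing `nat prerouting` rule whose port is not in the current mapping; `for port in pubkey_port_mapping.get(pubkey, []):` and `if port in port_ip_mapping and ip != port_ip_mapping[port]:` keep a stray peer or rule from taking the service down. `wg show <if> endpoints` prints `(none)` for a peer that has never completed a handshake, and the script would pass that string straight into `dnat to`, so an endpoint that does not parse as an address should be skipped (the `split(":")[0]` also mangles IPv6 endpoints, as the inline comment admits). Finally, `add rule nat postrouting masquerade` rewrites the source of every forwarded packet leaving any interface, including traffic between the site-to-site subnets over wg0; restricting it with `oif <interface>` (the uplink from the config) keeps the NAT to the link it is meant for. `main` starts on the previous line of the same hunk.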
diff --git a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py index a1c09c0..3bc8e96 100644 --- a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py +++ b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py @@ -15,7 +15,7 @@ def main(): wg_interface = config["wg_interface"] pubkey_port_mapping = config["pubkey_port_mapping"] - nft = nftables.Nftables() + nft = nftables.Nftables(sys.argv[2] + "/libnftables.so.1") nft.set_json_output(True) nft.set_handle_output(True) From ef036a6a18f73ef0f264a9dd232dacbc8b370266 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 17 Sep 2023 21:04:22 +0200 Subject: [PATCH 052/386] Add missing wireguard-tools dependency --- config/environments/openstack-vm/default.nix | 4 +- .../openstack-vm/hardware-configuration.nix | 24 ---- config/hosts/lifeline/configuration.nix | 50 +------- config/hosts/mail-1/configuration.nix | 12 +- config/hosts/valkyrie/configuration.nix | 111 +++++++++++++----- config/hosts/valkyrie/secrets.nix | 16 +++ pkgs/wireguard-nat-nftables/default.nix | 3 +- 7 files changed, 107 insertions(+), 113 deletions(-) delete mode 100644 config/environments/openstack-vm/hardware-configuration.nix diff --git a/config/environments/openstack-vm/default.nix b/config/environments/openstack-vm/default.nix index 8edb909..a2124f4 100644 --- a/config/environments/openstack-vm/default.nix +++ b/config/environments/openstack-vm/default.nix @@ -1,7 +1,7 @@ -{ lib, ... }: +{ lib, modulesPath, ... }: { imports = [ - ./hardware-configuration.nix + "${modulesPath}/virtualisation/openstack-config.nix" ]; users.users.root.initialPassword = lib.mkForce null; diff --git a/config/environments/openstack-vm/hardware-configuration.nix b/config/environments/openstack-vm/hardware-configuration.nix deleted file mode 100644 index cf5fdd0..0000000 --- a/config/environments/openstack-vm/hardware-configuration.nix +++ /dev/null 
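Review bot: `nftables.Nftables(sys.argv[2] + "/libnftables.so.1")` reads a second positional argument that the script never validates, so running it without the library path now fails with a bare IndexError on this line rather than a usage message; `if len(sys.argv) != 3: sys.exit("usage: wireguard-nat-nftables.py CONFIG LIBDIR")` at the top of `main` keeps the failure readable. The rest of `main` lies outside the hunk.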
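Review bot: Replacing the local hardware-configuration.nix with the upstream `virtualisation/openstack-config.nix` imports that profile's defaults wholesale, and to my knowledge it is that profile which sets a root `initialPassword`, relaxes `PermitRootLogin` and enables cloud-init; that is why the `lib.mkForce null` below and the `lib.mkForce "no"` in config/common exist, but nothing ties the three together. A comment on the import, `# upstream profile enables cloud-init and sets root-login defaults; overridden below and in config/common`, would make the dependency explicit. cloud-init also applies user-data from the metadata service at first boot, so whoever administers the OpenStack project can provision SSH keys or scripts on this host; that is inherent to the platform but worth stating in the file so the trust boundary is documented. The module body continues outside the hunk.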
@@ -1,24 +0,0 @@ -{ ... }: -{ - fileSystems."/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - autoResize = true; - }; - - boot = { - growPartition = true; - kernelParams = [ "console=tty1" ]; - loader.grub = { - enable = true; - device = "/dev/vda"; - extraConfig = '' - serial --unit=1 --speed=115200 --word=8 --parity=no --stop=1 - terminal_output console serial - terminal_input console serial - ''; - }; - }; - - systemd.services."serial-getty@tty1".enable = true; -} diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index b26eb44..d31ab0a 100644 --- a/config/hosts/lifeline/configuration.nix +++ b/config/hosts/lifeline/configuration.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ ... }: { boot.loader.grub = { enable = true; 
@@ -10,54 +10,6 @@ networking = { hostName = "lifeline"; useDHCP = true; - wireguard = { - enable = true; - interfaces.wg0 = { - privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret"; - listenPort = 51820; - ips = [ - "172.16.50.1/24" - ]; - peers = [ - { - name = "mail-1"; - publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs="; - presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret"; - allowedIPs = [ "172.16.50.2/32" ]; - } - ]; - postSetup = '' - ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE - ''; - postShutdown = '' - ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE - ''; - }; - }; - nat = { - enable = true; - internalInterfaces = [ "wg0" ]; - externalInterface = "ens6"; - forwardPorts = [ - { - destination = "172.16.50.2:25"; - proto = "tcp"; - sourcePort = 25; - } - { - destination = "172.16.50.2:465"; - proto = "tcp"; - sourcePort = 465; - } - { - destination = "172.16.50.2:993"; - proto = "tcp"; - sourcePort = 993; - } - ]; - }; firewall = { enable = true; allowedUDPPorts = [ 51820 ]; diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index 4638917..b66124e 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix @@ -30,7 +30,7 @@ via = "10.202.41.1"; } { - address = "217.160.117.160"; # + address = "212.53.203.19"; # valkyrie.af.grzb.de prefixLength = 32; via = "10.202.41.1"; } 
@@ -44,15 +44,15 @@ ]; peers = [ { - name = "lifeline"; - publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY="; - presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret"; - endpoint = "lifeline.io.grzb.de:51820"; + name = "valkyrie"; + publicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; + presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; + endpoint = "212.53.203.19:51821"; allowedIPs = [ "0.0.0.0/0" ]; persistentKeepalive = 25; } ]; - privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret"; + privateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret"; }; }; }; diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index 1d73f92..f6de52a 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -1,4 +1,4 @@ -{ ... }: +{ pkgs, ... }: { boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true; 
@@ -8,41 +8,90 @@ firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 51820 51827 51828 ]; + allowedUDPPorts = [ 51820 51821 51827 51828 ]; }; wireguard = { enable = true; - interfaces.wg0 = { - listenPort = 51820; - ips = [ - "10.203.10.3/24" - ]; - peers = [ - { - name = "site1-grzb"; - publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret"; - endpoint = "site1.grzb.de:51826"; - allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ]; - } - { - name = "site2-grzb"; - publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret"; - endpoint = "site2.grzb.de:51826"; - allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; - } - { - name = "site2-jsts"; - publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; - endpoint = "site1.jsts.xyz:51823"; - allowedIPs = [ "10.203.10.4/32" ]; - } - ]; - privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret"; + interfaces = { + # Site-to-site WireGuard setup also used for nftables dnat IP refresh thingy + wg0 = { + listenPort = 51820; + ips = [ + "10.203.10.3/24" + ]; + peers = [ + { + name = "site1-grzb"; + publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret"; + endpoint = "site1.grzb.de:51826"; + allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ]; + } + { + name = "site2-grzb"; + publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret"; + endpoint = "site2.grzb.de:51826"; + allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; + } + { + name = "site2-jsts"; + publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; + endpoint = 
"site1.jsts.xyz:51823"; + allowedIPs = [ "10.203.10.4/32" ]; + } + ]; + privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret"; + }; + # mail-1 VPN + wg1 = { + listenPort = 51821; + ips = [ + "172.16.50.1/24" + ]; + peers = [ + { + name = "mail-1"; + publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs="; + presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret"; + allowedIPs = [ "172.16.50.2/32" ]; + } + ]; + postSetup = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ''; + postShutdown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ''; + privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret"; + }; }; }; + nat = { + enable = true; + internalInterfaces = [ "wg1" ]; + externalInterface = "ens3"; + forwardPorts = [ + { + destination = "172.16.50.2:25"; + proto = "tcp"; + sourcePort = 25; + } + { + destination = "172.16.50.2:465"; + proto = "tcp"; + sourcePort = 465; + } + { + destination = "172.16.50.2:993"; + proto = "tcp"; + sourcePort = 993; + } + ]; + }; }; services.prometheus.exporters.node.enable = false; diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix index 7e7512c..4395a6d 100644 --- a/config/hosts/valkyrie/secrets.nix +++ b/config/hosts/valkyrie/secrets.nix 
@@ -32,4 +32,20 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + deployment.keys."wireguard-valkyrie-wg1-privatekey.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg1-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-mail-1/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; } diff --git a/pkgs/wireguard-nat-nftables/default.nix b/pkgs/wireguard-nat-nftables/default.nix index 4a75703..e687cee 100644 --- a/pkgs/wireguard-nat-nftables/default.nix +++ b/pkgs/wireguard-nat-nftables/default.nix @@ -4,12 +4,13 @@ let nftables = (prev.nftables.override { withPython = true; }); }; pkgs-overlay = pkgs.extend nftablesWithPythonOverlay; -in +in pkgs-overlay.python310Packages.buildPythonApplication { pname = "wireguard-nat-nftables"; version = "0.0.1"; propagatedBuildInputs = with pkgs-overlay; [ + wireguard-tools python310Packages.nftables ]; From a30fd6d36131115b1fbf8523f029a404eaba9124 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 18 Sep 2023 02:40:09 +0200 Subject: [PATCH 053/386] Use host resolv.conf in container --- config/hosts/valkyrie/containers/uptime-kuma/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/hosts/valkyrie/containers/uptime-kuma/default.nix b/config/hosts/valkyrie/containers/uptime-kuma/default.nix index 2939abd..78d3437 100644 --- a/config/hosts/valkyrie/containers/uptime-kuma/default.nix +++ b/config/hosts/valkyrie/containers/uptime-kuma/default.nix 
@@ -4,6 +4,8 @@ nixpkgs = nixpkgs-unstable; autoStart = true; config = { ... }: { + networking.useHostResolvConf = true; + services.uptime-kuma = { enable = true; }; From f67a75b07d042ef78ce0d6cc18fe2f4b39883727 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 18 Sep 2023 03:05:53 +0200 Subject: [PATCH 054/386] Change mail-1 wireguard port as it is already used for STS setup --- config/hosts/mail-1/configuration.nix | 4 ++-- config/hosts/valkyrie/configuration.nix | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index b66124e..d9b4fa6 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix @@ -1,4 +1,4 @@ -{ ... }: +{ hosts, ... }: { boot.loader.grub = { enable = true; @@ -47,7 +47,7 @@ name = "valkyrie"; publicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; - endpoint = "212.53.203.19:51821"; + endpoint = "212.53.203.19:51822"; allowedIPs = [ "0.0.0.0/0" ]; persistentKeepalive = 25; } diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index f6de52a..8751e09 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -8,7 +8,7 @@ firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 51820 51821 51827 51828 ]; + allowedUDPPorts = [ 51820 51821 51822 51827 51828 ]; }; wireguard = { enable = true; @@ -46,7 +46,7 @@ }; # mail-1 VPN wg1 = { - listenPort = 51821; + listenPort = 51822; ips = [ "172.16.50.1/24" ]; From e7fe3707ee61ce391da613cf219b0b5435d8c6b1 Mon Sep 17 00:00:00 2001 
From: fi Date: Mon, 18 Sep 2023 03:38:09 +0200 Subject: [PATCH 055/386] Fix WireGuard nat rules --- config/hosts/lifeline/configuration.nix | 39 +++++- config/hosts/lifeline/secrets.nix | 8 +- config/hosts/mail-1/configuration.nix | 120 +++++++++++------- .../hosts/mail-1/simple-nixos-mailserver.nix | 3 + config/hosts/mail-2/configuration.nix | 91 +++++++++++++ config/hosts/mail-2/default.nix | 7 + config/hosts/mail-2/postfix.nix | 17 +++ config/hosts/mail-2/secrets.nix | 19 +++ config/hosts/valkyrie/configuration.nix | 10 +- flake.lock | 12 +- hosts.nix | 4 + 11 files changed, 269 insertions(+), 61 deletions(-) create mode 100644 config/hosts/mail-2/configuration.nix create mode 100644 config/hosts/mail-2/default.nix create mode 100644 config/hosts/mail-2/postfix.nix create mode 100644 config/hosts/mail-2/secrets.nix diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index d31ab0a..1f53208 100644 --- a/config/hosts/lifeline/configuration.nix +++ b/config/hosts/lifeline/configuration.nix @@ -1,4 +1,4 @@ -{ ... }: +{ pkgs, ... }: { boot.loader.grub = { enable = true; 
@@ -14,6 +14,43 @@ enable = true; allowedUDPPorts = [ 51820 ]; }; + # mail-2 VPN + wireguard = { + enable = true; + interfaces.wg0 = { + listenPort = 51820; + ips = [ + "172.16.50.1/24" + ]; + peers = [ + { + name = "mail-2"; + publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM="; + presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret"; + allowedIPs = [ "172.16.50.2/32" ]; + } + ]; + postSetup = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ''; + postShutdown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ''; + privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret"; + }; + }; + nat = { + enable = true; + internalInterfaces = [ "wg0" ]; + externalInterface = "ens6"; + forwardPorts = [{ + destination = "172.16.50.2:25"; + proto = "tcp"; + sourcePort = 25; + }]; + }; }; services.prometheus.exporters.node.enable = false; diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix index 90f3f12..b14e281 100644 --- a/config/hosts/lifeline/secrets.nix +++ b/config/hosts/lifeline/secrets.nix 
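Review bot: The `postSetup`/`postShutdown` iptables hooks on wg0 duplicate the MASQUERADE that `networking.nat` below already installs for `internalInterfaces = [ "wg0" ]` on `externalInterface = "ens6"`, so the host ends up with two masquerade rules and the `-D` on shutdown removes only one of them; the `-A FORWARD -i wg0 -j ACCEPT` line is, I believe, unnecessary as well because the NixOS iptables firewall does not filter FORWARD by default. Either the hooks or the `nat` block should own these rules; given that `nat.forwardPorts` is used too, keeping `networking.nat` and deleting the hooks is the cleaner choice. `allowedUDPPorts = [ 51820 ]` in the context above matches the new `listenPort`, which is correct; a one-line `# wg0 listen port` next to it keeps the two from drifting apart.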
@@ -1,15 +1,15 @@ { ... }: { - deployment.keys."wireguard-lifeline-mail-1-lifeline-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/psk" ]; + deployment.keys."wireguard-lifeline-wg0-privatekey.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-wg0-privatekey" ]; destDir = "/secrets"; user = "root"; group = "root"; permissions = "0640"; uploadAt = "pre-activation"; }; - deployment.keys."wireguard-lifeline-mail-1-lifeline-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/lifeline-privatekey" ]; + deployment.keys."wireguard-lifeline-mail-2-lifeline-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; destDir = "/secrets"; user = "root"; group = "root"; diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index d9b4fa6..c34643d 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix 
@@ -1,61 +1,91 @@ -{ hosts, ... }: +{ pkgs, ... }: { boot.loader.grub = { enable = true; device = "/dev/vda"; }; - networking = { - hostName = "mail-1"; - useDHCP = true; - defaultGateway = { - address = "172.16.50.1"; - interface = "wg0"; - }; - interfaces.enp6s18.ipv4 = { - routes = [ - { - address = "10.201.0.0"; - prefixLength = 16; - via = "10.202.41.1"; - } - { - address = "10.202.0.0"; - prefixLength = 16; - via = "10.202.41.1"; - } - { - address = "172.21.87.0"; # management VPN - prefixLength = 24; - via = "10.202.41.1"; - } - { - address = "212.53.203.19"; # valkyrie.af.grzb.de - prefixLength = 32; - via = "10.202.41.1"; - } - ]; - }; - wireguard = { - enable = true; - interfaces.wg0 = { - ips = [ - "172.16.50.2/24" + systemd.network = { + enable = true; + networks = { + "enp6s18" = { + matchConfig.Name = "enp6s18"; + address = [ + "10.202.41.123/24" ]; - peers = [ + routes = [ { - name = "valkyrie"; - publicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; - presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; - endpoint = "212.53.203.19:51822"; - allowedIPs = [ "0.0.0.0/0" ]; - persistentKeepalive = 25; + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "10.201.0.0/16"; + }; + } + { + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "10.202.0.0/16"; + }; + } + { + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "172.21.87.0/24"; + }; + } + { + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "212.53.203.19/32"; + }; } ]; - privateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret"; + linkConfig.RequiredForOnline = "routable"; + }; + "wg0" = { + matchConfig.Name = "wg0"; + address = [ + "172.16.50.2/24" + ]; + DHCP = "no"; + gateway = [ + "172.16.50.1" + ]; + }; + }; + netdevs = { + "wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + }; + wireguardConfig = { + PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret"; + }; + wireguardPeers = [{ + 
wireguardPeerConfig = { + PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; + PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; + Endpoint = "212.53.203.19:51822"; + AllowedIPs = [ "0.0.0.0/0" ]; + PersistentKeepalive = 25; + }; + }]; }; }; }; + networking = { + hostName = "mail-1"; + useDHCP = false; + firewall = { + enable = true; + allowedTCPPorts = [ 25 465 993 ]; + }; + }; + + environment.systemPackages = with pkgs; [ + wireguard-tools + ]; + system.stateVersion = "23.05"; } diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 81fa130..63a0e3a 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix @@ -59,8 +59,11 @@ services.postfix = { transport = "relay:[mail-2.grzb.de]"; +<<<<<<< HEAD extraConfig = '' proxy_interfaces = 212.53.203.19 ''; +======= +>>>>>>> 0e55e66 (Use systemd-networkd on mail servers) }; } diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix new file mode 100644 index 0000000..38384cb --- /dev/null +++ b/config/hosts/mail-2/configuration.nix 
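Review bot: `PrivateKeyFile` and `PresharedKeyFile` under `systemd.network.netdevs` are read by systemd-networkd rather than by root, so `/secrets/wireguard-mail-1-wg0-privatekey.secret` and `/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret` must be readable by the `systemd-network` group; `config/hosts/mail-2/secrets.nix` in this commit sets `group = "systemd-network"` for exactly that reason, but the mail-1 secrets are not touched here, so please confirm they get the same group (the lifeline keys stay `root`, which is right for `networking.wireguard`). The removed `networking.interfaces.enp6s18` block carried route comments (`# management VPN`, `# valkyrie.af.grzb.de`) that the new `routeConfig` entries lose; restoring them, e.g. `Destination = "172.21.87.0/24"; # management VPN`, keeps the routing table readable. The hunk begins on the previous line.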
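Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 0e55e66 (Use systemd-networkd on mail servers)`) into `simple-nixos-mailserver.nix`, which is not valid Nix and will make evaluation of the mail-1 configuration fail until the conflict is resolved; the intended result is presumably either keeping the `extraConfig` with `proxy_interfaces = 212.53.203.19` or dropping it, not both. The same thing happens again in `PATCH 063/386` in this file around `lmtpSaveToDetailMailbox = "no";`. Both are cleaned up in later patches of this series, so squashing those fixes into the offending commits would keep every commit evaluable for bisecting.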
@@ -0,0 +1,91 @@ +{ pkgs, ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + systemd.network = { + enable = true; + networks = { + "enp6s18" = { + matchConfig.Name = "enp6s18"; + address = [ + "10.201.41.100/24" + ]; + routes = [ + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "10.201.0.0/16"; + }; + } + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "10.202.0.0/16"; + }; + } + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "172.21.87.0/24"; + }; + } + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "217.160.117.160/32"; + }; + } + ]; + linkConfig.RequiredForOnline = "routable"; + }; + "wg0" = { + matchConfig.Name = "wg0"; + address = [ + "172.16.50.2/24" + ]; + DHCP = "no"; + gateway = [ + "172.16.50.1" + ]; + }; + }; + netdevs = { + "wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + }; + wireguardConfig = { + PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret"; + }; + wireguardPeers = [{ + wireguardPeerConfig = { + PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4="; + PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret"; + Endpoint = "217.160.117.160:51820"; + AllowedIPs = [ "0.0.0.0/0" ]; + PersistentKeepalive = 25; + }; + }]; + }; + }; + }; + + networking = { + hostName = "mail-2"; + useDHCP = false; + firewall = { + enable = true; + allowedTCPPorts = [ 25 ]; + }; + }; + + environment.systemPackages = with pkgs; [ + wireguard-tools + ]; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/mail-2/default.nix b/config/hosts/mail-2/default.nix new file mode 100644 index 0000000..471f0d6 --- /dev/null +++ b/config/hosts/mail-2/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./postfix.nix + ]; +} diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix new file mode 100644 index 0000000..d81e999 --- /dev/null +++ b/config/hosts/mail-2/postfix.nix 
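Review bot: The four `routeConfig` entries carry no comments, so `172.21.87.0/24` and `217.160.117.160/32` are unexplained here even though the old mail-1 block annotated the equivalent routes (`# management VPN`, `# valkyrie.af.grzb.de`); a one-line comment per route such as `Destination = "217.160.117.160/32"; # lifeline, WireGuard endpoint` would document why a /32 host route exists next to a default route over wg0. The file is otherwise a copy of `config/hosts/mail-1/configuration.nix` with different addresses and peer key, so a shared module parameterised on LAN address, routes and peer would avoid editing both on every change (as `PATCH 057/386` then has to).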
@@ -0,0 +1,17 @@ +{ ... }: { + # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup + services.postfix = { + enable = true; + hostname = "mail-2.grzb.de"; + relayDomains = [ + "grzb.de" + "nekover.se" + ]; + extraConfig = '' + message_size_limit = 20971520 + smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination + proxy_interfaces = 217.160.117.160 + relay_recipient_maps = + ''; + }; +} diff --git a/config/hosts/mail-2/secrets.nix b/config/hosts/mail-2/secrets.nix new file mode 100644 index 0000000..70606af --- /dev/null +++ b/config/hosts/mail-2/secrets.nix @@ -0,0 +1,19 @@ +{ ... }: +{ + deployment.keys."wireguard-mail-2-wg0-privatekey.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/mail-2-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."wireguard-lifeline-mail-2-mail-2-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index 8751e09..008ead2 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -35,7 +35,7 @@ allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; } { - name = "site2-jsts"; + name = "site1-jsts"; publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; endpoint = "site1.jsts.xyz:51823"; 
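Review bot: `relay_recipient_maps =` is left empty, so this backup MX accepts mail for any address under `grzb.de` and `nekover.se` and only discovers an invalid recipient when it hands the message on, at which point this host generates the bounce (backscatter) instead of rejecting at SMTP time. The STANDARD_CONFIGURATION_README section linked in the comment recommends populating `relay_recipient_maps` with the valid addresses of the primary; if that list cannot be synchronised, the comment should say so explicitly, e.g. `# relay_recipient_maps is intentionally empty: unknown recipients bounce here rather than being rejected`. `smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination` is the Postfix default and could be dropped or commented as deliberate.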
@@ -59,12 +59,12 @@ } ]; postSetup = '' - ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg1 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens3 -j MASQUERADE ''; postShutdown = '' - ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens3 -j MASQUERADE ''; privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret"; }; diff --git a/flake.lock b/flake.lock index 3d6c071..1f29fe8 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1694493899, - "narHash": "sha256-46zEnn7H/G2ne735wEEKKW+LoyPa6NOWj2P9InxDfJs=", + "lastModified": 1695011647, + "narHash": "sha256-A0iKkey2LBlKCvwMR0HDXSs7ubdFP3ly8YE3m2zS/L4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c5167858ca4870e933da123762eb55363ccefe2b", + "rev": "4d2bff6897a5434eef9bd958c7e89c96dec569e0", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1694502577, - "narHash": "sha256-MMW8BMlRU38Zewova/BOYy3ER+GM2nPln+UYeHI9EsI=", + "lastModified": 1694928810, + "narHash": "sha256-M/3+pRQmM+FeBeSKRp0b01pncbNiiC2ggJE4Wpi7c1Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "55ec5ae7d6c3f7866a0696a6ccfb66a1665b3d72", + "rev": "948e8754755a9f27587d5bd109af2cfad313add8", "type": "github" }, "original": { diff --git a/hosts.nix b/hosts.nix index 472ac92..195a247 100644 --- a/hosts.nix +++ b/hosts.nix @@ -53,6 +53,10 @@ in site = "vs"; environment = "proxmox"; }; + mail-2 = { + site = "wg"; + environment = "proxmox"; + }; matrix = { site = "vs"; environment = "proxmox"; 
From 4538bfb3751706f5221506a80114c08fa8e66ada Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 19 Sep 2023 00:06:12 +0200 Subject: [PATCH 056/386] Add tcpdump to default packages --- config/common/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/config/common/default.nix b/config/common/default.nix index ea3ccf2..0aee917 100644 --- a/config/common/default.nix +++ b/config/common/default.nix @@ -33,6 +33,7 @@ parted tmux nano + tcpdump ]; services.openssh = { From e3b6c9a2bcfad87d93bc9d3732742c9a172dcb4b Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 19 Sep 2023 00:07:23 +0200 Subject: [PATCH 057/386] Use another subnet for WireGuard tunnel as is conflicts with the openstack internal subnet --- config/hosts/lifeline/configuration.nix | 10 +++++----- config/hosts/mail-1/configuration.nix | 4 ++-- config/hosts/mail-1/simple-nixos-mailserver.nix | 3 --- config/hosts/mail-2/configuration.nix | 4 ++-- config/hosts/valkyrie/configuration.nix | 14 +++++++------- 5 files changed, 16 insertions(+), 19 deletions(-) diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index 1f53208..207e1ad 100644 --- a/config/hosts/lifeline/configuration.nix +++ b/config/hosts/lifeline/configuration.nix 
@@ -20,23 +20,23 @@ interfaces.wg0 = { listenPort = 51820; ips = [ - "172.16.50.1/24" + "172.18.50.1/24" ]; peers = [ { name = "mail-2"; publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM="; presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret"; - allowedIPs = [ "172.16.50.2/32" ]; + allowedIPs = [ "172.18.50.2/32" ]; } ]; postSetup = '' ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.18.50.0/24 -o ens6 -j MASQUERADE ''; postShutdown = '' ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens6 -j MASQUERADE ''; privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret"; }; @@ -46,7 +46,7 @@ internalInterfaces = [ "wg0" ]; externalInterface = "ens6"; forwardPorts = [{ - destination = "172.16.50.2:25"; + destination = "172.18.50.2:25"; proto = "tcp"; sourcePort = 25; }]; diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index c34643d..2418afc 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix @@ -44,11 +44,11 @@ "wg0" = { matchConfig.Name = "wg0"; address = [ - "172.16.50.2/24" + "172.18.50.2/24" ]; DHCP = "no"; gateway = [ - "172.16.50.1" + "172.18.50.1" ]; }; }; diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 63a0e3a..81fa130 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix 
@@ -59,11 +59,8 @@ services.postfix = { transport = "relay:[mail-2.grzb.de]"; -<<<<<<< HEAD extraConfig = '' proxy_interfaces = 212.53.203.19 ''; -======= ->>>>>>> 0e55e66 (Use systemd-networkd on mail servers) }; } diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix index 38384cb..1b622c7 100644 --- a/config/hosts/mail-2/configuration.nix +++ b/config/hosts/mail-2/configuration.nix @@ -44,11 +44,11 @@ "wg0" = { matchConfig.Name = "wg0"; address = [ - "172.16.50.2/24" + "172.18.50.2/24" ]; DHCP = "no"; gateway = [ - "172.16.50.1" + "172.18.50.1" ]; }; }; diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index 008ead2..116e57d 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -48,23 +48,23 @@ wg1 = { listenPort = 51822; ips = [ - "172.16.50.1/24" + "172.18.50.1/24" ]; peers = [ { name = "mail-1"; publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs="; presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret"; - allowedIPs = [ "172.16.50.2/32" ]; + allowedIPs = [ "172.18.50.2/32" ]; } ]; postSetup = '' ${pkgs.iptables}/bin/iptables -A FORWARD -i wg1 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens3 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE ''; postShutdown = '' ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens3 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE ''; privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret"; }; 
@@ -76,17 +76,17 @@ externalInterface = "ens3"; forwardPorts = [ { - destination = "172.16.50.2:25"; + destination = "172.18.50.2:25"; proto = "tcp"; sourcePort = 25; } { - destination = "172.16.50.2:465"; + destination = "172.18.50.2:465"; proto = "tcp"; sourcePort = 465; } { - destination = "172.16.50.2:993"; + destination = "172.18.50.2:993"; proto = "tcp"; sourcePort = 993; } From 0d820c58afa1450b9ffe742d4926438c4e3ed50d Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 19 Sep 2023 00:09:41 +0200 Subject: [PATCH 058/386] Use a less generic nftables table name --- .../src/wireguard-nat-nftables.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py index 3bc8e96..c72869d 100644 --- a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py +++ b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py @@ -20,9 +20,9 @@ def main(): nft.set_handle_output(True) # add nat table rules for dnat and snat masquerade - nft.cmd("add table nat") - nft.cmd("add chain nat prerouting { type nat hook prerouting priority -100; }") - nft.cmd("add chain nat postrouting { type nat hook postrouting priority 100; }") + nft.cmd("add table wireguard-nat") + nft.cmd("add chain wireguard-nat prerouting { type nat hook prerouting priority -100; }") + nft.cmd("add chain wireguard-nat postrouting { type nat hook postrouting priority 100; }") # load current nftables rules rc, output, error = nft.cmd("list ruleset") 
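Review bot: Renaming the table to `wireguard-nat` leaves the previously created `nat` table, with its `prerouting` dnat rules and `postrouting masquerade`, in the kernel on every host already running this script, so until a reboot both tables perform NAT on the same packets. Since deleting a table named `nat` could affect other tooling on the box, a one-time manual step (or a guarded migration that only deletes it when it contains exactly this script's chains) should be documented in the commit or in a comment above `nft.cmd("add table wireguard-nat")`. The return codes of the three `add` commands are also discarded while `list ruleset` checks `error`; handling them the same way would surface a failed chain creation immediately. `main()` continues outside this hunk.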
@@ -34,14 +34,14 @@ def main(): for item in nftables_output["nftables"]: if ("rule" in item and item["rule"]["family"] == "ip" - and item["rule"]["table"] == "nat" + and item["rule"]["table"] == "wireguard-nat" and item["rule"]["chain"] == "postrouting" and "masquerade" in item["rule"]["expr"][0] ): add_masquerade = False break if add_masquerade: - nft.cmd("add rule nat postrouting masquerade") + nft.cmd("add rule wireguard-nat postrouting masquerade") while True: # list WireGuard peer endpoint addresses of WireGuard VPN connection @@ -67,12 +67,12 @@ def main(): # update existing nftable dnat rules, if the remote IP mismatches for item in nftables_output["nftables"]: - if "rule" in item and item["rule"]["family"] == "ip" and item["rule"]["table"] == "nat" and item["rule"]["chain"] == "prerouting": + if "rule" in item and item["rule"]["family"] == "ip" and item["rule"]["table"] == "wireguard-nat" and item["rule"]["chain"] == "prerouting": handle = item["rule"]["handle"] ip = item["rule"]["expr"][2]["dnat"]["addr"] port = item["rule"]["expr"][1]["match"]["right"] if not ip == port_ip_mapping[port]: - rc, output, error = nft.cmd("replace rule nat prerouting handle {} iif {} udp dport {} dnat to {}".format(handle, interface, port, port_ip_mapping[port])) + rc, output, error = nft.cmd("replace rule wireguard-nat prerouting handle {} iif {} udp dport {} dnat to {}".format(handle, interface, port, port_ip_mapping[port])) if error: eprint(error) else: @@ -81,7 +81,7 @@ def main(): # loop through all remaining ports and add needed dnat rules for port in port_ip_mapping: - rc, output, error = nft.cmd("add rule nat prerouting iif {} udp dport {} dnat to {}".format(interface, port, port_ip_mapping[port])) + rc, output, error = nft.cmd("add rule wireguard-nat prerouting iif {} udp dport {} dnat to {}".format(interface, port, port_ip_mapping[port])) if error: print(error, file=sys.stderr) else: From 215065aa6c813ab7d1cf5f99b276c83380932e8e Mon Sep 17 00:00:00 2001 
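Review bot: In the `@@ -67,12 +67,12 @@` hunk the new filter line is followed by `if not ip == port_ip_mapping[port]:`, which raises `KeyError` for any existing `wireguard-nat prerouting` rule whose port was removed from `pubkey_port_mapping` in the meantime, so one stale rule takes the whole loop down; `if port in port_ip_mapping and ip != port_ip_mapping[port]:` (and deleting rules for unknown ports) would make it robust. Error reporting is also inconsistent between that hunk (`eprint(error)`) and the `@@ -81,7 +81,7 @@` hunk (`print(error, file=sys.stderr)`); one helper should be used in both places. `main()` starts and ends outside these hunks.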
From: fi Date: Tue, 19 Sep 2023 15:58:42 +0200 Subject: [PATCH 059/386] Use snat rule instead if masquerade for wireguard nat --- config/hosts/valkyrie/configuration.nix | 2 +- config/hosts/valkyrie/services.nix | 1 + .../src/wireguard-nat-nftables.py | 20 +++++-------------- 3 files changed, 7 insertions(+), 16 deletions(-) diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index 116e57d..f4e2db5 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -8,7 +8,7 @@ firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 51820 51821 51822 51827 51828 ]; + allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ]; }; wireguard = { enable = true; diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix index c9b65f2..602c80c 100644 --- a/config/hosts/valkyrie/services.nix +++ b/config/hosts/valkyrie/services.nix @@ -3,6 +3,7 @@ let wireguard-nat-nftables = import ../../../pkgs/wireguard-nat-nftables pkgs; config = pkgs.writeText "wireguard-nat-nftables-config" (builtins.toJSON { interface = "ens3"; + interface_address = "172.16.4.180"; wg_interface = "wg0"; pubkey_port_mapping = { "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=" = [ 51827 51829 ]; diff --git a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py index c72869d..c49b4b7 100644 --- a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py +++ b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py @@ -12,6 +12,7 @@ def main(): f.close() interface = config["interface"] + interface_address = config["interface_address"] wg_interface = config["wg_interface"] pubkey_port_mapping = config["pubkey_port_mapping"] 
@@ -19,30 +20,19 @@ def main(): nft.set_json_output(True) nft.set_handle_output(True) - # add nat table rules for dnat and snat masquerade + # add nat table rules for dnat and snat nft.cmd("add table wireguard-nat") + nft.cmd("flush table wireguard-nat") nft.cmd("add chain wireguard-nat prerouting { type nat hook prerouting priority -100; }") nft.cmd("add chain wireguard-nat postrouting { type nat hook postrouting priority 100; }") - + nft.cmd("add rule wireguard-nat postrouting oifname {} snat to {}".format(interface, interface_address)) + # load current nftables rules rc, output, error = nft.cmd("list ruleset") if error: print(error, file=sys.stderr) nftables_output = json.loads(output) - add_masquerade = True - for item in nftables_output["nftables"]: - if ("rule" in item - and item["rule"]["family"] == "ip" - and item["rule"]["table"] == "wireguard-nat" - and item["rule"]["chain"] == "postrouting" - and "masquerade" in item["rule"]["expr"][0] - ): - add_masquerade = False - break - if add_masquerade: - nft.cmd("add rule wireguard-nat postrouting masquerade") - while True: # list WireGuard peer endpoint addresses of WireGuard VPN connection process = subprocess.Popen(["wg", "show", wg_interface, "endpoints"], stdout=subprocess.PIPE, stderr=subprocess.PIPE) From 91bd9f3c1d5798b2007b51f8da56fa1799a0e07f Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 19 Sep 2023 16:48:17 +0200 Subject: [PATCH 060/386] Forward port 80 to mail servers for the http acme challange --- config/hosts/lifeline/configuration.nix | 11 +++++++++-- config/hosts/valkyrie/configuration.nix | 5 +++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index 207e1ad..500c407 100644 --- a/config/hosts/lifeline/configuration.nix +++ b/config/hosts/lifeline/configuration.nix 
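Review bot: The new rule `add rule wireguard-nat postrouting oifname {} snat to {}` has no source or input-interface qualifier, so every new connection leaving `interface`, host-originated or forwarded from any other interface, is rewritten to `interface_address`, not only the WireGuard traffic this script forwards; on valkyrie the wg1 traffic that `postSetup` already masquerades with iptables would hit it too. Qualifying it, e.g. `"add rule wireguard-nat postrouting iifname {} oifname {} snat to {}".format(wg_interface, interface, interface_address)`, keeps the table's effect to what the script is responsible for. Replacing `masquerade` with a fixed `snat to` also means the address hard-coded as `interface_address` in `valkyrie/services.nix` must be kept in step with the interface's real address by hand, which deserves a comment there. The return code of the `flush`/`add` commands is still ignored, and `main()` continues beyond the hunk.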
@@ -45,11 +45,18 @@ enable = true; internalInterfaces = [ "wg0" ]; externalInterface = "ens6"; - forwardPorts = [{ + forwardPorts = [ + { destination = "172.18.50.2:25"; proto = "tcp"; sourcePort = 25; - }]; + } + { + destination = "172.18.50.2:80"; + proto = "tcp"; + sourcePort = 80; + } + ]; }; }; diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index f4e2db5..fd3cd45 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -80,6 +80,11 @@ proto = "tcp"; sourcePort = 25; } + { + destination = "172.18.50.2:80"; + proto = "tcp"; + sourcePort = 80; + } { destination = "172.18.50.2:465"; proto = "tcp"; From 9815afffdbf121f7583a2485be9d964111910d5f Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 19 Sep 2023 16:49:00 +0200 Subject: [PATCH 061/386] Enable TLS on mail relay --- config/hosts/mail-2/acme.nix | 9 +++++++++ config/hosts/mail-2/configuration.nix | 2 +- config/hosts/mail-2/default.nix | 1 + config/hosts/mail-2/postfix.nix | 5 ++++- 4 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 config/hosts/mail-2/acme.nix diff --git a/config/hosts/mail-2/acme.nix b/config/hosts/mail-2/acme.nix new file mode 100644 index 0000000..c6a353c --- /dev/null +++ b/config/hosts/mail-2/acme.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + security.acme.certs = { + "mail-2.grzb.de" = { + listenHTTP = ":80"; + reloadServices = [ "postfix.service" ]; + }; + }; +} diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix index 1b622c7..b4a7192 100644 --- a/config/hosts/mail-2/configuration.nix +++ b/config/hosts/mail-2/configuration.nix @@ -79,7 +79,7 @@ useDHCP = false; firewall = { enable = true; - allowedTCPPorts = [ 25 ]; + allowedTCPPorts = [ 25 80 ]; }; }; diff --git a/config/hosts/mail-2/default.nix b/config/hosts/mail-2/default.nix index 471f0d6..ab5c757 100644 --- a/config/hosts/mail-2/default.nix +++ b/config/hosts/mail-2/default.nix 
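Review bot: In the new `config/hosts/mail-2/acme.nix` the certificate is declared without `security.acme.acceptTerms = true` and without an `email` (per-cert or `security.acme.defaults.email`); the NixOS ACME module asserts on both, so evaluation of mail-2 will fail unless they are already set in a common module that this series does not show. Either add them here or leave a comment such as `# acceptTerms and defaults.email are set in config/common` so the dependency is visible next to the cert.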
@@ -3,5 +3,6 @@ imports = [ ./configuration.nix ./postfix.nix + ./acme.nix ]; } diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix index d81e999..eb88cdf 100644 --- a/config/hosts/mail-2/postfix.nix +++ b/config/hosts/mail-2/postfix.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ config, ... }: +{ # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup services.postfix = { enable = true; @@ -7,6 +8,8 @@ "grzb.de" "nekover.se" ]; + sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem"; + sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem"; extraConfig = '' message_size_limit = 20971520 smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination From d036d4a167eace51741f44e39633050117710fca Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 19 Sep 2023 17:13:36 +0200 Subject: [PATCH 062/386] Configure TLS settings on mail relay --- config/hosts/mail-2/postfix.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix index eb88cdf..b7e54f3 100644 --- a/config/hosts/mail-2/postfix.nix +++ b/config/hosts/mail-2/postfix.nix 
@@ -15,6 +15,23 @@ smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination proxy_interfaces = 217.160.117.160 relay_recipient_maps = + smtp_tls_ciphers = high + smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtp_tls_mandatory_ciphers = high + smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + smtpd_tls_auth_only = yes + smtpd_tls_ciphers = high + smtpd_tls_eecdh_grade = ultra + smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtpd_tls_loglevel = 1 + smtpd_tls_mandatory_ciphers = high + smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + tls_preempt_cipherlist = yes + tls_random_source = dev:/dev/urandom ''; }; } From 440251d2fcdc1ced987a3bb3c4e4362ed418c701 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 19 Sep 2023 17:56:36 +0200 Subject: [PATCH 063/386] Use only snake case for element-web config since camel case is deprecated --- config/hosts/mail-1/simple-nixos-mailserver.nix | 3 +++ config/hosts/matrix/matrix-synapse.nix | 4 ++-- config/hosts/nextcloud/nextcloud.nix | 4 ++-- .../virtualHosts/element-web-config/config.json | 10 +++++----- .../web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- flake.lock | 12 ++++++------ 6 files changed, 20 insertions(+), 17 deletions(-) diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 81fa130..126b0dc 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix 
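Review bot: `PSD` in the four `*_exclude_ciphers` lists is not an OpenSSL cipher-list keyword (the neighbours `SRP`, `ADH`, `aNULL` are), so it is silently ignored and the exclusion it was meant to express, presumably `PSK`, never takes effect. The protocol lists also allow `TLSv1.1` while excluding `TLSv1`, although both share the same deprecated status; for the `*_mandatory_protocols` lists dropping it is safe, and for the opportunistic `smtp(d)_tls_protocols` keeping it to avoid cleartext fallback is defensible, but that asymmetry should be a commented, deliberate choice. If the nixpkgs Postfix at this pin is 3.6 or newer, the `>=TLSv1.2` form is the documented replacement for these include/exclude lists, and the repeated cipher string could live in one `let` binding rather than four copies.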
@@ -10,7 +10,10 @@ enableImapSsl = true; enableSubmission = false; enableSubmissionSsl = true; +<<<<<<< HEAD lmtpSaveToDetailMailbox = "no"; +======= +>>>>>>> 634557c (Change mail config of services to use new mail server) domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ]; loginAccounts = { "fiona@grzb.de" = { diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index e4f508e..19f8824 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -10,9 +10,9 @@ args.password = "synapse"; }; email = { - smtp_host = "mail.grzb.de"; + smtp_host = "mail-1.grzb.de"; smtp_port = 465; - smtp_user = "matrix"; + smtp_user = "matrix@nekover.se"; force_tls = true; notif_from = "Nekoverse Matrix Server "; }; diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index dd3a328..22f456e 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -25,9 +25,9 @@ mail_domain = "nekover.se"; mail_smtpauthtype = "LOGIN"; mail_smtpauth = 1; - mail_smtphost = "mail.grzb.de"; + mail_smtphost = "mail-1.grzb.de"; mail_smtpport = 465; - mail_smtpname = "nextcloud"; + mail_smtpname = "cloud@nekover.se"; }; # Only contains mail_smtppassword secretFile = "/secrets/nextcloud-secretfile.secret"; diff --git a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json index 96b6288..7344ce4 100644 --- a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json +++ b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json 
@@ -24,12 +24,12 @@ ], "bug_report_endpoint_url": "https://element.io/bugreports/submit", "uisi_autorageshake_app": "element-auto-uisi", - "defaultCountryCode": "DE", - "showLabsSettings": true, - "features": { }, + "default_country_code": "DE", + "show_labs_settings": true, + "features": {}, "default_federate": true, "default_theme": "dark", - "roomDirectory": { + "room_directory": { "servers": [ "matrix.org" ] @@ -39,7 +39,7 @@ "https://matrix.org": false, "https://matrix-client.matrix.org": false }, - "settingDefaults": { + "setting_defaults": { "breadcrumbs": true }, "jitsi": { diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index ba220c7..9e6bbf9 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,8 +1,8 @@ { pkgs, ... }: let element-web = pkgs.fetchzip { - url = "https://github.com/vector-im/element-web/releases/download/v1.11.40/element-v1.11.40.tar.gz"; - sha256 = "sha256-IZ1FjT9fAv6wDfgLcCLBHwg6iXGXC4E0/2/67hArD4w="; + url = "https://github.com/vector-im/element-web/releases/download/v1.11.43/element-v1.11.43.tar.gz"; + sha256 = "sha256-MxUu5dFf4RL0crQol4hG6gNE+9Qu5/vBWdpf0ENaFV0="; }; in { diff --git a/flake.lock b/flake.lock index 1f29fe8..ca1b1d6 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1695011647, - "narHash": "sha256-A0iKkey2LBlKCvwMR0HDXSs7ubdFP3ly8YE3m2zS/L4=", + "lastModified": 1695106126, + "narHash": "sha256-5BDOEo5miK+46ByqhooW32viYzDUmHrw++UK8zkMbPg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4d2bff6897a5434eef9bd958c7e89c96dec569e0", + "rev": "53d337b63c8f9d7e0f8709cae0008a9655bee33e", "type": "github" }, "original": { 
@@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1694928810, - "narHash": "sha256-M/3+pRQmM+FeBeSKRp0b01pncbNiiC2ggJE4Wpi7c1Q=", + "lastModified": 1695043561, + "narHash": "sha256-ajrDIUJA5RB6Y2I1G4suDhiDMJuwg1WarNuasshRobE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "948e8754755a9f27587d5bd109af2cfad313add8", + "rev": "089313d7c7c864b21648d78fb8700062dafab1f2", "type": "github" }, "original": { From a2855162eb3c70325f00a81cc849b24507a37891 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 21 Sep 2023 23:14:19 +0200 Subject: [PATCH 064/386] Set resolv.conf file manually for uptime-kuma container due to a bug --- config/hosts/valkyrie/containers/uptime-kuma/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/config/hosts/valkyrie/containers/uptime-kuma/default.nix b/config/hosts/valkyrie/containers/uptime-kuma/default.nix index 78d3437..ca36384 100644 --- a/config/hosts/valkyrie/containers/uptime-kuma/default.nix +++ b/config/hosts/valkyrie/containers/uptime-kuma/default.nix @@ -10,6 +10,13 @@ enable = true; }; + # The resolv.conf file doesn't seem to be copied from host after the first start of the container after reboot + # See: https://nixos.wiki/wiki/NixOS_Containers#Troubleshooting + environment.etc."resolv.conf".text = '' + nameserver 172.16.0.2 + nameserver 172.16.0.3 + ''; + system.stateVersion = "23.05"; }; }; From c1e74a4494914514ebcec98842b9f8f85925e264 Mon Sep 17 00:00:00 2001 
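Review bot: In the uptime-kuma container hunk the two resolvers are hard-coded into `environment.etc."resolv.conf".text`, so they will drift from whatever the host actually uses; if the host's `config` is in scope in this file, `lib.concatMapStrings (ns: "nameserver ${ns}\n") config.networking.nameservers` would keep them in step, otherwise a comment naming where these addresses come from would help. The comment already links the wiki troubleshooting entry, which is good; adding the NixOS release this was observed on lets the workaround be removed later. The enclosing `containers` set starts before the hunk.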
From: fi Date: Mon, 25 Sep 2023 01:35:11 +0200 Subject: [PATCH 065/386] Setup paperless host and reverse proxy for acme http challange --- .../hosts/mail-1/simple-nixos-mailserver.nix | 3 -- config/hosts/paperless/configuration.nix | 17 ++++++++++ config/hosts/paperless/default.nix | 9 ++++++ .../paperless/hardware-configuration.nix | 30 ++++++++++++++++++ config/hosts/paperless/nginx.nix | 31 +++++++++++++++++++ config/hosts/paperless/paperless.nix | 8 +++++ config/hosts/paperless/secrets.nix | 19 ++++++++++++ config/hosts/web-public-1/configuration.nix | 17 ++++++++++ config/hosts/web-public-1/default.nix | 7 +++++ config/hosts/web-public-1/nginx.nix | 10 ++++++ .../virtualHosts/acme-challenge.nix | 12 +++++++ .../web-public-1/virtualHosts/default.nix | 16 ++++++++++ hosts.nix | 8 +++++ 13 files changed, 184 insertions(+), 3 deletions(-) create mode 100644 config/hosts/paperless/configuration.nix create mode 100644 config/hosts/paperless/default.nix create mode 100644 config/hosts/paperless/hardware-configuration.nix create mode 100644 config/hosts/paperless/nginx.nix create mode 100644 config/hosts/paperless/paperless.nix create mode 100644 config/hosts/paperless/secrets.nix create mode 100644 config/hosts/web-public-1/configuration.nix create mode 100644 config/hosts/web-public-1/default.nix create mode 100644 config/hosts/web-public-1/nginx.nix create mode 100644 config/hosts/web-public-1/virtualHosts/acme-challenge.nix create mode 100644 config/hosts/web-public-1/virtualHosts/default.nix diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 126b0dc..81fa130 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix 
@@ -10,10 +10,7 @@ enableImapSsl = true; enableSubmission = false; enableSubmissionSsl = true; -<<<<<<< HEAD lmtpSaveToDetailMailbox = "no"; -======= ->>>>>>> 634557c (Change mail config of services to use new mail server) domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ]; loginAccounts = { "fiona@grzb.de" = { diff --git a/config/hosts/paperless/configuration.nix b/config/hosts/paperless/configuration.nix new file mode 100644 index 0000000..494f08c --- /dev/null +++ b/config/hosts/paperless/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "paperless"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/paperless/default.nix b/config/hosts/paperless/default.nix new file mode 100644 index 0000000..e6ebeed --- /dev/null +++ b/config/hosts/paperless/default.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ./nginx.nix + ./paperless.nix + ]; +} diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix new file mode 100644 index 0000000..69684c1 --- /dev/null +++ b/config/hosts/paperless/hardware-configuration.nix @@ -0,0 +1,30 @@ +{ ... }: +{ + fileSystems = { + "/mnt/data" = { + device = "/dev/disk/by-label/data"; + fsType = "ext4"; + autoFormat = true; + autoResize = true; + }; + "/mnt/paperless-consume" = { + device = "//10.201.40.10/paperless-consume"; + fsType = "cifs"; + options = [ + "username=paperless" + "credentials=/secrets/paperless-samba-credentials.secret" + "iocharset=utf8" + "vers=3.1.1" + "uid=paperless" + "gid=paperless" + "_netdev" + ]; + }; + "/var/lib/paperless" = { + depends = [ "/mnt/data" ]; + device = "/mnt/data/paperless"; + fsType = "none"; + options = [ "bind" "X-mount.owner=paperless" "X-mount.group=paperless" ]; + }; + }; +} 
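Review bot: `config/hosts/paperless/default.nix` imports four modules but not `./secrets.nix`, although `paperless.nix` and `hardware-configuration.nix` in this same commit read `/secrets/paperless-admin-password.secret` and `/secrets/paperless-samba-credentials.secret`, which only `secrets.nix` deploys. If the deployment layer wires `secrets.nix` in by itself (the mastodon host added later in this series omits it the same way, so this may be deliberate), a one-line comment `# secrets.nix is picked up by the deployment tooling, not imported here` saves the next reader the search; otherwise add `./secrets.nix` to the list. The CIFS entry needs its credentials file at boot, so a missing key there would fail the mount rather than just the service.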
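Review bot: `autoFormat = true` on `"/mnt/data"` is paired with `device = "/dev/disk/by-label/data"`, and that by-label symlink only exists once a filesystem carrying the label is already present, so on a blank disk the device never appears and the format step cannot run, while on a labelled disk there is nothing to format. Either point `device` at the stable disk path and pass `formatOptions = "-L data"` so the label is created by the format, or drop `autoFormat` (the mastodon host added later in this series uses `autoResize` without it). An automatic mkfs on the volume that also backs `/var/lib/paperless` deserves at least a comment stating when it is expected to fire.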
diff --git a/config/hosts/paperless/nginx.nix b/config/hosts/paperless/nginx.nix new file mode 100644 index 0000000..e4a2131 --- /dev/null +++ b/config/hosts/paperless/nginx.nix @@ -0,0 +1,31 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + virtualHosts."paperless.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}"; + proxyWebsockets = true; + extraConfig = '' + add_header Referrer-Policy "strict-origin-when-cross-origin"; + ''; + }; + extraConfig = '' + client_max_body_size 100M; + ''; + }; + }; +} diff --git a/config/hosts/paperless/paperless.nix b/config/hosts/paperless/paperless.nix new file mode 100644 index 0000000..1def83d --- /dev/null +++ b/config/hosts/paperless/paperless.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + services.paperless = { + enable = true; + consumptionDir = "/mnt/paperless-consume"; + passwordFile = "/secrets/paperless-admin-password.secret"; + }; +} diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix new file mode 100644 index 0000000..92a8b1d --- /dev/null +++ b/config/hosts/paperless/secrets.nix 
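Review bot: This vhost terminates TLS (`forceSSL`, `enableACME`) but sets no `Strict-Transport-Security` header, and nothing in this file adds one, so as far as the visible config shows `paperless.grzb.de` is served without HSTS. Add `add_header Strict-Transport-Security "max-age=63072000" always;` next to the existing `Referrer-Policy` line inside `locations."/"` rather than at server level: nginx stops inheriting server-level `add_header` directives in any location that declares its own, and `locations."/"` already does. The same inheritance rule means any header added later under the server's `extraConfig` will silently not apply to `/`, which is worth a comment on that block.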
@@ -0,0 +1,19 @@ +{ ... }: +{ + deployment.keys."paperless-admin-password.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/admin-password" ]; + destDir = "/secrets"; + user = "paperless"; + group = "paperless"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."paperless-samba-credentials.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/web-public-1/configuration.nix b/config/hosts/web-public-1/configuration.nix new file mode 100644 index 0000000..7f3b8fa --- /dev/null +++ b/config/hosts/web-public-1/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "web-public-1"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/web-public-1/default.nix b/config/hosts/web-public-1/default.nix new file mode 100644 index 0000000..3db73ca --- /dev/null +++ b/config/hosts/web-public-1/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/web-public-1/nginx.nix b/config/hosts/web-public-1/nginx.nix new file mode 100644 index 0000000..0453a73 --- /dev/null +++ b/config/hosts/web-public-1/nginx.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + imports = [ + ./virtualHosts + ]; + + services.nginx = { + enable = true; + }; +} diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix new file mode 100644 index 0000000..fd1e474 --- /dev/null +++ b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix 
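Review bot: `allowedTCPPorts = [ 80 443 ]` opens 443 on `web-public-1`, but the nginx config added for this host in the same commit (`nginx.nix` and both files under `virtualHosts/`) only declares port-80 listeners, so 443 is reachable with nothing behind it. Restrict it to `allowedTCPPorts = [ 80 ];` until a TLS listener exists; the paperless host's identical list is fine because its vhost does listen on 443.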
@@ -0,0 +1,12 @@ +{ ... }: +{ + services.nginx.virtualHosts."paperless.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://paperless.wg.grzb.de:80"; + }; + }; +} diff --git a/config/hosts/web-public-1/virtualHosts/default.nix b/config/hosts/web-public-1/virtualHosts/default.nix new file mode 100644 index 0000000..e191a9c --- /dev/null +++ b/config/hosts/web-public-1/virtualHosts/default.nix @@ -0,0 +1,16 @@ +{ ... }: +{ + imports = [ + ./acme-challenge.nix + ]; + + services.nginx.virtualHosts."_" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; +} diff --git a/hosts.nix b/hosts.nix index 195a247..ab78a2d 100644 --- a/hosts.nix +++ b/hosts.nix @@ -77,6 +77,10 @@ in site = "vs"; environment = "proxmox"; }; + paperless = { + site = "wg"; + environment = "proxmox"; + }; coturn = { site = "vs"; environment = "proxmox"; @@ -89,6 +93,10 @@ in site = "af"; environment = "openstack"; }; + web-public-1 = { + site = "wg"; + environment = "proxmox"; + }; web-public-2 = { hostNixpkgs = nixpkgs-unstable; site = "vs"; From e8427dc81dc3c86e77d86a8f0b7ad994bb47fd8a Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 28 Sep 2023 04:57:17 +0200 Subject: [PATCH 066/386] Set real IP from local proxy --- config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix | 3 +++ config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 3 +++ config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix | 3 +++ config/hosts/web-public-2/virtualHosts/git.grzb.de.nix | 3 +++ config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix | 4 ++++ config/hosts/web-public-2/virtualHosts/nekover.se.nix | 4 ++++ config/hosts/web-public-2/virtualHosts/social.nekover.se.nix | 3 +++ 7 files changed, 23 insertions(+) 
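Review bot: The `"_"` catch-all redirects with `return = "301 https://$host$request_uri"`, but it only handles names nginx does not know; the `paperless.grzb.de` vhost in `acme-challenge.nix` declares just the ACME location, so a plain `http://paperless.grzb.de/` request on this host gets a 404 from that vhost, not the redirect. If the intent is to upgrade the real name to HTTPS, add `locations."/".return = "301 https://$host$request_uri";` to the `paperless.grzb.de` vhost. For the catch-all, `$host` echoes whatever Host header the client sent, so it currently redirects arbitrary names; `return = "444";` (close without a response) for unknown hosts is the tighter default.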
diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix index b628ef7..381294e 100644 --- a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -21,6 +21,9 @@ }; extraConfig = '' add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; ''; }; } diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 9e6bbf9..8e9b555 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -78,6 +78,9 @@ in # redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; ''; }; } diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix index 5070a0b..4efedd4 100644 --- a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix @@ -26,6 +26,9 @@ extraConfig = '' client_max_body_size 1024m; add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; ''; }; } diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix index fb156d8..03b1a96 100644 --- a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix @@ -28,6 +28,9 @@ client_max_body_size 1024m; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; ''; }; } 
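Review bot: The same two lines `set_real_ip_from 127.0.0.1;` / `real_ip_header proxy_protocol;` are pasted into every vhost's `extraConfig` here (anisync, element, gameserver, git) and again in the next three hunks (mewtube, nekover.se, social); both directives are valid in the `http` context, so they belong once in `appendHttpConfig` of `config/hosts/web-public-2/nginx.nix`, where a host-wide HSTS header already lives, and any vhost added later is covered automatically. `real_ip_header proxy_protocol` only takes effect on listeners declared with `proxy_protocol`; the listeners of `mewtube.nekover.se` and `nekover.se` are outside these hunks, so confirm they are PROXY-protocol listeners or the client address for those vhosts stays 127.0.0.1 in logs and rate limits.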
diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix index fbc64fa..3a297e8 100644 --- a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix @@ -18,5 +18,9 @@ locations."/" = { proxyPass = "http://cloudtube.vs.grzb.de:10412"; }; + extraConfig = '' + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; }; } diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 743135d..7ea6e2c 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -28,5 +28,9 @@ add_header Access-Control-Allow-Origin *; ''; }; + extraConfig = '' + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; }; } diff --git a/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix index 2c44a16..174e360 100644 --- a/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix @@ -21,6 +21,9 @@ }; extraConfig = '' client_max_body_size 80m; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; ''; }; } From 35119a2a8e78df40a943984790a4634ad846312b Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 28 Sep 2023 04:58:38 +0200 Subject: [PATCH 067/386] Change Content-Security-Policy "frame-ancestors" from "none" to "self" Fixes downloads in element-web --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 8e9b555..47c2735 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -72,7 +72,7 @@ in add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; + add_header Content-Security-Policy "frame-ancestors 'self'"; add_header Strict-Transport-Security "max-age=63072000" always; From ab8a9c39dc07a2c44d209675b9dcab94d66ddcd9 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 28 Sep 2023 05:03:41 +0200 Subject: [PATCH 068/386] Enable dehydrated device feature for element-web client --- .../web-public-2/virtualHosts/element-web-config/config.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json index 7344ce4..9877940 100644 --- a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json +++ b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json @@ -26,7 +26,9 @@ "uisi_autorageshake_app": "element-auto-uisi", "default_country_code": "DE", "show_labs_settings": true, - "features": {}, + "features": { + "feature_dehydration": true + }, "default_federate": true, "default_theme": "dark", "room_directory": { From 9a640123931c4e8bf995b8b41e1dc66e3f231afc Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 5 Oct 2023 23:35:00 +0200 Subject: [PATCH 069/386] Also listen on "::1" --- config/hosts/matrix/matrix-synapse.nix | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 19f8824..893cfb2 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix 
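Review bot: `frame-ancestors 'self'` now agrees with the `X-Frame-Options SAMEORIGIN` header a few lines above, which the old `'none'` value contradicted (when both are present browsers enforce the CSP directive and ignore X-Frame-Options, so the page was effectively unframeable). Record the reason from the commit message inline, e.g. `# 'self' rather than 'none': element-web needs same-origin framing for downloads`, so the next hardening pass does not revert it. The `X-XSS-Protection` line kept above is deprecated and ignored by current browsers and can be dropped in a follow-up.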
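Review bot: `"feature_dehydration": true` turns on a labs feature that depends on homeserver support for the dehydrated-device MSCs, and nothing in this commit touches the synapse side, so confirm the server supports it or the toggle is a no-op for users. `show_labs_settings` is already `true` two lines up, which lets users flip the same flag themselves; if the intent is to enable it for everyone, say so in the commit or a sibling README, since strict JSON allows no comments here. Current element-web documents `features` as boolean flags, so the value form is right.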
@@ -3,6 +3,26 @@ services.matrix-synapse = { enable = true; settings = { + listeners = [{ + port = 8008; + bind_addresses = [ + "::1" + "127.0.0.1" + ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + compress = true; + names = [ "client" ]; + } + { + compress = false; + names = [ "federation" ]; + } + ]; + }]; server_name = "nekover.se"; public_baseurl = "https://matrix.nekover.se"; database = { From c55d5da5c641cff5b3bacee5f8c050d2cb9b3dab Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 7 Oct 2023 01:39:07 +0200 Subject: [PATCH 070/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/8ee78470029e641cddbd8721496da1316b47d3b4' (2023-09-04) → 'github:nix-community/nixos-generators/150f38bd1e09e20987feacb1b0d5991357532fb5' (2023-09-30) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/53d337b63c8f9d7e0f8709cae0008a9655bee33e' (2023-09-19) → 'github:NixOS/nixpkgs/ef8e9997fcb37d5c8372dc1349185bd0d31752a6' (2023-10-05) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/089313d7c7c864b21648d78fb8700062dafab1f2' (2023-09-18) → 'github:NixOS/nixpkgs/e462c9172c685f0839baaa54bb5b49276a23dab7' (2023-10-06) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index ca1b1d6..40c9232 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1693791338, - "narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=", + "lastModified": 1696058303, + "narHash": "sha256-eNqKWpF5zG0SrgbbtljFOrRgFgRzCc4++TMFADBMLnc=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "8ee78470029e641cddbd8721496da1316b47d3b4", + "rev": "150f38bd1e09e20987feacb1b0d5991357532fb5", "type": "github" }, "original": { 
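Review bot: `x_forwarded = true` makes synapse take the client address from `X-Forwarded-For`, which only helps if the nginx location proxying to `127.0.0.1:8008` actually sends that header; the matrix `nginx.nix` hunks later in this series show a bare `proxyPass` with no `recommendedProxySettings` in view, so confirm the header is forwarded, otherwise every client appears as 127.0.0.1 to rate limiting and the admin API. Binding only `::1` and `127.0.0.1` is the right scope for an `x_forwarded` listener, since any process that can reach the port can assert an arbitrary client IP; keep it loopback-only if the listener is ever moved. A comment such as `# loopback only: x_forwarded trusts whoever connects` on the `bind_addresses` list would preserve that reasoning.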
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1695106126, - "narHash": "sha256-5BDOEo5miK+46ByqhooW32viYzDUmHrw++UK8zkMbPg=", + "lastModified": 1696524703, + "narHash": "sha256-KqzFNzhq0GpT09h1w2r2h7NxYvxDnzU3qOWYbfbAqyw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "53d337b63c8f9d7e0f8709cae0008a9655bee33e", + "rev": "ef8e9997fcb37d5c8372dc1349185bd0d31752a6", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1695043561, - "narHash": "sha256-ajrDIUJA5RB6Y2I1G4suDhiDMJuwg1WarNuasshRobE=", + "lastModified": 1696589439, + "narHash": "sha256-Ye+flokLfswVz9PZEyJ5yGJ1VqmJe3bDgwWt9Z4MuqQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "089313d7c7c864b21648d78fb8700062dafab1f2", + "rev": "e462c9172c685f0839baaa54bb5b49276a23dab7", "type": "github" }, "original": { From c273c7184cb75c57af855d00fba111185064d61e Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 7 Oct 2023 01:40:56 +0200 Subject: [PATCH 071/386] Enable sliding-sync for matrix-synapse --- config/hosts/matrix/matrix-synapse.nix | 9 ++++++++- config/hosts/matrix/nginx.nix | 19 ++++++++++++------- config/hosts/matrix/secrets.nix | 8 ++++++++ .../web-public-2/virtualHosts/nekover.se.nix | 2 +- 4 files changed, 29 insertions(+), 9 deletions(-) diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 893cfb2..1a4fb12 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -1,4 +1,4 @@ -{ ... }: +{ config, ... }: { services.matrix-synapse = { enable = true; @@ -47,6 +47,13 @@ turn_user_lifetime = 86400000; turn_allow_guests = true; }; + sliding-sync = { + enable = true; + settings = { + SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl; + }; + environmentFile = "/secrets/matrix-SYNCV3_SECRET.secret"; + }; extraConfigFiles = [ "/secrets/matrix-registration-shared-secret.secret" "/secrets/matrix-turn-shared-secret.secret" 
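Review bot: `SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl` points the sliding-sync proxy at `https://matrix.nekover.se`, so its traffic to synapse leaves the host, passes the public reverse proxy and TLS, and comes back to the same machine, and the proxy stops working whenever the public path or DNS is down. The listener added earlier in this series binds `127.0.0.1:8008` on this host, so `SYNCV3_SERVER = "http://127.0.0.1:8008";` is the direct route, unless the public URL was chosen on purpose (for example to exercise the same path clients use), in which case a comment saying so belongs next to the line.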
diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index de8f332..234362d 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -16,13 +16,18 @@ ssl = true; } ]; - locations."~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://localhost:8008"; - extraConfig = '' - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; - ''; + locations = { + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; + ''; + }; + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://127.0.0.1:8009"; + }; }; extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index 24329ea..7024f35 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix @@ -32,4 +32,12 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + deployment.keys."matrix-SYNCV3_SECRET.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/SYNCV3_SECRET" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; } diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 7ea6e2c..91c131d 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix 
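Review bot: `matrix-SYNCV3_SECRET.secret` is consumed through `environmentFile` in the synapse hunk, and systemd's `EnvironmentFile` expects `KEY=value` lines, so the `pass matrix/SYNCV3_SECRET` entry has to contain the literal `SYNCV3_SECRET=...` line rather than the bare secret; a comment on the key, `# must be a KEY=value line: consumed via EnvironmentFile`, records that. The key is owned `matrix-synapse:matrix-synapse` with `0640`, which works because systemd reads the file before dropping to the service user, but it is not what grants the sliding-sync unit access if that unit runs under its own or a dynamic user; mirroring the other matrix keys is harmless, just do not rely on the ownership.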
@@ -22,7 +22,7 @@ ''; }; locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}}'"; extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; From 16ec762847f5b459707862eb7ad1b5f30d49bc32 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 7 Oct 2023 02:42:00 +0200 Subject: [PATCH 072/386] Set locations priority for matrix reverse proxy --- config/hosts/matrix/nginx.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index 234362d..1b28649 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -17,6 +17,10 @@ } ]; locations = { + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://127.0.0.1:8009"; + priority = 999; + }; "~ ^(/_matrix|/_synapse/client)" = { proxyPass = "http://127.0.0.1:8008"; extraConfig = '' @@ -25,9 +29,6 @@ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; ''; }; - "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { - proxyPass = "http://127.0.0.1:8009"; - }; }; extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; From 8f8860390e6e613736f36277cfd333124bffa747 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 7 Oct 2023 02:42:26 +0200 Subject: [PATCH 073/386] Increase worker_connections and set worker_processes to auto --- config/hosts/web-public-2/nginx.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 52acd48..82c4b8f 100644 --- a/config/hosts/web-public-2/nginx.nix 
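Review bot: The `.well-known/matrix/client` body is a hand-escaped JSON document inside a Nix string inside an nginx `return`, and this change extends it with a third key; each edit risks an unbalanced quote that nginx would then serve as broken JSON to every client. Let Nix produce it: `return = "200 '${builtins.toJSON { "m.homeserver".base_url = "https://matrix.nekover.se"; "m.identity_server".base_url = "https://vector.im"; "org.matrix.msc3575.proxy".url = "https://matrix.nekover.se"; }}'";`, which also makes it easy to share the `https://matrix.nekover.se` value with `SYNCV3_SERVER` instead of repeating it. The `default_type application/json` in the existing `extraConfig` still applies.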
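Review bot: `priority = 999;` on the sliding-sync location is load-bearing but unexplained: NixOS emits locations sorted by `priority` (default 1000, lower first), and both regular expressions match `/_matrix/client/unstable/org.matrix.msc3575/sync`, so without it nginx's first-regex-wins rule sends sliding-sync requests to synapse on 8008, which is the ordering the previous commit produced. Add `# must precede the generic _matrix regex: both match the msc3575 sync path` above the line so the next reorder does not silently undo it.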
+++ b/config/hosts/web-public-2/nginx.nix @@ -7,6 +7,10 @@ services.nginx = { enable = true; + eventsConfig = '' + worker_connections 1024; + ''; + streamConfig = '' map $ssl_preread_server_name $address { anisync.grzb.de 127.0.0.1:8443; @@ -33,6 +37,10 @@ } ''; + appendConfig = '' + worker_processes auto; + ''; + appendHttpConfig = '' add_header Strict-Transport-Security "max-age=63072000" always; ''; From 52d59ef8140a93882e40a983d7150358d667f128 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 5 Oct 2023 23:38:17 +0200 Subject: [PATCH 074/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/8ee78470029e641cddbd8721496da1316b47d3b4' (2023-09-04) → 'github:nix-community/nixos-generators/150f38bd1e09e20987feacb1b0d5991357532fb5' (2023-09-30) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/ce210c81d3677233bedc9b70c70ab6d3e7f828f8' (2023-09-29) → 'github:NixOS/nixpkgs/e49c28b3baa3a93bdadb8966dd128f9985ea0a09' (2023-10-04) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/cdd726e1deb44c031ee8975528d6b283ed8cf021' (2023-09-29) → 'github:NixOS/nixpkgs/349bdd9653c42f1793d338b43aefe08883c5ebee' (2023-10-04) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 40c9232..0a0404b 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696524703, - "narHash": "sha256-KqzFNzhq0GpT09h1w2r2h7NxYvxDnzU3qOWYbfbAqyw=", + "lastModified": 1696435587, + "narHash": "sha256-otsVJPs+YMXjTJFEJ3ZzvaJ1e3Q74aStE2MSb2dxuZM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ef8e9997fcb37d5c8372dc1349185bd0d31752a6", + "rev": "e49c28b3baa3a93bdadb8966dd128f9985ea0a09", "type": "github" }, "original": { 
@@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1696589439, - "narHash": "sha256-Ye+flokLfswVz9PZEyJ5yGJ1VqmJe3bDgwWt9Z4MuqQ=", + "lastModified": 1696434248, + "narHash": "sha256-qivb3b3b5Cxe5/8qwCJ4CJCw/ENtim5zlhDItGR0p1I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e462c9172c685f0839baaa54bb5b49276a23dab7", + "rev": "349bdd9653c42f1793d338b43aefe08883c5ebee", "type": "github" }, "original": { From 705592784860ea0b1eae79c99696dd925dbd389f Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 8 Oct 2023 00:36:36 +0200 Subject: [PATCH 075/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/e49c28b3baa3a93bdadb8966dd128f9985ea0a09' (2023-10-04) → 'github:NixOS/nixpkgs/de9b8eb55b195f318eb839351b83b3560a990169' (2023-10-07) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/349bdd9653c42f1793d338b43aefe08883c5ebee' (2023-10-04) → 'github:NixOS/nixpkgs/b7a3aaae3859cd1ffd4c4fd850bf45d0304f9033' (2023-10-07) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 0a0404b..6400156 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696435587, - "narHash": "sha256-otsVJPs+YMXjTJFEJ3ZzvaJ1e3Q74aStE2MSb2dxuZM=", + "lastModified": 1696692673, + "narHash": "sha256-Voskclky52BKbqSE4z0Lv30bn0WOsRfim7uk0aN2A7w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e49c28b3baa3a93bdadb8966dd128f9985ea0a09", + "rev": "de9b8eb55b195f318eb839351b83b3560a990169", "type": "github" }, "original": { 
@@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1696434248, - "narHash": "sha256-qivb3b3b5Cxe5/8qwCJ4CJCw/ENtim5zlhDItGR0p1I=", + "lastModified": 1696653406, + "narHash": "sha256-0K9FEM+vwIctSy0FlmLube6C0PW4CBeRVm2dd85mozI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "349bdd9653c42f1793d338b43aefe08883c5ebee", + "rev": "b7a3aaae3859cd1ffd4c4fd850bf45d0304f9033", "type": "github" }, "original": { From c347478e961c95761af3940b6513529db3d6337a Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 10 Oct 2023 04:14:29 +0200 Subject: [PATCH 076/386] Migrate Mastodon to NixOS --- config/hosts/mastodon/configuration.nix | 43 +++++++ config/hosts/mastodon/default.nix | 9 ++ config/hosts/mastodon/mastodon.nix | 51 +++++++++ config/hosts/mastodon/nginx.nix | 48 ++++++++ config/hosts/mastodon/opensearch.nix | 5 + config/hosts/mastodon/secrets.nix | 37 ++++++ config/hosts/web-public-2/nginx.nix | 2 +- .../virtualHosts/acme-challenge.nix | 105 ++++++++++-------- .../web-public-2/virtualHosts/default.nix | 1 - .../virtualHosts/social.nekover.se.nix | 29 ----- hosts.nix | 4 + 11 files changed, 256 insertions(+), 78 deletions(-) create mode 100644 config/hosts/mastodon/configuration.nix create mode 100644 config/hosts/mastodon/default.nix create mode 100644 config/hosts/mastodon/mastodon.nix create mode 100644 config/hosts/mastodon/nginx.nix create mode 100644 config/hosts/mastodon/opensearch.nix create mode 100644 config/hosts/mastodon/secrets.nix delete mode 100644 config/hosts/web-public-2/virtualHosts/social.nekover.se.nix diff --git a/config/hosts/mastodon/configuration.nix b/config/hosts/mastodon/configuration.nix new file mode 100644 index 0000000..aad67b7 --- /dev/null +++ b/config/hosts/mastodon/configuration.nix 
@@ -0,0 +1,43 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "mastodon"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 8443 ]; + }; + }; + + fileSystems = { + "/mnt/data" = { + device = "/dev/disk/by-label/data"; + fsType = "ext4"; + autoResize = true; + }; + "/var/lib/mastodon/public-system" = { + depends = [ "/mnt/data" ]; + device = "/mnt/data/mastodon"; + fsType = "none"; + options = [ "bind" "X-mount.owner=mastodon" "X-mount.group=mastodon" ]; + }; + "/var/lib/postgresql" = { + depends = [ "/mnt/data" ]; + device = "/mnt/data/postgresql"; + fsType = "none"; + options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ]; + }; + "/var/lib/private/opensearch/data" = { + depends = [ "/mnt/data" ]; + device = "/mnt/data/opensearch"; + fsType = "none"; + options = [ "bind" "X-mount.owner=opensearch" "X-mount.group=opensearch" ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/mastodon/default.nix b/config/hosts/mastodon/default.nix new file mode 100644 index 0000000..5651eb8 --- /dev/null +++ b/config/hosts/mastodon/default.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./mastodon.nix + ./opensearch.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix new file mode 100644 index 0000000..620e6c2 --- /dev/null +++ b/config/hosts/mastodon/mastodon.nix 
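Review bot: The `"/var/lib/private/opensearch/data"` mount uses `X-mount.owner=opensearch` and `X-mount.group=opensearch`, which are resolved when the mount unit runs at boot; `/var/lib/private` is the state root systemd uses for `DynamicUser=` services, and if the opensearch unit runs as a dynamic user the name may not exist in `/etc/passwd` at that point, failing a mount that has no `nofail`. Confirm a static `opensearch` user exists on this host, or add `"nofail"` to these `options` so a failed bind mount degrades the service instead of the boot. A comment naming which service owns each of the three bind targets would also help, as the entries are otherwise identical in shape.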
@@ -0,0 +1,51 @@ +{ pkgs, ... }: +let + mastodonNekoversePatches = pkgs.fetchgit { + url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; + hash = "sha256-+HoE3rXiJUpAUYiXj4BaOL68cCG1tN8p+TI7vRxrA1Y="; + }; + mastodonNekoverseOverlay = final: prev: { + mastodon = (prev.mastodon.override rec { + version = "4.1.9"; + srcOverride = final.applyPatches { + src = final.fetchgit { + url = "https://github.com/mastodon/mastodon.git"; + rev = "v${version}"; + sha256 = "sha256-xpE/mg2AeioW6NThUjLS+SBxGavG4w1xtp3BOMADfYo="; + }; + patches = [ + "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" + "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" + "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch" + "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch" + "${mastodonNekoversePatches}/patches/006_increase_display_name_character_limit.patch" + "${mastodonNekoversePatches}/patches/007_increase_toot_character_limit.patch" + ]; + }; + }); + }; + pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; +in +{ + services.mastodon = { + enable = true; + package = pkgs-overlay.mastodon; + localDomain = "social.nekover.se"; + secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret"; + otpSecretFile = "/secrets/mastodon-otp-secret.secret"; + vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret"; + smtp = { + authenticate = true; + host = "mail-1.grzb.de"; + port = 465; + user = "social@nekover.se"; + passwordFile = "/secrets/mastodon-email-smtp-pass.secret"; + fromAddress = "Nekoverse "; + }; + extraConfig = { + SMTP_TLS = "true"; + ES_PRESET = "single_node_cluster"; + }; + elasticsearch.host = "127.0.0.1"; + }; +} diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix new file mode 100644 index 0000000..f9d541f --- /dev/null +++ b/config/hosts/mastodon/nginx.nix 
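Review bot: `pkgs.fetchgit` for `nekoverse-mastodon-patches` pins content by `hash` but gives no `rev`, so it fetches whatever the remote's default branch points at; the hash keeps a changed upstream from being used silently, but the build breaks as soon as that branch moves, and the exact origin of the patches applied to the Mastodon build is not recorded in this repo. Add `rev = "<commit hash of the patches repo>";` next to `url`, as the Mastodon source fetch below already does with `rev = "v${version}"`. `fromAddress = "Nekoverse "` as rendered here ends in a space with no address; if the `<...>` part was lost in this view it is fine, otherwise it is a malformed From header.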
@@ -0,0 +1,48 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + group = "mastodon"; + virtualHosts."social.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + extraParameters = [ "proxy_protocol" ]; + } + ]; + + root = "${config.services.mastodon.package}/public/"; + + locations = { + "/" = { + tryFiles = "$uri @proxy"; + }; + + "/system/".alias = "/var/lib/mastodon/public-system/"; + + "^~ /api/v1/streaming" = { + proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + proxyWebsockets = true; + }; + + "@proxy" = { + proxyPass = "http://unix:/run/mastodon-web/web.socket"; + proxyWebsockets = true; + }; + }; + + extraConfig = '' + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; + }; +} diff --git a/config/hosts/mastodon/opensearch.nix b/config/hosts/mastodon/opensearch.nix new file mode 100644 index 0000000..b787d77 --- /dev/null +++ b/config/hosts/mastodon/opensearch.nix @@ -0,0 +1,5 @@ +{ ... }: { + services.opensearch = { + enable = true; + }; +} diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix new file mode 100644 index 0000000..b6a827c --- /dev/null +++ b/config/hosts/mastodon/secrets.nix 
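Review bot: TLS for `social.nekover.se` now terminates here instead of on `web-public-2`, so the `Strict-Transport-Security` header that `web-public-2`'s `appendHttpConfig` adds to everything it terminates no longer reaches this domain; nothing in this vhost sets it and `forceSSL` alone does not add one as far as the visible config shows, so the migration drops HSTS for Mastodon. Add it to the vhost's `extraConfig` together with the real-IP lines, and repeat it in any location that declares its own `add_header`, since nginx stops inheriting server-level headers there. `/system/` serves user-uploaded files straight from disk with no headers; Mastodon's reference nginx config wraps that location with `X-Content-Type-Options nosniff` and a `default-src 'none'; form-action 'none'` CSP so an uploaded file cannot run as a same-origin document, and that belongs here too.
```nix
      "/system/" = {
        alias = "/var/lib/mastodon/public-system/";
        extraConfig = ''
          add_header Strict-Transport-Security "max-age=63072000" always;
          add_header X-Content-Type-Options nosniff;
          add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
        '';
      };
      # … unchanged: "/", "^~ /api/v1/streaming" and "@proxy" locations, end of the locations set …
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=63072000" always;
        set_real_ip_from 10.202.41.100;
        real_ip_header proxy_protocol;
      '';
```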
@@ -0,0 +1,37 @@ +{ ... }: +{ + deployment.keys = { + "mastodon-secret-key-base.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/secret-key-base" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-otp-secret.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/otp-secret" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-vapid-private-key.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/vapid-private-key" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-email-smtp-pass.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/email-smtp-pass" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 82c4b8f..ea0732c 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -25,7 +25,7 @@ nekover.se 127.0.0.1:8443; nextcloud.grzb.de 127.0.0.1:8443; nix-cache.nekover.se 10.202.41.121:8443; - social.nekover.se 127.0.0.1:8443; + social.nekover.se 10.202.41.104:8443; } server { diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index f5adeea..7e0190e 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix 
@@ -1,57 +1,68 @@ { ... }: { - services.nginx.virtualHosts."jellyfin.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://jellyfin.vs.grzb.de:80"; + services.nginx.virtualHosts = { + "jellyfin.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://jellyfin.vs.grzb.de:80"; + }; }; - }; - services.nginx.virtualHosts."mail-1.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://mail-1.vs.grzb.de:80"; + "mail-1.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://mail-1.vs.grzb.de:80"; + }; }; - }; - services.nginx.virtualHosts."matrix.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://matrix.vs.grzb.de:80"; + "mastodon.nekover.se" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://mastodon.vs.grzb.de:80"; + }; }; - }; - services.nginx.virtualHosts."netbox.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://netbox.vs.grzb.de:80"; + "matrix.nekover.se" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://matrix.vs.grzb.de:80"; + }; }; - }; - services.nginx.virtualHosts."grafana.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://metrics.vs.grzb.de:80"; + "netbox.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://netbox.vs.grzb.de:80"; + }; }; - 
}; - services.nginx.virtualHosts."turn.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://coturn.vs.grzb.de:80"; + "grafana.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://metrics.vs.grzb.de:80"; + }; + }; + "turn.nekover.se" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://coturn.vs.grzb.de:80"; + }; }; }; } diff --git a/config/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix index 6a5c3bb..53294f7 100644 --- a/config/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix @@ -8,7 +8,6 @@ ./git.grzb.de.nix ./mewtube.nekover.se.nix ./nekover.se.nix - ./social.nekover.se.nix ]; services.nginx.virtualHosts."_" = { diff --git a/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix deleted file mode 100644 index 174e360..0000000 --- a/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ ... }: -{ - services.nginx.virtualHosts."social.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://mastodon.vs.grzb.de:80"; - proxyWebsockets = true; - }; - extraConfig = '' - client_max_body_size 80m; - - set_real_ip_from 127.0.0.1; - real_ip_header proxy_protocol; - ''; - }; -} diff --git a/hosts.nix b/hosts.nix index ab78a2d..fc2716d 100644 --- a/hosts.nix +++ b/hosts.nix 
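Review bot: The added entry proxies HTTP-01 challenges for `mastodon.nekover.se`, but the certificate the Mastodon host requests is for `social.nekover.se` (the vhost in config/hosts/mastodon/nginx.nix in this same patch, and the name in the SNI map), so the challenge for the name that actually matters is never forwarded and issuance on the new host will fail; the key should read `"social.nekover.se" = {` with the same `proxyPass = "http://mastodon.vs.grzb.de:80";`. Patch 080 later in the series corrects this while refactoring the file. The SNI map, this file and each host's `virtualHosts` name are three hand-maintained copies of the same fact; deriving them from one table (hosts.nix already exists) would prevent this class of mismatch.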
@@ -57,6 +57,10 @@ in site = "wg"; environment = "proxmox"; }; + mastodon = { + site = "vs"; + environment = "proxmox"; + }; matrix = { site = "vs"; environment = "proxmox"; From 09a6abcae6c85dd4ec3839694e2c7e4369923f5d Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 10 Oct 2023 04:16:27 +0200 Subject: [PATCH 077/386] Remove nextcloud.grzb.de mapping --- config/hosts/web-public-2/nginx.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index ea0732c..46a711c 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -23,7 +23,6 @@ matrix.nekover.se 10.202.41.112:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; - nextcloud.grzb.de 127.0.0.1:8443; nix-cache.nekover.se 10.202.41.121:8443; social.nekover.se 10.202.41.104:8443; } From 406a23a01ffce54df274f78b54a7c2b5909b3b03 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 10 Oct 2023 04:19:46 +0200 Subject: [PATCH 078/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/de9b8eb55b195f318eb839351b83b3560a990169' (2023-10-07) → 'github:NixOS/nixpkgs/8be69c1764f58e07099e4a24b926f49bbada8c7f' (2023-10-09) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/b7a3aaae3859cd1ffd4c4fd850bf45d0304f9033' (2023-10-07) → 'github:NixOS/nixpkgs/5a9c737c587d2c34d63c5b3cb53c6ab0705bdf4f' (2023-10-09) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 6400156..922fe2e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696692673, - "narHash": "sha256-Voskclky52BKbqSE4z0Lv30bn0WOsRfim7uk0aN2A7w=", + "lastModified": 1696815342, + "narHash": "sha256-MHA0Ye0PaFF6pay6tP9yMgwWvuqRraa9bH45U88RwC4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "de9b8eb55b195f318eb839351b83b3560a990169", + "rev": "8be69c1764f58e07099e4a24b926f49bbada8c7f", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1696653406, - "narHash": "sha256-0K9FEM+vwIctSy0FlmLube6C0PW4CBeRVm2dd85mozI=", + "lastModified": 1696826630, + "narHash": "sha256-oGU94vo6pkzGbaSsPHjpHtOUg6b7nL8v3xATnrcw3cQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b7a3aaae3859cd1ffd4c4fd850bf45d0304f9033", + "rev": "5a9c737c587d2c34d63c5b3cb53c6ab0705bdf4f", "type": "github" }, "original": { From 15963fd37e72ba23b6ac6b2d6de3dc39162ef1b3 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 10 Oct 2023 14:19:35 +0200 Subject: [PATCH 079/386] Update element-web and clean up configuration --- .../virtualHosts/element.nekover.se.nix | 65 +++++++------------ 1 file changed, 23 insertions(+), 42 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 47c2735..f9b78d1 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
@@ -1,9 +1,20 @@ { pkgs, ... }: let + elementWebVersion = "1.11.46"; element-web = pkgs.fetchzip { - url = "https://github.com/vector-im/element-web/releases/download/v1.11.43/element-v1.11.43.tar.gz"; - sha256 = "sha256-MxUu5dFf4RL0crQol4hG6gNE+9Qu5/vBWdpf0ENaFV0="; + url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; + sha256 = "sha256-EQ6a8WK8ILYidbS+0FGzI4XQbZFh+M6Y7eZ28YcsIrg="; }; + elementWebSecurityHeaders = '' + # Configuration best practices + # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'self'"; + + add_header Strict-Transport-Security "max-age=63072000" always; + ''; in { services.nginx.virtualHosts."element.nekover.se" = { 
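Review bot: Folding the per-location headers into `elementWebSecurityHeaders` changes the policy on `/index.html`, `/version` and `/config`: the removed blocks sent `Content-Security-Policy "frame-ancestors 'none'"` while the shared snippet sends `'self'`, so the app document can now be framed by same-origin pages. That is consistent with the `X-Frame-Options SAMEORIGIN` beside it and appears to match the upstream README the comment links, so it is defensible, but it is a loosening that a "clean up" commit should call out — either add `# 'self' (not 'none') so CSP agrees with X-Frame-Options SAMEORIGIN` or use `DENY` plus `'none'` in both if framing was meant to be forbidden. `X-XSS-Protection "1; mode=block"` is a legacy header that current guidance (OWASP, MDN) says to omit or set to `0`, since the auditor it controlled has been removed from browsers and has itself been a source of leaks; consider dropping it even though the upstream snippet still lists it. A one-line comment on the `let` binding noting that nginx `add_header` in a `location` replaces all inherited headers, which is why the snippet must be prepended in every location, would stop the next reader from "deduplicating" it.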
@@ -16,66 +27,36 @@ in ./element-web-config ]; }; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; # Set no-cache for the version, config and index.html # so that browsers always check for a new copy of Element Web. # NB http://your-domain/ and http://your-domain/? are also covered by this locations."= /index.html" = { - extraConfig = '' + extraConfig = elementWebSecurityHeaders + '' add_header Cache-Control "no-cache"; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; - add_header Strict-Transport-Security "max-age=63072000" always; ''; }; locations."= /version" = { - extraConfig = '' + extraConfig = elementWebSecurityHeaders + '' add_header Cache-Control "no-cache"; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; - add_header Strict-Transport-Security "max-age=63072000" always; ''; }; # covers config.json and config.hostname.json requests as it is prefix. 
locations."/config" = { - extraConfig = '' + extraConfig = elementWebSecurityHeaders + '' add_header Cache-Control "no-cache"; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; - add_header Strict-Transport-Security "max-age=63072000" always; ''; }; - extraConfig = '' + extraConfig = elementWebSecurityHeaders + '' index index.html; - # Configuration best practices - # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'self'"; - - add_header Strict-Transport-Security "max-age=63072000" always; - # redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; From 8f63afc43b1d5c1ce344c8f75888dbc10964f8dd Mon Sep 17 00:00:00 2001 
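Review bot: With the `localhost:1234` entry gone, this vhost's `listen` holds only the TLS/PROXY-protocol listener on 8443, so nothing in this server block answers plain HTTP any more: the removed comment said that entry existed as a "workaround for enableACME check", and both the `forceSSL` redirect and the HTTP-01 challenge for element.nekover.se now depend on some other port-80 server block (presumably the `_` catch-all in virtualHosts/default.nix) serving the ACME webroot. If the nginx module in the pinned nixpkgs revision still has that assertion the evaluation will fail; if it has been relaxed, the first renewal is the real test — triggering the cert's systemd unit (e.g. `acme-element.nekover.se.service`) right after deploy would confirm before the current cert expires. Either way the `listen` block deserves a comment explaining where port 80 is served from, in place of the comment that was removed. The enclosing `services.nginx.virtualHosts."element.nekover.se"` attrset starts in the previous hunk and closes after this one.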
From: fi Date: Tue, 10 Oct 2023 15:21:16 +0200 Subject: [PATCH 080/386] Use stable channel and use helper function for acme challenge proxy --- config/hosts/coturn/secrets.nix | 4 +- config/hosts/hydra/secrets.nix | 4 +- config/hosts/jellyfin/secrets.nix | 4 +- config/hosts/lifeline/secrets.nix | 34 ++++--- config/hosts/mail-2/secrets.nix | 34 ++++--- config/hosts/mastodon/secrets.nix | 10 +- config/hosts/matrix/secrets.nix | 82 ++++++++-------- config/hosts/metrics/secrets.nix | 34 ++++--- config/hosts/netbox/secrets.nix | 4 +- config/hosts/nextcloud/secrets.nix | 6 +- config/hosts/paperless/secrets.nix | 34 ++++--- config/hosts/valkyrie/secrets.nix | 98 ++++++++++--------- config/hosts/web-public-2/nginx.nix | 49 +++++----- .../virtualHosts/acme-challenge.nix | 85 ++++------------ .../virtualHosts/anisync.grzb.de.nix | 18 ++-- .../virtualHosts/gameserver.grzb.de.nix | 18 ++-- .../web-public-2/virtualHosts/git.grzb.de.nix | 18 ++-- .../virtualHosts/mewtube.nekover.se.nix | 18 ++-- .../web-public-2/virtualHosts/nekover.se.nix | 18 ++-- flake.nix | 3 + hosts.nix | 1 - 21 files changed, 257 insertions(+), 319 deletions(-) diff --git a/config/hosts/coturn/secrets.nix b/config/hosts/coturn/secrets.nix index 415b223..48fd211 100644 --- a/config/hosts/coturn/secrets.nix +++ b/config/hosts/coturn/secrets.nix @@ -1,7 +1,7 @@ -{ ... }: +{ keyCommandEnv,... }: { deployment.keys."static-auth-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "coturn/static-auth-secret" ]; + keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ]; destDir = "/secrets"; user = "turnserver"; group = "turnserver"; diff --git a/config/hosts/hydra/secrets.nix b/config/hosts/hydra/secrets.nix index 7ccf047..43329f7 100644 --- a/config/hosts/hydra/secrets.nix +++ b/config/hosts/hydra/secrets.nix 
@@ -1,7 +1,7 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys."signing-key.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ]; + keyCommand = keyCommandEnv ++ [ "pass" "hydra/signing-key" ]; destDir = "/secrets"; user = "root"; group = "root"; diff --git a/config/hosts/jellyfin/secrets.nix b/config/hosts/jellyfin/secrets.nix index c1c22c6..922d4c4 100644 --- a/config/hosts/jellyfin/secrets.nix +++ b/config/hosts/jellyfin/secrets.nix @@ -1,7 +1,7 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys."samba-credentials.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "jellyfin/samba-credentials" ]; + keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ]; destDir = "/secrets"; user = "root"; group = "root"; diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix index b14e281..f2b6e23 100644 --- a/config/hosts/lifeline/secrets.nix +++ b/config/hosts/lifeline/secrets.nix 
@@ -1,19 +1,21 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."wireguard-lifeline-wg0-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-lifeline-mail-2-lifeline-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "wireguard-lifeline-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-lifeline-mail-2-lifeline-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/mail-2/secrets.nix b/config/hosts/mail-2/secrets.nix index 70606af..67beb5b 100644 --- a/config/hosts/mail-2/secrets.nix +++ b/config/hosts/mail-2/secrets.nix 
@@ -1,19 +1,21 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."wireguard-mail-2-wg0-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/mail-2-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "systemd-network"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-lifeline-mail-2-mail-2-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "systemd-network"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "wireguard-mail-2-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-2-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-lifeline-mail-2-mail-2-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index b6a827c..42f7489 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix @@ -1,8 +1,8 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys = { "mastodon-secret-key-base.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/secret-key-base" ]; + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; 
@@ -10,7 +10,7 @@ uploadAt = "pre-activation"; }; "mastodon-otp-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/otp-secret" ]; + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/otp-secret" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; @@ -18,7 +18,7 @@ uploadAt = "pre-activation"; }; "mastodon-vapid-private-key.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/vapid-private-key" ]; + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; @@ -26,7 +26,7 @@ uploadAt = "pre-activation"; }; "mastodon-email-smtp-pass.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/email-smtp-pass" ]; + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index 7024f35..dac6301 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix 
@@ -1,43 +1,45 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."matrix-registration-shared-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/registration-shared-secret" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-turn-shared-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/turn-shared-secret" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-email-smtp-pass.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/email-smtp-pass" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-homeserver-signing-key.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/homeserver-signing-key" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-SYNCV3_SECRET.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/SYNCV3_SECRET" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "matrix-registration-shared-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/registration-shared-secret" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + 
permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-turn-shared-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/turn-shared-secret" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-email-smtp-pass.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/email-smtp-pass" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-homeserver-signing-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-signing-key" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-SYNCV3_SECRET.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/SYNCV3_SECRET" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/metrics/secrets.nix b/config/hosts/metrics/secrets.nix index 43b06b3..fcf9baa 100644 --- a/config/hosts/metrics/secrets.nix +++ b/config/hosts/metrics/secrets.nix 
@@ -1,19 +1,21 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."metrics-grafana-admin-password.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/admin-password" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."metrics-grafana-smtp-password.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/smtp-password" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "metrics-grafana-admin-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "metrics-grafana-smtp-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix index e31c666..216aca4 100644 --- a/config/hosts/netbox/secrets.nix +++ b/config/hosts/netbox/secrets.nix @@ -1,7 +1,7 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys."netbox-secret-key.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "netbox/secret-key" ]; + keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ]; destDir = "/secrets"; user = "netbox"; group = "netbox"; diff --git a/config/hosts/nextcloud/secrets.nix b/config/hosts/nextcloud/secrets.nix index c4a91b9..b344d78 100644 --- a/config/hosts/nextcloud/secrets.nix +++ b/config/hosts/nextcloud/secrets.nix 
@@ -1,8 +1,8 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys = { "nextcloud-adminpass.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ]; + keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ]; destDir = "/secrets"; user = "nextcloud"; group = "nextcloud"; @@ -10,7 +10,7 @@ uploadAt = "pre-activation"; }; "nextcloud-secretfile.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/secretfile" ]; + keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ]; destDir = "/secrets"; user = "nextcloud"; group = "nextcloud"; diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix index 92a8b1d..6726881 100644 --- a/config/hosts/paperless/secrets.nix +++ b/config/hosts/paperless/secrets.nix 
@@ -1,19 +1,21 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."paperless-admin-password.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/admin-password" ]; - destDir = "/secrets"; - user = "paperless"; - group = "paperless"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."paperless-samba-credentials.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/samba-credentials" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "paperless-admin-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ]; + destDir = "/secrets"; + user = "paperless"; + group = "paperless"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "paperless-samba-credentials.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix index 4395a6d..3acc555 100644 --- a/config/hosts/valkyrie/secrets.nix +++ b/config/hosts/valkyrie/secrets.nix 
@@ -1,51 +1,53 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-wg1-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg1-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-mail-1/psk" ]; - destDir = "/secrets"; - user = "root"; - 
group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "wireguard-valkyrie-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site1-grzb-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site2-grzb-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site2-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site1-jsts-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-jsts/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-wg1-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg1-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 46a711c..122a4b2 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix 
@@ -11,33 +11,32 @@ worker_connections 1024; ''; - streamConfig = '' - map $ssl_preread_server_name $address { - anisync.grzb.de 127.0.0.1:8443; - birdsite.nekover.se 10.202.41.107:8443; - cloud.nekover.se 10.202.41.122:8443; - element.nekover.se 127.0.0.1:8443; - gameserver.grzb.de 127.0.0.1:8443; - git.grzb.de 127.0.0.1:8443; - hydra.nekover.se 10.202.41.121:8443; - matrix.nekover.se 10.202.41.112:8443; - mewtube.nekover.se 127.0.0.1:8443; - nekover.se 127.0.0.1:8443; - nix-cache.nekover.se 10.202.41.121:8443; - social.nekover.se 10.202.41.104:8443; - } - - server { - listen 0.0.0.0:443; - listen [::]:443; - proxy_pass $address; - ssl_preread on; - proxy_protocol on; - } - ''; - appendConfig = '' worker_processes auto; + + stream { + map $ssl_preread_server_name $address { + anisync.grzb.de 127.0.0.1:8443; + birdsite.nekover.se 10.202.41.107:8443; + cloud.nekover.se 10.202.41.122:8443; + element.nekover.se 127.0.0.1:8443; + gameserver.grzb.de 127.0.0.1:8443; + git.grzb.de 127.0.0.1:8443; + hydra.nekover.se 10.202.41.121:8443; + matrix.nekover.se 10.202.41.112:8443; + mewtube.nekover.se 127.0.0.1:8443; + nekover.se 127.0.0.1:8443; + nix-cache.nekover.se 10.202.41.121:8443; + social.nekover.se 10.202.41.104:8443; + } + server { + listen 0.0.0.0:443; + listen [::]:443; + proxy_pass $address; + ssl_preread on; + proxy_protocol on; + } + } ''; appendHttpConfig = '' diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 7e0190e..9cd0be4 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix 
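Review bot: Moving the `stream {}` block from `streamConfig` into `appendConfig` bypasses the module option built for exactly this; `streamConfig` has been in the NixOS nginx module for years, so if the stable channel needs this for some reason a comment saying so would stop a future reader from moving it back. While the block is touched: the `map` has no `default`, so as far as I can tell a ClientHello with no SNI or an unlisted name leaves `$address` empty and nginx closes the connection with an error rather than reaching the `_` catch-all — `default 127.0.0.1:8443;` would make the intended behaviour explicit. The backends are IP literals here but `*.vs.grzb.de` names in acme-challenge.nix for the same hosts (`10.202.41.104` vs `mastodon.vs.grzb.de`), so the two tables can drift; deriving both from hosts.nix would remove the duplication.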
@@ -1,68 +1,23 @@ { ... }: -{ - services.nginx.virtualHosts = { - "jellyfin.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://jellyfin.vs.grzb.de:80"; - }; - }; - "mail-1.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://mail-1.vs.grzb.de:80"; - }; - }; - "mastodon.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://mastodon.vs.grzb.de:80"; - }; - }; - "matrix.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://matrix.vs.grzb.de:80"; - }; - }; - "netbox.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://netbox.vs.grzb.de:80"; - }; - }; - "grafana.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://metrics.vs.grzb.de:80"; - }; - }; - "turn.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://coturn.vs.grzb.de:80"; - }; - }; +let + acmeDomainMap = { + "jellyfin.grzb.de" = "jellyfin.vs.grzb.de"; + "mail-1.grzb.de" = "mail-1.vs.grzb.de"; + "social.nekover.se" = "mastodon.vs.grzb.de"; + "matrix.nekover.se" = "matrix.vs.grzb.de"; + "netbox.grzb.de" = "netbox.vs.grzb.de"; + "grafana.grzb.de" = "metrics.vs.grzb.de"; + "turn.nekover.se" = "coturn.vs.grzb.de"; }; +in +{ + services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://${target}:80"; + }; + }) acmeDomainMap); } 
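Review bot: The refactor changes behaviour: the removed vhost `"mastodon.nekover.se"` comes back as the key `"social.nekover.se"` in `acmeDomainMap`, so HTTP-01 challenges for `mastodon.nekover.se` are no longer proxied and a new name is, which the hunk does not call out. If the rename is intended, say so in the commit or a comment next to the map; if the old name still needs certificates, keep both keys pointing at `mastodon.vs.grzb.de`. Two minor points: the parentheses around `builtins.mapAttrs … acmeDomainMap` are unnecessary, and `listen` binds only `0.0.0.0`, so challenges arriving over IPv6 never reach these vhosts (unchanged from before, but worth a comment if deliberate).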
diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix index 381294e..9a3950a 100644 --- a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -3,18 +3,12 @@ services.nginx.virtualHosts."anisync.grzb.de" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://anisync.vs.grzb.de:8080"; proxyWebsockets = true; diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix index 4efedd4..c746f3d 100644 --- a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix @@ -3,18 +3,12 @@ services.nginx.virtualHosts."gameserver.grzb.de" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://pterodactyl.vs.grzb.de"; extraConfig = '' diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix index 03b1a96..ac9eefb 100644 --- a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix 
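Review bot: After this change anisync.grzb.de.nix (and identically gameserver.grzb.de.nix, git.grzb.de.nix, mewtube.nekover.se.nix and nekover.se.nix) listens only on `localhost:8443` with `ssl = true` while keeping `enableACME = true`, and the dropped `port = 1234` entry was commented as a workaround for the enableACME check. If these certificates are obtained via HTTP-01, no server listens on port 80 for these names any more, so the challenge would fall through to whatever nginx treats as the default port-80 server; please confirm renewal still works, or document in a comment which challenge type is relied on. The switch from the typed `proxyProtocol = true` to `extraParameters = ["proxy_protocol"]` also deserves a one-liner, e.g. `# extraParameters instead of proxyProtocol: the typed option is not available on the nixpkgs this host now builds from`, if that is the reason (hosts.nix in this commit drops `hostNixpkgs = nixpkgs-unstable` for web-public-2). Each vhost's attribute set starts before its hunk.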
@@ -3,18 +3,12 @@ services.nginx.virtualHosts."git.grzb.de" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://gitlab.vs.grzb.de:80"; extraConfig = '' diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix index 3a297e8..1ab842a 100644 --- a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix @@ -3,18 +3,12 @@ services.nginx.virtualHosts."mewtube.nekover.se" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://cloudtube.vs.grzb.de:10412"; }; diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 91c131d..7c95ec5 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix 
@@ -3,18 +3,12 @@ services.nginx.virtualHosts."nekover.se" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/.well-known/matrix/server" = { return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; extraConfig = '' diff --git a/flake.nix b/flake.nix index a9af2db..d2341f7 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,9 @@ specialArgs = { inherit nixpkgs-unstable hosts simple-nixos-mailserver; + + # Provide environment for secret key command + keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; }; }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts; diff --git a/hosts.nix b/hosts.nix index fc2716d..4f00d17 100644 --- a/hosts.nix +++ b/hosts.nix @@ -102,7 +102,6 @@ in environment = "proxmox"; }; web-public-2 = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; From 578abdf26e1505cb467a6d2d22bbd94952dfc8d0 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 10 Oct 2023 16:05:47 +0200 Subject: [PATCH 081/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8be69c1764f58e07099e4a24b926f49bbada8c7f' (2023-10-09) → 'github:NixOS/nixpkgs/22723a1d7deab53e5c1022906089e4247a5d3e77' (2023-10-09) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/5a9c737c587d2c34d63c5b3cb53c6ab0705bdf4f' (2023-10-09) → 'github:NixOS/nixpkgs/38aa96fc39c9719994f08100f791c27d31ee7892' (2023-10-09) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 922fe2e..0bf2fe5 100644 --- a/flake.lock +++ b/flake.lock 
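Review bot: In the flake.nix hunk `keyCommandEnv` bakes one operator's workstation layout (`/home/yuri/.passinfra_gnupg`, `/home/yuri/pass/infra`) into the flake, so every `deployment.keys` `keyCommand` built from it fails for anyone else running the deploy, and the comment `# Provide environment for secret key command` does not say so. Consider expanding the comment to state that key upload must run from that user's machine, or make the two paths overridable instead of fixed in `specialArgs`. The surrounding `specialArgs` set starts before this hunk.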
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696815342, - "narHash": "sha256-MHA0Ye0PaFF6pay6tP9yMgwWvuqRraa9bH45U88RwC4=", + "lastModified": 1696874073, + "narHash": "sha256-HNcQddEVmBVbMeH0I4LUEKFyZNvGfIYeXvyMYBvXjZ0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8be69c1764f58e07099e4a24b926f49bbada8c7f", + "rev": "22723a1d7deab53e5c1022906089e4247a5d3e77", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1696826630, - "narHash": "sha256-oGU94vo6pkzGbaSsPHjpHtOUg6b7nL8v3xATnrcw3cQ=", + "lastModified": 1696874314, + "narHash": "sha256-Tdq3pVF1We5rX5sI6IsyFmh0pHQmpS6GQBdaBdH0FkY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5a9c737c587d2c34d63c5b3cb53c6ab0705bdf4f", + "rev": "38aa96fc39c9719994f08100f791c27d31ee7892", "type": "github" }, "original": { From 3708003da680162da810ec9d32c68cfeddfc69a1 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 10 Oct 2023 16:43:51 +0200 Subject: [PATCH 082/386] Use OpenSSH config from CCCHH nix-infra repo --- config/common/default.nix | 13 ++---------- config/common/openssh.nix | 42 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 11 deletions(-) create mode 100644 config/common/openssh.nix diff --git a/config/common/default.nix b/config/common/default.nix index 0aee917..c57eaba 100644 --- a/config/common/default.nix +++ b/config/common/default.nix @@ -1,8 +1,9 @@ -{ pkgs, lib, ... }: +{ pkgs, ... }: { imports = [ ./prometheus-node-exporter.nix ./nginx.nix + ./openssh.nix ../users/colmena-deploy ../users/yuri ]; @@ -36,16 +37,6 @@ tcpdump ]; - services.openssh = { - enable = true; - openFirewall = true; - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - PermitRootLogin = lib.mkForce "no"; - }; - }; - security.acme = { defaults.email = "acme@grzb.de"; acceptTerms = true; diff --git a/config/common/openssh.nix b/config/common/openssh.nix new file mode 100644 index 0000000..e706571 
--- /dev/null +++ b/config/common/openssh.nix @@ -0,0 +1,42 @@ +# Common SSH configuration. +# Sources for this configuration: +# - https://nixos.org/manual/nixos/stable/#sec-ssh +# - https://infosec.mozilla.org/guidelines/openssh +# - Julians deploy_ssh_server_config Ansible role + +{ lib, ... }: +{ + services.openssh = { + enable = true; + openFirewall = true; + + settings = { + # Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09. + # Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09. + + # X11 Forwarding shouldn't be needed. + X11Forwarding = false; + + # Don't allow root login. + PermitRootLogin = lib.mkForce "no"; + + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + + # Set this according to Mozilla Modern guideline as of 2023-09-09. + # The guidelines description: + # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a + # clear audit track of which key was using to log in. + LogLevel = "VERBOSE"; + }; + + # Set those according to Mozilla Modern guideline as of 2023-09-09. + # The guidelines description: + # Log sftp level file access (read/write/etc.) that would not be easily + # logged otherwise. + sftpFlags = [ + "-f AUTHPRIV" + "-l INFO" + ]; + }; +} From 967c771b3ee095a7ae28ed43ef9314c2397a8ad3 Mon Sep 17 00:00:00 2001 
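Review bot: The header comments say `Macs` and `Ciphers` were checked against the Mozilla Modern guideline but are silent on `KexAlgorithms` and `HostKeyAlgorithms`, which that guideline also specifies and for which NixOS ships its own default; a line such as `# KexAlgorithms: NixOS 23.05 default compared against Mozilla Modern as of 2023-09-09, no override needed` (or an explicit setting if it was not compared) would complete the audit trail. `openFirewall = true` is inherited by every host importing this common module, including any publicly reachable one; if that is intended, a comment saying so saves the next reviewer the question. The `lib.mkForce` on `PermitRootLogin` silently wins over any host-level value, which is fine but worth one word of explanation.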
From: fi Date: Mon, 16 Oct 2023 11:22:48 +0200 Subject: [PATCH 083/386] Add searx host --- config/hosts/searx/configuration.nix | 17 +++++++++++ config/hosts/searx/default.nix | 8 +++++ config/hosts/searx/nginx.nix | 29 +++++++++++++++++++ config/hosts/searx/searx.nix | 29 +++++++++++++++++++ config/hosts/searx/secrets.nix | 11 +++++++ config/hosts/web-public-2/nginx.nix | 1 + .../virtualHosts/acme-challenge.nix | 1 + hosts.nix | 5 ++++ 8 files changed, 101 insertions(+) create mode 100644 config/hosts/searx/configuration.nix create mode 100644 config/hosts/searx/default.nix create mode 100644 config/hosts/searx/nginx.nix create mode 100644 config/hosts/searx/searx.nix create mode 100644 config/hosts/searx/secrets.nix diff --git a/config/hosts/searx/configuration.nix b/config/hosts/searx/configuration.nix new file mode 100644 index 0000000..1216183 --- /dev/null +++ b/config/hosts/searx/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "searx"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 8443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/searx/default.nix b/config/hosts/searx/default.nix new file mode 100644 index 0000000..ee2a678 --- /dev/null +++ b/config/hosts/searx/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ./searx.nix + ]; +} diff --git a/config/hosts/searx/nginx.nix b/config/hosts/searx/nginx.nix new file mode 100644 index 0000000..a84c171 --- /dev/null +++ b/config/hosts/searx/nginx.nix 
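Review bot: `imports` in config/hosts/searx/default.nix lists `./configuration.nix`, `./nginx.nix` and `./searx.nix` but not `./secrets.nix`, while searx.nix points `environmentFile` at `/secrets/searx-secret-key.secret`, the very key secrets.nix would upload. Unless the flake helper picks up `secrets.nix` on its own (not visible here), the key is never deployed and the service starts without its secret. If the import is meant to be explicit, add `./secrets.nix` to the list.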
@@ -0,0 +1,29 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + virtualHosts."searx.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + extraParameters = [ "proxy_protocol" ]; + } + ]; + locations."/" = { + proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}"; + }; + extraConfig = '' + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; + }; +} diff --git a/config/hosts/searx/searx.nix b/config/hosts/searx/searx.nix new file mode 100644 index 0000000..cdb9940 --- /dev/null +++ b/config/hosts/searx/searx.nix @@ -0,0 +1,29 @@ +{ pkgs, ... }: +{ + services.searx = { + enable = true; + package = pkgs.searxng; + redisCreateLocally = true; + settings = { + general = { + debug = false; + instance_name = "SearXNG"; + }; + server = { + bind_address = "127.0.0.1"; + port = 8080; + base_url = "https://searx.nekover.se"; + limiter = true; + image_proxy = true; + secret_key = "@SEARX_SECRET_KEY@"; + }; + search = { + safe_search = 0; + autocomplete = "duckduckgo"; + }; + ui.static_use_hash = true; + enabled_plugins = [ "Hash plugin" "Self Informations" "Tracker URL remover" "Ahmia blacklist" ]; + }; + environmentFile = "/secrets/searx-secret-key.secret"; + }; +} diff --git a/config/hosts/searx/secrets.nix b/config/hosts/searx/secrets.nix new file mode 100644 index 0000000..38231fc --- /dev/null +++ b/config/hosts/searx/secrets.nix @@ -0,0 +1,11 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys."searx-secret-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "searx/secret-key" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 122a4b2..907cdb8 100644 
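Review bot: The `locations."/"` block proxies to SearXNG without forwarding the client address — `recommendedProxySettings` is not enabled here and no `proxy_set_header X-Forwarded-For`/`X-Real-IP` is given — while searx.nix turns on `limiter = true`. The SearXNG limiter keys on the client address it sees, which behind this proxy appears to be the proxy's own, so either all users share one bucket or the limiter does little; please confirm. Adding `recommendedProxySettings = true;` under `services.nginx` (or the equivalent `proxy_set_header` lines in the location) should suffice, since `set_real_ip_from` already restores the real address from the PROXY header.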
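Review bot: `secret_key = "@SEARX_SECRET_KEY@"` reads like a placeholder that was never filled in; it is substituted at service start by the NixOS searx module from the variable of that name in `environmentFile`, but nothing in the file says so. A comment such as `# @SEARX_SECRET_KEY@ is replaced by the NixOS module from environmentFile at service start`, plus a note in secrets.nix that the uploaded file must contain a `SEARX_SECRET_KEY=` line, would make the contract explicit. `safe_search = 0` may also deserve a word on whether that is the intended default for a public instance.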
--- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -27,6 +27,7 @@ mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; nix-cache.nekover.se 10.202.41.121:8443; + searx.nekover.se 10.202.41.105:8443; social.nekover.se 10.202.41.104:8443; } server { diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 9cd0be4..eaf7188 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -7,6 +7,7 @@ let "matrix.nekover.se" = "matrix.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; + "searx.nekover.se" = "searx.vs.grzb.de"; "turn.nekover.se" = "coturn.vs.grzb.de"; }; in diff --git a/hosts.nix b/hosts.nix index 4f00d17..194cc45 100644 --- a/hosts.nix +++ b/hosts.nix @@ -89,6 +89,11 @@ in site = "vs"; environment = "proxmox"; }; + searx = { + hostNixpkgs = nixpkgs-unstable; + site = "vs"; + environment = "proxmox"; + }; tor-relay = { site = "vs"; environment = "proxmox"; From 5ecf001ccf0776a1f6db342eb658d0a286e958e2 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 16 Oct 2023 11:25:02 +0200 Subject: [PATCH 084/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/22723a1d7deab53e5c1022906089e4247a5d3e77' (2023-10-09) → 'github:NixOS/nixpkgs/0e1cff585c1a85aeab059d3109f66134a8f76935' (2023-10-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/38aa96fc39c9719994f08100f791c27d31ee7892' (2023-10-09) → 'github:NixOS/nixpkgs/982b24c40e743793c966b47b3bb3699881489ae0' (2023-10-15) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 0bf2fe5..10b69cb 100644 --- a/flake.lock +++ b/flake.lock 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696874073, - "narHash": "sha256-HNcQddEVmBVbMeH0I4LUEKFyZNvGfIYeXvyMYBvXjZ0=", + "lastModified": 1697332183, + "narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "22723a1d7deab53e5c1022906089e4247a5d3e77", + "rev": "0e1cff585c1a85aeab059d3109f66134a8f76935", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1696874314, - "narHash": "sha256-Tdq3pVF1We5rX5sI6IsyFmh0pHQmpS6GQBdaBdH0FkY=", + "lastModified": 1697343899, + "narHash": "sha256-66Dosy7YYVhkesbHXB4xxZZ+2NOi9CmFDyHOI1ZTAbQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "38aa96fc39c9719994f08100f791c27d31ee7892", + "rev": "982b24c40e743793c966b47b3bb3699881489ae0", "type": "github" }, "original": { From 3277d6048faad5f14141807d482f5d2690e0bdaf Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 25 Oct 2023 14:11:03 +0200 Subject: [PATCH 085/386] Bump element-web to v1.11.47 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index f9b78d1..4810df6 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.46"; + elementWebVersion = "1.11.47"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-EQ6a8WK8ILYidbS+0FGzI4XQbZFh+M6Y7eZ28YcsIrg="; + sha256 = "sha256-iHhwiqRtssRQZltKj0mXgYLezgyO1Zkh9mfBLaX9xtk="; }; elementWebSecurityHeaders = '' # Configuration best practices From 222f49d574fe9931089acabdc478cf68186d365c Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 25 Oct 2023 14:12:09 +0200 Subject: [PATCH 086/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/0e1cff585c1a85aeab059d3109f66134a8f76935' (2023-10-15) → 'github:NixOS/nixpkgs/21443a102b1a2f037d02e1d22e3e0ffdda2dbff9' (2023-10-21) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/982b24c40e743793c966b47b3bb3699881489ae0' (2023-10-15) → 'github:NixOS/nixpkgs/8dfad603247387df1df4826b8bea58efc5d012d8' (2023-10-22) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 10b69cb..d96f7fd 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1697332183, - "narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=", + "lastModified": 1697912416, + "narHash": "sha256-2MLnJ9vLbiSyfA+mYHPdN76qAOfacJw/dX/sSiYdo2o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0e1cff585c1a85aeab059d3109f66134a8f76935", + "rev": "21443a102b1a2f037d02e1d22e3e0ffdda2dbff9", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1697343899, - "narHash": "sha256-66Dosy7YYVhkesbHXB4xxZZ+2NOi9CmFDyHOI1ZTAbQ=", + "lastModified": 1697935353, + "narHash": "sha256-dDwl5ziD24Gs0feke2seFXoQibHafb5XeNDWlUZxCbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "982b24c40e743793c966b47b3bb3699881489ae0", + "rev": "8dfad603247387df1df4826b8bea58efc5d012d8", "type": "github" }, "original": { From aabf304cbfe203f48e6f0a3323c56ee661f8cb86 Mon Sep 17 00:00:00 2001 
From: fi Date: Tue, 31 Oct 2023 00:42:50 +0100 Subject: [PATCH 087/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/21443a102b1a2f037d02e1d22e3e0ffdda2dbff9' (2023-10-21) → 'github:NixOS/nixpkgs/5896110a4e861bf2e675a3c3d8a171793fce2599' (2023-10-29) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/8dfad603247387df1df4826b8bea58efc5d012d8' (2023-10-22) → 'github:NixOS/nixpkgs/4e43dd49630303b00120c11d00d4fb01bb40188d' (2023-10-29) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index d96f7fd..4a18ddd 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1697912416, - "narHash": "sha256-2MLnJ9vLbiSyfA+mYHPdN76qAOfacJw/dX/sSiYdo2o=", + "lastModified": 1698607745, + "narHash": "sha256-J5QPuWxE17nO/UZJKEbupEM6Zx1wXIo/C+iP+44Hvl0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "21443a102b1a2f037d02e1d22e3e0ffdda2dbff9", + "rev": "5896110a4e861bf2e675a3c3d8a171793fce2599", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1697935353, - "narHash": "sha256-dDwl5ziD24Gs0feke2seFXoQibHafb5XeNDWlUZxCbg=", + "lastModified": 1698610559, + "narHash": "sha256-i8vFNXJz9VcH05oNe/3Jm5f+CtE3g5uOUvF/dobTMUQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8dfad603247387df1df4826b8bea58efc5d012d8", + "rev": "4e43dd49630303b00120c11d00d4fb01bb40188d", "type": "github" }, "original": { From 2c369c1c8ce1bb509aec38b0fe306ef091c6acf8 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 31 Oct 2023 01:00:49 +0100 Subject: [PATCH 088/386] Update mastodon-nekoverse-patches --- config/hosts/mastodon/mastodon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 620e6c2..620e379 100644 
--- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -2,7 +2,7 @@ let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; - hash = "sha256-+HoE3rXiJUpAUYiXj4BaOL68cCG1tN8p+TI7vRxrA1Y="; + hash = "sha256-6YXWc8LTPdZzP1TWBmVp00CyZXUIzZbMX85cwrIcAks="; }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { From a859d62dbb290ac8fbf00d6ebde5929ef99075aa Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 9 Nov 2023 23:28:59 +0100 Subject: [PATCH 089/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/5896110a4e861bf2e675a3c3d8a171793fce2599' (2023-10-29) → 'github:NixOS/nixpkgs/33e938c7823e47a787ad4f76003d14ff92ad96dd' (2023-11-07) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/4e43dd49630303b00120c11d00d4fb01bb40188d' (2023-10-29) → 'github:NixOS/nixpkgs/cfbb29d76949ae53c457f152c52c173ea4bdd862' (2023-11-07) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 4a18ddd..ae8fff0 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1698607745, - "narHash": "sha256-J5QPuWxE17nO/UZJKEbupEM6Zx1wXIo/C+iP+44Hvl0=", + "lastModified": 1699351105, + "narHash": "sha256-jNgFflP+Z7PzQav2TtuLBGEXF9GsBq2s8aBH18vmldM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5896110a4e861bf2e675a3c3d8a171793fce2599", + "rev": "33e938c7823e47a787ad4f76003d14ff92ad96dd", "type": "github" }, "original": { 
@@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1698610559, - "narHash": "sha256-i8vFNXJz9VcH05oNe/3Jm5f+CtE3g5uOUvF/dobTMUQ=", + "lastModified": 1699354722, + "narHash": "sha256-abmqUReg4PsyQSwv4d0zjcWpMHrd3IFJiTb2tZpfF04=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4e43dd49630303b00120c11d00d4fb01bb40188d", + "rev": "cfbb29d76949ae53c457f152c52c173ea4bdd862", "type": "github" }, "original": { From d43bec3320dac643143a56fe2dbf5fec6803d7b4 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 11 Nov 2023 23:33:39 +0100 Subject: [PATCH 090/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/33e938c7823e47a787ad4f76003d14ff92ad96dd' (2023-11-07) → 'github:NixOS/nixpkgs/1d55765508b8316798429875712dc1ef5e62a2fa' (2023-11-10) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/cfbb29d76949ae53c457f152c52c173ea4bdd862' (2023-11-07) → 'github:NixOS/nixpkgs/714e527a726c9613fca8e13586a1b19198d68d9b' (2023-11-10) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index ae8fff0..4b92509 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1699351105, - "narHash": "sha256-jNgFflP+Z7PzQav2TtuLBGEXF9GsBq2s8aBH18vmldM=", + "lastModified": 1699646590, + "narHash": "sha256-f81xS0qN6H1ULTyArpZgdjsly4FY0BnvPXdmSb7hq+o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "33e938c7823e47a787ad4f76003d14ff92ad96dd", + "rev": "1d55765508b8316798429875712dc1ef5e62a2fa", "type": "github" }, "original": { 
@@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1699354722, - "narHash": "sha256-abmqUReg4PsyQSwv4d0zjcWpMHrd3IFJiTb2tZpfF04=", + "lastModified": 1699625425, + "narHash": "sha256-WTqlROYtFucqwiRGxUE2MIpWNPUoua+rIJqKX0oi8DU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cfbb29d76949ae53c457f152c52c173ea4bdd862", + "rev": "714e527a726c9613fca8e13586a1b19198d68d9b", "type": "github" }, "original": { From 687ba97c6e420e336907321731ff006be6ed81a5 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 15 Nov 2023 11:54:11 +0100 Subject: [PATCH 091/386] Open firewall for jellyfin http port --- config/hosts/jellyfin/jellyfin.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/config/hosts/jellyfin/jellyfin.nix b/config/hosts/jellyfin/jellyfin.nix index 89deaaa..cea5f69 100644 --- a/config/hosts/jellyfin/jellyfin.nix +++ b/config/hosts/jellyfin/jellyfin.nix @@ -2,5 +2,6 @@ { services.jellyfin = { enable = true; + openFirewall = true; }; } From a689aae65617cb63ab13f491386b90ce5a17e11c Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 15 Nov 2023 12:18:23 +0100 Subject: [PATCH 092/386] Add vapid public key --- config/hosts/mastodon/mastodon.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 620e379..921208c 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -25,6 +25,7 @@ let }); }; pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; + vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { services.mastodon = { @@ -33,6 +34,7 @@ in localDomain = "social.nekover.se"; secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret"; otpSecretFile = "/secrets/mastodon-otp-secret.secret"; + vapidPublicKeyFile = "${vapidPublicKey}"; vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret"; smtp = { authenticate = true; 
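Review bot: `openFirewall = true` on `services.jellyfin` opens more than the HTTP port named in the commit title; as I recall the NixOS module, it opens the HTTPS port and the UDP discovery ports as well. If only HTTP is meant to be reachable because TLS is terminated on the public proxy, `networking.firewall.allowedTCPPorts = [ <jellyfin http port> ];` in configuration.nix is the narrower change; otherwise a comment stating that the discovery ports are intentionally exposed would prevent a later tightening. Please verify the exact port list against the module on the pinned nixpkgs.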
From c86c75d368e621fedff8193c6ddf2e27d547ea5e Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 15 Nov 2023 12:19:19 +0100 Subject: [PATCH 093/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/1d55765508b8316798429875712dc1ef5e62a2fa' (2023-11-10) → 'github:NixOS/nixpkgs/d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8' (2023-11-14) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/714e527a726c9613fca8e13586a1b19198d68d9b' (2023-11-10) → 'github:NixOS/nixpkgs/3298a053090d4bc6a7315588f786b6c96114970f' (2023-11-14) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 4b92509..3cf3fad 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1699646590, - "narHash": "sha256-f81xS0qN6H1ULTyArpZgdjsly4FY0BnvPXdmSb7hq+o=", + "lastModified": 1699994397, + "narHash": "sha256-xxNeIcMNMXH2EA9IAX6Cny+50mvY22LhIBiGZV363gc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1d55765508b8316798429875712dc1ef5e62a2fa", + "rev": "d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1699625425, - "narHash": "sha256-WTqlROYtFucqwiRGxUE2MIpWNPUoua+rIJqKX0oi8DU=", + "lastModified": 1699998596, + "narHash": "sha256-ktbY9CLmp9afb55TTNVuPLj90Sgbbqp4PwzxSJJb17o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "714e527a726c9613fca8e13586a1b19198d68d9b", + "rev": "3298a053090d4bc6a7315588f786b6c96114970f", "type": "github" }, "original": { From 079da1272cb970102371007c2b8f7fc9994fa351 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 15 Nov 2023 12:31:28 +0100 Subject: [PATCH 094/386] Update mastodon to 4.1.10 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 921208c..7dcf2ff 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.1.9"; + version = "4.1.10"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-xpE/mg2AeioW6NThUjLS+SBxGavG4w1xtp3BOMADfYo="; + sha256 = "sha256-22AhrI4wk/FhVJeRfhiI10MeYOJFoS0dwg3fWuWltoM="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" From d6ac95efc8562a88de38d553b85b9fee677164eb Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 15 Nov 2023 12:31:47 +0100 Subject: [PATCH 095/386] Update element-web to 1.11.49 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 4810df6..b98e9e5 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.47"; + elementWebVersion = "1.11.49"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-iHhwiqRtssRQZltKj0mXgYLezgyO1Zkh9mfBLaX9xtk="; + sha256 = "sha256-0w503Y4hgG6eFMuMMQyHjuMhyc+T4Rq1a5VDZN3POQc="; }; elementWebSecurityHeaders = '' # Configuration best practices From 8245e1cc52bebb5348c460aadd0fd77cabbb7f9c Mon Sep 17 00:00:00 2001 
From: fi Date: Thu, 16 Nov 2023 20:24:10 +0100 Subject: [PATCH 096/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8' (2023-11-14) → 'github:NixOS/nixpkgs/9fb122519e9cd465d532f736a98c1e1eb541ef6f' (2023-11-16) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/3298a053090d4bc6a7315588f786b6c96114970f' (2023-11-14) → 'github:NixOS/nixpkgs/9008bc4eb62c878d0812105ea1b34255d651df88' (2023-11-15) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 3cf3fad..319f4b6 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1699994397, - "narHash": "sha256-xxNeIcMNMXH2EA9IAX6Cny+50mvY22LhIBiGZV363gc=", + "lastModified": 1700097215, + "narHash": "sha256-ODQ3gBTv1iHd7lG21H+ErVISB5wVeOhd/dEogOqHs/I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8", + "rev": "9fb122519e9cd465d532f736a98c1e1eb541ef6f", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1699998596, - "narHash": "sha256-ktbY9CLmp9afb55TTNVuPLj90Sgbbqp4PwzxSJJb17o=", + "lastModified": 1700083842, + "narHash": "sha256-uC5v4VyUPgC5L3zv7e9q6+TRCm+eiA+Ow5vcH67ef/I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3298a053090d4bc6a7315588f786b6c96114970f", + "rev": "9008bc4eb62c878d0812105ea1b34255d651df88", "type": "github" }, "original": { From a89f984c0fa1298ed84a588c1d8a920e33a99ead Mon Sep 17 00:00:00 2001 
From: fi Date: Fri, 17 Nov 2023 21:02:54 +0100 Subject: [PATCH 097/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/9fb122519e9cd465d532f736a98c1e1eb541ef6f' (2023-11-16) → 'github:NixOS/nixpkgs/d7afe436f89670fb74eb0dcff2496f0ec530be48' (2023-11-16) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/9008bc4eb62c878d0812105ea1b34255d651df88' (2023-11-15) → 'github:NixOS/nixpkgs/7bea27b7ef1c23c7433e52327d81a01702d34272' (2023-11-16) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 319f4b6..28da249 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700097215, - "narHash": "sha256-ODQ3gBTv1iHd7lG21H+ErVISB5wVeOhd/dEogOqHs/I=", + "lastModified": 1700144580, + "narHash": "sha256-JSH+kxJ40pgyuVy7r/HF9IDFxAcuzwJBHZJH4g9+3vA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9fb122519e9cd465d532f736a98c1e1eb541ef6f", + "rev": "d7afe436f89670fb74eb0dcff2496f0ec530be48", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1700083842, - "narHash": "sha256-uC5v4VyUPgC5L3zv7e9q6+TRCm+eiA+Ow5vcH67ef/I=", + "lastModified": 1700169889, + "narHash": "sha256-AnqotTs1cIpx7Rc0ML3cnQwGJGSmlaLQZ2xzbjLU3XQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9008bc4eb62c878d0812105ea1b34255d651df88", + "rev": "7bea27b7ef1c23c7433e52327d81a01702d34272", "type": "github" }, "original": { From a40ff4193de74daffae80de93297f0b1c5bd3bf5 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 20 Nov 2023 23:16:20 +0100 Subject: [PATCH 098/386] Update mastodon to v4.2.1 --- config/hosts/mastodon/mastodon.nix | 20 ++++++++++++++------ config/hosts/mastodon/nginx.nix | 18 +++++++++++++++++- 2 files changed, 31 insertions(+), 7 deletions(-) 
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 7dcf2ff..a05107e 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -1,33 +1,40 @@ -{ pkgs, ... }: +{ pkgs, nixpkgs-unstable, ... }: let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; - hash = "sha256-6YXWc8LTPdZzP1TWBmVp00CyZXUIzZbMX85cwrIcAks="; + hash = "sha256-HZP9UndsOcBhFV5T70R1HlYrCL+cqViZVJxHptxZKB8="; }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.1.10"; + version = "4.2.1"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-22AhrI4wk/FhVJeRfhiI10MeYOJFoS0dwg3fWuWltoM="; + sha256 = "sha256-SM9WdD+xpxo+gfBft9DARV6QjwNbF2Y9McVrrdDT3fw="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" - "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" + #"${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch" "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch" "${mastodonNekoversePatches}/patches/006_increase_display_name_character_limit.patch" "${mastodonNekoversePatches}/patches/007_increase_toot_character_limit.patch" ]; }; + yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; }); }; - pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; + pkgs-overlay = nixpkgs-unstable.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { + disabledModules = [ "services/web-apps/mastodon.nix" ]; + + imports = [ + "${nixpkgs-unstable}/nixos/modules/services/web-apps/mastodon.nix" + ]; + services.mastodon = { enable = true; package = pkgs-overlay.mastodon; 
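Review bot: `pkgs-overlay` hard-codes `"x86_64-linux"` when indexing `nixpkgs-unstable.legacyPackages`, so the overlay quietly builds for the wrong platform if this module is ever evaluated for a host of another architecture; `pkgs-overlay = nixpkgs-unstable.legacyPackages.${pkgs.stdenv.hostPlatform.system}.extend mastodonNekoverseOverlay;` keeps it tied to the evaluating system. The `002_disable_image_reprocessing.patch` entry is commented out with no reason recorded, so the next version bump cannot tell whether it may be deleted or must be re-enabled; a one-liner such as `# 002 disabled: <reason> — revisit on next patch-set update` settles that. The content hashes on `mastodonNekoversePatches`, the upstream tag and `yarnHash` are the right way to pin third-party patches for a public instance.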
@@ -44,6 +51,7 @@ in passwordFile = "/secrets/mastodon-email-smtp-pass.secret"; fromAddress = "Nekoverse "; }; + streamingProcesses = 3; extraConfig = { SMTP_TLS = "true"; ES_PRESET = "single_node_cluster"; diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix index f9d541f..f195089 100644 --- a/config/hosts/mastodon/nginx.nix +++ b/config/hosts/mastodon/nginx.nix @@ -3,6 +3,22 @@ services.nginx = { enable = true; group = "mastodon"; + upstreams.streaming = { + extraConfig = '' + least_conn; + ''; + servers = { + "unix:/run/mastodon-streaming/streaming-1.socket" = { + fail_timeout = "0"; + }; + "unix:/run/mastodon-streaming/streaming-2.socket" = { + fail_timeout = "0"; + }; + "unix:/run/mastodon-streaming/streaming-3.socket" = { + fail_timeout = "0"; + }; + }; + }; virtualHosts."social.nekover.se" = { forceSSL = true; enableACME = true; @@ -29,7 +45,7 @@ "/system/".alias = "/var/lib/mastodon/public-system/"; "^~ /api/v1/streaming" = { - proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + proxyPass = "http://streaming"; proxyWebsockets = true; }; From b0257625e56e63abea4978388659a805b6a4b3ea Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 23 Nov 2023 18:45:34 +0100 Subject: [PATCH 099/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/d7afe436f89670fb74eb0dcff2496f0ec530be48' (2023-11-16) → 'github:NixOS/nixpkgs/9ba29e2346bc542e9909d1021e8fd7d4b3f64db0' (2023-11-23) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/7bea27b7ef1c23c7433e52327d81a01702d34272' (2023-11-16) → 'github:NixOS/nixpkgs/da41de71f62bf7fb989a04e39629b8adbf8aa8b5' (2023-11-22) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 28da249..a141dcd 100644 --- a/flake.lock +++ b/flake.lock 
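Review bot: The three `unix:/run/mastodon-streaming/streaming-N.socket` entries in the nginx.nix `upstreams.streaming` hunk are a hand-copied mirror of `streamingProcesses = 3;` in the mastodon.nix hunk on this same line, and nothing ties them together: raising one without the other either leaves workers idle or makes nginx balance onto sockets that never appear. Deriving the server set from the option value removes the drift. The argument list at the top of nginx.nix is outside the hunk and would need `lib` and `config` added; the socket naming scheme is taken from the hunk itself, so confirm it against the module in use.
```nix
  upstreams.streaming = {
    extraConfig = ''
      least_conn;
    '';
    # one entry per streaming worker, derived from the mastodon option so the two cannot drift
    servers = builtins.listToAttrs (map (i: {
      name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket";
      value = { fail_timeout = "0"; };
    }) (lib.range 1 config.services.mastodon.streamingProcesses));
  };
  # … unchanged: virtualHosts."social.nekover.se" …
```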
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700144580, - "narHash": "sha256-JSH+kxJ40pgyuVy7r/HF9IDFxAcuzwJBHZJH4g9+3vA=", + "lastModified": 1700748986, + "narHash": "sha256-/nqLrNU297h3PCw4QyDpZKZEUHmialJdZW2ceYFobds=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d7afe436f89670fb74eb0dcff2496f0ec530be48", + "rev": "9ba29e2346bc542e9909d1021e8fd7d4b3f64db0", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1700169889, - "narHash": "sha256-AnqotTs1cIpx7Rc0ML3cnQwGJGSmlaLQZ2xzbjLU3XQ=", + "lastModified": 1700641131, + "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7bea27b7ef1c23c7433e52327d81a01702d34272", + "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5", "type": "github" }, "original": { From 218ab2e7108aadbcb3c8967f665400c3eacabd65 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 25 Nov 2023 20:55:08 +0100 Subject: [PATCH 100/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/9ba29e2346bc542e9909d1021e8fd7d4b3f64db0' (2023-11-23) → 'github:NixOS/nixpkgs/cbd3f3722ac41a200c1655141e021cf12c3ba4e6' (2023-11-24) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/da41de71f62bf7fb989a04e39629b8adbf8aa8b5' (2023-11-22) → 'github:NixOS/nixpkgs/1b99d72c8b7468def0c633635c469bf828db33a0' (2023-11-24) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index a141dcd..a1c74f0 100644 --- a/flake.lock +++ b/flake.lock 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700748986, - "narHash": "sha256-/nqLrNU297h3PCw4QyDpZKZEUHmialJdZW2ceYFobds=", + "lastModified": 1700854570, + "narHash": "sha256-GiwMS5sWSgF/CyZYbm+G5EcgG1VOEyvcsP5lE1L97Aw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9ba29e2346bc542e9909d1021e8fd7d4b3f64db0", + "rev": "cbd3f3722ac41a200c1655141e021cf12c3ba4e6", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1700641131, - "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=", + "lastModified": 1700867874, + "narHash": "sha256-0Dk63BLiG9rmfBf8LxFpz8KgpUkepehVzhhVDgfxWSo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5", + "rev": "1b99d72c8b7468def0c633635c469bf828db33a0", "type": "github" }, "original": { From 733f09d7af5901a863a59ca6dcc874870dc24c73 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 25 Nov 2023 21:29:55 +0100 Subject: [PATCH 101/386] Fix http acme challange for status.nekover.se --- config/hosts/valkyrie/configuration.nix | 5 --- config/hosts/valkyrie/nginx.nix | 42 ++++++++++++++++--------- 2 files changed, 27 insertions(+), 20 deletions(-) diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index fd3cd45..f4e2db5 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -80,11 +80,6 @@ proto = "tcp"; sourcePort = 25; } - { - destination = "172.18.50.2:80"; - proto = "tcp"; - sourcePort = 80; - } { destination = "172.18.50.2:465"; proto = "tcp"; diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix index ada3379..fae78f0 100644 --- a/config/hosts/valkyrie/nginx.nix +++ b/config/hosts/valkyrie/nginx.nix 
@@ -2,23 +2,35 @@ { services.nginx = { enable = true; - virtualHosts."status.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { + virtualHosts = { + "mail-1.grzb.de" = { + listen = [{ addr = "0.0.0.0"; port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - ]; - locations."/" = { - proxyPass = "http://localhost:3001"; - proxyWebsockets = true; + }]; + locations."/" = { + # proxy port 80 to mail server nginx for acme http challange + proxyPass = "http://172.18.50.2:80"; + }; + }; + "status.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://localhost:3001"; + proxyWebsockets = true; + }; }; }; }; From fe24805b4922befe35669283a96f472c17115f56 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 25 Nov 2023 21:31:08 +0100 Subject: [PATCH 102/386] Update element-web to 1.11.50 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index b98e9e5..c67ca9c 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.49"; + elementWebVersion = "1.11.50"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-0w503Y4hgG6eFMuMMQyHjuMhyc+T4Rq1a5VDZN3POQc="; + sha256 = "sha256-NdETOxGqY6xae8oQcz9NoXbDuLc0F/YaW0Ql5dxUEks="; }; elementWebSecurityHeaders = '' # Configuration best practices From e6710cc8d9d3c0d5e305c199b455fad8719cc779 Mon Sep 17 00:00:00 2001 
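Review bot: The new `"mail-1.grzb.de"` vhost proxies `locations."/"` — every plain-HTTP request for that name — to `172.18.50.2:80`, while its own comment says the purpose is only the ACME HTTP challenge; with the port-80 NAT forward removed in the configuration.nix hunk of this commit, this vhost is now the only route to the mail server's port 80 and it forwards all of it. Restricting the location the way web-public-1's acme-challenge.nix does limits exposure to the challenge path: `locations."^~ /.well-known/acme-challenge/".proxyPass = "http://172.18.50.2:80";`. The comment (and the commit title) spell it "challange".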
From: fi Date: Sat, 25 Nov 2023 21:31:41 +0100 Subject: [PATCH 103/386] Use postgresql service from unstable --- config/hosts/mastodon/mastodon.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index a05107e..29a9560 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -29,9 +29,13 @@ let vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { - disabledModules = [ "services/web-apps/mastodon.nix" ]; + disabledModules = [ + "services/databases/postgresql.nix" + "services/web-apps/mastodon.nix" + ]; imports = [ + "${nixpkgs-unstable}/nixos/modules/services/databases/postgresql.nix" "${nixpkgs-unstable}/nixos/modules/services/web-apps/mastodon.nix" ]; From 7cd261f8504e2ef41750739dfc3c81878e312ea7 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 26 Nov 2023 00:19:00 +0100 Subject: [PATCH 104/386] Add navidrome host --- config/hosts/navidrome/configuration.nix | 33 +++++++++++++++++++ config/hosts/navidrome/default.nix | 7 ++++ config/hosts/navidrome/navidrome.nix | 9 +++++ config/hosts/navidrome/nginx.nix | 24 ++++++++++++++ config/hosts/navidrome/secrets.nix | 13 ++++++++ .../virtualHosts/acme-challenge.nix | 12 +++++-- hosts.nix | 5 +++ 7 files changed, 100 insertions(+), 3 deletions(-) create mode 100644 config/hosts/navidrome/configuration.nix create mode 100644 config/hosts/navidrome/default.nix create mode 100644 config/hosts/navidrome/navidrome.nix create mode 100644 config/hosts/navidrome/nginx.nix create mode 100644 config/hosts/navidrome/secrets.nix diff --git a/config/hosts/navidrome/configuration.nix b/config/hosts/navidrome/configuration.nix new file mode 100644 index 0000000..581a631 --- /dev/null +++ b/config/hosts/navidrome/configuration.nix 
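Review bot: Swapping the host's `services/databases/postgresql.nix` module for the one from `nixpkgs-unstable` is not explained in the hunk or the commit message, and because the replacement is pinned only through `flake.lock`, every lock update can change how the production database is started. A comment on the `disabledModules` entry naming which option or fix requires the unstable module — for example `# unstable postgresql module needed for <reason>; drop once the host nixpkgs carries it` — gives the next reviewer a criterion for removing it. Whether the unstable module changes the default PostgreSQL major for this host cannot be judged from here and should be checked before deploying.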
@@ -0,0 +1,33 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "navidrome"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + fileSystems = { + "/mnt/music" = { + device = "//10.202.40.5/music-ro"; + fsType = "cifs"; + options = [ + "username=navidrome" + "credentials=/secrets/navidrome-samba-credentials.secret" + "iocharset=utf8" + "vers=3.1.1" + "uid=navidrome" + "gid=navidrome" + "_netdev" + ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/navidrome/default.nix b/config/hosts/navidrome/default.nix new file mode 100644 index 0000000..00d4a90 --- /dev/null +++ b/config/hosts/navidrome/default.nix @@ -0,0 +1,7 @@ +{ ... }: { + imports = [ + ./configuration.nix + ./navidrome.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/navidrome/navidrome.nix b/config/hosts/navidrome/navidrome.nix new file mode 100644 index 0000000..74e3a1d --- /dev/null +++ b/config/hosts/navidrome/navidrome.nix @@ -0,0 +1,9 @@ +{ ... }: { + services.navidrome = { + enable = true; + settings = { + Address = "unix:/run/navidrome/navidrome.socket"; + MusicFolder = "/mnt/music"; + }; + }; +} diff --git a/config/hosts/navidrome/nginx.nix b/config/hosts/navidrome/nginx.nix new file mode 100644 index 0000000..eef60dd --- /dev/null +++ b/config/hosts/navidrome/nginx.nix @@ -0,0 +1,24 @@ +{ ... }: { + services.nginx = { + enable = true; + user = "navidrome"; + virtualHosts."navidrome.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://unix:/run/navidrome/navidrome.socket"; + }; + }; + }; +} diff --git a/config/hosts/navidrome/secrets.nix b/config/hosts/navidrome/secrets.nix new file mode 100644 index 0000000..a11e957 --- /dev/null +++ b/config/hosts/navidrome/secrets.nix 
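Review bot: `system.stateVersion = "23.05"` in the new navidrome configuration.nix is set for a host that the hosts.nix hunk on the next line places on `nixpkgs-unstable`, and the torrent host created the same way in PATCH 115 uses `"23.11"`; stateVersion should record the release the host was first installed from, so one of the two looks inconsistent. If this VM really was installed from a 23.05 image, a comment saying so would prevent an accidental "fix" later; otherwise `"23.11"` is the value to pin.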
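Review bot: `config/hosts/navidrome/default.nix` imports configuration.nix, navidrome.nix and nginx.nix but not the new secrets.nix, yet configuration.nix mounts with `credentials=/secrets/navidrome-samba-credentials.secret`, which only exists if that `deployment.keys` entry is deployed. If the deployment helper (not visible here) pulls every host's secrets.nix in automatically this is fine; if not, the CIFS mount fails at boot. The torrent host's default.nix in PATCH 115 has the same shape, so a one-line comment in default.nix stating where secrets.nix is imported from would settle it for both.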
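Review bot: `services.nginx.user = "navidrome"` in the navidrome nginx.nix runs the public-facing reverse proxy under the application's identity, so a compromised nginx worker holds the same rights as navidrome itself — including the CIFS share mounted with `uid=navidrome`. The usual reason for this is reaching the unix socket at `/run/navidrome/navidrome.socket`; granting group access instead keeps the boundary: `users.users.nginx.extraGroups = [ "navidrome" ];` together with a socket mode that allows group read/write, which depends on how navidrome creates the socket and should be verified before switching.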
@@ -0,0 +1,13 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "navidrome-samba-credentials.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix index fd1e474..c9b7e61 100644 --- a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix @@ -1,12 +1,18 @@ { ... }: +let + acmeDomainMap = { + "paperless.grzb.de" = "paperless.wg.grzb.de"; + "navidrome.grzb.de" = "navidrome.wg.grzb.de"; + }; +in { - services.nginx.virtualHosts."paperless.grzb.de" = { + services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: { listen = [{ addr = "0.0.0.0"; port = 80; }]; locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://paperless.wg.grzb.de:80"; + proxyPass = "http://${target}:80"; }; - }; + }) acmeDomainMap); } diff --git a/hosts.nix b/hosts.nix index 194cc45..afdbc03 100644 --- a/hosts.nix +++ b/hosts.nix @@ -69,6 +69,11 @@ in site = "vs"; environment = "proxmox"; }; + navidrome = { + hostNixpkgs = nixpkgs-unstable; + site = "wg"; + environment = "proxmox"; + }; netbox = { site = "vs"; environment = "proxmox"; From 0beec4baf5de2d037d875a87fb553654d4cbc113 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 4 Dec 2023 23:33:15 +0100 Subject: [PATCH 105/386] Use 23.11 as default nixpkgs --- flake.lock | 25 +++++++++++++++++++++---- flake.nix | 5 +++-- hosts.nix | 4 +++- 3 files changed, 27 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index a1c74f0..6dffdd8 100644 --- a/flake.lock +++ b/flake.lock 
@@ -70,16 +70,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700854570, - "narHash": "sha256-GiwMS5sWSgF/CyZYbm+G5EcgG1VOEyvcsP5lE1L97Aw=", + "lastModified": 1701592216, + "narHash": "sha256-OVEAu1YBi3i8eB2f5uxR0Yws/uXgj2yHj/I963e6jxU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cbd3f3722ac41a200c1655141e021cf12c3ba4e6", + "rev": "f8a9aa9ca646691f9e192a62624b1548367b5dd9", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.05-small", + "ref": "nixos-23.11-small", "repo": "nixpkgs", "type": "github" } @@ -99,6 +99,22 @@ "type": "indirect" } }, + "nixpkgs-23-05": { + "locked": { + "lastModified": 1701699333, + "narHash": "sha256-ePa4oynwTNXuc4bqbi5ZMrO72yGuTPukptuMmgXPM5k=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "42499b9f6515dbca54cec1cae78165fd4e5eccfe", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05-small", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-23_05": { "locked": { "lastModified": 1684782344, @@ -149,6 +165,7 @@ "inputs": { "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", + "nixpkgs-23-05": "nixpkgs-23-05", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } diff --git a/flake.nix b/flake.nix index d2341f7..337bdfa 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,8 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05-small"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; 
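Review bot: The new input is named `nixpkgs-23-05` while the lock file in the same commit already carries a `nixpkgs-23_05` input (presumably a dependency of `simple-nixos-mailserver`, which pins nixos-23.05), so two independently pinned 23.05 trees now coexist under names differing by one character. That doubles what lock updates and security backports have to cover, and it is easy to hand the wrong one to a host. If both are meant to be the same tree, `inputs.simple-nixos-mailserver.inputs.nixpkgs-23_05.follows = "nixpkgs-23-05";` in flake.nix collapses them, the same way `nixos-generators` already follows `nixpkgs`; otherwise a comment explaining why they must differ would help.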
@@ -9,7 +10,7 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; diff --git a/hosts.nix b/hosts.nix index afdbc03..2214fed 100644 --- a/hosts.nix +++ b/hosts.nix @@ -1,4 +1,4 @@ -{ nixpkgs, nixpkgs-unstable, ... }: +{ nixpkgs, nixpkgs-unstable, nixpkgs-23-05, ... }: let # Set of environment specific modules environments = { @@ -50,10 +50,12 @@ in site = "io"; }; mail-1 = { + hostNixpkgs = nixpkgs-23-05; site = "vs"; environment = "proxmox"; }; mail-2 = { + hostNixpkgs = nixpkgs-23-05; site = "wg"; environment = "proxmox"; }; From ba4f03efc0cbe764e5117c066f64bb2621636b27 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 4 Dec 2023 23:33:37 +0100 Subject: [PATCH 106/386] Set netbox package to package from 23.11 --- config/hosts/netbox/netbox.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix index 32e37e4..b9ba2ad 100644 --- a/config/hosts/netbox/netbox.nix +++ b/config/hosts/netbox/netbox.nix @@ -1,7 +1,8 @@ -{ ... }: +{ pkgs, ... }: { services.netbox = { enable = true; + package = pkgs.netbox; secretKeyFile = "/secrets/netbox-secret-key.secret"; }; } From a5093559915ef9d085992318ef85e19aceb0095d Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 4 Dec 2023 23:33:59 +0100 Subject: [PATCH 107/386] Update mastodon to 4.2.2 and add 008_increase_profile_metadata_limit patch --- config/hosts/mastodon/mastodon.nix | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 29a9560..f2d7304 100644 --- a/config/hosts/mastodon/mastodon.nix 
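Review bot: `package = pkgs.netbox;` in netbox.nix pins the service to whatever the unversioned `netbox` attribute resolves to in the host's nixpkgs, so each future channel bump can move NetBox across major versions without any config change. If the commit's intent — taking the 23.11 package — is a one-time deliberate upgrade, selecting that release's versioned attribute makes later upgrades explicit; NetBox schema migrations are not reversible, so the choice deserves a comment either way, e.g. `# explicit package: the module default is tied to system.stateVersion`. Whether the module default really depends on stateVersion in this nixpkgs is inferred and should be confirmed.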
+++ b/config/hosts/mastodon/mastodon.nix @@ -2,16 +2,16 @@ let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; - hash = "sha256-HZP9UndsOcBhFV5T70R1HlYrCL+cqViZVJxHptxZKB8="; + hash = "sha256-2ZTwgcApKrXnO6isJFZk2oLaFB8hm1OAlPxftxXL25g="; }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.1"; + version = "4.2.2"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-SM9WdD+xpxo+gfBft9DARV6QjwNbF2Y9McVrrdDT3fw="; + sha256 = "sha256-D3qIrxj6mHtepMAYHq6USOM+ukMF7J/y20/y+CUh5RU="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" @@ -20,6 +20,7 @@ let "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch" "${mastodonNekoversePatches}/patches/006_increase_display_name_character_limit.patch" "${mastodonNekoversePatches}/patches/007_increase_toot_character_limit.patch" + "${mastodonNekoversePatches}/patches/008_increase_profile_metadata_limit.patch" ]; }; yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; @@ -29,16 +30,6 @@ let vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { - disabledModules = [ - "services/databases/postgresql.nix" - "services/web-apps/mastodon.nix" - ]; - - imports = [ - "${nixpkgs-unstable}/nixos/modules/services/databases/postgresql.nix" - "${nixpkgs-unstable}/nixos/modules/services/web-apps/mastodon.nix" - ]; - services.mastodon = { enable = true; package = pkgs-overlay.mastodon; From 86b0a97d1222de0f73d94cd08926bd0a40a9c94d Mon Sep 17 00:00:00 2001 
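Review bot: The third hunk drops the unstable mastodon and postgresql module imports, but `pkgs-overlay` (from PATCH 098, and the file header at line 1, both outside these hunks) presumably still builds the package from `nixpkgs-unstable`, so the module now comes from the host's nixpkgs while the package and its overrides come from unstable. If that split is intended, a comment at `pkgs-overlay` such as `# package from unstable on purpose; module from host nixpkgs` prevents the next reader from "fixing" it, and if not, the overlay should move to `pkgs.extend` again. The `hash`, `sha256` and `rev` pins are updated consistently for both the patch repository and the upstream tag.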
From: fi Date: Tue, 5 Dec 2023 02:23:12 +0100 Subject: [PATCH 108/386] Fix mastodon vm not booting due to mount options --- config/hosts/mastodon/configuration.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/hosts/mastodon/configuration.nix b/config/hosts/mastodon/configuration.nix index aad67b7..6ca384d 100644 --- a/config/hosts/mastodon/configuration.nix +++ b/config/hosts/mastodon/configuration.nix @@ -23,19 +23,19 @@ depends = [ "/mnt/data" ]; device = "/mnt/data/mastodon"; fsType = "none"; - options = [ "bind" "X-mount.owner=mastodon" "X-mount.group=mastodon" ]; + options = [ "bind" ]; }; "/var/lib/postgresql" = { depends = [ "/mnt/data" ]; device = "/mnt/data/postgresql"; fsType = "none"; - options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ]; + options = [ "bind" ]; }; "/var/lib/private/opensearch/data" = { depends = [ "/mnt/data" ]; device = "/mnt/data/opensearch"; fsType = "none"; - options = [ "bind" "X-mount.owner=opensearch" "X-mount.group=opensearch" ]; + options = [ "bind" ]; }; }; From 47496662ae8404c9fae6573a0e2514693fb25f6a Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 5 Dec 2023 02:24:50 +0100 Subject: [PATCH 109/386] Set nixos-generators proxmox disk size --- config/nixos-generators/proxmox.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/nixos-generators/proxmox.nix b/config/nixos-generators/proxmox.nix index 196f802..d199137 100644 --- a/config/nixos-generators/proxmox.nix +++ b/config/nixos-generators/proxmox.nix @@ -6,8 +6,7 @@ cores = 2; memory = 1024; bios = "seabios"; - # Option not available in 23.05 - # diskSize = "8096"; + diskSize = "8192"; virtio0 = "local-zfs:base-disk-0,discard=on"; boot = "order=virtio0"; net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1"; From 2fd35881d31455c9389f654d3627e9bf9b8173d7 Mon Sep 17 00:00:00 2001 
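Review bot: Dropping `X-mount.owner=…`/`X-mount.group=…` from the bind mounts fixes the boot failure but removes the only place in the config that stated who must own `/mnt/data/mastodon`, `/mnt/data/postgresql` and `/mnt/data/opensearch`; a bind mount inherits the source directory's ownership, so the services now rely on those directories having been chowned out of band. A `systemd.tmpfiles.rules` entry per directory (e.g. `"d /mnt/data/mastodon 0750 mastodon mastodon -"`, provided `/mnt/data` is mounted before tmpfiles runs) or at least a comment naming what guarantees the ownership keeps the requirement visible. The same removal is made for matrix in PATCH 111 and paperless in PATCH 112 on the following lines.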
From: fi Date: Tue, 5 Dec 2023 04:15:32 +0100 Subject: [PATCH 110/386] Keep valkyrie at 23.05 until I fix wireguard-nat-nftables pkg --- hosts.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts.nix b/hosts.nix index 2214fed..f5ee33c 100644 --- a/hosts.nix +++ b/hosts.nix @@ -106,6 +106,7 @@ in environment = "proxmox"; }; valkyrie = { + hostNixpkgs = nixpkgs-23-05; site = "af"; environment = "openstack"; }; From 150fe9f106616cd71b70e0a1000af3f89c2f823f Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 5 Dec 2023 04:16:44 +0100 Subject: [PATCH 111/386] Fix matrix vm not booting due to mount options --- config/hosts/matrix/hardware-configuration.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/matrix/hardware-configuration.nix b/config/hosts/matrix/hardware-configuration.nix index d014f39..fbc56c9 100644 --- a/config/hosts/matrix/hardware-configuration.nix +++ b/config/hosts/matrix/hardware-configuration.nix @@ -10,12 +10,12 @@ depends = [ "/mnt/data" ]; device = "/mnt/data/media_store"; fsType = "none"; - options = [ "bind" "X-mount.owner=matrix-synapse" "X-mount.group=matrix-synapse" ]; + options = [ "bind" ]; }; fileSystems."/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}" = { depends = [ "/mnt/data" ]; device = "/mnt/data/database"; fsType = "none"; - options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ]; + options = [ "bind" ]; }; } From 0e9d702f80efe94b1327e91c559a4c00ccda8082 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 5 Dec 2023 04:17:09 +0100 Subject: [PATCH 112/386] Fix paperless vm not booting due to mount options --- config/hosts/paperless/hardware-configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix index 69684c1..17b9b66 100644 --- a/config/hosts/paperless/hardware-configuration.nix +++ b/config/hosts/paperless/hardware-configuration.nix 
@@ -24,7 +24,7 @@ depends = [ "/mnt/data" ]; device = "/mnt/data/paperless"; fsType = "none"; - options = [ "bind" "X-mount.owner=paperless" "X-mount.group=paperless" ]; + options = [ "bind" ]; }; }; } From 09e47042b6b216fa7ad649c7b3f3481b11424500 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 5 Dec 2023 04:18:23 +0100 Subject: [PATCH 113/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/150f38bd1e09e20987feacb1b0d5991357532fb5' (2023-09-30) → 'github:nix-community/nixos-generators/246219bc21b943c6f6812bb7744218ba0df08600' (2023-12-04) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/f8a9aa9ca646691f9e192a62624b1548367b5dd9' (2023-12-03) → 'github:NixOS/nixpkgs/71bb3aaf2222f5ac691edb7de046d74c6cfe466b' (2023-12-03) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/1b99d72c8b7468def0c633635c469bf828db33a0' (2023-11-24) → 'github:NixOS/nixpkgs/d08f6384a5d8e5cf28ab243752cd83eed2a5d700' (2023-12-04) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 6dffdd8..19028cb 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1696058303, - "narHash": "sha256-eNqKWpF5zG0SrgbbtljFOrRgFgRzCc4++TMFADBMLnc=", + "lastModified": 1701689616, + "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "150f38bd1e09e20987feacb1b0d5991357532fb5", + "rev": "246219bc21b943c6f6812bb7744218ba0df08600", "type": "github" }, "original": { 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1701592216, - "narHash": "sha256-OVEAu1YBi3i8eB2f5uxR0Yws/uXgj2yHj/I963e6jxU=", + "lastModified": 1701641412, + "narHash": "sha256-8tIujWeoxRnkTjaQK4uzBxvhm0MxHilAi2VjlenQoBg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f8a9aa9ca646691f9e192a62624b1548367b5dd9", + "rev": "71bb3aaf2222f5ac691edb7de046d74c6cfe466b", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1700867874, - "narHash": "sha256-0Dk63BLiG9rmfBf8LxFpz8KgpUkepehVzhhVDgfxWSo=", + "lastModified": 1701653742, + "narHash": "sha256-9bLa7tsNtFSsXZDC+XVHyT6auJxUY+gObkvnEgSV7TM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1b99d72c8b7468def0c633635c469bf828db33a0", + "rev": "d08f6384a5d8e5cf28ab243752cd83eed2a5d700", "type": "github" }, "original": { From 2085dfb7838b4a7af5845a2a83f63868c4a57aa7 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 12 Dec 2023 15:56:41 +0100 Subject: [PATCH 114/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/71bb3aaf2222f5ac691edb7de046d74c6cfe466b' (2023-12-03) → 'github:NixOS/nixpkgs/eb48fb87884618b6808a945c9b0561f376996466' (2023-12-11) • Updated input 'nixpkgs-23-05': 'github:NixOS/nixpkgs/42499b9f6515dbca54cec1cae78165fd4e5eccfe' (2023-12-04) → 'github:NixOS/nixpkgs/f3a9ecde534fa67c6fd5426083304463218875b6' (2023-12-11) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/d08f6384a5d8e5cf28ab243752cd83eed2a5d700' (2023-12-04) → 'github:NixOS/nixpkgs/120a26f8ce32ac2bdc0e49a9fed830b7446416b4' (2023-12-11) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 19028cb..9c780b5 100644 --- a/flake.lock +++ b/flake.lock 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1701641412, - "narHash": "sha256-8tIujWeoxRnkTjaQK4uzBxvhm0MxHilAi2VjlenQoBg=", + "lastModified": 1702283490, + "narHash": "sha256-QB/77RvJSDvmaJ9VBAtSingT3x673q3F9VLfOhn2j9A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "71bb3aaf2222f5ac691edb7de046d74c6cfe466b", + "rev": "eb48fb87884618b6808a945c9b0561f376996466", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-23-05": { "locked": { - "lastModified": 1701699333, - "narHash": "sha256-ePa4oynwTNXuc4bqbi5ZMrO72yGuTPukptuMmgXPM5k=", + "lastModified": 1702278230, + "narHash": "sha256-9kiZPvAw5zQfKu5ozmIRlgpVAfC16xlMADuXNvklPF4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "42499b9f6515dbca54cec1cae78165fd4e5eccfe", + "rev": "f3a9ecde534fa67c6fd5426083304463218875b6", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1701653742, - "narHash": "sha256-9bLa7tsNtFSsXZDC+XVHyT6auJxUY+gObkvnEgSV7TM=", + "lastModified": 1702310776, + "narHash": "sha256-T2KJpsNjAytMsP6+xrhXfAb2KTG6Yt2D4hTTugpsJFo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d08f6384a5d8e5cf28ab243752cd83eed2a5d700", + "rev": "120a26f8ce32ac2bdc0e49a9fed830b7446416b4", "type": "github" }, "original": { From 2733d28a9941ee320e0ea55c26e6a9985f3eed9f Mon Sep 17 00:00:00 2001 
From: fi Date: Sat, 16 Dec 2023 00:22:34 +0100 Subject: [PATCH 115/386] Setup radarr and sonarr on torrent host --- config/hosts/torrent/configuration.nix | 29 +++++++ config/hosts/torrent/default.nix | 11 +++ config/hosts/torrent/jackett.nix | 6 ++ config/hosts/torrent/nginx.nix | 80 +++++++++++++++++++ .../hosts/torrent/qbittorrent-nox/default.nix | 8 ++ .../hosts/torrent/qbittorrent-nox/nginx.nix | 51 ++++++++++++ .../torrent/qbittorrent-nox/services.nix | 13 +++ .../hosts/torrent/qbittorrent-nox/users.nix | 9 +++ config/hosts/torrent/radarr.nix | 8 ++ config/hosts/torrent/secrets.nix | 13 +++ config/hosts/torrent/sonarr.nix | 8 ++ .../virtualHosts/acme-challenge.nix | 6 +- hosts.nix | 4 + 13 files changed, 245 insertions(+), 1 deletion(-) create mode 100644 config/hosts/torrent/configuration.nix create mode 100644 config/hosts/torrent/default.nix create mode 100644 config/hosts/torrent/jackett.nix create mode 100644 config/hosts/torrent/nginx.nix create mode 100644 config/hosts/torrent/qbittorrent-nox/default.nix create mode 100644 config/hosts/torrent/qbittorrent-nox/nginx.nix create mode 100644 config/hosts/torrent/qbittorrent-nox/services.nix create mode 100644 config/hosts/torrent/qbittorrent-nox/users.nix create mode 100644 config/hosts/torrent/radarr.nix create mode 100644 config/hosts/torrent/secrets.nix create mode 100644 config/hosts/torrent/sonarr.nix diff --git a/config/hosts/torrent/configuration.nix b/config/hosts/torrent/configuration.nix new file mode 100644 index 0000000..610fde4 --- /dev/null +++ b/config/hosts/torrent/configuration.nix 
@@ -0,0 +1,29 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "torrent"; + }; + + fileSystems = { + "/mnt/media" = { + device = "//10.202.100.5/media"; + fsType = "cifs"; + options = [ + "username=torrent" + "credentials=/secrets/torrent-samba-credentials.secret" + "iocharset=utf8" + "vers=3.1.1" + "uid=torrent" + "gid=torrent" + "_netdev" + ]; + }; + }; + + system.stateVersion = "23.11"; +} diff --git a/config/hosts/torrent/default.nix b/config/hosts/torrent/default.nix new file mode 100644 index 0000000..dc6a854 --- /dev/null +++ b/config/hosts/torrent/default.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./jackett.nix + ./qbittorrent-nox + ./radarr.nix + ./sonarr.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/torrent/jackett.nix b/config/hosts/torrent/jackett.nix new file mode 100644 index 0000000..1b8707e --- /dev/null +++ b/config/hosts/torrent/jackett.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.jackett = { + enable = true; + }; +} diff --git a/config/hosts/torrent/nginx.nix b/config/hosts/torrent/nginx.nix new file mode 100644 index 0000000..3366a25 --- /dev/null +++ b/config/hosts/torrent/nginx.nix 
@@ -0,0 +1,80 @@ +{ ... }: +{ + services.nginx = { + enable = true; + + virtualHosts = { + "jackett.grzb.de" = { + forceSSL = true; + enableACME = true; + + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:9117"; + proxyWebsockets = true; + }; + }; + }; + "radarr.grzb.de" = { + forceSSL = true; + enableACME = true; + + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:7878"; + proxyWebsockets = true; + }; + }; + }; + "sonarr.grzb.de" = { + forceSSL = true; + enableACME = true; + + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8989"; + proxyWebsockets = true; + }; + }; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; +} diff --git a/config/hosts/torrent/qbittorrent-nox/default.nix b/config/hosts/torrent/qbittorrent-nox/default.nix new file mode 100644 index 0000000..0afc08c --- /dev/null +++ b/config/hosts/torrent/qbittorrent-nox/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./nginx.nix + ./services.nix + ./users.nix + ]; +} diff --git a/config/hosts/torrent/qbittorrent-nox/nginx.nix b/config/hosts/torrent/qbittorrent-nox/nginx.nix new file mode 100644 index 0000000..712c856 --- /dev/null +++ b/config/hosts/torrent/qbittorrent-nox/nginx.nix 
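Review bot: The three vhosts in torrent/nginx.nix are identical except for the server name and backend port, which is the pattern web-public-1's acme-challenge.nix in PATCH 104 already solves with `builtins.mapAttrs`; generating them from a name-to-port map keeps the listen and TLS settings in one place. All three publish admin UIs on `0.0.0.0` behind TLS with nothing at the proxy layer, so access control rests entirely on each application's own login — confirm it is enabled in Jackett, Radarr and Sonarr before the names go live, or add `basicAuthFile` to the shared location. The rewrite below replaces the body of `services.nginx.virtualHosts`; the firewall line is unchanged.
```nix
{ ... }:
let
  # server name -> local backend port; all three share the same TLS/proxy settings
  proxiedApps = {
    "jackett.grzb.de" = 9117;
    "radarr.grzb.de" = 7878;
    "sonarr.grzb.de" = 8989;
  };
in
{
  services.nginx = {
    enable = true;
    virtualHosts = builtins.mapAttrs (_: port: {
      forceSSL = true;
      enableACME = true;
      listen = [
        { addr = "0.0.0.0"; port = 80; }
        { addr = "0.0.0.0"; port = 443; ssl = true; }
      ];
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString port}";
        proxyWebsockets = true;
      };
    }) proxiedApps;
  };
  # … unchanged: networking.firewall.allowedTCPPorts …
}
```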
@@ -0,0 +1,51 @@ +# Sources for this configuration: +# - https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI +# - https://github.com/qbittorrent/qBittorrent/wiki/Linux-WebUI-HTTPS-with-Let's-Encrypt-certificates-and-NGINX-SSL-reverse-proxy + +{ ... }: +{ + services.nginx = { + enable = true; + + virtualHosts."torrent.grzb.de" = { + forceSSL = true; + enableACME = true; + + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + + locations."/" = { + proxyPass = "http://127.0.0.1:8080"; + extraConfig = '' + proxy_http_version 1.1; + + client_max_body_size 100M; + + # From: + # https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI + # + # Since v4.2.2, is possible to configure qBittorrent + # to set the "Secure" flag for the session cookie automatically. + # However, that option does nothing unless using qBittorrent's built-in HTTPS functionality. + # For this use case, where qBittorrent itself is using plain HTTP + # (and regardless of whether or not the external website uses HTTPS), + # the flag must be set here, in the proxy configuration itself. + # Note: If this flag is set while the external website uses only HTTP, this will cause + # the login mechanism to not work without any apparent errors in console/network resulting in "auth loops". + proxy_cookie_path / "/; Secure"; + ''; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; +} diff --git a/config/hosts/torrent/qbittorrent-nox/services.nix b/config/hosts/torrent/qbittorrent-nox/services.nix new file mode 100644 index 0000000..4050e15 --- /dev/null +++ b/config/hosts/torrent/qbittorrent-nox/services.nix 
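Review bot: The qBittorrent location forwards no `Host`/`X-Forwarded-*` headers, while the wiki page cited at the top of the file sets them; as written nginx sends `Host: 127.0.0.1:8080` upstream, which is what qBittorrent's Host-header validation and CSRF protection compare against the browser's `https://torrent.grzb.de` Origin, so if those protections are enabled the login will fail or someone will be tempted to switch them off. Add `proxy_set_header Host $http_host;`, `proxy_set_header X-Forwarded-Host $http_host;` and `proxy_set_header X-Forwarded-For $remote_addr;` to `extraConfig` (or enable `recommendedProxySettings`), so the checks keep working behind the proxy. Because this vhost is public, note in a comment that the WebUI must be bound to 127.0.0.1 and its default credentials changed before the first deploy; nothing in this commit shows the qBittorrent-side configuration, so I am inferring that from the proxyPass target.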
@@ -0,0 +1,13 @@ +# Sources for this configuration: +# - https://github.com/NixOS/nixpkgs/issues/236736#issuecomment-1704670598 +# - https://nixos.org/manual/nixos/stable/#sect-nixos-systemd-nixos + +{ pkgs, ... }: +{ + systemd.packages = [ pkgs.qbittorrent-nox ]; + + systemd.services."qbittorrent-nox@torrent" = { + overrideStrategy = "asDropin"; + wantedBy = [ "multi-user.target" ]; + }; +} diff --git a/config/hosts/torrent/qbittorrent-nox/users.nix b/config/hosts/torrent/qbittorrent-nox/users.nix new file mode 100644 index 0000000..6e184c9 --- /dev/null +++ b/config/hosts/torrent/qbittorrent-nox/users.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + users.users.torrent = { + isNormalUser = true; + group = "torrent"; + }; + + users.groups.torrent = {}; +} diff --git a/config/hosts/torrent/radarr.nix b/config/hosts/torrent/radarr.nix new file mode 100644 index 0000000..2a28c46 --- /dev/null +++ b/config/hosts/torrent/radarr.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + services.radarr = { + enable = true; + user = "torrent"; + group = "torrent"; + }; +} diff --git a/config/hosts/torrent/secrets.nix b/config/hosts/torrent/secrets.nix new file mode 100644 index 0000000..289778a --- /dev/null +++ b/config/hosts/torrent/secrets.nix @@ -0,0 +1,13 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "torrent-samba-credentials.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "torrent/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/torrent/sonarr.nix b/config/hosts/torrent/sonarr.nix new file mode 100644 index 0000000..fb0186a --- /dev/null +++ b/config/hosts/torrent/sonarr.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + services.sonarr = { + enable = true; + user = "torrent"; + group = "torrent"; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index eaf7188..4cc28af 100644 
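Review bot: users.nix, radarr.nix and sonarr.nix, together with the `qbittorrent-nox@torrent` instance and the `uid=torrent` CIFS mount, run three network-facing daemons under one account, so a compromise of any of them (both *arr applications can run custom scripts from their UI) reaches the others' state — qBittorrent's WebUI password hash and the Sonarr/Radarr API keys live in config directories owned by that same user. The least-privilege layout is one system user per service that shares only the `torrent` group, with the share mounted group-writable (`gid=torrent`, `file_mode=0664`, `dir_mode=0775`). `isNormalUser = true` also gives the daemon account a login shell and a `/home` entry; `isSystemUser = true` is the usual choice, unless the upstream `qbittorrent-nox@.service` template needs a real home directory for its config — I cannot see that unit here, so please confirm before switching.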
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -3,11 +3,15 @@ let acmeDomainMap = { "jellyfin.grzb.de" = "jellyfin.vs.grzb.de"; "mail-1.grzb.de" = "mail-1.vs.grzb.de"; - "social.nekover.se" = "mastodon.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; + "jackett.grzb.de" = "torrent.vs.grzb.de"; + "radarr.grzb.de" = "torrent.vs.grzb.de"; "searx.nekover.se" = "searx.vs.grzb.de"; + "social.nekover.se" = "mastodon.vs.grzb.de"; + "sonarr.grzb.de" = "torrent.vs.grzb.de"; + "torrent.grzb.de" = "torrent.vs.grzb.de"; "turn.nekover.se" = "coturn.vs.grzb.de"; }; in diff --git a/hosts.nix b/hosts.nix index f5ee33c..98e423a 100644 --- a/hosts.nix +++ b/hosts.nix @@ -101,6 +101,10 @@ in site = "vs"; environment = "proxmox"; }; + torrent = { + site = "vs"; + environment = "proxmox"; + }; tor-relay = { site = "vs"; environment = "proxmox"; From 28690501c68d47462a5ae878914f629391cc311f Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 16 Dec 2023 00:22:59 +0100 Subject: [PATCH 116/386] update mastodon to 4.2.3 and enable disable image processing patch --- config/hosts/mastodon/mastodon.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index f2d7304..94b890a 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -6,16 +6,16 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.2"; + version = "4.2.3"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-D3qIrxj6mHtepMAYHq6USOM+ukMF7J/y20/y+CUh5RU="; + sha256 = "sha256-e8O4kxsrHf+wEtl4S57xIL1VEvhUSjyCbmz4r9p8Zhw="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" - #"${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" + "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch" "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch" "${mastodonNekoversePatches}/patches/006_increase_display_name_character_limit.patch" From 596b156e0571e9b5d62eaf5e7782624f6de14e2c Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 16 Dec 2023 00:23:46 +0100 Subject: [PATCH 117/386] update element-web to 1.11.51 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index c67ca9c..5f38313 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.50"; + elementWebVersion = "1.11.51"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-NdETOxGqY6xae8oQcz9NoXbDuLc0F/YaW0Ql5dxUEks="; + sha256 = "sha256-axHYI83PIF8rpFCULQKqGB2kPIlz88yg2Xoah93ox/A="; }; elementWebSecurityHeaders = '' # Configuration best practices 
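Review bot: Enabling `002_disable_image_reprocessing.patch` deserves a comment on the line, because if the patch does what its name says, uploaded images are stored and served as received rather than re-encoded, and re-encoding is what normally strips embedded metadata (EXIF including GPS) and neutralises malformed or polyglot files. Suggested comment: `# Stores uploads as-is; verify metadata stripping still happens, since re-encoding no longer normalises files.` The patch source `mastodonNekoversePatches` is bound above this hunk and is not visible here, so I am going by the patch name only.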
From 12e630f9ea0e70b2e961856b93c56c317cc482bc Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 16 Dec 2023 00:25:46 +0100 Subject: [PATCH 118/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/eb48fb87884618b6808a945c9b0561f376996466' (2023-12-11) → 'github:NixOS/nixpkgs/dff64d4ba6e9dc3f0a4ef8737f372a528d5bc8d1' (2023-12-15) • Updated input 'nixpkgs-23-05': 'github:NixOS/nixpkgs/f3a9ecde534fa67c6fd5426083304463218875b6' (2023-12-11) → 'github:NixOS/nixpkgs/9f617c1533ee1222531c66aa4b80295f89cb7bec' (2023-12-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/120a26f8ce32ac2bdc0e49a9fed830b7446416b4' (2023-12-11) → 'github:NixOS/nixpkgs/02357adddd0889782362d999628de9d309d202dc' (2023-12-15) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 9c780b5..fa2e7d6 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1702283490, - "narHash": "sha256-QB/77RvJSDvmaJ9VBAtSingT3x673q3F9VLfOhn2j9A=", + "lastModified": 1702601832, + "narHash": "sha256-z+GyetKtwj7ZVZrRcI73N8Xy1B3JGAqDyPniBFRpIgo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "eb48fb87884618b6808a945c9b0561f376996466", + "rev": "dff64d4ba6e9dc3f0a4ef8737f372a528d5bc8d1", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-23-05": { "locked": { - "lastModified": 1702278230, - "narHash": "sha256-9kiZPvAw5zQfKu5ozmIRlgpVAfC16xlMADuXNvklPF4=", + "lastModified": 1702635902, + "narHash": "sha256-p2G/kv6/0LTR6B9saAlCwuFkPgeAkuZTGtsyp0waU3M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f3a9ecde534fa67c6fd5426083304463218875b6", + "rev": "9f617c1533ee1222531c66aa4b80295f89cb7bec", "type": "github" }, "original": { 
@@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1702310776, - "narHash": "sha256-T2KJpsNjAytMsP6+xrhXfAb2KTG6Yt2D4hTTugpsJFo=", + "lastModified": 1702635820, + "narHash": "sha256-rClms9NTmSL/WIN5VmEccVhUExMkjCrRNswxU9QGNNo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "120a26f8ce32ac2bdc0e49a9fed830b7446416b4", + "rev": "02357adddd0889782362d999628de9d309d202dc", "type": "github" }, "original": { From 835d653d854e99450fc0a17d08899e855f737de5 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 17 Dec 2023 03:04:39 +0100 Subject: [PATCH 119/386] remove jackett host --- config/hosts/jackett/configuration.nix | 14 -------------- config/hosts/jackett/default.nix | 7 ------- config/hosts/jackett/jackett.nix | 6 ------ hosts.nix | 4 ---- 4 files changed, 31 deletions(-) delete mode 100644 config/hosts/jackett/configuration.nix delete mode 100644 config/hosts/jackett/default.nix delete mode 100644 config/hosts/jackett/jackett.nix diff --git a/config/hosts/jackett/configuration.nix b/config/hosts/jackett/configuration.nix deleted file mode 100644 index bd9bde9..0000000 --- a/config/hosts/jackett/configuration.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "jackett"; - firewall.enable = false; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/jackett/default.nix b/config/hosts/jackett/default.nix deleted file mode 100644 index 98e612a..0000000 --- a/config/hosts/jackett/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./jackett.nix - ]; -} diff --git a/config/hosts/jackett/jackett.nix b/config/hosts/jackett/jackett.nix deleted file mode 100644 index 1b8707e..0000000 --- a/config/hosts/jackett/jackett.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - services.jackett = { - enable = true; - }; -} diff --git a/hosts.nix b/hosts.nix index 98e423a..e1b5201 100644 --- a/hosts.nix +++ b/hosts.nix 
@@ -37,10 +37,6 @@ in site = "vs"; environment = "proxmox"; }; - jackett = { - site = "vs"; - environment = "proxmox"; - }; jellyfin = { hostNixpkgs = nixpkgs-unstable; site = "vs"; From ba18a69829dac6ecc12eda73d89eee48c7d7b751 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 19 Dec 2023 02:53:39 +0100 Subject: [PATCH 120/386] name public keys for wireguard-nat-nftables script --- config/hosts/valkyrie/services.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix index 602c80c..5af708c 100644 --- a/config/hosts/valkyrie/services.nix +++ b/config/hosts/valkyrie/services.nix @@ -6,9 +6,12 @@ let interface_address = "172.16.4.180"; wg_interface = "wg0"; pubkey_port_mapping = { + # okayu "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=" = [ 51827 51829 ]; + # korone "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=" = [ 51828 51830 ]; - "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=" = [ 51821 51824 ]; + # june + "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=" = [ 51821 ]; }; }); in From 02a862be612c31b138e25adcbac377a8dab19557 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 19 Dec 2023 02:54:44 +0100 Subject: [PATCH 121/386] correct confusing comment in wireguard-nat-nftables script --- pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py index c49b4b7..d4c914e 100644 --- a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py +++ b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py 
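Review bot: Besides adding the peer-name comments the valkyrie hunk also drops port 51824 from the `june` mapping, which changes the NAT rules the wireguard-nat-nftables script installs, yet the commit title only mentions naming the keys. A functional change to port forwarding should be called out in the message and ideally in the comment itself, e.g. `# june (51824 retired)`, so a later reader does not assume the line was merely annotated. The `pubkey_port_mapping` attribute set is part of a larger expression whose start and end are outside the hunk.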
@@ -69,7 +69,7 @@ def main(): print("Changed dnat address from {} to {} for UDP port {}".format(ip, port_ip_mapping[port], port)) port_ip_mapping.pop(port) - # loop through all remaining ports and add needed dnat rules + # loop through all ports and add needed dnat rules for port in port_ip_mapping: rc, output, error = nft.cmd("add rule wireguard-nat prerouting iif {} udp dport {} dnat to {}".format(interface, port, port_ip_mapping[port])) if error: From 88aa8a2a0f0586715e22a9115f30d6d5a7b807c9 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 4 Jan 2024 01:18:21 +0100 Subject: [PATCH 122/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/dff64d4ba6e9dc3f0a4ef8737f372a528d5bc8d1' (2023-12-15) → 'github:NixOS/nixpkgs/3da785eeaad3d604ee3bccc0a3f07bfd11cb355a' (2024-01-02) • Updated input 'nixpkgs-23-05': 'github:NixOS/nixpkgs/9f617c1533ee1222531c66aa4b80295f89cb7bec' (2023-12-15) → 'github:NixOS/nixpkgs/2c9c58e98243930f8cb70387934daa4bc8b00373' (2023-12-31) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/02357adddd0889782362d999628de9d309d202dc' (2023-12-15) → 'github:NixOS/nixpkgs/e2e36d8af3b7c465311f11913b7dedd209633c84' (2024-01-02) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index fa2e7d6..ebca7d6 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1702601832, - "narHash": "sha256-z+GyetKtwj7ZVZrRcI73N8Xy1B3JGAqDyPniBFRpIgo=", + "lastModified": 1704172037, + "narHash": "sha256-+IkG0mfxwmaqCd3cGM5zZ2g7wZnPG8mwOQHXCsKhc5s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dff64d4ba6e9dc3f0a4ef8737f372a528d5bc8d1", + "rev": "3da785eeaad3d604ee3bccc0a3f07bfd11cb355a", "type": "github" }, "original": { 
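Review bot: The reworded comment is now less accurate than the original: the preceding loop calls `port_ip_mapping.pop(port)` for every port whose existing rule was updated, so the loop below genuinely iterates only over the remaining ports. A phrasing that explains the relationship would remove the confusion without misstating it: `# ports already handled above were popped; add fresh dnat rules for the rest`. The body of `main()` continues beyond the hunk.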
@@ -101,11 +101,11 @@ }, "nixpkgs-23-05": { "locked": { - "lastModified": 1702635902, - "narHash": "sha256-p2G/kv6/0LTR6B9saAlCwuFkPgeAkuZTGtsyp0waU3M=", + "lastModified": 1704018918, + "narHash": "sha256-erjg/HrpC9liEfm7oLqb8GXCqsxaFwIIPqCsknW5aFY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9f617c1533ee1222531c66aa4b80295f89cb7bec", + "rev": "2c9c58e98243930f8cb70387934daa4bc8b00373", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1702635820, - "narHash": "sha256-rClms9NTmSL/WIN5VmEccVhUExMkjCrRNswxU9QGNNo=", + "lastModified": 1704177376, + "narHash": "sha256-6AV8TWX/juwV8delRDtlbUzi1X8irrtCfrtcYByVhCs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "02357adddd0889782362d999628de9d309d202dc", + "rev": "e2e36d8af3b7c465311f11913b7dedd209633c84", "type": "github" }, "original": { From dfb7957217a22e9cbd1e092c0fedcca221afa5b4 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 4 Jan 2024 04:35:30 +0100 Subject: [PATCH 123/386] Update element-web to 1.11.52 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 5f38313..b3cadb2 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.51"; + elementWebVersion = "1.11.52"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-axHYI83PIF8rpFCULQKqGB2kPIlz88yg2Xoah93ox/A="; + sha256 = ""; }; elementWebSecurityHeaders = '' # Configuration best practices From 8effa34dce380421e3006e9870d5fcef801f90e7 Mon Sep 17 00:00:00 2001 
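Review bot: The element-web bump commits `sha256 = ""`, so the fixed-output fetch fails its hash check at this revision and the web-public-2 configuration does not build until the real hash lands (it does in a later commit, but any deploy or bisect at this point breaks). Do not commit the placeholder step of the trust-on-first-use workflow; pin the hash in the same commit as the version bump. Since the hash is otherwise simply whatever GitHub served, comparing the tarball against the checksum published with the upstream release before pinning gives an actual integrity check rather than only a reproducibility pin.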
From: fi Date: Sun, 14 Jan 2024 00:22:58 +0100 Subject: [PATCH 124/386] Add jellyseerr host --- config/hosts/jellyseerr/configuration.nix | 22 ++++++++++++++++ config/hosts/jellyseerr/default.nix | 8 ++++++ config/hosts/jellyseerr/jellyseerr.nix | 6 +++++ config/hosts/jellyseerr/nginx.nix | 26 +++++++++++++++++++ .../virtualHosts/acme-challenge.nix | 1 + hosts.nix | 4 +++ 6 files changed, 67 insertions(+) create mode 100644 config/hosts/jellyseerr/configuration.nix create mode 100644 config/hosts/jellyseerr/default.nix create mode 100644 config/hosts/jellyseerr/jellyseerr.nix create mode 100644 config/hosts/jellyseerr/nginx.nix diff --git a/config/hosts/jellyseerr/configuration.nix b/config/hosts/jellyseerr/configuration.nix new file mode 100644 index 0000000..05b8f3f --- /dev/null +++ b/config/hosts/jellyseerr/configuration.nix @@ -0,0 +1,22 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "jellyseerr"; + firewall = { + allowedTCPPorts = [ 80 443 ]; + }; + extraHosts = + '' + 10.202.46.101 jellyfin.grzb.de + 10.202.100.102 radarr.grzb.de + 10.202.100.102 sonarr.grzb.de + ''; + }; + + system.stateVersion = "23.11"; +} diff --git a/config/hosts/jellyseerr/default.nix b/config/hosts/jellyseerr/default.nix new file mode 100644 index 0000000..4a92a1b --- /dev/null +++ b/config/hosts/jellyseerr/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./jellyseerr.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/jellyseerr/jellyseerr.nix b/config/hosts/jellyseerr/jellyseerr.nix new file mode 100644 index 0000000..bd473b0 --- /dev/null +++ b/config/hosts/jellyseerr/jellyseerr.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.jellyseerr = { + enable = true; + }; +} diff --git a/config/hosts/jellyseerr/nginx.nix b/config/hosts/jellyseerr/nginx.nix new file mode 100644 index 0000000..139b870 --- /dev/null +++ b/config/hosts/jellyseerr/nginx.nix 
@@ -0,0 +1,26 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + + virtualHosts."jellyseerr.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + + locations."/" = { + proxyPass = "http://localhost:${builtins.toString config.services.jellyseerr.port}"; + }; + }; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 4cc28af..9350a30 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -7,6 +7,7 @@ let "netbox.grzb.de" = "netbox.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; "jackett.grzb.de" = "torrent.vs.grzb.de"; + "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de"; "radarr.grzb.de" = "torrent.vs.grzb.de"; "searx.nekover.se" = "searx.vs.grzb.de"; "social.nekover.se" = "mastodon.vs.grzb.de"; diff --git a/hosts.nix b/hosts.nix index e1b5201..90e1143 100644 --- a/hosts.nix +++ b/hosts.nix @@ -42,6 +42,10 @@ in site = "vs"; environment = "proxmox"; }; + jellyseerr = { + site = "vs"; + environment = "proxmox"; + }; lifeline = { site = "io"; }; From f40dbd3cf074eca60a53a73d9a37c2c94b7a7504 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 14 Jan 2024 00:23:23 +0100 Subject: [PATCH 125/386] Update element-web to 1.11.53 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index b3cadb2..12a2abb 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
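Review bot: The jellyseerr vhost proxies without any forwarded headers, so the application sees every request as coming from 127.0.0.1 and its login logs and any IP-based throttling lose the real client address; `recommendedProxySettings = true;` on `services.nginx` supplies `Host`, `X-Real-IP` and `X-Forwarded-*` in one line. Writing the upstream as `http://127.0.0.1:...` instead of `localhost` avoids a ::1/127.0.0.1 mismatch if the service binds to a single family — I cannot see how the jellyseerr service binds, so treat that as a precaution. This is the only service vhost in the series that declares no `locations."/".proxyWebsockets`; confirm the application does not need it.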
@@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.52"; + elementWebVersion = "1.11.53"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = ""; + sha256 = "sha256-asgx8g9xswBxdQCVnwaeQ2ycqNlfQzBiKc3Uk9GEWCM="; }; elementWebSecurityHeaders = '' # Configuration best practices From 6b699c74cbb72879a060ca5ba958d75e264f9c07 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 14 Jan 2024 00:25:48 +0100 Subject: [PATCH 126/386] Add builder user to hydra for remote building --- config/hosts/hydra/configuration.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix index 53a26b0..eff89d1 100644 --- a/config/hosts/hydra/configuration.nix +++ b/config/hosts/hydra/configuration.nix @@ -21,8 +21,18 @@ }; }; + users.users.builder = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeIiHkHA5c6/jZx+BB28c5wchdzlFI7R1gbvNmPyoOg root@kiara" + ]; + }; + nix = { - settings.allowed-uris = "http:// https://"; + settings = { + trusted-users = [ "builder" ]; + allowed-uris = "http:// https://"; + }; buildMachines = [ { hostName = "localhost"; From 8e1071f4aaab35b1a3a2d8ed88a2594c906cfa3c Mon Sep 17 00:00:00 2001 
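Review bot: Adding `builder` to `nix.settings.trusted-users` makes the holder of the `root@kiara` key effectively root on the hydra host — a trusted user can register unsigned store paths and set arbitrary daemon options — so a compromise of kiara's root account becomes a compromise of the build server, and that trust expansion is not mentioned anywhere in the hunk. If the goal is only to let kiara push inputs and fetch build outputs, the `nix.sshServe` module (dedicated `nix-ssh` user, forced `nix-store --serve --write`, no shell) is the narrower shape; if `trusted-users` is genuinely needed, document why: `# trusted so remote builds can import unsigned paths; equivalent to root on this host`. `isNormalUser = true` also gives the account an interactive shell, which a build-only identity does not need. The `nix` attribute set this hunk edits continues past the visible lines.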
From: fi Date: Sun, 14 Jan 2024 00:28:30 +0100 Subject: [PATCH 127/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/3da785eeaad3d604ee3bccc0a3f07bfd11cb355a' (2024-01-02) → 'github:NixOS/nixpkgs/76fc2dd7efd18cb4251db2f35ab6655ee746e961' (2024-01-12) • Updated input 'nixpkgs-23-05': 'github:NixOS/nixpkgs/2c9c58e98243930f8cb70387934daa4bc8b00373' (2023-12-31) → 'github:NixOS/nixpkgs/a1982c92d8980a0114372973cbdfe0a307f1bdea' (2024-01-12) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/e2e36d8af3b7c465311f11913b7dedd209633c84' (2024-01-02) → 'github:NixOS/nixpkgs/a3ada00f8a297a06617b2882a0943c26c8f3f424' (2024-01-13) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index ebca7d6..8f5a50e 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1704172037, - "narHash": "sha256-+IkG0mfxwmaqCd3cGM5zZ2g7wZnPG8mwOQHXCsKhc5s=", + "lastModified": 1705044370, + "narHash": "sha256-QmzSiphBSOCvhzMNUzhtZT/HpK4VyXqWEYRRPNtIfMQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3da785eeaad3d604ee3bccc0a3f07bfd11cb355a", + "rev": "76fc2dd7efd18cb4251db2f35ab6655ee746e961", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-23-05": { "locked": { - "lastModified": 1704018918, - "narHash": "sha256-erjg/HrpC9liEfm7oLqb8GXCqsxaFwIIPqCsknW5aFY=", + "lastModified": 1705033721, + "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2c9c58e98243930f8cb70387934daa4bc8b00373", + "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea", "type": "github" }, "original": { 
@@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1704177376, - "narHash": "sha256-6AV8TWX/juwV8delRDtlbUzi1X8irrtCfrtcYByVhCs=", + "lastModified": 1705157111, + "narHash": "sha256-zMphhlAFOlFgnZLNTsqIqUHfAhw2hCh7uO0Hy0H87Rk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e2e36d8af3b7c465311f11913b7dedd209633c84", + "rev": "a3ada00f8a297a06617b2882a0943c26c8f3f424", "type": "github" }, "original": { From 94afad9214ad789cc3163311a24f4cd9acfd30fb Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 14 Jan 2024 01:18:56 +0100 Subject: [PATCH 128/386] Change jellyfin host to stable nixpkgs --- hosts.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts.nix b/hosts.nix index 90e1143..72e0f2b 100644 --- a/hosts.nix +++ b/hosts.nix @@ -38,7 +38,6 @@ in environment = "proxmox"; }; jellyfin = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; From a16230d4a6f989572e568f986087cbe77bb9cedc Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 15 Jan 2024 22:53:45 +0100 Subject: [PATCH 129/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/76fc2dd7efd18cb4251db2f35ab6655ee746e961' (2024-01-12) → 'github:NixOS/nixpkgs/d71f20967da064275ce084dd823cbd2bd31d5cba' (2024-01-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/a3ada00f8a297a06617b2882a0943c26c8f3f424' (2024-01-13) → 'github:NixOS/nixpkgs/715fac4e39626ca0d24481f3d1fdd54dbeeaced8' (2024-01-15) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 8f5a50e..9b8fd01 100644 --- a/flake.lock +++ b/flake.lock 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705044370, - "narHash": "sha256-QmzSiphBSOCvhzMNUzhtZT/HpK4VyXqWEYRRPNtIfMQ=", + "lastModified": 1705277981, + "narHash": "sha256-N5oh7sam7MTXCLajzgcIlM8lQK0c50/4ndU5x5aoMG8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "76fc2dd7efd18cb4251db2f35ab6655ee746e961", + "rev": "d71f20967da064275ce084dd823cbd2bd31d5cba", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705157111, - "narHash": "sha256-zMphhlAFOlFgnZLNTsqIqUHfAhw2hCh7uO0Hy0H87Rk=", + "lastModified": 1705293701, + "narHash": "sha256-yJs738MxB+RsxGETqESof15lRJ5za6s3NmhjbXt8Kt4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a3ada00f8a297a06617b2882a0943c26c8f3f424", + "rev": "715fac4e39626ca0d24481f3d1fdd54dbeeaced8", "type": "github" }, "original": { From 5e7a1185272040ae994ec5f2baf72cc9491e3b92 Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 19 Jan 2024 12:15:00 +0100 Subject: [PATCH 130/386] Add keycloak host --- config/hosts/keycloak/configuration.nix | 16 +++ config/hosts/keycloak/default.nix | 8 ++ config/hosts/keycloak/keycloak.nix | 15 +++ config/hosts/keycloak/nginx.nix | 109 ++++++++++++++++++ config/hosts/keycloak/secrets.nix | 13 +++ config/hosts/mail-1/secrets.nix | 8 ++ .../hosts/mail-1/simple-nixos-mailserver.nix | 5 + config/hosts/web-public-2/nginx.nix | 1 + .../virtualHosts/acme-challenge.nix | 1 + hosts.nix | 4 + 10 files changed, 180 insertions(+) create mode 100644 config/hosts/keycloak/configuration.nix create mode 100644 config/hosts/keycloak/default.nix create mode 100644 config/hosts/keycloak/keycloak.nix create mode 100644 config/hosts/keycloak/nginx.nix create mode 100644 config/hosts/keycloak/secrets.nix diff --git a/config/hosts/keycloak/configuration.nix b/config/hosts/keycloak/configuration.nix new file mode 100644 index 0000000..2a80a98 --- /dev/null +++ b/config/hosts/keycloak/configuration.nix 
@@ -0,0 +1,16 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "keycloak"; + firewall = { + allowedTCPPorts = [ 80 443 8443 ]; + }; + }; + + system.stateVersion = "23.11"; +} diff --git a/config/hosts/keycloak/default.nix b/config/hosts/keycloak/default.nix new file mode 100644 index 0000000..6289ce6 --- /dev/null +++ b/config/hosts/keycloak/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./keycloak.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix new file mode 100644 index 0000000..79e9a96 --- /dev/null +++ b/config/hosts/keycloak/keycloak.nix @@ -0,0 +1,15 @@ +{ ... }: +{ + services.keycloak = { + enable = true; + settings = { + hostname = "id.nekover.se"; + hostname-admin = "keycloak-admin.nekover.se"; + hostname-strict-backchannel = true; + proxy = "edge"; + http-host = "127.0.0.1"; + http-port = 8080; + }; + database.passwordFile = "/secrets/keycloak-database-password.secret"; + }; +} diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix new file mode 100644 index 0000000..0c83ea0 --- /dev/null +++ b/config/hosts/keycloak/nginx.nix 
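Review bot: configuration.nix opens TCP 8443 to every source, but nginx.nix in this commit treats only 10.202.41.100 as the trusted PROXY-protocol peer (`set_real_ip_from`), so any other host that can reach 8443 gets a direct path to Keycloak that bypasses whatever the public front host enforces. Restrict the port to that peer instead of listing it in `allowedTCPPorts`, e.g. `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp --dport 8443 -s 10.202.41.100 -j nixos-fw-accept";` (or the nftables equivalent if that backend is in use — I cannot see which from here), and leave `allowedTCPPorts = [ 80 443 ]`.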
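Review bot: `proxy = "edge"` in keycloak.nix makes Keycloak trust `Forwarded`/`X-Forwarded-*` headers from whatever connects to it, which is only safe because `http-host = "127.0.0.1"` keeps the listener off the network; that dependency should be stated so nobody later relaxes the bind address. Suggested comment above `proxy`: `# edge: trust forwarded headers — only acceptable while http-host stays loopback and nginx is the sole client.` `hostname-strict-backchannel = true` is the right default here; consider also noting that `hostname-strict` is left at its default so admin-URL spoofing via forwarded Host is not possible, if that is the intent.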
@@ -0,0 +1,109 @@ +{ ... }: +{ + services.nginx = { + enable = true; + virtualHosts = { + "id.nekover.se" = { + forceSSL = true; + enableACME = true; + locations = { + # Redirect a user opening any not set location on id.nekover.se to the account management page. + "^~ /" = { + return = "307 https://id.nekover.se/realms/nekoverse/account/"; + }; + "/js/" = { + proxyPass = "http://127.0.0.1:8080/js/"; + }; + "/realms/" = { + proxyPass = "http://127.0.0.1:8080/realms/"; + }; + "/resources/" = { + proxyPass = "http://127.0.0.1:8080/resources/"; + }; + "/robots.txt" = { + proxyPass = "http://127.0.0.1:8080/robots.txt"; + }; + }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + + add_header Strict-Transport-Security "max-age=63072000" always; + + # To not have 502s sometimes when logging through PVE use bigger buffer_sizes. + # The error seemed to occur after logging in and out and in. Maybe related + # to Keycloak logout settings, but probably not. + # See: + # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate + # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size + proxy_buffer_size 128k; + proxy_buffers 8 128k; + + # Hide the X-Forwarded header. + proxy_hide_header X-Forwarded; + # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that + # is transparent). + # Also provide "_hidden" for by, since it's not relevant. + proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; + ''; + }; + "keycloak-admin.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations = { + # Redirect a user opening any not set location on id.nekover.se to the account management page. 
+ "^~ /" = { + return = "307 https://keycloak-admin.nekover.se/admin/master/console/"; + }; + "/js/" = { + proxyPass = "http://127.0.0.1:8080/js/"; + }; + "/realms/" = { + proxyPass = "http://127.0.0.1:8080/realms/"; + }; + "/resources/" = { + proxyPass = "http://127.0.0.1:8080/resources/"; + }; + "/robots.txt" = { + proxyPass = "http://127.0.0.1:8080/robots.txt"; + }; + "/admin/" = { + proxyPass = "http://127.0.0.1:8080/admin/"; + }; + }; + extraConfig = '' + add_header Strict-Transport-Security "max-age=63072000" always; + + # To not have 502s sometimes when logging through PVE use bigger buffer_sizes. + # The error seemed to occur after logging in and out and in. Maybe related + # to Keycloak logout settings, but probably not. + # See: + # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate + # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size + proxy_buffer_size 128k; + proxy_buffers 8 128k; + + # Hide the X-Forwarded header. + proxy_hide_header X-Forwarded; + # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that + # is transparent). + # Also provide "_hidden" for by, since it's not relevant. + proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; + ''; + }; + }; + }; +} diff --git a/config/hosts/keycloak/secrets.nix b/config/hosts/keycloak/secrets.nix new file mode 100644 index 0000000..984e9ad --- /dev/null +++ b/config/hosts/keycloak/secrets.nix @@ -0,0 +1,13 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "keycloak-database-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "keycloak/database-password" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/mail-1/secrets.nix b/config/hosts/mail-1/secrets.nix index 3352cee..abf9863 100644 --- a/config/hosts/mail-1/secrets.nix +++ b/config/hosts/mail-1/secrets.nix 
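Review bot: The `keycloak-admin.nekover.se` vhost proxies `/admin/` on 0.0.0.0:80/443 and the acme-challenge map in this same commit routes that name through the public front, so the Keycloak master-realm admin console is internet-reachable with nothing but its login form in front of it; an `allow`/`deny` block on the `/admin/` location (or the whole vhost) limiting it to the management network or VPN range is the usual control. The comment `# Hide the X-Forwarded header.` does not describe what `proxy_hide_header` does — it filters upstream *response* headers — while client-supplied `X-Forwarded-For`/`X-Forwarded-Proto`/`X-Forwarded-Host` request headers still pass through to Keycloak, which with `proxy = "edge"` honours them. Overwrite them explicitly: `proxy_set_header X-Forwarded-For $remote_addr;`, `proxy_set_header X-Forwarded-Proto https;`, `proxy_set_header X-Forwarded-Host $host;`, and fix the comment to say that. The `"^~ /"` redirect comment in the admin vhost still says "id.nekover.se"; it was copied from the other vhost.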
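Review bot: In secrets.nix the database password file is deployed as `group = "systemd-network"` with `permissions = "0640"`, which hands the network-configuration daemon read access to the Keycloak database credential for no reason I can see; every other key in this series uses `group = "root"`, so this looks like a copy-paste slip. Use `group = "root"` (the service reads the file via the NixOS module, which runs the read as root or via systemd credentials depending on the module version — I cannot verify which from here), or the keycloak service group if the process itself must open the file.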
@@ -81,5 +81,13 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "mail-id-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/id-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 81fa130..61066e9 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix @@ -51,6 +51,11 @@ sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; + "id@nekover.se" = { + hashedPasswordFile = "/secrets/mail-id-nekover-se.secret"; + sendOnly = true; + aliases = [ "nyareply@nekover.se" ]; + }; }; certificateScheme = "acme-nginx"; }; diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 907cdb8..dead4b7 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -23,6 +23,7 @@ gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; hydra.nekover.se 10.202.41.121:8443; + id.nekover.se 10.202.41.124:8443; matrix.nekover.se 10.202.41.112:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 9350a30..d910998 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -8,6 +8,7 @@ let "grafana.grzb.de" = "metrics.vs.grzb.de"; "jackett.grzb.de" = "torrent.vs.grzb.de"; "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de"; + "keycloak-admin.nekover.se" = "keycloak.vs.grzb.de"; "radarr.grzb.de" = "torrent.vs.grzb.de"; "searx.nekover.se" = "searx.vs.grzb.de"; "social.nekover.se" = "mastodon.vs.grzb.de"; diff --git a/hosts.nix b/hosts.nix index 72e0f2b..4dde06c 100644 --- a/hosts.nix +++ b/hosts.nix 
@@ -45,6 +45,10 @@ in
 site = "vs";
 environment = "proxmox";
 };
+ keycloak = {
+ site = "vs";
+ environment = "proxmox";
+ };
 lifeline = {
 site = "io";
 };
From 7c6589464647ef5b8dc11a4421e62fe2bd220f08 Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 19 Jan 2024 12:15:50 +0100 Subject: [PATCH 131/386] Add unifi-controller host --- .../hosts/unifi-controller/configuration.nix | 23 +++++++++++++++++++ config/hosts/unifi-controller/default.nix | 7 ++++++ config/hosts/unifi-controller/unifi.nix | 12 ++++++++++ hosts.nix | 4 ++++ 4 files changed, 46 insertions(+) create mode 100644 config/hosts/unifi-controller/configuration.nix create mode 100644 config/hosts/unifi-controller/default.nix create mode 100644 config/hosts/unifi-controller/unifi.nix
diff --git a/config/hosts/unifi-controller/configuration.nix b/config/hosts/unifi-controller/configuration.nix
new file mode 100644
index 0000000..565cdf7
--- /dev/null
+++ b/config/hosts/unifi-controller/configuration.nix
@@ -0,0 +1,23 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "unifi-controller";
+ firewall = {
+ allowedTCPPorts = [ 53 8080 8443 8880 8843 6789 27117 ];
+ allowedUDPPorts = [ 53 3478 5514 10001 1900 123 ];
+ allowedUDPPortRanges = [
+ {
+ from = 5656;
+ to = 5699;
+ }
+ ];
+ };
+ };
+
+ system.stateVersion = "23.11";
+}
diff --git a/config/hosts/unifi-controller/default.nix b/config/hosts/unifi-controller/default.nix
new file mode 100644
index 0000000..f66e094
--- /dev/null
+++ b/config/hosts/unifi-controller/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./unifi.nix
+ ];
+}
diff --git a/config/hosts/unifi-controller/unifi.nix b/config/hosts/unifi-controller/unifi.nix
new file mode 100644
index 0000000..75a7094
--- /dev/null
+++ b/config/hosts/unifi-controller/unifi.nix
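Review bot: `allowedTCPPorts` opens 27117, which is the controller's local MongoDB port and has no reason to be reachable from the network; it should be dropped from the list. The list also opens 53 (TCP and UDP) and 123/UDP, which the controller does not serve as far as I can tell — confirm those are intended inbound ports rather than outbound ones copied from a port-reference table. `services.unifi.openFirewall = true;` opens the inform/STUN/discovery ports the module knows about and states the intent better than a hand-maintained list; the remaining ones (8443 web UI, 5514 syslog, 1900, 5656-5699) can stay explicit with a one-line comment each on what they serve.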
@@ -0,0 +1,12 @@
+{ pkgs, lib, ... }:
+{
+ services.unifi = {
+ enable = true;
+ unifiPackage = pkgs.unifi;
+ };
+
+ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+ "unifi-controller"
+ "mongodb"
+ ];
+}
diff --git a/hosts.nix b/hosts.nix
index 4dde06c..aee856e 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -112,6 +112,10 @@ in
 site = "vs";
 environment = "proxmox";
 };
+ unifi-controller = {
+ site = "wg";
+ environment = "proxmox";
+ };
 valkyrie = {
 hostNixpkgs = nixpkgs-23-05;
 site = "af";
From f11b1bd89370a1971e88dab6bd9224f55fd0de0d Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 19 Jan 2024 12:16:03 +0100 Subject: [PATCH 132/386] Add user_oidc app to nextcloud --- config/hosts/nextcloud/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix
index 22f456e..369b2df 100644
--- a/config/hosts/nextcloud/nextcloud.nix
+++ b/config/hosts/nextcloud/nextcloud.nix
@@ -14,7 +14,7 @@
 configureRedis = true;
 extraAppsEnable = true;
 extraApps = with config.services.nextcloud.package.packages.apps; {
- inherit bookmarks contacts calendar tasks twofactor_webauthn;
+ inherit bookmarks contacts calendar tasks twofactor_webauthn user_oidc;
 };
 maxUploadSize = "16G";
 extraOptions = {
From d055069c44e73a945919eeb5b8f815897cb923f0 Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 19 Jan 2024 12:16:42 +0100 Subject: [PATCH 133/386] Enable SSO with keycloak for mastodon --- config/hosts/mastodon/mastodon.nix | 14 ++++++++++++++ config/hosts/mastodon/secrets.nix | 8 ++++++++ 2 files changed, 22 insertions(+)
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index 94b890a..79c0da0 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -50,7 +50,21 @@ in
 extraConfig = {
 SMTP_TLS = "true";
 ES_PRESET = "single_node_cluster";
+ OIDC_CLIENT_ID = "mastodon";
+ OIDC_ENABLED = "true";
+ OMNIAUTH_ONLY = "false";
+ OIDC_DISPLAY_NAME = "Login with Nekoverse ID";
+ OIDC_ISSUER = "https://id.nekover.se/realms/nekoverse";
+ OIDC_DISCOVERY = "true";
+ OIDC_SCOPE = "openid,profile,email";
+ OIDC_UID_FIELD = "preferred_username";
+ OIDC_REDIRECT_URI = "https://social.nekover.se/auth/auth/openid_connect/callback";
+ OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
+ OIDC_END_SESSION_ENDPOINT = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/logout";
 };
+ extraEnvFiles = [
+ "/secrets/mastodon-keycloak-client-secret.secret"
+ ];
 elasticsearch.host = "127.0.0.1";
 };
 }
diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix
index 42f7489..f1f9457 100644
--- a/config/hosts/mastodon/secrets.nix
+++ b/config/hosts/mastodon/secrets.nix
@@ -33,5 +33,13 @@
 permissions = "0640";
 uploadAt = "pre-activation";
 };
+ "mastodon-keycloak-client-secret.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mastodon/keycloak-client-secret" ];
+ destDir = "/secrets";
+ user = "mastodon";
+ group = "mastodon";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
 };
 }
From eac0f3a8f52071d6f6a5b8191afa13890d34f26c Mon Sep 17 00:00:00 2001
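Review bot: `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"` makes Mastodon treat every email claim from the provider as verified, which is what lets an OIDC login attach to an existing local account with the same address; that is only safe if the `nekoverse` realm enforces email verification and does not let users switch to an unverified address afterwards. Either confirm those realm settings and record it next to the line, `# Safe only because the nekoverse realm verifies email addresses; keep the realm's login settings in sync.`, or set it to `"false"` and let the provider's verified-email claim decide. `OIDC_UID_FIELD = "preferred_username"` likewise must be a claim users cannot change freely in the realm, since it is the stable key for the Mastodon identity. The enclosing `services.mastodon` block starts outside the hunk.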
From: fi Date: Fri, 19 Jan 2024 12:18:21 +0100 Subject: [PATCH 134/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/246219bc21b943c6f6812bb7744218ba0df08600' (2023-12-04) → 'github:nix-community/nixos-generators/521fb4cdd8a2e1a00d1adf0fea7135d1faf04234' (2024-01-16) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/d71f20967da064275ce084dd823cbd2bd31d5cba' (2024-01-15) → 'github:NixOS/nixpkgs/8ae7c0e4333357288dc0ce3b6ae2c1685bf11fe0' (2024-01-18) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/715fac4e39626ca0d24481f3d1fdd54dbeeaced8' (2024-01-15) → 'github:NixOS/nixpkgs/7f10f172110477ea263d63b6c793ebd8637eed63' (2024-01-18) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 9b8fd01..3ac7c91 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1701689616, - "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=", + "lastModified": 1705400161, + "narHash": "sha256-0MFaNIwwpVWB1N9m7cfHAM2pSVtYESQ7tlHxnDTOhM4=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "246219bc21b943c6f6812bb7744218ba0df08600", + "rev": "521fb4cdd8a2e1a00d1adf0fea7135d1faf04234", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705277981, - "narHash": "sha256-N5oh7sam7MTXCLajzgcIlM8lQK0c50/4ndU5x5aoMG8=", + "lastModified": 1705596992, + "narHash": "sha256-35rXLgkJS050C8O8hj/zdoJq2zaglyBklGWWuyJ2YsU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d71f20967da064275ce084dd823cbd2bd31d5cba", + "rev": "8ae7c0e4333357288dc0ce3b6ae2c1685bf11fe0", "type": "github" }, "original": { 
@@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705293701, - "narHash": "sha256-yJs738MxB+RsxGETqESof15lRJ5za6s3NmhjbXt8Kt4=", + "lastModified": 1705604756, + "narHash": "sha256-/yf1XDVcuGbUOE1bZkFJlQc91QcPJbu6PFLN4fHjdNQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "715fac4e39626ca0d24481f3d1fdd54dbeeaced8", + "rev": "7f10f172110477ea263d63b6c793ebd8637eed63", "type": "github" }, "original": { From a4cc341098d042f7080f76e05e9c9b0d7d49c803 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 21 Jan 2024 21:47:18 +0100 Subject: [PATCH 135/386] Enable Keycloak SSO for matrix --- config/hosts/matrix/matrix-synapse.nix | 2 ++ config/hosts/matrix/secrets.nix | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 1a4fb12..6527503 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -54,10 +54,12 @@ }; environmentFile = "/secrets/matrix-SYNCV3_SECRET.secret"; }; + extras = [ "oidc" ]; extraConfigFiles = [ "/secrets/matrix-registration-shared-secret.secret" "/secrets/matrix-turn-shared-secret.secret" "/secrets/matrix-email-smtp-pass.secret" + "/secrets/matrix-keycloak-client-secret.secret" ]; }; } diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index dac6301..68e4771 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix @@ -41,5 +41,13 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "matrix-keycloak-client-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } From 11c81817f7099fb9e464ab903a0b6242c455be19 Mon Sep 17 00:00:00 2001 
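Review bot: With `extras = [ "oidc" ]` the Synapse OIDC provider entry itself (issuer, client id, scopes, user mapping, `allow_existing_users`) is not part of this change, so it presumably lives inside `/secrets/matrix-keycloak-client-secret.secret` next to the client secret; that keeps non-secret, security-relevant settings out of version control and out of review. If the deployed Synapse supports `client_secret_path` in `oidc_providers`, the provider entry could move into `settings` with only the secret file referenced; otherwise a comment naming what the secret file contains, `# holds the full oidc_providers entry, not just the secret`, would stop the next reader from looking for it here. The enclosing `services.matrix-synapse` block starts outside the hunk.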
From: fi Date: Sun, 21 Jan 2024 21:48:56 +0100 Subject: [PATCH 136/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8ae7c0e4333357288dc0ce3b6ae2c1685bf11fe0' (2024-01-18) → 'github:NixOS/nixpkgs/c5b6c179f7b7adce1ee234df23e5cb9f1a78f87b' (2024-01-20) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/7f10f172110477ea263d63b6c793ebd8637eed63' (2024-01-18) → 'github:NixOS/nixpkgs/7da66b359bcffc532b67035b54b49c25b0c0480c' (2024-01-21) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 3ac7c91..38a4303 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705596992, - "narHash": "sha256-35rXLgkJS050C8O8hj/zdoJq2zaglyBklGWWuyJ2YsU=", + "lastModified": 1705781397, + "narHash": "sha256-pOlDs1paCIAhr84QjFG72iv4iBsr0pIQyItxRHJhevE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8ae7c0e4333357288dc0ce3b6ae2c1685bf11fe0", + "rev": "c5b6c179f7b7adce1ee234df23e5cb9f1a78f87b", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705604756, - "narHash": "sha256-/yf1XDVcuGbUOE1bZkFJlQc91QcPJbu6PFLN4fHjdNQ=", + "lastModified": 1705847418, + "narHash": "sha256-I0EzjhMl5D/PI54DYhL/9iXmFmNb75M7PJ8/yrU5Z1A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7f10f172110477ea263d63b6c793ebd8637eed63", + "rev": "7da66b359bcffc532b67035b54b49c25b0c0480c", "type": "github" }, "original": { From 4b034e004261986b0966eb0b173698b6dc0bf02d Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 21 Jan 2024 23:41:57 +0100 Subject: [PATCH 137/386] Update Nextcloud to nextcloud28 --- config/hosts/nextcloud/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index 369b2df..839d15d 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -2,7 +2,7 @@ { services.nextcloud = { enable = true; - package = pkgs.nextcloud27; + package = pkgs.nextcloud28; hostName = "cloud.nekover.se"; https = true; config = { From 0f665588dfec23cee46493ff691ff3891f1e43ec Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 21 Jan 2024 23:42:47 +0100 Subject: [PATCH 138/386] Update mail servers to NixOS 23.11 --- flake.lock | 24 ++++++++++++++++++++---- flake.nix | 2 +- hosts.nix | 2 -- 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 38a4303..818a43f 100644 --- a/flake.lock +++ b/flake.lock @@ -130,6 +130,21 @@ "type": "indirect" } }, + "nixpkgs-23_11": { + "locked": { + "lastModified": 1705774713, + "narHash": "sha256-j6ADaDH9XiumUzkTPlFyCBcoWYhO83lfgiSqEJF2zcs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1b64fc1287991a9cce717a01c1973ef86cb1af0b", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.11", + "type": "indirect" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1705847418, @@ -177,19 +192,20 @@ "nixpkgs": "nixpkgs_2", "nixpkgs-22_11": "nixpkgs-22_11", "nixpkgs-23_05": "nixpkgs-23_05", + "nixpkgs-23_11": "nixpkgs-23_11", "utils": "utils" }, "locked": { - "lastModified": 1687462267, - "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=", + "lastModified": 1703023684, + "narHash": "sha256-XQU4OaacV0F2tf9cNAvIMqlC0HBIrAtvb0MLjIHt+7M=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "24128c3052090311688b09a400aa408ba61c6ee5", + "rev": "4bfb8eb058f098302c97b909df2d019926e11220", "type": "gitlab" }, "original": { "owner": "simple-nixos-mailserver", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixos-mailserver", "type": "gitlab" } 
diff --git a/flake.nix b/flake.nix index 337bdfa..585b96e 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,7 @@ url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; - simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; }; outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: diff --git a/hosts.nix b/hosts.nix index aee856e..dd86f1c 100644 --- a/hosts.nix +++ b/hosts.nix @@ -53,12 +53,10 @@ in site = "io"; }; mail-1 = { - hostNixpkgs = nixpkgs-23-05; site = "vs"; environment = "proxmox"; }; mail-2 = { - hostNixpkgs = nixpkgs-23-05; site = "wg"; environment = "proxmox"; }; From d82f9a8803e2832ac53de5b02f77f5d0248aa682 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 28 Jan 2024 03:31:28 +0100 Subject: [PATCH 139/386] Add forgejo host --- config/hosts/forgejo/configuration.nix | 16 +++++ config/hosts/forgejo/default.nix | 9 +++ config/hosts/forgejo/forgejo.nix | 60 +++++++++++++++++++ config/hosts/forgejo/nginx.nix | 37 ++++++++++++ config/hosts/forgejo/redis.nix | 12 ++++ config/hosts/forgejo/secrets.nix | 13 ++++ config/hosts/mail-1/secrets.nix | 8 +++ .../hosts/mail-1/simple-nixos-mailserver.nix | 5 ++ config/hosts/web-public-2/nginx.nix | 1 + .../virtualHosts/acme-challenge.nix | 1 + hosts.nix | 4 ++ 11 files changed, 166 insertions(+) create mode 100644 config/hosts/forgejo/configuration.nix create mode 100644 config/hosts/forgejo/default.nix create mode 100644 config/hosts/forgejo/forgejo.nix create mode 100644 config/hosts/forgejo/nginx.nix create mode 100644 config/hosts/forgejo/redis.nix create mode 100644 config/hosts/forgejo/secrets.nix diff --git a/config/hosts/forgejo/configuration.nix b/config/hosts/forgejo/configuration.nix new file mode 100644 index 0000000..66a5736 --- /dev/null +++ b/config/hosts/forgejo/configuration.nix 
@@ -0,0 +1,16 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "forgejo";
+ firewall = {
+ allowedTCPPorts = [ 80 8443 ];
+ };
+ };
+
+ system.stateVersion = "23.11";
+}
diff --git a/config/hosts/forgejo/default.nix b/config/hosts/forgejo/default.nix
new file mode 100644
index 0000000..d71bcad
--- /dev/null
+++ b/config/hosts/forgejo/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./forgejo.nix
+ ./redis.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix
new file mode 100644
index 0000000..d9f4a36
--- /dev/null
+++ b/config/hosts/forgejo/forgejo.nix
@@ -0,0 +1,60 @@
+{ ... }:
+{
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ mailerPasswordFile = "/secrets/forgejo-mailer-password.secret";
+
+ settings = {
+ DEFAULT = {
+ APP_NAME = "Nekoverse Git";
+ };
+ server = {
+ DOMAIN = "git.nekover.se";
+ PROTOCOL = "http";
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 3000;
+ ROOT_URL = "https://git.nekover.se/";
+ # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
+ # Doesn't need to be set.
+ };
+ admin = {
+ DISABLE_REGULAR_ORG_CREATION = false;
+ };
+ session = {
+ COOKIE_SECURE = true;
+ };
+ "ui.meta" = {
+ AUTHOR = "Nekoverse Git";
+ DESCRIPTION = "Git instance of the Nekoverse.";
+ KEYWORDS = "git,forge,forgejo,nekoverse";
+ };
+ service = {
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ DEFAULT_USER_VISIBILITY = "limited";
+ DEFAULT_KEEP_EMAIL_PRIVATE = true;
+ ENABLE_BASIC_AUTHENTICATION = false;
+ };
+ repo = {
+ DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
+ };
+ actions = {
+ ENABLED = true;
+ ARTIFACT_RETENTION_DAYS = 30;
+ };
+ mailer = {
+ ENABLED = true;
+ FROM = "nyareply@nekover.se";
+ PROTOCOL = "smtps";
+ SMTP_ADDR = "mail-1.grzb.de";
+ SMTP_PORT = 465;
+ USER = "forgejo@nekover.se";
+ };
+ cache = {
+ ENABLED = true;
+ ADAPTER = "redis";
+ HOST = "redis+socket:///run/redis-forgejo/redis.sock";
+ };
+ };
+ };
+}
diff --git a/config/hosts/forgejo/nginx.nix b/config/hosts/forgejo/nginx.nix
new file mode 100644
index 0000000..6df90b1
--- /dev/null
+++ b/config/hosts/forgejo/nginx.nix
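Review bot: `service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true` together with `ENABLE_BASIC_AUTHENTICATION = false` makes sign-up depend on an authentication source that is declared nowhere in this file or series (Forgejo keeps OAuth2 sources in its database), so a fresh deploy of this host cannot create users until that source is added by hand. A comment stating the dependency, `# Registration goes through an external OAuth2 source that is created in the admin UI, not here.` (my assumption about where it is configured — confirm), saves the next operator a search. `actions.ENABLED = true` likewise switches on Forgejo Actions without any runner defined here; if runners are registered elsewhere, say where, since a runner that executes pull-request workflows is the security-relevant half of that feature.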
@@ -0,0 +1,37 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."git.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "${config.services.forgejo.settings.server.PROTOCOL}://${config.services.forgejo.settings.server.HTTP_ADDR}:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+ };
+
+ # Disallow crawling archives to save disk space.
+ # See: https://forgejo.org/docs/latest/admin/search-engines-indexation/
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
+ };
+
+ extraConfig = ''
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/forgejo/redis.nix b/config/hosts/forgejo/redis.nix
new file mode 100644
index 0000000..f1533bc
--- /dev/null
+++ b/config/hosts/forgejo/redis.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ services.redis.servers.forgejo = {
+ enable = true;
+ user = "forgejo";
+ };
+
+ systemd.services.forgejo = {
+ after = [ "redis-forgejo.service" ];
+ requires = [ "redis-forgejo.service" ];
+ };
+}
diff --git a/config/hosts/forgejo/secrets.nix b/config/hosts/forgejo/secrets.nix
new file mode 100644
index 0000000..5c23295
--- /dev/null
+++ b/config/hosts/forgejo/secrets.nix
@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "forgejo-mailer-password.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
+ destDir = "/secrets";
+ user = "forgejo";
+ group = "forgejo";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/mail-1/secrets.nix b/config/hosts/mail-1/secrets.nix
index abf9863..581461f 100644
--- a/config/hosts/mail-1/secrets.nix
+++ b/config/hosts/mail-1/secrets.nix
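Review bot: The 8443 listener accepts the PROXY protocol from any peer (`extraParameters = [ "proxy_protocol" ]`), and `set_real_ip_from 10.202.41.100;` only decides whose PROXY header may replace `$remote_addr`; since the host firewall added earlier in this commit opens 8443 to every source, a direct connection to 8443 is parsed rather than refused. Restricting 8443 to the public proxy address at the firewall, or binding that listener to the internal interface only, makes the network policy match the trust the config already expresses. Unlike the two Keycloak vhosts earlier in this series, this vhost sends no HSTS header; `add_header Strict-Transport-Security "max-age=63072000" always;` in `extraConfig` keeps the hosts consistent.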
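Review bot: `forgejo-mailer-password.secret` here and `mail-forgejo-nekover-se.secret` on mail-1 (next hunk) are both produced from the same entry, `pass mail/forgejo-nekover-se`, yet Forgejo's `mailerPasswordFile` needs the plaintext SMTP password while the mailserver's `hashedPasswordFile` needs a password hash; one of the two consumers receives the wrong form unless the entry is deliberately laid out so both accept it. The earlier `id@nekover.se` account in this series is only visible on the mail side, so I cannot tell which convention the repository intends. Use two entries, e.g. `keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se-hash" ];` on the mail-1 side (constructed name), and put a one-line comment on each key saying whether it holds the plaintext or the hash.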
@@ -89,5 +89,13 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "mail-forgejo-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 61066e9..a4b426a 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix @@ -56,6 +56,11 @@ sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; + "forgejo@nekover.se" = { + hashedPasswordFile = "/secrets/mail-forgejo-nekover-se.secret"; + sendOnly = true; + aliases = [ "nyareply@nekover.se" ]; + }; }; certificateScheme = "acme-nginx"; }; diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index dead4b7..8debb31 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -22,6 +22,7 @@ element.nekover.se 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; + git.nekover.se 10.202.41.106:8443; hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; matrix.nekover.se 10.202.41.112:8443; diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index d910998..558aa95 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -5,6 +5,7 @@ let "mail-1.grzb.de" = "mail-1.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; + "git.nekover.se" = "forgejo.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; "jackett.grzb.de" = "torrent.vs.grzb.de"; "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de"; diff --git a/hosts.nix b/hosts.nix index dd86f1c..80145ea 100644 --- a/hosts.nix +++ b/hosts.nix 
@@ -45,6 +45,10 @@ in site = "vs"; environment = "proxmox"; }; + forgejo = { + site = "vs"; + environment = "proxmox"; + }; keycloak = { site = "vs"; environment = "proxmox"; From 54ae773ee4593922d764ed4d65de16d2b3573cf2 Mon Sep 17 00:00:00 2001 
From: fi Date: Sun, 28 Jan 2024 03:33:04 +0100 Subject: [PATCH 140/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/521fb4cdd8a2e1a00d1adf0fea7135d1faf04234' (2024-01-16) → 'github:nix-community/nixos-generators/896f6589db5b25023b812bbb6c1f5d3a499b1132' (2024-01-24) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/c5b6c179f7b7adce1ee234df23e5cb9f1a78f87b' (2024-01-20) → 'github:NixOS/nixpkgs/11d4781721d16e949fbd61f67bc6b09341b7bfc6' (2024-01-26) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/7da66b359bcffc532b67035b54b49c25b0c0480c' (2024-01-21) → 'github:NixOS/nixpkgs/7ac72b3ee2af9bab80d66addd9b237277cc975c5' (2024-01-26) • Updated input 'simple-nixos-mailserver': 'gitlab:simple-nixos-mailserver/nixos-mailserver/4bfb8eb058f098302c97b909df2d019926e11220' (2023-12-19) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/e47f3719f1db3e0961a4358d4cb234a0acaa7baf' (2024-01-25) • Updated input 'simple-nixos-mailserver/nixpkgs': 'github:NixOS/nixpkgs/64e0bf055f9d25928c31fb12924e59ff8ce71e60' (2022-12-11) → 'github:NixOS/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21) • Removed input 'simple-nixos-mailserver/nixpkgs-22_11' • Updated input 'simple-nixos-mailserver/nixpkgs-23_05': 'github:NixOS/nixpkgs/8966c43feba2c701ed624302b6a935f97bcbdf88' (2023-05-22) → 'github:NixOS/nixpkgs/70bdadeb94ffc8806c0570eb5c2695ad29f0e421' (2024-01-03) • Updated input 'simple-nixos-mailserver/nixpkgs-23_11': 'github:NixOS/nixpkgs/1b64fc1287991a9cce717a01c1973ef86cb1af0b' (2024-01-20) → 'github:NixOS/nixpkgs/a77ab169a83a4175169d78684ddd2e54486ac651' (2024-01-24) --- flake.lock | 58 ++++++++++++++++++++---------------------------------- 1 file changed, 21 insertions(+), 37 deletions(-) diff --git a/flake.lock b/flake.lock index 818a43f..29dfa51 100644 --- a/flake.lock +++ b/flake.lock 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1705400161, - "narHash": "sha256-0MFaNIwwpVWB1N9m7cfHAM2pSVtYESQ7tlHxnDTOhM4=", + "lastModified": 1706085261, + "narHash": "sha256-7PgpHRHyShINcqgevPP1fJ6N8kM5ZSOJnk3QZBrOCQ0=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "521fb4cdd8a2e1a00d1adf0fea7135d1faf04234", + "rev": "896f6589db5b25023b812bbb6c1f5d3a499b1132", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705781397, - "narHash": "sha256-pOlDs1paCIAhr84QjFG72iv4iBsr0pIQyItxRHJhevE=", + "lastModified": 1706306662, + "narHash": "sha256-CVeZHdqbJ63Z+2l9FNcje6AfTdG4Y3WbFHuEn0RFUl0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c5b6c179f7b7adce1ee234df23e5cb9f1a78f87b", + "rev": "11d4781721d16e949fbd61f67bc6b09341b7bfc6", "type": "github" }, "original": { @@ -84,21 +84,6 @@ "type": "github" } }, - "nixpkgs-22_11": { - "locked": { - "lastModified": 1669558522, - "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-22.11", - "type": "indirect" - } - }, "nixpkgs-23-05": { "locked": { "lastModified": 1705033721, @@ -117,11 +102,11 @@ }, "nixpkgs-23_05": { "locked": { - "lastModified": 1684782344, - "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "type": "github" }, "original": { 
@@ -132,11 +117,11 @@ }, "nixpkgs-23_11": { "locked": { - "lastModified": 1705774713, - "narHash": "sha256-j6ADaDH9XiumUzkTPlFyCBcoWYhO83lfgiSqEJF2zcs=", + "lastModified": 1706098335, + "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1b64fc1287991a9cce717a01c1973ef86cb1af0b", + "rev": "a77ab169a83a4175169d78684ddd2e54486ac651", "type": "github" }, "original": { @@ -147,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705847418, - "narHash": "sha256-I0EzjhMl5D/PI54DYhL/9iXmFmNb75M7PJ8/yrU5Z1A=", + "lastModified": 1706275741, + "narHash": "sha256-53O2JHFdDTWHzTfLkZRAZVAk9ntChFhcTTnAtj6bJKE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7da66b359bcffc532b67035b54b49c25b0c0480c", + "rev": "7ac72b3ee2af9bab80d66addd9b237277cc975c5", "type": "github" }, "original": { @@ -163,11 +148,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1670751203, - "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=", + "lastModified": 1705856552, + "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60", + "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", "type": "github" }, "original": { @@ -190,17 +175,16 @@ "blobs": "blobs", "flake-compat": "flake-compat", "nixpkgs": "nixpkgs_2", - "nixpkgs-22_11": "nixpkgs-22_11", "nixpkgs-23_05": "nixpkgs-23_05", "nixpkgs-23_11": "nixpkgs-23_11", "utils": "utils" }, "locked": { - "lastModified": 1703023684, - "narHash": "sha256-XQU4OaacV0F2tf9cNAvIMqlC0HBIrAtvb0MLjIHt+7M=", + "lastModified": 1706219574, + "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "4bfb8eb058f098302c97b909df2d019926e11220", + "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf", "type": "gitlab" }, "original": { From af0b1679e64a176dbed6279dd575b40acbf7a627 Mon Sep 17 00:00:00 2001 
From: fi Date: Sun, 28 Jan 2024 04:45:56 +0100 Subject: [PATCH 141/386] Use jackett packge from unstable to work around faulty test --- config/hosts/torrent/jackett.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/hosts/torrent/jackett.nix b/config/hosts/torrent/jackett.nix
index 1b8707e..6aa6e5e 100644
--- a/config/hosts/torrent/jackett.nix
+++ b/config/hosts/torrent/jackett.nix
@@ -1,6 +1,8 @@
-{ ... }:
+{ nixpkgs-unstable, ... }:
 {
 services.jackett = {
 enable = true;
+ # use package from unstable to work around faulty test in older jackett version
+ package = nixpkgs-unstable.legacyPackages."x86_64-linux".jackett;
 };
 }
From 7aaaddc0516d6b199c113db2b0c7bc0a0fa41528 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 28 Jan 2024 04:46:35 +0100 Subject: [PATCH 142/386] Update mastodon to 4.2.4 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index 79c0da0..4bb680c 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -6,12 +6,12 @@ let
 };
 mastodonNekoverseOverlay = final: prev: {
 mastodon = (prev.mastodon.override rec {
- version = "4.2.3";
+ version = "4.2.4";
 srcOverride = final.applyPatches {
 src = final.fetchgit {
 url = "https://github.com/mastodon/mastodon.git";
 rev = "v${version}";
- sha256 = "sha256-e8O4kxsrHf+wEtl4S57xIL1VEvhUSjyCbmz4r9p8Zhw=";
+ sha256 = "sha256-YPGOe9wywRls26PqEbqFeQRg7rcnRBO2NyiNW1fssts=";
 };
 patches = [
 "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch"
From 758a8ed83cb61989ea578a8ac991ec7a1022e67f Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 28 Jan 2024 04:46:51 +0100 Subject: [PATCH 143/386] Update element-web to 1.11.55 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
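Review bot: `nixpkgs-unstable.legacyPackages."x86_64-linux".jackett` hard-codes the system instead of taking it from the host, and it pulls a package built against unstable's dependency set onto a stable host; both are acceptable for a workaround, but the comment should name the condition for removing it, otherwise the pin outlives the broken test. Take the system from the host and record the exit condition: `# TODO: drop once the stable jackett build's test is fixed (link the nixpkgs issue/PR here)` and `package = nixpkgs-unstable.legacyPackages.${pkgs.stdenv.hostPlatform.system}.jackett;`, with `pkgs` added to the module arguments.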
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 12a2abb..4d5e3b9 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.53"; + elementWebVersion = "1.11.55"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-asgx8g9xswBxdQCVnwaeQ2ycqNlfQzBiKc3Uk9GEWCM="; + sha256 = "sha256-lM1P23MTqAgrw3vjNSzDswmn0n8SRY6dBD0aELmoqsQ="; }; elementWebSecurityHeaders = '' # Configuration best practices From abeda4e49c4ff623777b86aa39ac5c77581d9649 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 1 Feb 2024 18:05:58 +0100 Subject: [PATCH 144/386] Update mastodon to 4.2.5 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 4bb680c..7822faa 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.4"; + version = "4.2.5"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-YPGOe9wywRls26PqEbqFeQRg7rcnRBO2NyiNW1fssts="; + sha256 = "sha256-dgC5V/CVE9F1ORTjPWUWc/JVcWCEj/pb4eWpDV0WliY="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" From c798b39d8a0f1957ae42aae3e7e61720b37135c2 Mon Sep 17 00:00:00 2001 
From: fi Date: Thu, 1 Feb 2024 18:06:17 +0100 Subject: [PATCH 145/386] Enable new Element calls in element-web --- .../virtualHosts/element-web-config/config.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json
index 9877940..1da5a3e 100644
--- a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json
+++ b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json
@@ -27,7 +27,10 @@
 "default_country_code": "DE",
 "show_labs_settings": true,
 "features": {
- "feature_dehydration": true
+ "feature_dehydration": true,
+ "feature_video_rooms": true,
+ "feature_element_call_video_rooms": true,
+ "feature_group_calls": true
 },
 "default_federate": true,
 "default_theme": "dark",
@@ -47,4 +50,4 @@
 "jitsi": {
 "preferredDomain": "meet.element.io"
 }
-}
+}
\ No newline at end of file
From c1ff0907478b81551144199349a64bda58eef142 Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 8 Mar 2024 00:27:23 +0100 Subject: [PATCH 146/386] Bump element-web to 1.11.58 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index 4d5e3b9..876a25e 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
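Review bot: The second hunk replaces the closing `}` with one marked `\ No newline at end of file`, so this commit drops config.json's trailing newline; restoring it keeps future diffs limited to the feature lines and avoids the same one-line churn in the next edit. The three new `feature_*` flags enable labs features for every user of this Element deployment (with `"show_labs_settings": true` already in context), which is a deliberate choice worth one sentence in the commit message so it is not mistaken for a stray experiment. The JSON itself stays valid.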
@@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.55"; + elementWebVersion = "1.11.58"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-lM1P23MTqAgrw3vjNSzDswmn0n8SRY6dBD0aELmoqsQ="; + sha256 = "sha256-986R9DIGD0twoVXAVHyeO33uLz4CZsajgv5Gn2vd2gE="; }; elementWebSecurityHeaders = '' # Configuration best practices From ae4c4b717a321e55cd9fd5f4672719e0001d496a Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 8 Mar 2024 00:27:55 +0100 Subject: [PATCH 147/386] Bump mastodon to 4.2.8 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 7822faa..7c055e6 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.5"; + version = "4.2.8"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-dgC5V/CVE9F1ORTjPWUWc/JVcWCEj/pb4eWpDV0WliY="; + sha256 = "sha256-7/E7iHqJxmYSorXYti7h8EbP7wcOAaD04ToLeU2I/nY="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" From 9a5551ed215bd50dba4b1fb74e0ab4941590d28a Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 8 Mar 2024 00:28:42 +0100 Subject: [PATCH 148/386] Add nixpkgs master channel --- flake.lock | 43 ++++++++++++++++++++++++++++++------------- flake.nix | 7 ++++--- 2 files changed, 34 insertions(+), 16 deletions(-) diff --git a/flake.lock b/flake.lock index 29dfa51..05eff3a 100644 --- a/flake.lock +++ b/flake.lock 
@@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1693701915, - "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=", + "lastModified": 1708821942, + "narHash": "sha256-jd+E1SD59qty65pwqad2mftzkT6vW5nNFWVuvayh4Zw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25", + "rev": "479831ed8b3c9c7b80533999f880c7d0bf6a491b", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1706085261, - "narHash": "sha256-7PgpHRHyShINcqgevPP1fJ6N8kM5ZSOJnk3QZBrOCQ0=", + "lastModified": 1708940320, + "narHash": "sha256-QOWRJlqT5FRESiaO42/QV/GbSRNKSa4XUDs3cNQsoWI=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "896f6589db5b25023b812bbb6c1f5d3a499b1132", + "rev": "5b7772406956f95e8a0e1f27218b1e7cf6e9164a", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706306662, - "narHash": "sha256-CVeZHdqbJ63Z+2l9FNcje6AfTdG4Y3WbFHuEn0RFUl0=", + "lastModified": 1708905176, + "narHash": "sha256-pphkt8iO8CV/TugI7bsPOvFzi5mRSifkEQiwqYBK28s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "11d4781721d16e949fbd61f67bc6b09341b7bfc6", + "rev": "227a4c47bef2390a7925693c51489e84169b1957", "type": "github" }, "original": { 
@@ -130,13 +130,29 @@ "type": "indirect" } }, - "nixpkgs-unstable": { + "nixpkgs-master": { "locked": { - "lastModified": 1706275741, - "narHash": "sha256-53O2JHFdDTWHzTfLkZRAZVAk9ntChFhcTTnAtj6bJKE=", + "lastModified": 1708963602, + "narHash": "sha256-ODloNfAj9CUN44L1VEvjh5nwV6pseDUZ3/lI6IgYUeo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7ac72b3ee2af9bab80d66addd9b237277cc975c5", + "rev": "cd2ec848a90ffdbe716c8829e6c4f75406c5b1a3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1708954320, + "narHash": "sha256-n3LXNMlz7ORCjfIrIUo19a844Fec2+yg7k6NspdVCxs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "94cda73bf2fd675de987db7c3ac81e861b892266", "type": "github" }, "original": { @@ -166,6 +182,7 @@ "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nixpkgs-23-05": "nixpkgs-23-05", + "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } diff --git a/flake.nix b/flake.nix index 585b96e..c789cbb 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,7 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + nixpkgs-master.url = "github:NixOS/nixpkgs/master"; nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05-small"; nixos-generators = { url = "github:nix-community/nixos-generators"; @@ -10,7 +11,7 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; 
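Review bot: The new `nixpkgs-master.url = "github:NixOS/nixpkgs/master";` input in the flake.nix hunk tracks a moving branch whose commits have not yet passed the test gate that advances `nixos-unstable-small`, and nothing in the hunk records which package needs it, so every `nix flake update` pulls an arbitrary nixpkgs head into whichever hosts consume it through `specialArgs`. A comment above the input, such as `# master: not yet channel-gated; only for packages missing from nixos-unstable-small, pin a rev for any host that depends on it`, would make the intent reviewable and signal that the input should be narrowed or pinned (as a later commit in this series does for Keycloak) rather than used as a general-purpose channel. The `inputs` attribute set continues outside the hunk.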
@@ -28,7 +29,7 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit nixpkgs-unstable hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; # Provide environment for secret key command keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; @@ -38,7 +39,7 @@ hydraJobs = { nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { - inherit nixpkgs-unstable hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; }) hosts; }; From ccfbd59d6fddcfae125e54ca60c95fd7b6f8da56 Mon Sep 17 00:00:00 2001 
From: fi Date: Fri, 8 Mar 2024 00:51:14 +0100 Subject: [PATCH 149/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/5b7772406956f95e8a0e1f27218b1e7cf6e9164a' (2024-02-26) → 'github:nix-community/nixos-generators/10e801a76fa611f8ce7937e2c9b7677888a54fa0' (2024-03-07) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/479831ed8b3c9c7b80533999f880c7d0bf6a491b' (2024-02-25) → 'github:nix-community/nixpkgs.lib/7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c' (2024-03-03) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/227a4c47bef2390a7925693c51489e84169b1957' (2024-02-25) → 'github:NixOS/nixpkgs/03e303468a0b89792bc40c2f3a7cd8a322b66fad' (2024-03-06) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/cd2ec848a90ffdbe716c8829e6c4f75406c5b1a3' (2024-02-26) → 'github:NixOS/nixpkgs/c8cd65298e567e1e604431e4544361e365410f8c' (2024-03-07) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/94cda73bf2fd675de987db7c3ac81e861b892266' (2024-02-26) → 'github:NixOS/nixpkgs/413506a7ca983170cc8c7bc47f0845a2e6e03e95' (2024-03-07) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 05eff3a..ad3ce5b 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1708821942, - "narHash": "sha256-jd+E1SD59qty65pwqad2mftzkT6vW5nNFWVuvayh4Zw=", + "lastModified": 1709426687, + "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "479831ed8b3c9c7b80533999f880c7d0bf6a491b", + "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1708940320, - "narHash": "sha256-QOWRJlqT5FRESiaO42/QV/GbSRNKSa4XUDs3cNQsoWI=", + "lastModified": 1709821158, + "narHash": "sha256-76L6tymnmFY3zDPBi0Mi5G6HcISHKw7xHuYYmzKrTK4=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "5b7772406956f95e8a0e1f27218b1e7cf6e9164a", + "rev": "10e801a76fa611f8ce7937e2c9b7677888a54fa0", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1708905176, - "narHash": "sha256-pphkt8iO8CV/TugI7bsPOvFzi5mRSifkEQiwqYBK28s=", + "lastModified": 1709763014, + "narHash": "sha256-CopSGZnFg+7n7WwBZ/iqIQhLJo0Xc59OWQo9zN9gmwo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "227a4c47bef2390a7925693c51489e84169b1957", + "rev": "03e303468a0b89792bc40c2f3a7cd8a322b66fad", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1708963602, - "narHash": "sha256-ODloNfAj9CUN44L1VEvjh5nwV6pseDUZ3/lI6IgYUeo=", + "lastModified": 1709855257, + "narHash": "sha256-1G57sSUmJ6Pi6WLlOEC3x43mEMECKU4NDkRfNdaHUs0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cd2ec848a90ffdbe716c8829e6c4f75406c5b1a3", + "rev": "c8cd65298e567e1e604431e4544361e365410f8c", "type": "github" }, "original": { @@ -148,11 +148,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1708954320, - "narHash": "sha256-n3LXNMlz7ORCjfIrIUo19a844Fec2+yg7k6NspdVCxs=", + "lastModified": 1709812245, + "narHash": "sha256-i/RysAZgUYsu8618g3yKG65J3CRUIOUPqo+TckMR6iE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "94cda73bf2fd675de987db7c3ac81e861b892266", + "rev": "413506a7ca983170cc8c7bc47f0845a2e6e03e95", "type": "github" }, "original": { From e893ef4a19c8bde989be29950b34c015d2f80659 Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 8 Mar 2024 01:22:37 +0100 Subject: [PATCH 150/386] Patch mastodon for longer profile descriptions --- config/hosts/mastodon/mastodon.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 7c055e6..f36e682 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -2,7 +2,7 @@ let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; - hash = "sha256-2ZTwgcApKrXnO6isJFZk2oLaFB8hm1OAlPxftxXL25g="; + hash = "sha256-Fcbuj5BGkQd3X/gViqqB+NRIvjUlUED32tNEJrzYh5o="; }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { @@ -18,9 +18,8 @@ let "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch" "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch" - "${mastodonNekoversePatches}/patches/006_increase_display_name_character_limit.patch" + "${mastodonNekoversePatches}/patches/006_increase_profile_limits.patch" "${mastodonNekoversePatches}/patches/007_increase_toot_character_limit.patch" - "${mastodonNekoversePatches}/patches/008_increase_profile_metadata_limit.patch" ]; }; yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; From 6db5d5967b5dfb55e1388c315e87016035952ab5 Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 8 Mar 2024 01:23:26 +0100 Subject: [PATCH 151/386] Bump element-web to 1.11.59 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 876a25e..2c102a3 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
@@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.58"; + elementWebVersion = "1.11.59"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-986R9DIGD0twoVXAVHyeO33uLz4CZsajgv5Gn2vd2gE="; + sha256 = "sha256-iVTd5zWUJh9wkbKMh+5hq0ucQaLLY29w1xCLxDIdQ18="; }; elementWebSecurityHeaders = '' # Configuration best practices From addf1e37afa81195b0c28f56f4a5bdf02ceb76fe Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 15 Apr 2024 20:02:16 +0200 Subject: [PATCH 152/386] bump flake.lock --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index ad3ce5b..8886adc 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1709426687, - "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=", + "lastModified": 1712450863, + "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c", + "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1709821158, - "narHash": "sha256-76L6tymnmFY3zDPBi0Mi5G6HcISHKw7xHuYYmzKrTK4=", + "lastModified": 1712537332, + "narHash": "sha256-yYlxv1sg/TNl6hghjAe0ct+/p5PwXiT1mpuaExjhR88=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "10e801a76fa611f8ce7937e2c9b7677888a54fa0", + "rev": "d942db8df8ee860556a38754f15b8d03bf7e6933", "type": "github" }, "original": { 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709763014, - "narHash": "sha256-CopSGZnFg+7n7WwBZ/iqIQhLJo0Xc59OWQo9zN9gmwo=", + "lastModified": 1713180868, + "narHash": "sha256-5CSnPSCEWeUmrFiLuYIQIPQzPrpCB8x3VhE+oXLRO3k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "03e303468a0b89792bc40c2f3a7cd8a322b66fad", + "rev": "140546acf30a8212a03a88ded8506413fa3b5d21", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1709855257, - "narHash": "sha256-1G57sSUmJ6Pi6WLlOEC3x43mEMECKU4NDkRfNdaHUs0=", + "lastModified": 1713201277, + "narHash": "sha256-xHxbvpjepaDEc3DxJNMCWOFyBqW7yIANbUU+yWSL9+c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c8cd65298e567e1e604431e4544361e365410f8c", + "rev": "fc69edccf533e2731ab8850c59482907e0d4fc28", "type": "github" }, "original": { @@ -148,11 +148,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1709812245, - "narHash": "sha256-i/RysAZgUYsu8618g3yKG65J3CRUIOUPqo+TckMR6iE=", + "lastModified": 1713156337, + "narHash": "sha256-oPG4CUVQGc/8q0k4nS8YK44o2q14cqQSo9OijH1E+Vs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "413506a7ca983170cc8c7bc47f0845a2e6e03e95", + "rev": "b941d525061a6e4f43882318225799c901f1ad40", "type": "github" }, "original": { From 78418667307f07cbcb79ad9a24bcb823b0cd2279 Mon Sep 17 00:00:00 2001 
From: fi Date: Sun, 5 May 2024 21:54:03 +0200 Subject: [PATCH 153/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/d942db8df8ee860556a38754f15b8d03bf7e6933' (2024-04-08) → 'github:nix-community/nixos-generators/722b512eb7e6915882f39fff0e4c9dd44f42b77e' (2024-04-22) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/140546acf30a8212a03a88ded8506413fa3b5d21' (2024-04-15) → 'github:NixOS/nixpkgs/1552982a8e5848fe2fec7d669d54ee86aa743101' (2024-05-05) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/fc69edccf533e2731ab8850c59482907e0d4fc28' (2024-04-15) → 'github:NixOS/nixpkgs/f1edf105d0bde9776d5060b5f8dcc16aea86cb44' (2024-05-05) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/b941d525061a6e4f43882318225799c901f1ad40' (2024-04-15) → 'github:NixOS/nixpkgs/9f5a6d72fa3985e4cd8fca3926d14ae8b54bcf75' (2024-05-05) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 8886adc..184a7b1 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1712537332, - "narHash": "sha256-yYlxv1sg/TNl6hghjAe0ct+/p5PwXiT1mpuaExjhR88=", + "lastModified": 1713783234, + "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "d942db8df8ee860556a38754f15b8d03bf7e6933", + "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e", "type": "github" }, "original": { 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1713180868, - "narHash": "sha256-5CSnPSCEWeUmrFiLuYIQIPQzPrpCB8x3VhE+oXLRO3k=", + "lastModified": 1714902782, + "narHash": "sha256-TdQNxaviQZlGU1VakHpDq3qqhP+0HhieieYRGZN46Ec=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "140546acf30a8212a03a88ded8506413fa3b5d21", + "rev": "1552982a8e5848fe2fec7d669d54ee86aa743101", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1713201277, - "narHash": "sha256-xHxbvpjepaDEc3DxJNMCWOFyBqW7yIANbUU+yWSL9+c=", + "lastModified": 1714938357, + "narHash": "sha256-CZmX0Dm7HhEBNMoeRDQIS6Ltd+kVtRVMPIt5iW9urQQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fc69edccf533e2731ab8850c59482907e0d4fc28", + "rev": "f1edf105d0bde9776d5060b5f8dcc16aea86cb44", "type": "github" }, "original": { @@ -148,11 +148,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1713156337, - "narHash": "sha256-oPG4CUVQGc/8q0k4nS8YK44o2q14cqQSo9OijH1E+Vs=", + "lastModified": 1714923658, + "narHash": "sha256-f54abULm+mOb74m4iDMbXpEsIClOu56q5u6ijbiuIbs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b941d525061a6e4f43882318225799c901f1ad40", + "rev": "9f5a6d72fa3985e4cd8fca3926d14ae8b54bcf75", "type": "github" }, "original": { From 99c956cbee6a501b96d346c3db8417b4551b6a3f Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 26 May 2024 14:23:25 +0200 Subject: [PATCH 154/386] Remove unifi-controller --- .../hosts/unifi-controller/configuration.nix | 23 ------------------- config/hosts/unifi-controller/default.nix | 7 ------ config/hosts/unifi-controller/unifi.nix | 12 ---------- hosts.nix | 4 ---- 4 files changed, 46 deletions(-) delete mode 100644 config/hosts/unifi-controller/configuration.nix delete mode 100644 config/hosts/unifi-controller/default.nix delete mode 100644 config/hosts/unifi-controller/unifi.nix 
diff --git a/config/hosts/unifi-controller/configuration.nix b/config/hosts/unifi-controller/configuration.nix deleted file mode 100644 index 565cdf7..0000000 --- a/config/hosts/unifi-controller/configuration.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "unifi-controller"; - firewall = { - allowedTCPPorts = [ 53 8080 8443 8880 8843 6789 27117 ]; - allowedUDPPorts = [ 53 3478 5514 10001 1900 123 ]; - allowedUDPPortRanges = [ - { - from = 5656; - to = 5699; - } - ]; - }; - }; - - system.stateVersion = "23.11"; -} diff --git a/config/hosts/unifi-controller/default.nix b/config/hosts/unifi-controller/default.nix deleted file mode 100644 index f66e094..0000000 --- a/config/hosts/unifi-controller/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./unifi.nix - ]; -} diff --git a/config/hosts/unifi-controller/unifi.nix b/config/hosts/unifi-controller/unifi.nix deleted file mode 100644 index 75a7094..0000000 --- a/config/hosts/unifi-controller/unifi.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, lib, ... }: -{ - services.unifi = { - enable = true; - unifiPackage = pkgs.unifi; - }; - - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ - "unifi-controller" - "mongodb" - ]; -} diff --git a/hosts.nix b/hosts.nix index 80145ea..4bebbbc 100644 --- a/hosts.nix +++ b/hosts.nix @@ -114,10 +114,6 @@ in site = "vs"; environment = "proxmox"; }; - unifi-controller = { - site = "wg"; - environment = "proxmox"; - }; valkyrie = { hostNixpkgs = nixpkgs-23-05; site = "af"; From 2eaef1b54578cd52da699f8b8588a4c104766bec Mon Sep 17 00:00:00 2001 
From: fi Date: Sun, 26 May 2024 14:30:59 +0200 Subject: [PATCH 155/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/722b512eb7e6915882f39fff0e4c9dd44f42b77e' (2024-04-22) → 'github:nix-community/nixos-generators/d14b286322c7f4f897ca4b1726ce38cb68596c94' (2024-05-20) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/1552982a8e5848fe2fec7d669d54ee86aa743101' (2024-05-05) → 'github:NixOS/nixpkgs/8ed72179617b1b4dbd15134371daf4e9c4c039ee' (2024-05-26) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/f1edf105d0bde9776d5060b5f8dcc16aea86cb44' (2024-05-05) → 'github:NixOS/nixpkgs/61f95814d35e9faf61aa1dd81bd7acdf9a5514b9' (2024-05-26) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/9f5a6d72fa3985e4cd8fca3926d14ae8b54bcf75' (2024-05-05) → 'github:NixOS/nixpkgs/8debaa1f45995e3a621c1f55c09bf68e214f5878' (2024-05-26) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 184a7b1..52edb0e 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1713783234, - "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=", + "lastModified": 1716210724, + "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e", + "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94", "type": "github" }, "original": { 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1714902782, - "narHash": "sha256-TdQNxaviQZlGU1VakHpDq3qqhP+0HhieieYRGZN46Ec=", + "lastModified": 1716702362, + "narHash": "sha256-1iExBg0gqYHqSEwALu4LYPOKlJMbUUbsfhsGZf2mi0M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1552982a8e5848fe2fec7d669d54ee86aa743101", + "rev": "8ed72179617b1b4dbd15134371daf4e9c4c039ee", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1714938357, - "narHash": "sha256-CZmX0Dm7HhEBNMoeRDQIS6Ltd+kVtRVMPIt5iW9urQQ=", + "lastModified": 1716726580, + "narHash": "sha256-qfzXu2ar19X9GUg//K2IrMbwHbmaZPVktSmtLtMSe7s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f1edf105d0bde9776d5060b5f8dcc16aea86cb44", + "rev": "61f95814d35e9faf61aa1dd81bd7acdf9a5514b9", "type": "github" }, "original": { @@ -148,11 +148,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1714923658, - "narHash": "sha256-f54abULm+mOb74m4iDMbXpEsIClOu56q5u6ijbiuIbs=", + "lastModified": 1716704148, + "narHash": "sha256-XsWxhtvSUsft43XbSkpSroSyUyXj4focTG2CFCx1wqE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9f5a6d72fa3985e4cd8fca3926d14ae8b54bcf75", + "rev": "8debaa1f45995e3a621c1f55c09bf68e214f5878", "type": "github" }, "original": { From eb672f077f15e7ef0de2bd6cfa9aaba664bfefc2 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 26 May 2024 16:03:05 +0200 Subject: [PATCH 156/386] Get keycloak 23.0.7 from master --- config/hosts/keycloak/keycloak.nix | 3 ++- flake.lock | 17 +++++++++++++++++ flake.nix | 7 ++++--- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix index 79e9a96..0937e24 100644 --- a/config/hosts/keycloak/keycloak.nix +++ b/config/hosts/keycloak/keycloak.nix 
@@ -1,7 +1,8 @@
-{ ... }:
+{ nixpkgs-master-keycloak-23_0_7, ... }:
 {
 services.keycloak = {
 enable = true;
+ package = nixpkgs-master-keycloak-23_0_7.legacyPackages."x86_64-linux".keycloak;
 settings = {
 hostname = "id.nekover.se";
 hostname-admin = "keycloak-admin.nekover.se";
diff --git a/flake.lock b/flake.lock
index 52edb0e..0535751 100644
--- a/flake.lock
+++ b/flake.lock
@@ -146,6 +146,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-master-keycloak-23_0_7": {
+ "locked": {
+ "lastModified": 1708610845,
+ "narHash": "sha256-2ta+qGOkQJOeDx00bzxmjP0XO38xkJjZDDA+hq/04SM=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "edc6a7a312c4f914f9bded421efa6f0b1b715693",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "edc6a7a312c4f914f9bded421efa6f0b1b715693",
+ "type": "github"
+ }
+ },
 "nixpkgs-unstable": {
 "locked": {
 "lastModified": 1716704148,
@@ -183,6 +199,7 @@
 "nixpkgs": "nixpkgs",
 "nixpkgs-23-05": "nixpkgs-23-05",
 "nixpkgs-master": "nixpkgs-master",
+ "nixpkgs-master-keycloak-23_0_7": "nixpkgs-master-keycloak-23_0_7",
 "nixpkgs-unstable": "nixpkgs-unstable",
 "simple-nixos-mailserver": "simple-nixos-mailserver"
 }
diff --git a/flake.nix b/flake.nix
index c789cbb..9abb06c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,7 @@
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small";
 nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 nixpkgs-master.url = "github:NixOS/nixpkgs/master";
+ nixpkgs-master-keycloak-23_0_7.url = "github:NixOS/nixpkgs/edc6a7a312c4f914f9bded421efa6f0b1b715693";
 nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05-small";
 nixos-generators = {
 url = "github:nix-community/nixos-generators";
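Review bot: The added `package = nixpkgs-master-keycloak-23_0_7.legacyPackages."x86_64-linux".keycloak;` in the keycloak.nix hunk hardcodes the architecture and pins Keycloak to one nixpkgs revision, so this host stops receiving Keycloak fixes from the `nixpkgs` input until someone remembers to remove the override. Taking `pkgs` in the module arguments and writing `package = nixpkgs-master-keycloak-23_0_7.legacyPackages.${pkgs.stdenv.hostPlatform.system}.keycloak;` removes the hardcoded system, and a comment on the line, `# TODO: pinned nixpkgs rev for Keycloak 23.0.7; drop once the main nixpkgs input ships >= 23.0.7`, gives the pin a documented exit condition. The same pin is wired into flake.nix and flake.lock in this commit, so the eventual removal has to touch all three files. The `services.keycloak` block continues outside the hunk.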
@@ -11,7 +12,7 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-master-keycloak-23_0_7, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; @@ -29,7 +30,7 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master nixpkgs-master-keycloak-23_0_7 hosts simple-nixos-mailserver; # Provide environment for secret key command keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; @@ -39,7 +40,7 @@ hydraJobs = { nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { - inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master nixpkgs-master-keycloak-23_0_7 hosts simple-nixos-mailserver; }) hosts; }; From cfd5f8561926adb2669d957e2ecc41d87dcb0919 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 26 May 2024 16:20:34 +0200 Subject: [PATCH 157/386] Bump element-web to 1.11.67 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 2c102a3..3316006 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
@@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.59"; + elementWebVersion = "1.11.67"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-iVTd5zWUJh9wkbKMh+5hq0ucQaLLY29w1xCLxDIdQ18="; + sha256 = "sha256-Mleha39aEwa+qbJCVW1RmGDHb/noX9+Zo2IvjaLxhtE="; }; elementWebSecurityHeaders = '' # Configuration best practices From e920b367ded9cb4f64f0dac4107f5fb793bf8ff3 Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 31 May 2024 17:12:26 +0200 Subject: [PATCH 158/386] Bump mastodon to v4.2.9 --- config/hosts/mastodon/mastodon.nix | 4 ++-- flake.lock | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index f36e682..cb13ab5 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.8"; + version = "4.2.9"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-7/E7iHqJxmYSorXYti7h8EbP7wcOAaD04ToLeU2I/nY="; + sha256 = "sha256-VjR4lXlb1p8mmpOGxPqbmCCEaB7SP90ccPSMfGFx6IQ="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" diff --git a/flake.lock b/flake.lock index 0535751..791aca5 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1716702362, - "narHash": "sha256-1iExBg0gqYHqSEwALu4LYPOKlJMbUUbsfhsGZf2mi0M=", + "lastModified": 1717106496, + "narHash": "sha256-CXCHENGIy/SNEHBTLH2Pz/J9XvcTPnk73QROAEHtGM0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8ed72179617b1b4dbd15134371daf4e9c4c039ee", + "rev": "2ac5652e83ddfca412a4b338714cb9afb27357d0", "type": "github" }, "original": { 
@@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1716726580, - "narHash": "sha256-qfzXu2ar19X9GUg//K2IrMbwHbmaZPVktSmtLtMSe7s=", + "lastModified": 1717165608, + "narHash": "sha256-mm/4TxdqIzONGiXuJQQEIfoFdB72aW7SQUqiLJ6pEjE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "61f95814d35e9faf61aa1dd81bd7acdf9a5514b9", + "rev": "1ee0e2dcfecd93168f757deff4ed33d7d574484c", "type": "github" }, "original": { @@ -164,11 +164,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1716704148, - "narHash": "sha256-XsWxhtvSUsft43XbSkpSroSyUyXj4focTG2CFCx1wqE=", + "lastModified": 1717112898, + "narHash": "sha256-7R2ZvOnvd9h8fDd65p0JnB7wXfUvreox3xFdYWd1BnY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8debaa1f45995e3a621c1f55c09bf68e214f5878", + "rev": "6132b0f6e344ce2fe34fc051b72fb46e34f668e0", "type": "github" }, "original": { From 76db8d3907caf0845b140059d630168dc02728d0 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 25 Jun 2024 22:56:12 +0200 Subject: [PATCH 159/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/4be04c4f5d112f662df788262113b488d21352ec' (2024-06-25) → 'github:NixOS/nixpkgs/8cce9d0ae31e51a5505650daa046fb22960766ed' (2024-06-25) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 791aca5..1995d10 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1716210724, - "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=", + "lastModified": 1718025593, + "narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94", + "rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3", "type": "github" }, "original": { 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1717106496, - "narHash": "sha256-CXCHENGIy/SNEHBTLH2Pz/J9XvcTPnk73QROAEHtGM0=", + "lastModified": 1719160247, + "narHash": "sha256-mWvCCJFG7RFMFXyQHdxDX56RKYdzXmQ25sy69uRQ8BI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2ac5652e83ddfca412a4b338714cb9afb27357d0", + "rev": "74b529ef56db2bc5ac41b40dca2e57e222964e3a", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1717165608, - "narHash": "sha256-mm/4TxdqIzONGiXuJQQEIfoFdB72aW7SQUqiLJ6pEjE=", + "lastModified": 1719348949, + "narHash": "sha256-uohZYX9g9MuEZlzME38gJyMpNK/bIixzuLkQn3CG5yg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1ee0e2dcfecd93168f757deff4ed33d7d574484c", + "rev": "8cce9d0ae31e51a5505650daa046fb22960766ed", "type": "github" }, "original": { @@ -164,11 +164,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1717112898, - "narHash": "sha256-7R2ZvOnvd9h8fDd65p0JnB7wXfUvreox3xFdYWd1BnY=", + "lastModified": 1719327525, + "narHash": "sha256-fPWiFM4aYbK9zGTt3KJ9CwX//iyElRiNHWNj2hk3i0E=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6132b0f6e344ce2fe34fc051b72fb46e34f668e0", + "rev": "191a3fd9786d09c8d82e89ed68c4463e7be09b3e", "type": "github" }, "original": { From afc8565fc77f9b0ba0cffef0568422755b0643bc Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 1 Jul 2024 15:57:16 +0200 Subject: [PATCH 160/386] Bump nix channel versions --- flake.nix | 7 +++---- hosts.nix | 3 +-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/flake.nix b/flake.nix index 9abb06c..1520a61 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,18 +1,17 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; nixpkgs-master-keycloak-23_0_7.url = "github:NixOS/nixpkgs/edc6a7a312c4f914f9bded421efa6f0b1b715693"; - nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05-small"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; - simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-master-keycloak-23_0_7, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-master-keycloak-23_0_7, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; diff --git a/hosts.nix b/hosts.nix index 4bebbbc..5de4e6f 100644 --- a/hosts.nix +++ b/hosts.nix @@ -1,4 +1,4 @@ -{ nixpkgs, nixpkgs-unstable, nixpkgs-23-05, ... }: +{ nixpkgs, nixpkgs-unstable, ... }: let # Set of environment specific modules environments = { @@ -115,7 +115,6 @@ in environment = "proxmox"; }; valkyrie = { - hostNixpkgs = nixpkgs-23-05; site = "af"; environment = "openstack"; }; From 15a8615e02bd6b4f6d903510d8386284afe7e770 Mon Sep 17 00:00:00 2001 
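Review bot: Dropping `hostNixpkgs = nixpkgs-23-05;` from the `valkyrie` entry in hosts.nix moves that host straight onto the default `nixpkgs` input, which the same commit bumps from `nixos-23.11-small` to `nixos-24.05-small`, so valkyrie jumps two NixOS releases in a single deploy while every other host moves one. Nothing in the hunk records that this was deliberate or that the skipped release notes were checked for stateful-service migrations; a one-line comment on the entry would keep that context, e.g. `# moved from the pinned 23.05 input to the default nixpkgs (24.05) in one step`. The `valkyrie` attribute set begins above the hunk and the surrounding `hosts` set continues past it.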
From: fi Date: Mon, 1 Jul 2024 15:58:50 +0200 Subject: [PATCH 161/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/35c20ba421dfa5059e20e0ef2343c875372bdcf3' (2024-06-10) → 'github:nix-community/nixos-generators/140dcc2b9a0eb87ba5e9011076a1a7af19179ab1' (2024-07-01) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/3c62b6a12571c9a7f65ab037173ee153d539905f' (2024-04-07) → 'github:nix-community/nixpkgs.lib/1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6' (2024-06-30) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/74b529ef56db2bc5ac41b40dca2e57e222964e3a' (2024-06-23) → 'github:NixOS/nixpkgs/10c832d0548e9e3a6df7eb51e68c2783212a303e' (2024-07-01) • Removed input 'nixpkgs-23-05' • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/8cce9d0ae31e51a5505650daa046fb22960766ed' (2024-06-25) → 'github:NixOS/nixpkgs/79456ded62c3a1f6c25520799d5d822f8a6b0dc7' (2024-07-01) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/191a3fd9786d09c8d82e89ed68c4463e7be09b3e' (2024-06-25) → 'github:NixOS/nixpkgs/7f993cdf26ccef564eabf31fdb40d140821e12bc' (2024-07-01) • Updated input 'simple-nixos-mailserver': 'gitlab:simple-nixos-mailserver/nixos-mailserver/e47f3719f1db3e0961a4358d4cb234a0acaa7baf' (2024-01-25) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/29916981e7b3b5782dc5085ad18490113f8ff63b' (2024-06-11) • Updated input 'simple-nixos-mailserver/flake-compat': 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17) → 'github:edolstra/flake-compat/0f9255e01c2351cc7d116c072cb317785dd33b33' (2023-10-04) • Updated input 'simple-nixos-mailserver/nixpkgs': 'github:NixOS/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21) → 'github:NixOS/nixpkgs/e8057b67ebf307f01bdcc8fba94d94f75039d1f6' (2024-06-05) • Removed input 'simple-nixos-mailserver/nixpkgs-23_05' • 
Removed input 'simple-nixos-mailserver/nixpkgs-23_11' • Added input 'simple-nixos-mailserver/nixpkgs-24_05': 'github:NixOS/nixpkgs/805a384895c696f802a9bf5bf4720f37385df547' (2024-05-31) • Updated input 'simple-nixos-mailserver/utils': 'github:numtide/flake-utils/5021eac20303a61fafe17224c087f5519baed54d' (2020-11-14) → 'github:numtide/flake-utils/d465f4819400de7c8d874d50b982301f28a84605' (2024-02-28) • Added input 'simple-nixos-mailserver/utils/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) --- flake.lock | 123 +++++++++++++++++++++++------------------------------ 1 file changed, 54 insertions(+), 69 deletions(-) diff --git a/flake.lock b/flake.lock index 1995d10..df78fc6 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1712450863, - "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=", + "lastModified": 1719708727, + "narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f", + "rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@
 ]
 },
 "locked": {
- "lastModified": 1718025593,
- "narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=",
+ "lastModified": 1719841141,
+ "narHash": "sha256-WOyohxFJJdfDvEB7N3eTcX44lNU2rZes1inHsyHL7mM=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3",
+ "rev": "140dcc2b9a0eb87ba5e9011076a1a7af19179ab1",
 "type": "github"
 },
 "original": {
@@ -70,73 +70,42 @@ }, "nixpkgs": { "locked": { - "lastModified": 1719160247, - "narHash": "sha256-mWvCCJFG7RFMFXyQHdxDX56RKYdzXmQ25sy69uRQ8BI=", + "lastModified": 1719825363, + "narHash": "sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "74b529ef56db2bc5ac41b40dca2e57e222964e3a", + "rev": "10c832d0548e9e3a6df7eb51e68c2783212a303e", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.11-small", + "ref": "nixos-24.05-small", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-23-05": { + "nixpkgs-24_05": { "locked": { - "lastModified": 1705033721, - "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=", + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.05-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-23_05": { - "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-23.05", - "type": "indirect" - } - }, - "nixpkgs-23_11": { - "locked": { - "lastModified": 1706098335, - "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a77ab169a83a4175169d78684ddd2e54486ac651", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "type": "indirect" } }, "nixpkgs-master": { "locked": { - "lastModified": 1719348949, - "narHash": "sha256-uohZYX9g9MuEZlzME38gJyMpNK/bIixzuLkQn3CG5yg=", + "lastModified": 1719841698, + "narHash": "sha256-oxCNic7Lw+NKzqYO5r2knhU89PcQb22jUqu/N30Yam4=", "owner": 
"NixOS", "repo": "nixpkgs", - "rev": "8cce9d0ae31e51a5505650daa046fb22960766ed", + "rev": "79456ded62c3a1f6c25520799d5d822f8a6b0dc7", "type": "github" }, "original": { @@ -164,11 +133,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1719327525, - "narHash": "sha256-fPWiFM4aYbK9zGTt3KJ9CwX//iyElRiNHWNj2hk3i0E=", + "lastModified": 1719824438, + "narHash": "sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t+Je1zc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "191a3fd9786d09c8d82e89ed68c4463e7be09b3e", + "rev": "7f993cdf26ccef564eabf31fdb40d140821e12bc", "type": "github" }, "original": { @@ -180,11 +149,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1705856552, - "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "lastModified": 1717602782, + "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6", "type": "github" }, "original": { @@ -197,7 +166,6 @@ "inputs": { "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", - "nixpkgs-23-05": "nixpkgs-23-05", "nixpkgs-master": "nixpkgs-master", "nixpkgs-master-keycloak-23_0_7": "nixpkgs-master-keycloak-23_0_7", "nixpkgs-unstable": "nixpkgs-unstable", 
@@ -209,32 +177,49 @@ "blobs": "blobs", "flake-compat": "flake-compat", "nixpkgs": "nixpkgs_2", - "nixpkgs-23_05": "nixpkgs-23_05", - "nixpkgs-23_11": "nixpkgs-23_11", + "nixpkgs-24_05": "nixpkgs-24_05", "utils": "utils" }, "locked": { - "lastModified": 1706219574, - "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=", + "lastModified": 1718084203, + "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf", + "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b", "type": "gitlab" }, "original": { "owner": "simple-nixos-mailserver", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "repo": "nixos-mailserver", "type": "gitlab" } }, - "utils": { + "systems": { "locked": { - "lastModified": 1605370193, - "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", "owner": "numtide", "repo": "flake-utils", - "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", "type": "github" }, "original": { From 6b3c6567a5d0f1d8a748d882b903826623720061 Mon Sep 17 00:00:00 2001 
From: fi Date: Thu, 4 Jul 2024 17:21:02 +0200 Subject: [PATCH 162/386] Update/fix keycloak, matrix, nextcloud, wireguard-nat-nftables --- config/hosts/keycloak/keycloak.nix | 3 +-- config/hosts/matrix/matrix-synapse.nix | 15 ++++++++------- config/hosts/nextcloud/nextcloud.nix | 6 +++--- flake.lock | 17 ----------------- flake.nix | 7 +++---- pkgs/wireguard-nat-nftables/default.nix | 12 +++--------- 6 files changed, 18 insertions(+), 42 deletions(-) diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix index 0937e24..79e9a96 100644 --- a/config/hosts/keycloak/keycloak.nix +++ b/config/hosts/keycloak/keycloak.nix @@ -1,8 +1,7 @@ -{ nixpkgs-master-keycloak-23_0_7, ... }: +{ ... }: { services.keycloak = { enable = true; - package = nixpkgs-master-keycloak-23_0_7.legacyPackages."x86_64-linux".keycloak; settings = { hostname = "id.nekover.se"; hostname-admin = "keycloak-admin.nekover.se"; diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 6527503..e719484 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -47,13 +47,6 @@ turn_user_lifetime = 86400000; turn_allow_guests = true; }; - sliding-sync = { - enable = true; - settings = { - SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl; - }; - environmentFile = "/secrets/matrix-SYNCV3_SECRET.secret"; - }; extras = [ "oidc" ]; extraConfigFiles = [ "/secrets/matrix-registration-shared-secret.secret" @@ -62,4 +55,12 @@ "/secrets/matrix-keycloak-client-secret.secret" ]; }; + + services.matrix-sliding-sync = { + enable = true; + settings = { + SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl; + }; + environmentFile = "/secrets/matrix-SYNCV3_SECRET.secret"; + }; } diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index 839d15d..0b1f3a2 100644 --- a/config/hosts/nextcloud/nextcloud.nix 
+++ b/config/hosts/nextcloud/nextcloud.nix @@ -2,13 +2,12 @@ { services.nextcloud = { enable = true; - package = pkgs.nextcloud28; + package = pkgs.nextcloud29; hostName = "cloud.nekover.se"; https = true; config = { dbtype = "pgsql"; adminpassFile = "/secrets/nextcloud-adminpass.secret"; - defaultPhoneRegion = "DE"; }; database.createLocally = true; configureRedis = true; @@ -17,7 +16,7 @@ inherit bookmarks contacts calendar tasks twofactor_webauthn user_oidc; }; maxUploadSize = "16G"; - extraOptions = { + settings = { mail_smtpmode = "smtp"; mail_sendmailmode = "smtp"; mail_smtpsecure = "ssl"; @@ -28,6 +27,7 @@ mail_smtphost = "mail-1.grzb.de"; mail_smtpport = 465; mail_smtpname = "cloud@nekover.se"; + default_phone_region = "DE"; }; # Only contains mail_smtppassword secretFile = "/secrets/nextcloud-secretfile.secret"; diff --git a/flake.lock b/flake.lock index df78fc6..aa5196f 100644 --- a/flake.lock +++ b/flake.lock @@ -115,22 +115,6 @@ "type": "github" } }, - "nixpkgs-master-keycloak-23_0_7": { - "locked": { - "lastModified": 1708610845, - "narHash": "sha256-2ta+qGOkQJOeDx00bzxmjP0XO38xkJjZDDA+hq/04SM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "edc6a7a312c4f914f9bded421efa6f0b1b715693", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "edc6a7a312c4f914f9bded421efa6f0b1b715693", - "type": "github" - } - }, "nixpkgs-unstable": { "locked": { "lastModified": 1719824438, @@ -167,7 +151,6 @@ "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", - "nixpkgs-master-keycloak-23_0_7": "nixpkgs-master-keycloak-23_0_7", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } diff --git a/flake.nix b/flake.nix index 1520a61..5cf2232 100644 --- a/flake.nix +++ b/flake.nix 
@@ -3,7 +3,6 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; - nixpkgs-master-keycloak-23_0_7.url = "github:NixOS/nixpkgs/edc6a7a312c4f914f9bded421efa6f0b1b715693"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; @@ -11,7 +10,7 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-master-keycloak-23_0_7, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; @@ -29,7 +28,7 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit nixpkgs-unstable nixpkgs-master nixpkgs-master-keycloak-23_0_7 hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; # Provide environment for secret key command keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; @@ -39,7 +38,7 @@ hydraJobs = { nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { - inherit nixpkgs-unstable nixpkgs-master nixpkgs-master-keycloak-23_0_7 hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; }) hosts; }; diff --git a/pkgs/wireguard-nat-nftables/default.nix b/pkgs/wireguard-nat-nftables/default.nix index e687cee..3ce972e 100644 --- a/pkgs/wireguard-nat-nftables/default.nix +++ b/pkgs/wireguard-nat-nftables/default.nix 
@@ -1,17 +1,11 @@ { pkgs, ... }: -let - nftablesWithPythonOverlay = final: prev: { - nftables = (prev.nftables.override { withPython = true; }); - }; - pkgs-overlay = pkgs.extend nftablesWithPythonOverlay; -in -pkgs-overlay.python310Packages.buildPythonApplication { +pkgs.python3Packages.buildPythonApplication { pname = "wireguard-nat-nftables"; version = "0.0.1"; - propagatedBuildInputs = with pkgs-overlay; [ + propagatedBuildInputs = with pkgs; [ wireguard-tools - python310Packages.nftables + python3Packages.nftables ]; src = ./src; From cb524ed9e010defdcd198102ee9e0a6139e5c87b Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 4 Jul 2024 17:31:08 +0200 Subject: [PATCH 163/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/140dcc2b9a0eb87ba5e9011076a1a7af19179ab1' (2024-07-01) → 'github:nix-community/nixos-generators/168b220231a70e47cc1f0919048fa5914415fb18' (2024-07-04) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/10c832d0548e9e3a6df7eb51e68c2783212a303e' (2024-07-01) → 'github:NixOS/nixpkgs/8668e0cd7cdcd7c048aa0aedb8051feb44e04130' (2024-07-04) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/79456ded62c3a1f6c25520799d5d822f8a6b0dc7' (2024-07-01) → 'github:NixOS/nixpkgs/0c811d5f56f318bdbc3241ead65ca3b88d6c4a70' (2024-07-04) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/7f993cdf26ccef564eabf31fdb40d140821e12bc' (2024-07-01) → 'github:NixOS/nixpkgs/1af787b0e7fda63e5313fb1a6815019e0c4d6f9b' (2024-07-04) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index aa5196f..66c0caf 100644 --- a/flake.lock +++ b/flake.lock 
@@ -55,11 +55,11 @@
 ]
 },
 "locked": {
- "lastModified": 1719841141,
- "narHash": "sha256-WOyohxFJJdfDvEB7N3eTcX44lNU2rZes1inHsyHL7mM=",
+ "lastModified": 1720055043,
+ "narHash": "sha256-SKizewU4UeYrkZWPUjur8EoxscGoNb0pGcrNL4YzAIg=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "140dcc2b9a0eb87ba5e9011076a1a7af19179ab1",
+ "rev": "168b220231a70e47cc1f0919048fa5914415fb18",
 "type": "github"
 },
 "original": {
@@ -70,11 +70,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1719825363,
- "narHash": "sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw=",
+ "lastModified": 1720054931,
+ "narHash": "sha256-scsZLzV/mGMbKdH1vrLmNuXtrQK8xo4vzAs05ZeGO40=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "10c832d0548e9e3a6df7eb51e68c2783212a303e",
+ "rev": "8668e0cd7cdcd7c048aa0aedb8051feb44e04130",
 "type": "github"
 },
 "original": {
@@ -101,11 +101,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1719841698,
- "narHash": "sha256-oxCNic7Lw+NKzqYO5r2knhU89PcQb22jUqu/N30Yam4=",
+ "lastModified": 1720105773,
+ "narHash": "sha256-YO8hXGHrwKe8xV272ztIjpg/nu6tYtMHCjQtmROC9ew=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "79456ded62c3a1f6c25520799d5d822f8a6b0dc7",
+ "rev": "0c811d5f56f318bdbc3241ead65ca3b88d6c4a70",
 "type": "github"
 },
 "original": {
@@ -117,11 +117,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1719824438,
- "narHash": "sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t+Je1zc=",
+ "lastModified": 1720067112,
+ "narHash": "sha256-RqDbuJnwe29ffD8KE810dLxzCyaX5cvXks8TaJZK4H4=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "7f993cdf26ccef564eabf31fdb40d140821e12bc",
+ "rev": "1af787b0e7fda63e5313fb1a6815019e0c4d6f9b",
 "type": "github"
 },
 "original": {
From f48588d3afbfeed06d3b8526a1a864e4421b2f59 Mon Sep 17 00:00:00 2001
From: fi Date: Thu, 4 Jul 2024 17:35:45 +0200 Subject: [PATCH 164/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Added input 'nixpkgs-mastodon-4-2-10': 'github:NixOS/nixpkgs/e8f680e000d5c5b4a0ff998e6423951bcf06ba35' (2024-07-04) --- flake.lock | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/flake.lock b/flake.lock index 66c0caf..773cd38 100644 --- a/flake.lock +++ b/flake.lock @@ -115,6 +115,22 @@ "type": "github" } }, + "nixpkgs-mastodon-4-2-10": { + "locked": { + "lastModified": 1720106533, + "narHash": "sha256-m1f/yXrCX3czYSVvBz5jdJ41dcCVsKlSIrnH0i83L6U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e8f680e000d5c5b4a0ff998e6423951bcf06ba35", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e8f680e000d5c5b4a0ff998e6423951bcf06ba35", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1720067112, @@ -151,6 +167,7 @@ "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", + "nixpkgs-mastodon-4-2-10": "nixpkgs-mastodon-4-2-10", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } From 82a77f596d7a9bcb495245b280771ae29d3b9b7f Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 4 Jul 2024 17:52:01 +0200 Subject: [PATCH 165/386] Update mastodo to 4.2.10 --- config/hosts/mastodon/mastodon.nix | 8 ++++---- flake.nix | 7 ++++--- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index cb13ab5..a1d82d2 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -1,4 +1,4 @@ -{ pkgs, nixpkgs-unstable, ... }: +{ pkgs, nixpkgs-mastodon-4-2-10, ... }: let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; 
@@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.9"; + version = "4.2.10"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-VjR4lXlb1p8mmpOGxPqbmCCEaB7SP90ccPSMfGFx6IQ="; + sha256 = "sha256-z3veI0CpZk6mBgygqXk8SN/5WWjy5VkKLxC7nOLnyZE="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" @@ -25,7 +25,7 @@ let yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; }); }; - pkgs-overlay = nixpkgs-unstable.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; + pkgs-overlay = nixpkgs-mastodon-4-2-10.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { diff --git a/flake.nix b/flake.nix index 5cf2232..876a711 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; + nixpkgs-mastodon-4-2-10.url = "github:NixOS/nixpkgs/e8f680e000d5c5b4a0ff998e6423951bcf06ba35"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; @@ -10,7 +11,7 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-mastodon-4-2-10, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; 
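Review bot: `yarnHash` at the top of the second hunk keeps its 4.2.9 value while `version` and the `src` `sha256` move to 4.2.10; as far as I can tell that hash is a fixed-output hash of the yarn offline cache, so it is only valid if `yarn.lock` did not change between the two tags, and otherwise the build stops at the cache fetch with a hash mismatch. A comment recording which tag the hash was computed against would make the next bump less error-prone, e.g. `# yarnHash computed for v4.2.10 (identical to v4.2.9)`. Rebasing `pkgs-overlay` onto the dedicated `nixpkgs-mastodon-4-2-10` input also means everything the overlay takes from that package set is now frozen at one nixpkgs commit rather than following `nixpkgs-unstable`, so the pin itself needs an owner and a removal plan. The `let` binding that supplies `mastodonNekoversePatches` begins above the first hunk.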
@@ -28,7 +29,7 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master nixpkgs-mastodon-4-2-10 hosts simple-nixos-mailserver; # Provide environment for secret key command keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; @@ -38,7 +39,7 @@ hydraJobs = { nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { - inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master nixpkgs-mastodon-4-2-10 hosts simple-nixos-mailserver; }) hosts; }; From d8d71453c31188ad86a70f06f4705318fe0761c4 Mon Sep 17 00:00:00 2001 
From: fi Date: Sat, 3 Aug 2024 23:12:05 +0200 Subject: [PATCH 166/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/168b220231a70e47cc1f0919048fa5914415fb18' (2024-07-04) → 'github:nix-community/nixos-generators/75cbb2a5e19c18840d105a72d036c6c92fc46c5d' (2024-07-29) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6' (2024-06-30) → 'github:nix-community/nixpkgs.lib/d15f6f6021693898fcd2c6a9bb13707383da9bbc' (2024-07-28) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8668e0cd7cdcd7c048aa0aedb8051feb44e04130' (2024-07-04) → 'github:NixOS/nixpkgs/15ed5d4537fd46399513bb040bf98415c825281b' (2024-08-02) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/0c811d5f56f318bdbc3241ead65ca3b88d6c4a70' (2024-07-04) → 'github:NixOS/nixpkgs/7f9ed2e65a92f1496daa9ab73539a9d02c2454b3' (2024-08-03) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/1af787b0e7fda63e5313fb1a6815019e0c4d6f9b' (2024-07-04) → 'github:NixOS/nixpkgs/6602aa2586f35fc8c6c46246a1dcac6940ca3f0f' (2024-08-03) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 773cd38..491040e 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1719708727, - "narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=", + "lastModified": 1722128034, + "narHash": "sha256-L8rwzYPsLo/TYtydPJoQyYOfetuiyQYnTWYcyB8UE/s=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6", + "rev": "d15f6f6021693898fcd2c6a9bb13707383da9bbc", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@
 ]
 },
 "locked": {
- "lastModified": 1720055043,
- "narHash": "sha256-SKizewU4UeYrkZWPUjur8EoxscGoNb0pGcrNL4YzAIg=",
+ "lastModified": 1722214420,
+ "narHash": "sha256-qfHC1p5hcErGcE672/KhBkyWYloekQpqIxtcbcUVYkA=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "168b220231a70e47cc1f0919048fa5914415fb18",
+ "rev": "75cbb2a5e19c18840d105a72d036c6c92fc46c5d",
 "type": "github"
 },
 "original": {
@@ -70,11 +70,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1720054931,
- "narHash": "sha256-scsZLzV/mGMbKdH1vrLmNuXtrQK8xo4vzAs05ZeGO40=",
+ "lastModified": 1722621932,
+ "narHash": "sha256-Uz5xeHsH7+qZVncZwfzGd+CTjxd0mwaP7Q/pbs7OB5c=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "8668e0cd7cdcd7c048aa0aedb8051feb44e04130",
+ "rev": "15ed5d4537fd46399513bb040bf98415c825281b",
 "type": "github"
 },
 "original": {
@@ -101,11 +101,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1720105773,
- "narHash": "sha256-YO8hXGHrwKe8xV272ztIjpg/nu6tYtMHCjQtmROC9ew=",
+ "lastModified": 1722719323,
+ "narHash": "sha256-1O9VQB7WD1NKBz9maYGJAU0EqoajEYQSiSlrjdKWz8s=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "0c811d5f56f318bdbc3241ead65ca3b88d6c4a70",
+ "rev": "7f9ed2e65a92f1496daa9ab73539a9d02c2454b3",
 "type": "github"
 },
 "original": {
@@ -133,11 +133,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1720067112,
- "narHash": "sha256-RqDbuJnwe29ffD8KE810dLxzCyaX5cvXks8TaJZK4H4=",
+ "lastModified": 1722685361,
+ "narHash": "sha256-6Zn2SVJYffCtenHEHsb2PmzQsX5+cRsforNJZmlK630=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "1af787b0e7fda63e5313fb1a6815019e0c4d6f9b",
+ "rev": "6602aa2586f35fc8c6c46246a1dcac6940ca3f0f",
 "type": "github"
 },
 "original": {
From 5f2ed0074bf3583d1eca885665ae4dd0a2042a6f Mon Sep 17 00:00:00 2001
From: fi Date: Mon, 12 Aug 2024 20:14:13 +0200 Subject: [PATCH 167/386] Update valkyrie IP --- config/hosts/mastodon/mastodon.nix | 4 ++-- config/hosts/valkyrie/services.nix | 2 +- flake.lock | 17 ----------------- flake.nix | 7 +++---- 4 files changed, 6 insertions(+), 24 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index a1d82d2..9abd69d 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -1,4 +1,4 @@ -{ pkgs, nixpkgs-mastodon-4-2-10, ... }: +{ pkgs, nixpkgs-unstable, ... }: let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; @@ -25,7 +25,7 @@ let yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; }); }; - pkgs-overlay = nixpkgs-mastodon-4-2-10.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; + pkgs-overlay = nixpkgs-unstable.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix index 5af708c..dc0fa6d 100644 --- a/config/hosts/valkyrie/services.nix +++ b/config/hosts/valkyrie/services.nix @@ -3,7 +3,7 @@ let wireguard-nat-nftables = import ../../../pkgs/wireguard-nat-nftables pkgs; config = pkgs.writeText "wireguard-nat-nftables-config" (builtins.toJSON { interface = "ens3"; - interface_address = "172.16.4.180"; + interface_address = "172.16.4.239"; wg_interface = "wg0"; pubkey_port_mapping = { # okayu diff --git a/flake.lock b/flake.lock index 491040e..a6fd892 100644 --- a/flake.lock +++ b/flake.lock 
@@ -115,22 +115,6 @@ "type": "github" } }, - "nixpkgs-mastodon-4-2-10": { - "locked": { - "lastModified": 1720106533, - "narHash": "sha256-m1f/yXrCX3czYSVvBz5jdJ41dcCVsKlSIrnH0i83L6U=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e8f680e000d5c5b4a0ff998e6423951bcf06ba35", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e8f680e000d5c5b4a0ff998e6423951bcf06ba35", - "type": "github" - } - }, "nixpkgs-unstable": { "locked": { "lastModified": 1722685361, @@ -167,7 +151,6 @@ "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", - "nixpkgs-mastodon-4-2-10": "nixpkgs-mastodon-4-2-10", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } diff --git a/flake.nix b/flake.nix index 876a711..5cf2232 100644 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,6 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; - nixpkgs-mastodon-4-2-10.url = "github:NixOS/nixpkgs/e8f680e000d5c5b4a0ff998e6423951bcf06ba35"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; @@ -11,7 +10,7 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-mastodon-4-2-10, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; 
@@ -29,7 +28,7 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit nixpkgs-unstable nixpkgs-master nixpkgs-mastodon-4-2-10 hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; # Provide environment for secret key command keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; @@ -39,7 +38,7 @@ hydraJobs = { nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { - inherit nixpkgs-unstable nixpkgs-master nixpkgs-mastodon-4-2-10 hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; }) hosts; }; From e1425e2463ee94cbc4d4e99e6df2555954849ba9 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 12 Aug 2024 20:14:28 +0200 Subject: [PATCH 168/386] Bump element-web to 1.1.72 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 3316006..8fe843c 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.67"; + elementWebVersion = "1.11.72"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-Mleha39aEwa+qbJCVW1RmGDHb/noX9+Zo2IvjaLxhtE="; + sha256 = "sha256-3pa4OVHBWZvHLsnE2JK5+sVpOXBKO5yJSQJNJokdF98="; }; elementWebSecurityHeaders = '' # Configuration best practices From b9ba3af5bc675b5a865fb0b4337f057f07b65af8 Mon Sep 17 00:00:00 2001 
From: fi Date: Tue, 10 Sep 2024 17:23:09 +0200 Subject: [PATCH 169/386] Enable push to create repo on forgejo --- config/hosts/forgejo/forgejo.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix index d9f4a36..45961cf 100644 --- a/config/hosts/forgejo/forgejo.nix +++ b/config/hosts/forgejo/forgejo.nix @@ -38,6 +38,10 @@ repo = { DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; }; + repository = { + ENABLE_PUSH_CREATE_USER = true; + ENABLE_PUSH_CREATE_ORG = true; + }; actions = { ENABLED = true; ARTIFACT_RETENTION_DAYS = 30; From f5e8438f0ed89dbe88ac9ef366b059ae92be0e29 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 10 Sep 2024 17:44:41 +0200 Subject: [PATCH 170/386] Add user fi --- config/common/default.nix | 1 + config/users/colmena-deploy/default.nix | 1 + config/users/fi/default.nix | 12 ++++++++++++ config/users/yuri/default.nix | 1 + 4 files changed, 15 insertions(+) create mode 100644 config/users/fi/default.nix diff --git a/config/common/default.nix b/config/common/default.nix index c57eaba..c8930ec 100644 --- a/config/common/default.nix +++ b/config/common/default.nix @@ -6,6 +6,7 @@ ./openssh.nix ../users/colmena-deploy ../users/yuri + ../users/fi ]; time.timeZone = "Europe/Berlin"; diff --git a/config/users/colmena-deploy/default.nix b/config/users/colmena-deploy/default.nix index 1766855..cc4029b 100644 --- a/config/users/colmena-deploy/default.nix +++ b/config/users/colmena-deploy/default.nix @@ -7,6 +7,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPJbR09ZqPnfZkx9JNjCurJDXWa5XtNeNQfkPRU/ZnY colmena-deploy" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" ]; }; } 
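Review bot: `ENABLE_PUSH_CREATE_USER`/`ENABLE_PUSH_CREATE_ORG` let anyone who can authenticate over git create repositories just by pushing, and the visibility of such repositories is governed by `DEFAULT_PUSH_CREATE_PRIVATE` (true by default, as far as I recall), which this hunk does not set; I would state it explicitly, `DEFAULT_PUSH_CREATE_PRIVATE = true;`, so a future default change cannot make push-created repositories public by accident. Because the same settings block enables Actions, a push-created repository can carry a workflow that runs on its very first push; if registration on this instance is open, that becomes a sign-up-to-CI path worth confirming against the registration settings, which are outside this hunk. The enclosing `settings` attrset starts and ends outside the hunk.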
diff --git a/config/users/fi/default.nix b/config/users/fi/default.nix new file mode 100644 index 0000000..2039f05 --- /dev/null +++ b/config/users/fi/default.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + users.users.fi = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" + ]; + }; +} diff --git a/config/users/yuri/default.nix b/config/users/yuri/default.nix index 546de5e..4b2b8ac 100644 --- a/config/users/yuri/default.nix +++ b/config/users/yuri/default.nix @@ -6,6 +6,7 @@ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" ]; }; } From 359614030330fc96ca5b99f1d364eb438218c57f Mon Sep 17 00:00:00 2001 
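Review bot: The new `fi` account is given yuri's `yuri@kiara` and `yuri@violet` keys, and the sibling yuri hunk adds `fi@cherry` to yuri, so either person's key now logs in as both wheel accounts (and, via the colmena-deploy hunk, as the deploy user too). That collapses two identities into one: sshd and auth logs cannot tell who acted, and revoking one person's access means editing three files. Keep each user's own key(s) only — `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"` alone under `users.users.fi` — and route shared access through the dedicated colmena-deploy account. If the cross-listing is deliberate (one operator with two machine identities), a one-line comment above each key list saying so would spare the next reviewer the question.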
From: fi Date: Tue, 10 Sep 2024 17:46:05 +0200 Subject: [PATCH 171/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/75cbb2a5e19c18840d105a72d036c6c92fc46c5d' (2024-07-29) → 'github:nix-community/nixos-generators/214efbd73241d72a8f48b8b9a73bb54895cd51a7' (2024-09-09) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/d15f6f6021693898fcd2c6a9bb13707383da9bbc' (2024-07-28) → 'github:nix-community/nixpkgs.lib/68584f89dd0eb16fea5d80ae127f3f681f6a5df7' (2024-09-08) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/15ed5d4537fd46399513bb040bf98415c825281b' (2024-08-02) → 'github:NixOS/nixpkgs/44a71ff39c182edaf25a7ace5c9454e7cba2c658' (2024-09-10) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/7f9ed2e65a92f1496daa9ab73539a9d02c2454b3' (2024-08-03) → 'github:NixOS/nixpkgs/c711a6c3032741bd1384ac057b43b55989c63e72' (2024-09-10) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/6602aa2586f35fc8c6c46246a1dcac6940ca3f0f' (2024-08-03) → 'github:NixOS/nixpkgs/28e9b6d60ffd048dbbfbce525f8ab5bd726a22c3' (2024-09-10) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index a6fd892..2f0f2cc 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1722128034, - "narHash": "sha256-L8rwzYPsLo/TYtydPJoQyYOfetuiyQYnTWYcyB8UE/s=", + "lastModified": 1725757153, + "narHash": "sha256-c1a6iLmCVPFI9EUVMrBN8xdmFxFXEjcVwiTSVmqajOs=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "d15f6f6021693898fcd2c6a9bb13707383da9bbc", + "rev": "68584f89dd0eb16fea5d80ae127f3f681f6a5df7", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1722214420, - "narHash": "sha256-qfHC1p5hcErGcE672/KhBkyWYloekQpqIxtcbcUVYkA=", + "lastModified": 1725843519, + "narHash": "sha256-Z6DglUwgFDz6fIvQ89wx/uBVWrGvEGECq0Ypyk/eigE=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "75cbb2a5e19c18840d105a72d036c6c92fc46c5d", + "rev": "214efbd73241d72a8f48b8b9a73bb54895cd51a7", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722621932, - "narHash": "sha256-Uz5xeHsH7+qZVncZwfzGd+CTjxd0mwaP7Q/pbs7OB5c=", + "lastModified": 1725930920, + "narHash": "sha256-RVhD9hnlTT2nJzPHlAqrWqCkA7T6CYrP41IoVRkciZM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "15ed5d4537fd46399513bb040bf98415c825281b", + "rev": "44a71ff39c182edaf25a7ace5c9454e7cba2c658", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1722719323, - "narHash": "sha256-1O9VQB7WD1NKBz9maYGJAU0EqoajEYQSiSlrjdKWz8s=", + "lastModified": 1725982370, + "narHash": "sha256-SYyrZjFpB9oX+UZYfxigIzmZhqVk5OT9xhSsu8wP4mA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7f9ed2e65a92f1496daa9ab73539a9d02c2454b3", + "rev": "c711a6c3032741bd1384ac057b43b55989c63e72", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1722685361, - "narHash": "sha256-6Zn2SVJYffCtenHEHsb2PmzQsX5+cRsforNJZmlK630=", + "lastModified": 1725946965, + "narHash": "sha256-tt4Z99aNEuqEERF4H1TZ1t6GH/nU8A869mtgGVZIdfE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6602aa2586f35fc8c6c46246a1dcac6940ca3f0f", + "rev": "28e9b6d60ffd048dbbfbce525f8ab5bd726a22c3", "type": "github" }, "original": { From a7fbce4774c8ab63ec04371aa66c5451763651b3 Mon Sep 17 00:00:00 2001 
From: fi Date: Tue, 10 Sep 2024 17:50:35 +0200 Subject: [PATCH 172/386] Update mastodon to 4.2.12 and element-web to 1.11.77 --- config/hosts/mastodon/mastodon.nix | 4 ++-- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 9abd69d..7146635 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.10"; + version = "4.2.12"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-z3veI0CpZk6mBgygqXk8SN/5WWjy5VkKLxC7nOLnyZE="; + sha256 = "sha256-q+j7zHJrIUOumJfk4w5BVu7eTUa1AjI5ho8XoOA2uJU="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 8fe843c..c2d71d6 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.72"; + elementWebVersion = "1.11.77"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-3pa4OVHBWZvHLsnE2JK5+sVpOXBKO5yJSQJNJokdF98="; + sha256 = "sha256-O5Dt54fBoKalaeevBn7px/06Kiuhf6mvogLk4Bvvnrg="; }; elementWebSecurityHeaders = '' # Configuration best practices From ded3c53d827d6cd1171052d8e7de4445e4a28eb1 Mon Sep 17 00:00:00 2001 
From: fi Date: Tue, 10 Sep 2024 19:04:55 +0200 Subject: [PATCH 173/386] Set matrix m.authentication well-known entries --- config/hosts/web-public-2/virtualHosts/nekover.se.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 7c95ec5..6d1643a 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -16,7 +16,7 @@ ''; }; locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}}'"; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"m.authentication\": {\"issuer\": \"https://id.nekover.se\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'"; extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; From a732332f11855731775a77704d01994a2170d5f2 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 15 Sep 2024 17:35:06 +0200 Subject: [PATCH 174/386] Setup oidc for elementx --- config/hosts/web-public-2/virtualHosts/nekover.se.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 6d1643a..08a61ea 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix 
@@ -16,7 +16,7 @@ ''; }; locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"m.authentication\": {\"issuer\": \"https://id.nekover.se\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'"; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'"; extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; From f1113760c65baa9451ab06a0e7cd2ffb4d08ba78 Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 4 Oct 2024 16:03:21 +0200 Subject: [PATCH 175/386] Update mastodon to 4.2.13 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 7146635..0c511e9 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.12"; + version = "4.2.13"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-q+j7zHJrIUOumJfk4w5BVu7eTUa1AjI5ho8XoOA2uJU="; + sha256 = "sha256-+HGu02fjYJ1x6Tk9AdqmFN7JHk3UnlvCdiQ/5yMu69M="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" From 17481883b02128fe7d857407269b9c46364e2811 Mon Sep 17 00:00:00 2001 
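Review bot: The `org.matrix.msc2965.authentication` object in the new `return` line is hand-written JSON inside a single-quoted nginx string with every quote backslash-escaped; one missed escape produces an invalid document that clients treat as "no auth discovery" without any error on the server side. Let Nix generate the string with `builtins.toJSON` so the attrset is checked at evaluation time and quoting stops being manual (toJSON emits no single quotes for these values, so the nginx `'…'` wrapper stays valid). The issuer now includes the Keycloak realm, which looks like the fix over the previous commit; presumably it has to match the issuer the homeserver advertises for MSC3861, which I cannot verify from this hunk.
```nix
locations."/.well-known/matrix/client" = {
  return = "200 '${builtins.toJSON {
    "m.homeserver".base_url = "https://matrix.nekover.se";
    "m.identity_server".base_url = "https://vector.im";
    "org.matrix.msc3575.proxy".url = "https://matrix.nekover.se";
    "org.matrix.msc2965.authentication" = {
      issuer = "https://id.nekover.se/realms/nekoverse";
      account = "https://id.nekover.se/realms/nekoverse/account/";
    };
  }}'";
  # … unchanged: extraConfig with default_type and the CORS header …
};
```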
From: fi Date: Fri, 4 Oct 2024 16:10:16 +0200 Subject: [PATCH 176/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/214efbd73241d72a8f48b8b9a73bb54895cd51a7' (2024-09-09) → 'github:nix-community/nixos-generators/9ae128172f823956e54947fe471bc6dfa670ecb4' (2024-10-03) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/68584f89dd0eb16fea5d80ae127f3f681f6a5df7' (2024-09-08) → 'github:nix-community/nixpkgs.lib/bb58a3bf239e03fca9d51062e2fe028a4ea5a3d1' (2024-09-29) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/44a71ff39c182edaf25a7ace5c9454e7cba2c658' (2024-09-10) → 'github:NixOS/nixpkgs/0799dfba72420acad00f6c6b643e42f14589da6f' (2024-10-03) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/c711a6c3032741bd1384ac057b43b55989c63e72' (2024-09-10) → 'github:NixOS/nixpkgs/f8dd10da7e5eb9627059b29f1f2f4a0a0fd8351a' (2024-10-04) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/28e9b6d60ffd048dbbfbce525f8ab5bd726a22c3' (2024-09-10) → 'github:NixOS/nixpkgs/7f8bae4f304f2b6e60466ce1d562f4af258a4c79' (2024-10-04) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 2f0f2cc..9652cd3 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1725757153, - "narHash": "sha256-c1a6iLmCVPFI9EUVMrBN8xdmFxFXEjcVwiTSVmqajOs=", + "lastModified": 1727571693, + "narHash": "sha256-b7sFVeqMtz8xntCL3tBY3O8suTg5PeF53LTL3eCcKyc=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "68584f89dd0eb16fea5d80ae127f3f681f6a5df7", + "rev": "bb58a3bf239e03fca9d51062e2fe028a4ea5a3d1", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1725843519, - "narHash": "sha256-Z6DglUwgFDz6fIvQ89wx/uBVWrGvEGECq0Ypyk/eigE=", + "lastModified": 1727917377, + "narHash": "sha256-eefXdEPUMuhiV6Vy3ASSyApCseE9OoKDgL/G6qenw/4=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "214efbd73241d72a8f48b8b9a73bb54895cd51a7", + "rev": "9ae128172f823956e54947fe471bc6dfa670ecb4", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1725930920, - "narHash": "sha256-RVhD9hnlTT2nJzPHlAqrWqCkA7T6CYrP41IoVRkciZM=", + "lastModified": 1727985947, + "narHash": "sha256-LVnuk1974/hdzbs6CQS75NDwJZwhpRy9JryKX5SLQ0k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "44a71ff39c182edaf25a7ace5c9454e7cba2c658", + "rev": "0799dfba72420acad00f6c6b643e42f14589da6f", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1725982370, - "narHash": "sha256-SYyrZjFpB9oX+UZYfxigIzmZhqVk5OT9xhSsu8wP4mA=", + "lastModified": 1728050621, + "narHash": "sha256-z0bIPB1EkMDwCGg8PubWpleO5zsDrhCKTJhFu8k1DS4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c711a6c3032741bd1384ac057b43b55989c63e72", + "rev": "f8dd10da7e5eb9627059b29f1f2f4a0a0fd8351a", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1725946965, - "narHash": "sha256-tt4Z99aNEuqEERF4H1TZ1t6GH/nU8A869mtgGVZIdfE=", + "lastModified": 1728011170, + "narHash": "sha256-L/U/OCeiQCFG2Gg8IQaj1KB4lwoNXkvyjPYLxy9swy0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "28e9b6d60ffd048dbbfbce525f8ab5bd726a22c3", + "rev": "7f8bae4f304f2b6e60466ce1d562f4af258a4c79", "type": "github" }, "original": { From 75032445c72734f85ff8be9ce9ae84f32aafaead Mon Sep 17 00:00:00 2001 
From: fi Date: Sat, 5 Oct 2024 17:17:39 +0200 Subject: [PATCH 177/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/0799dfba72420acad00f6c6b643e42f14589da6f' (2024-10-03) → 'github:NixOS/nixpkgs/7886208f96bdd147662b47aa4432c013034bb02c' (2024-10-05) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/f8dd10da7e5eb9627059b29f1f2f4a0a0fd8351a' (2024-10-04) → 'github:NixOS/nixpkgs/ffec6dc98b42578b2cfea9b71e118228c46367a4' (2024-10-05) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/7f8bae4f304f2b6e60466ce1d562f4af258a4c79' (2024-10-04) → 'github:NixOS/nixpkgs/d5f1752ca905354f763f2fab62e6139310b5ce91' (2024-10-04) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 9652cd3..f175878 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1727985947, - "narHash": "sha256-LVnuk1974/hdzbs6CQS75NDwJZwhpRy9JryKX5SLQ0k=", + "lastModified": 1728121536, + "narHash": "sha256-9Sp+r9kK3l194lFZdF1s7AghothogNI/xTAduJd6zNI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0799dfba72420acad00f6c6b643e42f14589da6f", + "rev": "7886208f96bdd147662b47aa4432c013034bb02c", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1728050621, - "narHash": "sha256-z0bIPB1EkMDwCGg8PubWpleO5zsDrhCKTJhFu8k1DS4=", + "lastModified": 1728140783, + "narHash": "sha256-T5BHSQd388PZEKANzSYFTFFwIZx7EBCnwnLP4oRNqwo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f8dd10da7e5eb9627059b29f1f2f4a0a0fd8351a", + "rev": "ffec6dc98b42578b2cfea9b71e118228c46367a4", "type": "github" }, "original": { 
@@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1728011170, - "narHash": "sha256-L/U/OCeiQCFG2Gg8IQaj1KB4lwoNXkvyjPYLxy9swy0=", + "lastModified": 1728055773, + "narHash": "sha256-Fih2RMPboL+nuY7IEp3ujaCjLXLgFfoDQf+CT/GJdok=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7f8bae4f304f2b6e60466ce1d562f4af258a4c79", + "rev": "d5f1752ca905354f763f2fab62e6139310b5ce91", "type": "github" }, "original": { From f53512ab4acf14cfe603db47f34c4983c16c8ca3 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 29 Oct 2024 14:47:28 +0100 Subject: [PATCH 178/386] Update mastodon to v4.3.1 --- config/hosts/mastodon/mastodon.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 0c511e9..c4536eb 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -2,24 +2,24 @@ let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; - hash = "sha256-Fcbuj5BGkQd3X/gViqqB+NRIvjUlUED32tNEJrzYh5o="; + hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU="; }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.13"; + version = "4.3.1"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-+HGu02fjYJ1x6Tk9AdqmFN7JHk3UnlvCdiQ/5yMu69M="; + sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch" - "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch" - "${mastodonNekoversePatches}/patches/006_increase_profile_limits.patch" - "${mastodonNekoversePatches}/patches/007_increase_toot_character_limit.patch" + "${mastodonNekoversePatches}/patches/004_improve_custom_emoji_support.patch" + "${mastodonNekoversePatches}/patches/005_increase_profile_limits.patch" + "${mastodonNekoversePatches}/patches/006_increase_toot_character_limit.patch" ]; }; yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; From 24589f125a7b4de67530b76e21b7f010bd72c4ad Mon Sep 17 00:00:00 2001 
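Review bot: `mastodonNekoversePatches` is still fetched with only `url` and `hash` and no `rev`, so it tracks the default branch of yuri-qq/nekoverse-mastodon-patches; every upstream push forces a hash bump that cannot be reviewed against a specific commit, and the renumbering of 005–007 to 004–006 in this hunk is exactly that kind of opaque change. Pin it with `rev = "<commit>";` next to the hash so the patch set applied to Mastodon is reproducible from a commit id rather than from whatever HEAD was when the hash was last taken. The Mastodon source is fetched by the mutable `v${version}` tag, which is acceptable only because the sha256 fixes the content; the same pattern is what makes the patches repo worth pinning.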
From: fi Date: Tue, 29 Oct 2024 14:51:46 +0100 Subject: [PATCH 179/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/9ae128172f823956e54947fe471bc6dfa670ecb4?narHash=sha256-eefXdEPUMuhiV6Vy3ASSyApCseE9OoKDgL/G6qenw/4%3D' (2024-10-03) → 'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565?narHash=sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg%3D' (2024-10-21) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/bb58a3bf239e03fca9d51062e2fe028a4ea5a3d1?narHash=sha256-b7sFVeqMtz8xntCL3tBY3O8suTg5PeF53LTL3eCcKyc%3D' (2024-09-29) → 'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e?narHash=sha256-hUP9oxmnOmNnKcDOf5Y55HQ%2BNnoT0%2BbLWHLQWLLw9Ks%3D' (2024-10-20) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/7886208f96bdd147662b47aa4432c013034bb02c?narHash=sha256-9Sp%2Br9kK3l194lFZdF1s7AghothogNI/xTAduJd6zNI%3D' (2024-10-05) → 'github:NixOS/nixpkgs/dd6d18bf8d291daca03a444973bd4f9aa5c1f681?narHash=sha256-O2/v/ocUL0KsACqEIK5eD5XeX46duRIgKdOu6uCKarw%3D' (2024-10-28) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/ffec6dc98b42578b2cfea9b71e118228c46367a4?narHash=sha256-T5BHSQd388PZEKANzSYFTFFwIZx7EBCnwnLP4oRNqwo%3D' (2024-10-05) → 'github:NixOS/nixpkgs/ec7caabec9679b1a9008e0cbcfa4b14a2b600774?narHash=sha256-WPGVR8NW9ctqwLMtYV23b94ExQulTFoTKqD21WI3fbg%3D' (2024-10-29) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/d5f1752ca905354f763f2fab62e6139310b5ce91?narHash=sha256-Fih2RMPboL%2BnuY7IEp3ujaCjLXLgFfoDQf%2BCT/GJdok%3D' (2024-10-04) → 'github:NixOS/nixpkgs/75e28c029ef2605f9841e0baa335d70065fe7ae2?narHash=sha256-P8wF4ag6Srmpb/gwskYpnIsnspbjZlRvu47iN527ABQ%3D' (2024-10-28) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/flake.lock b/flake.lock index f175878..4534930 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1727571693, - "narHash": "sha256-b7sFVeqMtz8xntCL3tBY3O8suTg5PeF53LTL3eCcKyc=", + "lastModified": 1729386149, + "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "bb58a3bf239e03fca9d51062e2fe028a4ea5a3d1", + "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1727917377, - "narHash": "sha256-eefXdEPUMuhiV6Vy3ASSyApCseE9OoKDgL/G6qenw/4=", + "lastModified": 1729472750, + "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "9ae128172f823956e54947fe471bc6dfa670ecb4", + "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1728121536, - "narHash": "sha256-9Sp+r9kK3l194lFZdF1s7AghothogNI/xTAduJd6zNI=", + "lastModified": 1730142757, + "narHash": "sha256-O2/v/ocUL0KsACqEIK5eD5XeX46duRIgKdOu6uCKarw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7886208f96bdd147662b47aa4432c013034bb02c", + "rev": "dd6d18bf8d291daca03a444973bd4f9aa5c1f681", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1728140783, - "narHash": "sha256-T5BHSQd388PZEKANzSYFTFFwIZx7EBCnwnLP4oRNqwo=", + "lastModified": 1730209337, + "narHash": "sha256-WPGVR8NW9ctqwLMtYV23b94ExQulTFoTKqD21WI3fbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ffec6dc98b42578b2cfea9b71e118228c46367a4", + "rev": "ec7caabec9679b1a9008e0cbcfa4b14a2b600774", "type": "github" }, "original": { 
@@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1728055773, - "narHash": "sha256-Fih2RMPboL+nuY7IEp3ujaCjLXLgFfoDQf+CT/GJdok=", + "lastModified": 1730157240, + "narHash": "sha256-P8wF4ag6Srmpb/gwskYpnIsnspbjZlRvu47iN527ABQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d5f1752ca905354f763f2fab62e6139310b5ce91", + "rev": "75e28c029ef2605f9841e0baa335d70065fe7ae2", "type": "github" }, "original": { From f4544f588a25a556a7445cd351ef10e6263e30b0 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 29 Oct 2024 14:53:58 +0100 Subject: [PATCH 180/386] Update mastodon yarn hash --- config/hosts/mastodon/mastodon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index c4536eb..4bd22c2 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -22,7 +22,7 @@ let "${mastodonNekoversePatches}/patches/006_increase_toot_character_limit.patch" ]; }; - yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; + yarnHash = "sha256-e5c04M6XplAgaVyldU5HmYMYtY3MAWs+a8Z/BGSyGBg="; }); }; pkgs-overlay = nixpkgs-unstable.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; From 526286510a9293c89cf65d97eabbb083efe80cca Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 29 Oct 2024 16:22:12 +0100 Subject: [PATCH 181/386] Add mastodon active record encryption secrets --- config/hosts/mastodon/mastodon.nix | 3 +++ config/hosts/mastodon/secrets.nix | 24 ++++++++++++++++++++++++ hosts.nix | 1 + 3 files changed, 28 insertions(+) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 4bd22c2..b895735 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -46,6 +46,9 @@ in fromAddress = "Nekoverse "; }; streamingProcesses = 3; + activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret"; + activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret"; + activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret"; extraConfig = { SMTP_TLS = "true"; ES_PRESET = "single_node_cluster"; diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index f1f9457..950498d 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix @@ -41,5 +41,29 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "mastodon-active-record-encryption-primary-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-primary-key" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-active-record-encryption-key-derivation-salt.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-key-derivation-salt" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-active-record-encryption-deterministic-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-deterministic-key" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/hosts.nix b/hosts.nix index 5de4e6f..363f377 100644 --- a/hosts.nix +++ b/hosts.nix @@ -65,6 +65,7 @@ in environment = "proxmox"; }; mastodon = { + hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; From 5e2d516a4ca33d460f74973e9d0ab585b4a8bb88 Mon Sep 17 00:00:00 2001 
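Review bot: The hosts.nix hunk moves the whole mastodon host onto `nixpkgs-unstable` (`hostNixpkgs = nixpkgs-unstable;`), so its kernel, OpenSSH and every other package now follow nixos-unstable-small instead of the channel the other hosts use, while the commit message only mentions encryption secrets. If the motivation is the newer Mastodon module with the `activeRecordEncryption*File` options, say so on that line, `# 4.3.x needs the unstable mastodon module (activeRecordEncryption* options)`, or consider pulling only the module from unstable rather than the entire host. The three secrets.nix entries themselves look right: the key material stays outside the store under `/secrets`, is 0640 mastodon:mastodon, and is passed by path. As with any ActiveRecord encryption setup, losing the primary key makes already-encrypted columns unreadable, so the three pass entries should be in whatever backup the other Mastodon secrets already have.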
From: fi Date: Tue, 29 Oct 2024 18:48:14 +0100 Subject: [PATCH 182/386] Add Tangerine-UI to mastodon --- config/hosts/mastodon/mastodon.nix | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index b895735..ed168ff 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -1,5 +1,10 @@ -{ pkgs, nixpkgs-unstable, ... }: +{ pkgs, ... }: let + tangerineUI = pkgs.fetchgit { + url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; + rev = "v2.2"; + hash = "sha256-KyXDnpZh1DrY59jvdU42UicgBVvEGtvAGeU1mNxJauQ="; + }; mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU="; @@ -8,10 +13,21 @@ let mastodon = (prev.mastodon.override rec { version = "4.3.1"; srcOverride = final.applyPatches { - src = final.fetchgit { - url = "https://github.com/mastodon/mastodon.git"; - rev = "v${version}"; - sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4="; + src = pkgs.stdenv.mkDerivation { + name = "mastodonWithThemes"; + src = pkgs.fetchgit { + url = "https://github.com/mastodon/mastodon.git"; + rev = "v${version}"; + sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4="; + }; + installPhase = '' + cp -r ./ $out/ + cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/ + echo "tangerineui: styles/tangerineui.scss + tangerineui-purple: styles/tangerineui-purple.scss + tangerineui-cherry: styles/tangerineui-cherry.scss + tangerineui-lagoon: styles/tangerineui-lagoon.scss" >> $out/config/themes.yml + ''; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" 
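Review bot: `mastodonWithThemes` is a full `stdenv.mkDerivation`, so besides the `installPhase` shown here the default configure, build and fixup phases also run on the checkout: fixup rewrites shebangs under `bin/` to store paths before `applyPatches` ever sees the tree, and the build phase would run `make` if the checkout ever gains a Makefile. For a copy-and-append step that is unwanted; add `dontConfigure = true; dontBuild = true; dontFixup = true;` (or use `pkgs.runCommand`) so the source handed to the patch step is exactly upstream plus the theme files. The new lines also reach for `pkgs.stdenv`/`pkgs.fetchgit` where the surrounding overlay uses `final.`, which bypasses any later overlay of those packages; `final.` would be consistent with the rest of the block. TangerineUI itself is pinned by tag and hash, which is fine.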
@@ -25,7 +41,7 @@ let yarnHash = "sha256-e5c04M6XplAgaVyldU5HmYMYtY3MAWs+a8Z/BGSyGBg="; }); }; - pkgs-overlay = nixpkgs-unstable.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; + pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { From 1b39b6128dc201f7009981addce37be0a360d40d Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 30 Oct 2024 00:10:18 +0100 Subject: [PATCH 183/386] Configure fedifetcher for mastodon --- .../containers/fedifetcher/default.nix | 23 ++++++++++ .../containers/fedifetcher/fedifetcher.nix | 42 +++++++++++++++++++ config/hosts/mastodon/default.nix | 1 + config/hosts/mastodon/secrets.nix | 8 ++++ 4 files changed, 74 insertions(+) create mode 100644 config/hosts/mastodon/containers/fedifetcher/default.nix create mode 100644 config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix diff --git a/config/hosts/mastodon/containers/fedifetcher/default.nix b/config/hosts/mastodon/containers/fedifetcher/default.nix new file mode 100644 index 0000000..3f2617e --- /dev/null +++ b/config/hosts/mastodon/containers/fedifetcher/default.nix @@ -0,0 +1,23 @@ +{ nixpkgs-unstable, ... }: +{ + containers.fedifetcher = { + nixpkgs = nixpkgs-unstable; + autoStart = true; + + bindMounts = { + "/secrets" = { + hostPath = "/secrets-fedifetcher"; + isReadOnly = true; + }; + }; + + config = { ... }: { + imports = [ + ./fedifetcher.nix + ]; + + networking.useHostResolvConf = true; + system.stateVersion = "24.05"; + }; + }; +} diff --git a/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix new file mode 100644 index 0000000..7194c25 --- /dev/null +++ b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix 
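Review bot: `containers.fedifetcher` sets neither `privateNetwork` nor `privateUsers`, so it is a configuration boundary rather than a security one: the NixOS manual warns that root inside such a container can affect the host, and the `/secrets-fedifetcher` bind mount in fact relies on the shared uid space (the token file is root-owned on the host and read by the container's systemd as root). That is acceptable for a self-authored job, but it deserves a comment on the `containers.fedifetcher = {` line, e.g. `# NOTE: no privateUsers/privateNetwork -- used to pin fedifetcher to nixpkgs-unstable, not as an isolation boundary`. The read-only mount and `useHostResolvConf` are fine for a client that only needs outbound HTTPS.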
@@ -0,0 +1,42 @@ +{ pkgs, lib, ... }: +{ + # config copied from https://github.com/arachnist/nibylandia/blob/main/nixos/zorigami/default.nix + systemd.services.fedifetcher = { + path = [ pkgs.fedifetcher ]; + description = "fetch fedi posts"; + script = '' + fedifetcher + ''; + environment = lib.mapAttrs' (n: v: + (lib.nameValuePair ("ff_" + builtins.replaceStrings [ "-" ] [ "_" ] n) + (builtins.toString v))) { + server = "social.nekover.se"; + state-dir = "/var/lib/fedifetcher"; + lock-file = "/run/fedifetcher/fedifetcher.lock"; + from-lists = 1; + from-notifications = 1; + max-bookmarks = 80; + max-favourites = 40; + max-follow-requests = 80; + max-followers = 80; + max-followings = 80; + remember-hosts-for-days = 30; + remember-users-for-hours = 168; + reply-interval-in-hours = 2; + }; + serviceConfig = { + DynamicUser = true; + User = "fedifetcher"; + RuntimeDirectory = "fedifetcher"; + RuntimeDirectoryPreserve = true; + StateDirectory = "fedifetcher"; + UMask = "0077"; + EnvironmentFile = [ "/secrets/mastodon-fedifetcher-access-token.secret" ]; + }; + }; + + systemd.timers.fedifetcher = { + wantedBy = [ "multi-user.target" ]; + timerConfig = { OnCalendar = "*:0/5"; }; + }; +} diff --git a/config/hosts/mastodon/default.nix b/config/hosts/mastodon/default.nix index 5651eb8..dc52ff4 100644 --- a/config/hosts/mastodon/default.nix +++ b/config/hosts/mastodon/default.nix @@ -5,5 +5,6 @@ ./mastodon.nix ./opensearch.nix ./nginx.nix + ./containers/fedifetcher ]; } diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index 950498d..1389353 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix 
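Review bot: The Mastodon access token reaches fedifetcher through `EnvironmentFile=`, which places it in the unit's environment and therefore in the environment of every process it spawns; `LoadCredential=` would instead expose it as a file under `$CREDENTIALS_DIRECTORY` readable only by the dynamic user. Whether fedifetcher can read the token from a file is not visible here — if it only honours the `ff_`-prefixed variable, the `script` can source the credential file before invoking `fedifetcher` rather than having systemd export it. As far as I recall `DynamicUser = true` already implies `ProtectSystem=strict`, `PrivateTmp=` and `NoNewPrivileges=`, but the remaining sandboxing for a unit that needs only network, `/run/fedifetcher` and `/var/lib/fedifetcher` is not set; `PrivateDevices = true; ProtectKernelTunables = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];` would finish it. The lock file lives under `RuntimeDirectory` with `RuntimeDirectoryPreserve = true`, which is the right pairing with a 5-minute timer; a one-line comment saying so would prevent someone "cleaning up" the preserve flag.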
@@ -65,5 +65,13 @@
 permissions = "0640";
 uploadAt = "pre-activation";
 };
+ "mastodon-fedifetcher-access-token.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mastodon/fedifetcher-access-token" ];
+ destDir = "/secrets-fedifetcher";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
 };
 }
From 2fa9671c528a1e0f8b02a5dba4f92b608aa4ef8b Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 5 Nov 2024 01:41:15 +0100 Subject: [PATCH 184/386] Add cherry root user key to hydra builder
--- config/hosts/hydra/configuration.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix
index eff89d1..9b554d8 100644
--- a/config/hosts/hydra/configuration.nix
+++ b/config/hosts/hydra/configuration.nix
@@ -24,6 +24,7 @@
 users.users.builder = {
 isNormalUser = true;
 openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/plZfxF/RtB+pJsUYx9HUgRcB56EoO0uj+j3AGzZta root@cherry"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeIiHkHA5c6/jZx+BB28c5wchdzlFI7R1gbvNmPyoOg root@kiara"
 ];
 };
From b171f84ef75dea07628072721c9b42f7c493c264 Mon Sep 17 00:00:00 2001
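Review bot: The key added for root@cherry (like the existing root@kiara entry) carries no authorized_keys options, so cherry's root account gets an unrestricted interactive login on the hydra host instead of only the remote-build protocol the `builder` user exists for. If this account is used purely as a Nix remote builder, prefix each entry with `restrict,command="nix-store --serve --write" ` (for `ssh-ng://` builders the command is `nix-daemon --stdio`), which keeps a compromised client host from turning the builder into a shell; which store URL the clients use is not visible here, so confirm before switching. A short comment on the list naming which machine each key belongs to and why it may build here would also make future key rotation safer.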
From: fi Date: Thu, 7 Nov 2024 16:20:12 +0100 Subject: [PATCH 185/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/dd6d18bf8d291daca03a444973bd4f9aa5c1f681?narHash=sha256-O2/v/ocUL0KsACqEIK5eD5XeX46duRIgKdOu6uCKarw%3D' (2024-10-28) → 'github:NixOS/nixpkgs/83fb6c028368e465cd19bb127b86f971a5e41ebc?narHash=sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0%3D' (2024-11-07) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/ec7caabec9679b1a9008e0cbcfa4b14a2b600774?narHash=sha256-WPGVR8NW9ctqwLMtYV23b94ExQulTFoTKqD21WI3fbg%3D' (2024-10-29) → 'github:NixOS/nixpkgs/b651050919c85b9131fa0d2640115ffd9266daad?narHash=sha256-YsODAqOF2xAHyK4%2BpKiS9nmGu%2BvQW%2B9kc5P7uRCirIM%3D' (2024-11-07) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/75e28c029ef2605f9841e0baa335d70065fe7ae2?narHash=sha256-P8wF4ag6Srmpb/gwskYpnIsnspbjZlRvu47iN527ABQ%3D' (2024-10-28) → 'github:NixOS/nixpkgs/0093b93ec307d42f51ced7ce90dda6c37516e98a?narHash=sha256-fhkxOv9RGEoPZNyl7VOpHf0Xoqc%2Bbu0J/uW3BSg7tOs%3D' (2024-11-07) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 4534930..8912e2b 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730142757, - "narHash": "sha256-O2/v/ocUL0KsACqEIK5eD5XeX46duRIgKdOu6uCKarw=", + "lastModified": 1730963269, + "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dd6d18bf8d291daca03a444973bd4f9aa5c1f681", + "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc", "type": "github" }, "original": { 
@@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1730209337, - "narHash": "sha256-WPGVR8NW9ctqwLMtYV23b94ExQulTFoTKqD21WI3fbg=", + "lastModified": 1730992357, + "narHash": "sha256-YsODAqOF2xAHyK4+pKiS9nmGu+vQW+9kc5P7uRCirIM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ec7caabec9679b1a9008e0cbcfa4b14a2b600774", + "rev": "b651050919c85b9131fa0d2640115ffd9266daad", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1730157240, - "narHash": "sha256-P8wF4ag6Srmpb/gwskYpnIsnspbjZlRvu47iN527ABQ=", + "lastModified": 1730945957, + "narHash": "sha256-fhkxOv9RGEoPZNyl7VOpHf0Xoqc+bu0J/uW3BSg7tOs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "75e28c029ef2605f9841e0baa335d70065fe7ae2", + "rev": "0093b93ec307d42f51ced7ce90dda6c37516e98a", "type": "github" }, "original": { From e9460e0f80def0395f08893ba3cadd8c7b7aeee4 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 186/386] Initial commit --- configuration/common/default.nix | 46 +++++++++++++++++++ configuration/proxmox-vm/default.nix | 9 ++++ .../proxmox-vm/hardware-configuration.nix | 34 ++++++++++++++ flake.lock | 27 +++++++++++ flake.nix | 39 ++++++++++++++++ hosts/coturn/configuration.nix | 15 ++++++ hosts/coturn/coturn.nix | 45 ++++++++++++++++++ hosts/coturn/default.nix | 8 ++++ hosts/coturn/secrets.nix | 11 +++++ hosts/jackett/configuration.nix | 15 ++++++ hosts/jackett/jackett.nix | 6 +++ hosts/netbox/configuration.nix | 15 ++++++ hosts/netbox/netbox.nix | 10 ++++ hosts/nitter/configuration.nix | 15 ++++++ hosts/nitter/default.nix | 8 ++++ hosts/nitter/nginx.nix | 29 ++++++++++++ hosts/nitter/nitter.nix | 19 ++++++++ hosts/tor-relay/configuration.nix | 15 ++++++ hosts/tor-relay/tor.nix | 18 ++++++++ users/yuri/default.nix | 11 +++++ 20 files changed, 395 insertions(+) create mode 100644 configuration/common/default.nix create mode 100644 configuration/proxmox-vm/default.nix create mode 100644 configuration/proxmox-vm/hardware-configuration.nix create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hosts/coturn/configuration.nix create mode 100644 hosts/coturn/coturn.nix create mode 100644 hosts/coturn/default.nix create mode 100644 hosts/coturn/secrets.nix create mode 100644 hosts/jackett/configuration.nix create mode 100644 hosts/jackett/jackett.nix create mode 100644 hosts/netbox/configuration.nix create mode 100644 hosts/netbox/netbox.nix create mode 100644 hosts/nitter/configuration.nix create mode 100644 hosts/nitter/default.nix create mode 100644 hosts/nitter/nginx.nix create mode 100644 hosts/nitter/nitter.nix create mode 100644 hosts/tor-relay/configuration.nix create mode 100644 hosts/tor-relay/tor.nix create mode 100644 users/yuri/default.nix diff --git a/configuration/common/default.nix b/configuration/common/default.nix new file mode 100644 index 0000000..d89f1dc 
--- /dev/null
+++ b/configuration/common/default.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../../users/yuri
+ ];
+
+ time.timeZone = "Europe/Berlin";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ keyMap = "de-latin1";
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ nix.settings = {
+ trusted-users = [ "@wheel" ];
+ auto-optimise-store = true;
+ experimental-features = [ "nix-command" "flakes" ];
+ };
+
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+
+ environment.systemPackages = with pkgs; [
+ htop
+ parted
+ tmux
+ nano
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ services.fstrim.enable = true;
+}
diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix new file mode 100644
index 0000000..20d895c
--- /dev/null
+++ b/configuration/proxmox-vm/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ services.qemuGuest.enable = true;
+}
diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/configuration/proxmox-vm/hardware-configuration.nix new file mode 100644
index 0000000..c007292
--- /dev/null
+++ b/configuration/proxmox-vm/hardware-configuration.nix
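Review bot: `security.sudo.wheelNeedsPassword = false` combined with `nix.settings.trusted-users = [ "@wheel" ]` makes every SSH key of every wheel member a root credential on every host importing this module — once through sudo and once through the nix daemon, which trusted users can drive to arbitrary root-level changes — and nothing in the file records that this is the intended trade-off for unattended deploys. If passwordless sudo is only needed by the deployment account, name that user in `trusted-users` instead of the group and scope NOPASSWD to it with `security.sudo.extraRules` rather than to all of `wheel`. The SSH settings in the same hunk (`PasswordAuthentication = false`, `KbdInteractiveAuthentication = false`, `PermitRootLogin = "no"`) are the right defaults; a one-line comment above the sudo setting, e.g. `# passwordless sudo: required for unattended colmena deploys`, would state the intent.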
@@ -0,0 +1,34 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot = { + initrd = { + availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_blk" ]; + kernelModules = [ ]; + }; + + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + }; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + options = [ "x-nixos.autoresize" "x-initrd.mount" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..33a1357 --- /dev/null +++ b/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1688764204, + "narHash": "sha256-FsvK+tIvelCI0tWwlMDKfiyb7P/KfxpGbXMrdCKiT8s=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d8bb6c681cf86265fdcf3cc3119f757bbb085835", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..7b641bc --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,39 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
+ };
+
+ outputs = { nixpkgs, ... }: {
+ colmena = {
+ meta = {
+ nixpkgs = import nixpkgs {
+ system = "x86_64-linux";
+ };
+ };
+
+ nitter = { name, nodes, pkgs, ... }: {
+ deployment = {
+ targetHost = "nixos-nitter.vs.grzb.de";
+ targetUser = "yuri";
+ };
+ imports = [
+ ./configuration/common
+ ./configuration/proxmox-vm
+ ./hosts/nitter
+ ];
+ };
+
+ coturn = { name, nodes, pkgs, ... }: {
+ deployment = {
+ targetHost = "nixos-coturn.vs.grzb.de";
+ targetUser = "yuri";
+ };
+ imports = [
+ ./configuration/common
+ ./configuration/proxmox-vm
+ ./hosts/coturn
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/coturn/configuration.nix b/hosts/coturn/configuration.nix new file mode 100644
index 0000000..a5df358
--- /dev/null
+++ b/hosts/coturn/configuration.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "coturn";
+ firewall.enable = false;
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/coturn/coturn.nix b/hosts/coturn/coturn.nix new file mode 100644
index 0000000..c85dcba
--- /dev/null
+++ b/hosts/coturn/coturn.nix
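Review bot: `networking.firewall.enable = false` in hosts/coturn/configuration.nix switches the host firewall off entirely instead of opening what coturn needs, so every listener on the VM — coturn's metrics endpoint enabled in coturn.nix, and anything else later bound to `0.0.0.0` — is reachable from wherever the VM is routable; the same line appears in the nitter, jackett and netbox configurations and in tor-relay's, so this applies to the whole fleet. Keep the firewall on and declare the ports, e.g. for this host `networking.firewall = { allowedTCPPorts = [ 3478 5349 ]; allowedUDPPorts = [ 3478 5349 ]; allowedUDPPortRanges = [ { from = 49200; to = 49500; } ]; };`, taking the relay range from `min-port`/`max-port` in coturn.nix (3478/5349 are coturn's default listening ports; adjust if the module is configured otherwise). If disabling the firewall is deliberate because a Proxmox-level filter sits in front, a comment on the line should say so.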
@@ -0,0 +1,45 @@ +{ ... }: +{ + services.coturn = { + enable = true; + + min-port = 49200; + max-port = 49500; + use-auth-secret = true; + static-auth-secret-file = "/secrets/static-auth-secret.secret"; + realm = "turn.nekover.se"; + cert = "/certs/turn.nekover.se/fullchain.pem"; + pkey = "/certs/turn.nekover.se/key.pem"; + no-tcp-relay = true; + extraConfig = " + external-ip=170.133.2.81/10.202.41.118 + prometheus + syslog + + no-tlsv1 + no-tlsv1_1 + + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + + allowed-peer-ip=10.202.41.118 + + user-quota=12 + total-quota=1200 + "; + }; +} diff --git a/hosts/coturn/default.nix b/hosts/coturn/default.nix new file mode 100644 index 0000000..63c719c --- /dev/null +++ b/hosts/coturn/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./secrets.nix + ./coturn.nix + ]; +} diff --git a/hosts/coturn/secrets.nix b/hosts/coturn/secrets.nix new file mode 100644 index 0000000..415b223 --- /dev/null +++ b/hosts/coturn/secrets.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + deployment.keys."static-auth-secret.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "coturn/static-auth-secret" ]; + destDir = "/secrets"; + user = "turnserver"; + group = "turnserver"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} 
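Review bot: The `denied-peer-ip` list in `extraConfig` covers only IPv4 special-use ranges; if the relay ends up with IPv6 connectivity (the site evidently has it, given the static `2001:470:…` address configured for the tor-relay host later in this series), peers can still be relayed to `::1`, link-local `fe80::/10`, ULA `fc00::/7` and the IPv4-mapped `::ffff:0:0/96` range, which reopens exactly the internal access the IPv4 entries deny. Add the IPv6 equivalents from coturn's sample configuration beside the existing entries, e.g. `denied-peer-ip=::1`, `denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff`, `denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`; whether coturn listens on IPv6 at all depends on the listening-address settings, which are not in this hunk. Two smaller points: `extraConfig` is a plain `"…"` string, so every line's indentation is written into turnserver.conf verbatim (a `''…''` string strips it), and the bare `prometheus` line starts the metrics listener, which with the host firewall disabled in configuration.nix is reachable from outside and should be filtered. A comment explaining why `10.202.41.118` is re-allowed after the whole 10/8 deny would also help, since that exception is the one non-obvious line in the list.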
diff --git a/hosts/jackett/configuration.nix b/hosts/jackett/configuration.nix new file mode 100644 index 0000000..72e9795 --- /dev/null +++ b/hosts/jackett/configuration.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./jackett.nix + ]; + + networking = { + hostName = "jackett"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/jackett/jackett.nix b/hosts/jackett/jackett.nix new file mode 100644 index 0000000..1b8707e --- /dev/null +++ b/hosts/jackett/jackett.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.jackett = { + enable = true; + }; +} diff --git a/hosts/netbox/configuration.nix b/hosts/netbox/configuration.nix new file mode 100644 index 0000000..637244a --- /dev/null +++ b/hosts/netbox/configuration.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./tor.nix + ]; + + networking = { + hostName = "tor-relay"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/netbox/netbox.nix b/hosts/netbox/netbox.nix new file mode 100644 index 0000000..07674e6 --- /dev/null +++ b/hosts/netbox/netbox.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + services.netox = { + enable = true; + + settings = { + + }; + }; +} diff --git a/hosts/nitter/configuration.nix b/hosts/nitter/configuration.nix new file mode 100644 index 0000000..9abb412 --- /dev/null +++ b/hosts/nitter/configuration.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: +{ + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/vda"; + }; + + networking = { + hostName = "nitter"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/nitter/default.nix b/hosts/nitter/default.nix new file mode 100644 index 0000000..6aae884 --- /dev/null +++ b/hosts/nitter/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ./nitter.nix + ]; +} 
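Review bot: hosts/netbox/configuration.nix is a verbatim copy of the tor-relay configuration — it sets `hostName = "tor-relay"` and imports `./tor.nix` — so evaluating it as the netbox host would either fail or produce a second machine named tor-relay; change the hostname to `"netbox"` and the import to `./netbox.nix`. It, the jackett and the tor-relay configurations in this patch also import `./hardware-configuration.nix` relative to their own directory, and no such file is created under hosts/* in this commit (the only one lives in configuration/proxmox-vm, which the flake already imports for each node); none of the three is referenced from flake.nix yet, which is the only reason this is not breaking the build today. Either wire the hosts up properly or leave the directories out until they are deployed.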
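Review bot: `services.netox` in hosts/netbox/netbox.nix is a typo for `services.netbox`; as written the option path does not exist and the module fails to evaluate as soon as something imports it. The empty `settings = { }` adds nothing either — as far as I recall the netbox module also requires its secret-key file option to be set before the service can start — so either fill in the real configuration (and the matching secret via the deployment keys used for coturn) or drop the file until the host is actually configured.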
diff --git a/hosts/nitter/nginx.nix b/hosts/nitter/nginx.nix new file mode 100644 index 0000000..cdec9b4 --- /dev/null +++ b/hosts/nitter/nginx.nix @@ -0,0 +1,29 @@ +{ ... }: +{ + services.nginx = { + enable = true; + enableReload = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + virtualHosts = { + "nixos-nitter.vs.grzb.de" = { + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: /\\n\""; + }; + + locations."/" = { + proxyPass = "http://localhost:8080"; + extraConfig = + "proxy_http_version 1.1;" + + "proxy_set_header Upgrade $http_upgrade;" + + "proxy_set_header Connection \"upgrade\";" + + "proxy_set_header Host $host;" + ; + }; + }; + }; + }; +} diff --git a/hosts/nitter/nitter.nix b/hosts/nitter/nitter.nix new file mode 100644 index 0000000..de780ac --- /dev/null +++ b/hosts/nitter/nitter.nix @@ -0,0 +1,19 @@ +{ ... }: +{ + services.nitter = { + enable = true; + + server = { + title = "Birdsite"; + https = true; + address = "0.0.0.0"; + port = 8080; + }; + + preferences = { + theme = "Mastodon"; + replaceTwitter = "birdsite.nekover.se"; + infiniteScroll = true; + }; + }; +} diff --git a/hosts/tor-relay/configuration.nix b/hosts/tor-relay/configuration.nix new file mode 100644 index 0000000..637244a --- /dev/null +++ b/hosts/tor-relay/configuration.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./tor.nix + ]; + + networking = { + hostName = "tor-relay"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/tor-relay/tor.nix b/hosts/tor-relay/tor.nix new file mode 100644 index 0000000..54e9888 --- /dev/null +++ b/hosts/tor-relay/tor.nix 
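Review bot: The `nixos-nitter.vs.grzb.de` virtual host has neither `enableACME`/`forceSSL` nor `addSSL`, so nginx serves this site over plain HTTP only, `recommendedTlsSettings = true` has nothing to apply to, and nitter's `https = true` in nitter.nix of the same commit then generates https links that this proxy cannot serve. If TLS terminates on a proxy in front of the VM, say so in a comment and consider accepting traffic only from that proxy; otherwise `enableACME = true; forceSSL = true;` on the vhost (together with `security.acme.acceptTerms` and `security.acme.defaults.email`) closes the gap. The manual `proxy_set_header Host $host;` in `extraConfig` duplicates what `recommendedProxySettings = true` already emits, so only the `Upgrade`/`Connection` lines need to stay.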
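Review bot: `server.address = "0.0.0.0"` in hosts/nitter/nitter.nix binds nitter's own HTTP listener to every interface while the nginx vhost in the same commit only proxies to `http://localhost:8080`; with the host firewall disabled in hosts/nitter/configuration.nix, port 8080 is reachable directly, bypassing the proxy and its robots.txt rule. Use `address = "127.0.0.1";` so only the local proxy can reach it, or keep the bind and open the port deliberately if something else must connect.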
@@ -0,0 +1,18 @@ +{ ... }: +{ + services.tor = { + enable = true; + + settings = { + Nickname = "vsm"; + ORPort = 9001; + ExitRelay = false; + SOCKSPort = 0; + ControlSocket = null; + ContactInfo = "admin@grzb.de"; + RelayBandwidthRate = "70 MBits"; + RelayBandwidthBurst = "150 Mbits"; + DirPort = 9030; + }; + }; +} diff --git a/users/yuri/default.nix b/users/yuri/default.nix new file mode 100644 index 0000000..f85b37e --- /dev/null +++ b/users/yuri/default.nix @@ -0,0 +1,11 @@ +{ ... }: + +{ + users.users.yuri = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" + ]; + }; +} From 2ce9811f737ffdc65e0d7984e6d7c23a28dc5365 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 187/386] Add LICENSE --- LICENSE | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..c675a23 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2023 yuri + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. From 2960014d06191de49438cbdd4747c0b167edc655 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 188/386] Add .gitlab-ci.yml --- .gitlab-ci.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .gitlab-ci.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..e83ee8c --- /dev/null +++ b/.gitlab-ci.yml 
@@ -0,0 +1,30 @@ +default: + image: nixos/nix:2.16.1 + +stages: + - update_flake_lock + - build + - apply + - commit_flake + +update_flake_lock: + stage: update_flake_lock + script: + - nix flake update --extra-experimental-features nix-command --extra-experimental-features flakes + +build: + stage: build + script: + - nix-env --install colmena + - colmena build + +apply: + stage: apply + script: + - nix-env --install colmena + - colmena apply + +commit_flake: + stage: commit_flake + script: + - echo "commit_flake" \ No newline at end of file From 6d106e52c122e78802909f03004bb7693ff2639b Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 189/386] miau --- .gitignore | 1 + .gitlab-ci.yml | 2 +- configuration/common/default.nix | 1 - configuration/proxmox-vm/default.nix | 1 - flake.lock | 6 +++--- users/yuri/default.nix | 1 - 6 files changed, 5 insertions(+), 7 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..722d5e7 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.vscode diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e83ee8c..2a9bad2 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ apply: stage: apply script: - nix-env --install colmena - - colmena apply + - colmena apply --no-keys commit_flake: stage: commit_flake diff --git a/configuration/common/default.nix b/configuration/common/default.nix index d89f1dc..5150469 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix @@ -1,5 +1,4 @@ { config, pkgs, ... }: - { imports = [ ../../users/yuri diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix index 20d895c..644147a 100644 --- a/configuration/proxmox-vm/default.nix +++ b/configuration/proxmox-vm/default.nix @@ -1,5 +1,4 @@ { ... }: - { imports = [ ./hardware-configuration.nix diff --git a/flake.lock b/flake.lock index 33a1357..bfa6a15 100644 --- a/flake.lock +++ b/flake.lock 
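Review bot: `nix-env --install colmena` in the `build` and `apply` jobs installs whatever colmena version the image's default channel resolves at run time, so the tool that deploys every host is the one part of the pipeline not pinned by `flake.lock` (the `nixos/nix:2.16.1` image is pinned only by tag, which is mutable as well). Run colmena from the flake's own pinned nixpkgs instead — for example via `nix shell` against a pinned input, or by exposing it from a devShell output — so deploy tooling changes only when the lock file does, and consider pinning the image by digest. The `update_flake_lock` job also rewrites `flake.lock` without declaring it as an artifact, so the later stages build from the committed lock rather than the updated one; a later patch in this series addresses that.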
@@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1688764204, - "narHash": "sha256-FsvK+tIvelCI0tWwlMDKfiyb7P/KfxpGbXMrdCKiT8s=", + "lastModified": 1689048911, + "narHash": "sha256-pODI2CkjWbSLo5nPMZoLtkRNJU/Nr3VSITXZqqmNtIk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d8bb6c681cf86265fdcf3cc3119f757bbb085835", + "rev": "8163a64662b43848802092d52015ef60777d6129", "type": "github" }, "original": { diff --git a/users/yuri/default.nix b/users/yuri/default.nix index f85b37e..ff0ac57 100644 --- a/users/yuri/default.nix +++ b/users/yuri/default.nix @@ -1,5 +1,4 @@ { ... }: - { users.users.yuri = { isNormalUser = true; From b8c4c65752b97a5f06601c9088d666827de91dad Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 190/386] Add colmena apply stage --- .gitlab-ci.yml | 12 +++++++++++- configuration/common/default.nix | 3 ++- flake.lock | 6 +++--- flake.nix | 4 ++-- users/colmena-deploy/default.nix | 11 +++++++++++ 5 files changed, 29 insertions(+), 7 deletions(-) create mode 100644 users/colmena-deploy/default.nix diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2a9bad2..8a85abe 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,9 +22,19 @@ apply: stage: apply script: - nix-env --install colmena + - eval $(ssh-agent -s) + - chmod 600 "$SSH_PRIVATE_KEY" + - ssh-add "$SSH_PRIVATE_KEY" + - git clone https://oauth2:${ACCESS_TOKEN_KNOWN_HOSTS}@git.grzb.de/yuri/known_hosts.git /root/.ssh - colmena apply --no-keys commit_flake: stage: commit_flake + variables: + GIT_AUTHOR_EMAIL: $GIT_AUTHOR_EMAIL + GIT_AUTHOR_NAME: $GIT_AUTHOR_NAME + GIT_COMMITTER_EMAIL: $GIT_COMMITTER_EMAIL + GIT_COMMITTER_NAME: $GIT_COMMITTER_NAME + ACCESS_TOKEN: $ACCESS_TOKEN script: - - echo "commit_flake" \ No newline at end of file + - nix-env --install git diff --git a/configuration/common/default.nix b/configuration/common/default.nix index 5150469..71f1052 100644 --- a/configuration/common/default.nix 
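Review bot: The `git clone https://oauth2:${ACCESS_TOKEN_KNOWN_HOSTS}@…/known_hosts.git /root/.ssh` line leaves the token in `/root/.ssh/.git/config` for the rest of the job, echoes the command — token included — into the job log unless that variable is configured as masked, and replaces the runner's whole `~/.ssh` with a git checkout. A file-type CI variable holding the known_hosts content, which `chmod 600 "$SSH_PRIVATE_KEY"` suggests is already how the private key is supplied, avoids the token entirely: `install -m 644 "$SSH_KNOWN_HOSTS_FILE" /root/.ssh/known_hosts` (variable name constructed here, pick your own). The `VAR: $VAR` mappings under `commit_flake.variables` are no-ops — project variables are already visible to the job — unless they are meant to override environment-scoped values, in which case a comment should say so.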
+++ b/configuration/common/default.nix @@ -1,6 +1,7 @@ { config, pkgs, ... }: { imports = [ + ../../users/colmena-deploy ../../users/yuri ]; @@ -14,7 +15,7 @@ security.sudo.wheelNeedsPassword = false; nix.settings = { - trusted-users = [ "@wheel" ]; + trusted-users = [ "colmena-deploy" ]; auto-optimise-store = true; experimental-features = [ "nix-command" "flakes" ]; }; diff --git a/flake.lock b/flake.lock index bfa6a15..80f0d19 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689048911, - "narHash": "sha256-pODI2CkjWbSLo5nPMZoLtkRNJU/Nr3VSITXZqqmNtIk=", + "lastModified": 1689209875, + "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8163a64662b43848802092d52015ef60777d6129", + "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 7b641bc..c752aaa 100644 --- a/flake.nix +++ b/flake.nix @@ -14,7 +14,7 @@ nitter = { name, nodes, pkgs, ... }: { deployment = { targetHost = "nixos-nitter.vs.grzb.de"; - targetUser = "yuri"; + targetUser = "colmena-deploy"; }; imports = [ ./configuration/common @@ -26,7 +26,7 @@ coturn = { name, nodes, pkgs, ... }: { deployment = { targetHost = "nixos-coturn.vs.grzb.de"; - targetUser = "yuri"; + targetUser = "colmena-deploy"; }; imports = [ ./configuration/common diff --git a/users/colmena-deploy/default.nix b/users/colmena-deploy/default.nix new file mode 100644 index 0000000..bebd6ef --- /dev/null +++ b/users/colmena-deploy/default.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + users.users.colmena-deploy = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPJbR09ZqPnfZkx9JNjCurJDXWa5XtNeNQfkPRU/ZnY colmena-deploy" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" + ]; + }; +} 
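Review bot: The new `colmena-deploy` account is in `wheel`, which under `security.sudo.wheelNeedsPassword = false` from configuration/common makes both listed keys root-equivalent on every host, and the personal `yuri@kiara` key is added to it as well as to `users.users.yuri`; that doubles the blast radius of that key and removes the per-identity audit trail a dedicated deploy account is meant to provide. Keep only the CI key on `colmena-deploy`, deploy from the workstation as `yuri` (or through a separate key for that path), and add a comment naming where the `colmena-deploy` private key is stored so it can be rotated. The `trusted-users = [ "colmena-deploy" ]` change in the same patch is the right direction and should be mirrored by scoping the passwordless sudo to that user.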
From f426c9c0a94a748e05b97dc0c7da0b4781fb20b0 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 191/386] Add commit flake stage --- .gitlab-ci.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8a85abe..8cb05b5 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -3,7 +3,6 @@ default: stages: - update_flake_lock - - build - apply - commit_flake @@ -11,12 +10,9 @@ update_flake_lock: stage: update_flake_lock script: - nix flake update --extra-experimental-features nix-command --extra-experimental-features flakes - -build: - stage: build - script: - - nix-env --install colmena - - colmena build + artifacts: + paths: + - ./flake.lock apply: stage: apply @@ -26,7 +22,11 @@ apply: - chmod 600 "$SSH_PRIVATE_KEY" - ssh-add "$SSH_PRIVATE_KEY" - git clone https://oauth2:${ACCESS_TOKEN_KNOWN_HOSTS}@git.grzb.de/yuri/known_hosts.git /root/.ssh + - colmena build - colmena apply --no-keys + artifacts: + paths: + - ./flake.lock commit_flake: stage: commit_flake @@ -37,4 +37,5 @@ commit_flake: GIT_COMMITTER_NAME: $GIT_COMMITTER_NAME ACCESS_TOKEN: $ACCESS_TOKEN script: - - nix-env --install git + - git commit -m "Update flake.lock file" -m "Triggered by scheduled pipeline $CI_PIPELINE_ID at $CI_PIPELINE_CREATED_AT." || failure_code=$? + - if [ "$failure_code" == "" ]; then git push https://gitlab-runner-server:${ACCESS_TOKEN}@${CI_SERVER_HOST}/yuri/nix-infra.git HEAD:$CI_COMMIT_BRANCH; fi From 0db118799233f32d53793c1daadfdb2e5e07b385 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 192/386] Switch nitter from testing VM to production --- flake.lock | 8 ++++---- flake.nix | 4 ++-- hosts/coturn/configuration.nix | 1 - hosts/nitter/configuration.nix | 1 - hosts/nitter/nitter.nix | 2 ++ 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/flake.lock b/flake.lock index 80f0d19..68d3a4c 100644 --- a/flake.lock +++ b/flake.lock 
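Review bot: `git commit -m …` in `commit_flake` runs without staging anything, so with an updated `flake.lock` in the working tree it exits non-zero with "no changes added to commit", `failure_code` gets set, and the push is skipped on every run; add `- git add flake.lock` before the commit line or use `git commit -am …`. The `[ "$failure_code" == "" ]` test is a bashism and reads clearer as `if [ -z "$failure_code" ]`, and the push URL again embeds `${ACCESS_TOKEN}` in a command that is echoed to the job log unless the variable is masked. Removing `nix-env --install git` means the job now relies on git being present in the `nixos/nix` image — worth verifying, since the commit step will otherwise fail silently into the same `failure_code` path.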
@@ -2,16 +2,16 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689209875, - "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=", + "lastModified": 1689192006, + "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2", + "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.05", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index c752aaa..7323fd3 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,6 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; }; outputs = { nixpkgs, ... }: { @@ -13,7 +13,7 @@ nitter = { name, nodes, pkgs, ... }: { deployment = { - targetHost = "nixos-nitter.vs.grzb.de"; + targetHost = "nitter.vs.grzb.de"; targetUser = "colmena-deploy"; }; imports = [ diff --git a/hosts/coturn/configuration.nix b/hosts/coturn/configuration.nix index a5df358..d345b75 100644 --- a/hosts/coturn/configuration.nix +++ b/hosts/coturn/configuration.nix @@ -2,7 +2,6 @@ { boot.loader.grub = { enable = true; - version = 2; device = "/dev/vda"; }; diff --git a/hosts/nitter/configuration.nix b/hosts/nitter/configuration.nix index 9abb412..3ca72b4 100644 --- a/hosts/nitter/configuration.nix +++ b/hosts/nitter/configuration.nix @@ -2,7 +2,6 @@ { boot.loader.grub = { enable = true; - version = 2; device = "/dev/vda"; }; diff --git a/hosts/nitter/nitter.nix b/hosts/nitter/nitter.nix index de780ac..301a7ca 100644 --- a/hosts/nitter/nitter.nix +++ b/hosts/nitter/nitter.nix @@ -8,12 +8,14 @@ https = true; address = "0.0.0.0"; port = 8080; + hostname = "birdsite.nekover.se"; }; preferences = { theme = "Mastodon"; replaceTwitter = "birdsite.nekover.se"; infiniteScroll = true; + hlsPlayback = true; }; }; } 
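Review bot: `nixpkgs.url` moves all hosts from `nixos-23.05` to `nixos-unstable` with no comment on why, and combined with the scheduled `update_flake_lock` pipeline every run will now deploy whatever unstable HEAD is at that moment to the nitter, coturn and tor-relay hosts. That is a defensible choice if nitter needs a package newer than the release carries, but it trades predictable security backports for churn; a comment above the input recording the reason (and the package that needs it) lets a future maintainer move back to a release branch once it catches up. The `targetHost` change to `nitter.vs.grzb.de` in the second hunk reads as the actual production cut-over and could be mentioned in the commit description.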
From e09a241987d21e8f1a4e4c7ab091e953cff1df59 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 193/386] Add prometheus node exporter config --- configuration/common/default.nix | 1 + configuration/common/prometheus-node-exporter.nix | 7 +++++++ flake.lock | 6 +++--- 3 files changed, 11 insertions(+), 3 deletions(-) create mode 100644 configuration/common/prometheus-node-exporter.nix diff --git a/configuration/common/default.nix b/configuration/common/default.nix index 71f1052..78ac470 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix @@ -1,6 +1,7 @@ { config, pkgs, ... }: { imports = [ + ./prometheus-node-exporter.nix ../../users/colmena-deploy ../../users/yuri ]; diff --git a/configuration/common/prometheus-node-exporter.nix b/configuration/common/prometheus-node-exporter.nix new file mode 100644 index 0000000..ac2d1ac --- /dev/null +++ b/configuration/common/prometheus-node-exporter.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + services.prometheus.exporters.node = { + enable = true; + openFirewall = true; + }; +} diff --git a/flake.lock b/flake.lock index 68d3a4c..0648522 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689192006, - "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=", + "lastModified": 1689282004, + "narHash": "sha256-VNhuyb10c9SV+3hZOlxwJwzEGytZ31gN9w4nPCnNvdI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841", + "rev": "e74e68449c385db82de3170288a28cd0f608544f", "type": "github" }, "original": { From 89b86bcea58408a4a65e3dd2efa3f38792e5079b Mon Sep 17 00:00:00 2001 
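Review bot: `openFirewall = true` on the node exporter opens its port (9100 by default) on every interface, and the exporter itself binds to all addresses unless `listenAddress` is set, so host metrics — kernel, process, mount and network details — become readable by anyone who can reach the VM. Set `listenAddress` to the address Prometheus scrapes over (or an internal interface) and prefer `networking.firewall.interfaces.<iface>.allowedTCPPorts` over `openFirewall` so the rule is limited to that interface. Today the firewall is disabled on these hosts anyway, which makes `openFirewall` a no-op that will surprise whoever re-enables it; a comment stating which scraper is expected would document the intent.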
From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 194/386] Add tor-relay config --- flake.nix | 12 ++++++++++++ hosts/coturn/configuration.nix | 2 +- hosts/tor-relay/configuration.nix | 23 +++++++++++++++++------ hosts/tor-relay/default.nix | 7 +++++++ hosts/tor-relay/tor.nix | 4 ++-- 5 files changed, 39 insertions(+), 9 deletions(-) create mode 100644 hosts/tor-relay/default.nix diff --git a/flake.nix b/flake.nix index 7323fd3..8480f96 100644 --- a/flake.nix +++ b/flake.nix @@ -34,6 +34,18 @@ ./hosts/coturn ]; }; + + tor-relay = { name, nodes, pkgs, ...}: { + deployment = { + targetHost = "tor-relay.vs.grzb.de"; + targetUser = "colmena-deploy"; + }; + imports = [ + ./configuration/common + ./configuration/proxmox-vm + ./hosts/tor-relay + ]; + }; }; }; } diff --git a/hosts/coturn/configuration.nix b/hosts/coturn/configuration.nix index d345b75..094f157 100644 --- a/hosts/coturn/configuration.nix +++ b/hosts/coturn/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { boot.loader.grub = { enable = true; diff --git a/hosts/tor-relay/configuration.nix b/hosts/tor-relay/configuration.nix index 637244a..90dbc71 100644 --- a/hosts/tor-relay/configuration.nix +++ b/hosts/tor-relay/configuration.nix @@ -1,12 +1,23 @@ -{ config, pkgs, ... }: - +{ ... }: { - imports = [ - ./hardware-configuration.nix - ./tor.nix - ]; + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; networking = { + interfaces = { + "enp6s18".ipv6.addresses = [{ + address = "2001:470:5429::B3"; + prefixLength = 64; + }]; + }; + + defaultGateway6 = { + address = "2001:470:5429::1"; + interface = "enp6s18"; + }; + hostName = "tor-relay"; firewall.enable = false; }; diff --git a/hosts/tor-relay/default.nix b/hosts/tor-relay/default.nix new file mode 100644 index 0000000..585accc --- /dev/null +++ b/hosts/tor-relay/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./tor.nix + ]; +} 
diff --git a/hosts/tor-relay/tor.nix b/hosts/tor-relay/tor.nix index 54e9888..58efb89 100644 --- a/hosts/tor-relay/tor.nix +++ b/hosts/tor-relay/tor.nix @@ -10,8 +10,8 @@ SOCKSPort = 0; ControlSocket = null; ContactInfo = "admin@grzb.de"; - RelayBandwidthRate = "70 MBits"; - RelayBandwidthBurst = "150 Mbits"; + RelayBandwidthRate = "40 MBits"; + RelayBandwidthBurst = "50 Mbits"; DirPort = 9030; }; }; From 8de4bc39aa2a2478c5528e18cee9dcb3aba82da8 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 195/386] Add jackett config and generate colmena hosts from attribute set --- flake.lock | 6 +- flake.nix | 68 ++++++++----------- hosts/jackett/configuration.nix | 11 ++- hosts/jackett/default.nix | 7 ++ hosts/nitter/configuration.nix | 2 +- .../configuration.nix | 0 hosts/{coturn => nixos-coturn}/coturn.nix | 0 hosts/{coturn => nixos-coturn}/default.nix | 0 hosts/{coturn => nixos-coturn}/secrets.nix | 0 9 files changed, 46 insertions(+), 48 deletions(-) create mode 100644 hosts/jackett/default.nix rename hosts/{coturn => nixos-coturn}/configuration.nix (100%) rename hosts/{coturn => nixos-coturn}/coturn.nix (100%) rename hosts/{coturn => nixos-coturn}/default.nix (100%) rename hosts/{coturn => nixos-coturn}/secrets.nix (100%) diff --git a/flake.lock b/flake.lock index 0648522..e5a7558 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689282004, - "narHash": "sha256-VNhuyb10c9SV+3hZOlxwJwzEGytZ31gN9w4nPCnNvdI=", + "lastModified": 1689373857, + "narHash": "sha256-mtBksyvhhT98Zsm9tYHuMKuLwUKDwv+BGTl6K5nOGhY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e74e68449c385db82de3170288a28cd0f608544f", + "rev": "dfdbcc428f365071f0ca3888f6ec8c25c3792885", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 8480f96..928ebc4 100644 --- a/flake.nix +++ b/flake.nix 
@@ -3,49 +3,41 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; }; - outputs = { nixpkgs, ... }: { + outputs = { self, nixpkgs, ... }: { + hosts = { + nitter = { + site = "vs"; + }; + nixos-coturn = { + site = "vs"; + }; + tor-relay = { + site = "vs"; + }; + jackett = { + site = "vs"; + }; + }; + + generateColmenaHost = name: host : { + deployment = { + targetHost = "${name}.${host.site}.grzb.de"; + targetUser = "colmena-deploy"; + }; + + imports = [ + ./configuration/common + ./configuration/proxmox-vm + ./hosts/${name} + ]; + }; + colmena = { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; }; - - nitter = { name, nodes, pkgs, ... }: { - deployment = { - targetHost = "nitter.vs.grzb.de"; - targetUser = "colmena-deploy"; - }; - imports = [ - ./configuration/common - ./configuration/proxmox-vm - ./hosts/nitter - ]; - }; - - coturn = { name, nodes, pkgs, ... }: { - deployment = { - targetHost = "nixos-coturn.vs.grzb.de"; - targetUser = "colmena-deploy"; - }; - imports = [ - ./configuration/common - ./configuration/proxmox-vm - ./hosts/coturn - ]; - }; - - tor-relay = { name, nodes, pkgs, ...}: { - deployment = { - targetHost = "tor-relay.vs.grzb.de"; - targetUser = "colmena-deploy"; - }; - imports = [ - ./configuration/common - ./configuration/proxmox-vm - ./hosts/tor-relay - ]; - }; - }; + } // builtins.mapAttrs (self.generateColmenaHost) self.hosts; }; } diff --git a/hosts/jackett/configuration.nix b/hosts/jackett/configuration.nix index 72e9795..bd9bde9 100644 --- a/hosts/jackett/configuration.nix +++ b/hosts/jackett/configuration.nix @@ -1,10 +1,9 @@ -{ config, pkgs, ... }: - +{ ... }: { - imports = [ - ./hardware-configuration.nix - ./jackett.nix - ]; + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; networking = { hostName = "jackett"; diff --git a/hosts/jackett/default.nix b/hosts/jackett/default.nix new file mode 100644 index 0000000..98e612a --- /dev/null +++ b/hosts/jackett/default.nix 
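Review bot: `hosts` and `generateColmenaHost` become top-level flake outputs, which `nix flake check` is likely to report as unknown output attributes; a `let` binding around the outputs (or a `lib` attribute) keeps the helper internal while `colmena` can still use it. The helper also hard-couples the host directory name to the DNS label via `targetHost = "${name}.${host.site}.grzb.de"`, which is what forces the `hosts/coturn` → `hosts/nixos-coturn` rename in this same commit; an optional override, `targetHost = "${host.hostname or name}.${host.site}.grzb.de";`, would decouple the two. The parameter spacing in `generateColmenaHost = name: host : {` is inconsistent with the rest of the file.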
@@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./jackett.nix + ]; +} diff --git a/hosts/nitter/configuration.nix b/hosts/nitter/configuration.nix index 3ca72b4..a7002d0 100644 --- a/hosts/nitter/configuration.nix +++ b/hosts/nitter/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { boot.loader.grub = { enable = true; diff --git a/hosts/coturn/configuration.nix b/hosts/nixos-coturn/configuration.nix similarity index 100% rename from hosts/coturn/configuration.nix rename to hosts/nixos-coturn/configuration.nix diff --git a/hosts/coturn/coturn.nix b/hosts/nixos-coturn/coturn.nix similarity index 100% rename from hosts/coturn/coturn.nix rename to hosts/nixos-coturn/coturn.nix diff --git a/hosts/coturn/default.nix b/hosts/nixos-coturn/default.nix similarity index 100% rename from hosts/coturn/default.nix rename to hosts/nixos-coturn/default.nix diff --git a/hosts/coturn/secrets.nix b/hosts/nixos-coturn/secrets.nix similarity index 100% rename from hosts/coturn/secrets.nix rename to hosts/nixos-coturn/secrets.nix From 2daeaae0d131a932dbfb4244e1eed5e6d3f0fb83 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 196/386] Work on hydra config, fix tor relay config, prepare web-public-2 host --- configuration/common/default.nix | 9 +++++++- configuration/common/nginx.nix | 9 ++++++++ flake.lock | 6 ++--- flake.nix | 31 ++++++++++++++++++++++++++ hosts/hydra/configuration.nix | 14 ++++++++++++ hosts/hydra/default.nix | 10 +++++++++ hosts/hydra/hydra.nix | 14 ++++++++++++ hosts/hydra/nginx.nix | 33 ++++++++++++++++++++++++++++ hosts/hydra/nix-serve.nix | 9 ++++++++ hosts/hydra/secrets.nix | 11 ++++++++++ hosts/netbox/configuration.nix | 2 +- hosts/tor-relay/tor.nix | 10 +++++---- hosts/web-public-2/configuration.nix | 14 ++++++++++++ hosts/web-public-2/default.nix | 7 ++++++ hosts/web-public-2/nginx.nix | 6 +++++ 15 files changed, 176 insertions(+), 9 deletions(-) create mode 100644 configuration/common/nginx.nix create mode 100644 hosts/hydra/configuration.nix create mode 100644 hosts/hydra/default.nix create mode 100644 hosts/hydra/hydra.nix create mode 100644 hosts/hydra/nginx.nix create mode 100644 hosts/hydra/nix-serve.nix create mode 100644 hosts/hydra/secrets.nix create mode 100644 hosts/web-public-2/configuration.nix create mode 100644 hosts/web-public-2/default.nix create mode 100644 hosts/web-public-2/nginx.nix diff --git a/configuration/common/default.nix b/configuration/common/default.nix index 78ac470..b94e91c 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix @@ -1,7 +1,8 @@ -{ config, pkgs, ... }: +{ pkgs, ... }: { imports = [ ./prometheus-node-exporter.nix + ./nginx.nix ../../users/colmena-deploy ../../users/yuri ]; @@ -36,6 +37,7 @@ services.openssh = { enable = true; + openFirewall = true; settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; @@ -43,5 +45,10 @@ }; }; + security.acme = { + defaults.email = "acme@grzb.de"; + acceptTerms = true; + }; + services.fstrim.enable = true; } 
diff --git a/configuration/common/nginx.nix b/configuration/common/nginx.nix new file mode 100644 index 0000000..60fa3f9 --- /dev/null +++ b/configuration/common/nginx.nix @@ -0,0 +1,9 @@ +{ ... }: { + services.nginx = { + enableReload = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; +} diff --git a/flake.lock b/flake.lock index e5a7558..5ef1dda 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689373857, - "narHash": "sha256-mtBksyvhhT98Zsm9tYHuMKuLwUKDwv+BGTl6K5nOGhY=", + "lastModified": 1689534811, + "narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dfdbcc428f365071f0ca3888f6ec8c25c3792885", + "rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 928ebc4..bcace6a 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,9 @@ jackett = { site = "vs"; }; + #hydra = { + # site = "vs"; + #}; }; generateColmenaHost = name: host : { @@ -39,5 +42,33 @@ }; }; } // builtins.mapAttrs (self.generateColmenaHost) self.hosts; + + /* generateNixosSystem = { + name, + system ? "x86_64-linux", + group ? null, + modules ? [], + }: + let localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs; + in localNixpkgs.lib.nixosSystem { + modules = modules ++ [ + ./configuration/common + ./users/yuri + ./users/colmena-deploy + (./hosts + "/${name}") + ]; + }; */ + + hydraJobs = { + nixConfigurations.nitter = let system = "x86_64-linux"; + in nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + ./configuration/common + ./configuration/proxmox-vm + ./hosts/nitter + ]; + }; + }; }; } diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix new file mode 100644 index 0000000..6e602ac --- /dev/null +++ b/hosts/hydra/configuration.nix 
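Review bot: `hydraJobs.nixConfigurations.nitter` is set to the attribute set returned by `nixpkgs.lib.nixosSystem`, not to a derivation; Hydra expects each job to be a derivation and walks nested attribute sets as job groups, so it would most likely try to traverse the system's `config`/`options` tree instead of building it. Select the toplevel derivation: `nixConfigurations.nitter = (nixpkgs.lib.nixosSystem { ... }).config.system.build.toplevel;`. The module list duplicates the one in `generateColmenaHost`; reusing that list would keep what Hydra builds identical to what colmena deploys. The commented-out `generateNixosSystem` block is dead code in the committed file; if it is work in progress, a one-line `# TODO` saying so would make that clear.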
@@ -0,0 +1,14 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "hydra"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix new file mode 100644 index 0000000..c33a964 --- /dev/null +++ b/hosts/hydra/default.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./secrets.nix + ./hydra.nix + ./nix-serve.nix + ./nginx.nix + ]; +} diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix new file mode 100644 index 0000000..c8d4c3f --- /dev/null +++ b/hosts/hydra/hydra.nix @@ -0,0 +1,14 @@ +{ ... }: +{ + services.hydra = { + enable = true; + hydraURL = "https://hydra.nekover.se"; + listenHost = "localhost"; + port = 3001; + useSubstitutes = true; + notificationSender = "hydra@robot.grzb.de"; + extraConfig = " + binary_cache_public_uri = https://nix-cache.nekover.se + "; + }; +} diff --git a/hosts/hydra/nginx.nix b/hosts/hydra/nginx.nix new file mode 100644 index 0000000..7756928 --- /dev/null +++ b/hosts/hydra/nginx.nix @@ -0,0 +1,33 @@ +{ ... }: +{ + services.nginx = { + enable = true; + virtualHosts = { + + "hydra.nekover.se" = { + enableACME = true; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + }]; + locations."/" = { + proxyPass = "http://localhost:3001"; + }; + }; + + "nix-cache.nekover.se" = { + enableACME = true; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + }]; + locations."/" = { + proxyPass = "http://localhost:5005"; + }; + }; + + }; + }; +} diff --git a/hosts/hydra/nix-serve.nix b/hosts/hydra/nix-serve.nix new file mode 100644 index 0000000..75c18cb --- /dev/null +++ b/hosts/hydra/nix-serve.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + services.nix-serve = { + enable = true; + port = 5005; + bindAddress = "localhost"; + secretKeyFile = "/secrets/signing-key.secret"; + }; +} 
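Review bot: `networking.firewall.enable = false;` switches the firewall off for the whole host, while the only services this host is meant to expose are sshd (already opened by `services.openssh.openFirewall` in the common configuration) and nginx on 8443; `hydra` and `nix-serve` bind to localhost. Keeping the firewall on and opening only the intended port, `networking.firewall.allowedTCPPorts = [ 8443 ];`, keeps the host's exposure equal to its intended surface and means a new listener is a deliberate decision rather than implicitly public. The same pattern is introduced in `hosts/web-public-2/configuration.nix` in this commit, where the port list would follow from that host's nginx listeners.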
diff --git a/hosts/hydra/secrets.nix b/hosts/hydra/secrets.nix new file mode 100644 index 0000000..7ccf047 --- /dev/null +++ b/hosts/hydra/secrets.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + deployment.keys."signing-key.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/hosts/netbox/configuration.nix b/hosts/netbox/configuration.nix index 637244a..6040caf 100644 --- a/hosts/netbox/configuration.nix +++ b/hosts/netbox/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ diff --git a/hosts/tor-relay/tor.nix b/hosts/tor-relay/tor.nix index 58efb89..200e1e6 100644 --- a/hosts/tor-relay/tor.nix +++ b/hosts/tor-relay/tor.nix @@ -3,16 +3,18 @@ services.tor = { enable = true; + relay = { + enable = true; + role = "relay"; + }; + settings = { Nickname = "vsm"; ORPort = 9001; - ExitRelay = false; - SOCKSPort = 0; - ControlSocket = null; + DirPort = 9030; ContactInfo = "admin@grzb.de"; RelayBandwidthRate = "40 MBits"; RelayBandwidthBurst = "50 Mbits"; - DirPort = 9030; }; }; } diff --git a/hosts/web-public-2/configuration.nix b/hosts/web-public-2/configuration.nix new file mode 100644 index 0000000..dfeb4b0 --- /dev/null +++ b/hosts/web-public-2/configuration.nix @@ -0,0 +1,14 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "web-public-02"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/web-public-2/default.nix b/hosts/web-public-2/default.nix new file mode 100644 index 0000000..3db73ca --- /dev/null +++ b/hosts/web-public-2/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ]; +} 
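Review bot: The signing key is deployed with `user = "root"; group = "root"; permissions = "0640";`, but the NixOS `nix-serve` service runs as its own unprivileged user, so it can only read `/secrets/signing-key.secret` if the module hands the file over through systemd credentials rather than opening the path itself; check the module in the pinned nixpkgs, and if it opens the path directly, set `group` to the service's group. The `keyCommand` hard-codes `/home/yuri/...` paths, so a deploy only works from that one workstation account; a comment stating that requirement above the `deployment.keys` entry would save the next deployer a confusing failure.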
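Review bot: Removing `ExitRelay = false;`, `SOCKSPort = 0;` and `ControlSocket = null;` makes the relay depend on the defaults of the NixOS `services.tor` module for its exit policy and local ports; with `relay.role = "relay"` the module is expected to render a non-exit configuration, but this is precisely the setting where a wrong default matters, so either keep `ExitRelay = false;` explicitly or confirm the rendered torrc (`ExitRelay 0`, no SOCKSPort) after the first deploy. `RelayBandwidthRate = "40 MBits"` and `RelayBandwidthBurst = "50 Mbits"` spell the unit differently; tor treats units case-insensitively as far as I know, but one spelling reads better.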
diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix new file mode 100644 index 0000000..5c7acd6 --- /dev/null +++ b/hosts/web-public-2/nginx.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.nginx = { + enable = true; + }; +} From 752fa6f83417b49c6b839ddff7b7997e2973d81c Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 197/386] Add config for public reverse proxy --- configuration/common/default.nix | 1 + flake.lock | 6 +- flake.nix | 3 + hosts/web-public-2/configuration.nix | 16 +- hosts/web-public-2/nginx.nix | 303 ++++++++++++++++++++++++++- users/colmena-deploy/default.nix | 1 + users/yuri/default.nix | 1 + 7 files changed, 325 insertions(+), 6 deletions(-) diff --git a/configuration/common/default.nix b/configuration/common/default.nix index b94e91c..2136658 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix @@ -48,6 +48,7 @@ security.acme = { defaults.email = "acme@grzb.de"; acceptTerms = true; + preliminarySelfsigned = true; }; services.fstrim.enable = true; diff --git a/flake.lock b/flake.lock index 5ef1dda..3f90c88 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1689534811, - "narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=", + "lastModified": 1689679375, + "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222", + "rev": "684c17c429c42515bafb3ad775d2a710947f3d67", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index bcace6a..820a1dd 100644 --- a/flake.nix +++ b/flake.nix @@ -20,6 +20,9 @@ #hydra = { # site = "vs"; #}; + web-public-2 = { + site = "vs"; + }; }; generateColmenaHost = name: host : { diff --git a/hosts/web-public-2/configuration.nix b/hosts/web-public-2/configuration.nix index dfeb4b0..081ca9a 100644 --- a/hosts/web-public-2/configuration.nix 
+++ b/hosts/web-public-2/configuration.nix @@ -5,8 +5,20 @@ device = "/dev/vda"; }; - networking = { - hostName = "web-public-02"; + networking = { + interfaces = { + "enp6s18".ipv6.addresses = [{ + address = "2001:470:5429::96"; + prefixLength = 64; + }]; + }; + + defaultGateway6 = { + address = "2001:470:5429::1"; + interface = "enp6s18"; + }; + + hostName = "web-public-2"; firewall.enable = false; }; diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix index 5c7acd6..8d050aa 100644 --- a/hosts/web-public-2/nginx.nix +++ b/hosts/web-public-2/nginx.nix 
@@ -1,6 +1,307 @@ -{ ... }: +{ pkgs, ... }: { services.nginx = { enable = true; + + streamConfig = '' + map $ssl_preread_server_name $address { + anisync.grzb.de 127.0.0.1:8443; + birdsite.nekover.se 127.0.0.1:8443; + element.nekover.se 127.0.0.1:8443; + gameserver.grzb.de 127.0.0.1:8443; + git.grzb.de 127.0.0.1:8443; + hydra.nekover.se hydra.vs.grzb.de:8443; + matrix.nekover.se 127.0.0.1:8443; + mewtube.nekover.se 127.0.0.1:8443; + nekover.se 127.0.0.1:8443; + nextcloud.grzb.de 127.0.0.1:8443; + nix-cache.nekover.se hydra.vs.grzb.de:8443; + social.nekover.se 127.0.0.1:8443; + } + + server { + listen 0.0.0.0:443; + listen [::]:443; + proxy_pass $address; + ssl_preread on; + proxy_protocol on; + } + ''; + + virtualHosts = { + "nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/.well-known/matrix/server" = { + return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; + extraConfig = '' + add_header Content-Type application/json; + ''; + }; + locations."/.well-known/matrix/client" = { + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + }; + }; + + "anisync.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://anisync.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + extraConfig = '' + add_header X-Content-Type-Options nosniff; + ''; + }; + + "birdsite.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = 
true; + } + ]; + locations."/" = { + proxyPass = "http://nitter.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: /\\n\""; + }; + }; + + "element.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://element.vs.grzb.de"; + recommendedProxySettings = false; + extraConfig = '' + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + extraConfig = '' + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + ''; + }; + + "gameserver.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://pterodactyl.vs.grzb.de"; + extraConfig = '' + proxy_redirect off; + proxy_buffering off; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Content-Type-Options nosniff; + ''; + }; + + "git.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://gitlab.vs.grzb.de:80"; + extraConfig = '' + gzip off; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + ''; + }; + + "matrix.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 
8448; + ssl = true; + } + { + addr = "[::]"; + port = 8448; + ssl = true; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://matrix.vs.grzb.de:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 500M; + ''; + }; + }; + + "mewtube.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://cloudtube.vs.grzb.de:10412"; + }; + }; + + "nextcloud.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ { + addr = "0.0.0.0"; + port = 80; + }{ + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + locations."/" = { + proxyPass = "http://nextcloud.vs.grzb.de:80"; + }; + locations."= /.well-known/carddav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + locations."= /.well-known/caldav" = { + return = "301 $scheme://$host/remote.php/dav"; + extraConfig = '' + proxy_read_timeout 3600; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 4096m; + ''; + }; + + "social.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://mastodon.vs.grzb.de:80"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 80m; + ''; + }; + }; }; } diff --git a/users/colmena-deploy/default.nix b/users/colmena-deploy/default.nix index bebd6ef..1766855 100644 --- a/users/colmena-deploy/default.nix +++ b/users/colmena-deploy/default.nix 
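Review bot: Every virtual host behind the stream proxy receives its connections over PROXY protocol from `127.0.0.1:8443`, but nothing tells the http server to take the client address from the PROXY header, so `$remote_addr` is 127.0.0.1 everywhere: access logs, the `proxy_set_header X-Forwarded-For $remote_addr;` set for element.nekover.se and the headers added by `recommendedProxySettings` all report the proxy itself, and upstream rate limiting (GitLab, Mastodon, Synapse) sees a single client. Add to the http context, e.g. via `services.nginx.appendHttpConfig`: `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;`. Separately, all plaintext listeners are `addr = "0.0.0.0"; port = 80;` only, while the stream server also listens on `[::]:443`; if AAAA records exist for these names, HTTP→HTTPS redirects and HTTP-01 validation over IPv6 fail, so add a matching `{ addr = "[::]"; port = 80; }` entry — the same applies to the per-host files this configuration is split into in the following patch.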
@@ -6,6 +6,7 @@ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPJbR09ZqPnfZkx9JNjCurJDXWa5XtNeNQfkPRU/ZnY colmena-deploy" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" ]; }; } diff --git a/users/yuri/default.nix b/users/yuri/default.nix index ff0ac57..546de5e 100644 --- a/users/yuri/default.nix +++ b/users/yuri/default.nix @@ -5,6 +5,7 @@ extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" ]; }; } From 045b6ad8e7de9f0159c40c0545e68fe76601d723 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 198/386] Add janky nginx config with workaround for proxy protocol --- flake.nix | 6 +- hosts/hydra/nginx.nix | 10 + hosts/web-public-2/nginx.nix | 289 +----------------- .../virtualHosts/anisync.grzb.de.nix | 26 ++ .../virtualHosts/birdsite.nekover.se.nix | 26 ++ hosts/web-public-2/virtualHosts/default.nix | 25 ++ .../virtualHosts/element.nekover.se.nix | 33 ++ .../virtualHosts/gameserver.grzb.de.nix | 31 ++ .../web-public-2/virtualHosts/git.grzb.de.nix | 33 ++ .../virtualHosts/matrix.nekover.se.nix | 33 ++ .../virtualHosts/mewtube.nekover.se.nix | 22 ++ .../web-public-2/virtualHosts/nekover.se.nix | 32 ++ .../virtualHosts/nextcloud.grzb.de.nix | 32 ++ .../virtualHosts/social.nekover.se.nix | 26 ++ 14 files changed, 343 insertions(+), 281 deletions(-) create mode 100644 hosts/web-public-2/virtualHosts/anisync.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/default.nix create mode 100644 hosts/web-public-2/virtualHosts/element.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/git.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/matrix.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/social.nekover.se.nix diff --git a/flake.nix b/flake.nix index 820a1dd..7ea666b 100644 --- a/flake.nix +++ b/flake.nix @@ -17,9 +17,9 @@ jackett = { site = "vs"; }; - #hydra = { - # site = "vs"; - #}; + hydra = { + site = "vs"; + }; web-public-2 = { site = "vs"; }; diff --git a/hosts/hydra/nginx.nix b/hosts/hydra/nginx.nix index 7756928..e313c2d 100644 --- a/hosts/hydra/nginx.nix +++ b/hosts/hydra/nginx.nix 
@@ -5,11 +5,16 @@ virtualHosts = { "hydra.nekover.se" = { + forceSSL = true; enableACME = true; listen = [{ + addr = "127.0.0.1"; + port = 1234; + }{ addr = "0.0.0.0"; port = 8443; ssl = true; + proxyProtocol = true; }]; locations."/" = { proxyPass = "http://localhost:3001"; @@ -17,11 +22,16 @@ }; "nix-cache.nekover.se" = { + forceSSL = true; enableACME = true; listen = [{ + addr = "127.0.0.1"; + port = 1234; + }{ addr = "0.0.0.0"; port = 8443; ssl = true; + proxyProtocol = true; }]; locations."/" = { proxyPass = "http://localhost:5005"; diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix index 8d050aa..77d48ac 100644 --- a/hosts/web-public-2/nginx.nix +++ b/hosts/web-public-2/nginx.nix @@ -1,5 +1,9 @@ -{ pkgs, ... }: +{ ... }: { + imports = [ + ./virtualHosts + ]; + services.nginx = { enable = true; @@ -10,13 +14,14 @@ element.nekover.se 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; - hydra.nekover.se hydra.vs.grzb.de:8443; + hydra.nekover.se 10.202.41.121:8443; matrix.nekover.se 127.0.0.1:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; nextcloud.grzb.de 127.0.0.1:8443; - nix-cache.nekover.se hydra.vs.grzb.de:8443; + nix-cache.nekover.se 10.202.41.121:8443; social.nekover.se 127.0.0.1:8443; + test.grzb.de 127.0.0.1:8443; } server { 
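Review bot: `proxyProtocol = true;` on the `0.0.0.0:8443` listeners makes nginx accept a PROXY header from whichever peer connects, and since `hosts/hydra/configuration.nix` disables the firewall, any host that can reach 10.202.41.121:8443 can present an arbitrary client address; restrict the port to the reverse proxy's source address with a firewall rule on this host and, as on the proxy, configure `set_real_ip_from`/`real_ip_header proxy_protocol;` so the conveyed address is actually used and logged. The new `127.0.0.1:1234` plaintext listener has no external route; if it exists only to give the module's `forceSSL` redirect server a non-SSL listener, say so, e.g. `# loopback-only plain listener: satisfies the forceSSL/ACME server layout; real traffic arrives via PROXY protocol on 8443`. The same applies to the `nix-cache.nekover.se` hunk below.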
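Review bot: `hydra.nekover.se` and `nix-cache.nekover.se` now map to the literal `10.202.41.121:8443` instead of `hydra.vs.grzb.de:8443`; if the name was replaced because nginx resolves stream upstream names only at startup, a comment saying so prevents someone from switching it back, and the address should live in one place, e.g. `let hydra = "10.202.41.121:8443"; in` at the top of the file. `test.grzb.de 127.0.0.1:8443;` has no matching virtual host in `virtualHosts/default.nix`, so TLS for that name is answered by whichever vhost nginx selects as the default server on 127.0.0.1:8443, presenting a certificate for a different name; either add the vhost or drop the map entry until it exists.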
@@ -28,280 +33,8 @@ } ''; - virtualHosts = { - "nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/.well-known/matrix/server" = { - return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; - extraConfig = '' - add_header Content-Type application/json; - ''; - }; - locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin *; - ''; - }; - }; - - "anisync.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://anisync.vs.grzb.de:8080"; - proxyWebsockets = true; - }; - extraConfig = '' - add_header X-Content-Type-Options nosniff; - ''; - }; - - "birdsite.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://nitter.vs.grzb.de:8080"; - proxyWebsockets = true; - }; - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: /\\n\""; - }; - }; - - "element.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://element.vs.grzb.de"; - recommendedProxySettings = false; - extraConfig = '' - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - ''; - }; - extraConfig = '' - add_header X-Frame-Options 
SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; - ''; - }; - - "gameserver.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://pterodactyl.vs.grzb.de"; - extraConfig = '' - proxy_redirect off; - proxy_buffering off; - proxy_request_buffering off; - ''; - }; - extraConfig = '' - client_max_body_size 1024m; - add_header X-Content-Type-Options nosniff; - ''; - }; - - "git.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://gitlab.vs.grzb.de:80"; - extraConfig = '' - gzip off; - proxy_read_timeout 300; - proxy_connect_timeout 300; - proxy_redirect off; - ''; - }; - extraConfig = '' - client_max_body_size 1024m; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - ''; - }; - - "matrix.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - { - addr = "[::]"; - port = 8448; - ssl = true; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://matrix.vs.grzb.de:8008"; - extraConfig = '' - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size 500M; - ''; - }; - }; - - "mewtube.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - 
locations."/" = { - proxyPass = "http://cloudtube.vs.grzb.de:10412"; - }; - }; - - "nextcloud.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ { - addr = "0.0.0.0"; - port = 80; - }{ - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - locations."/" = { - proxyPass = "http://nextcloud.vs.grzb.de:80"; - }; - locations."= /.well-known/carddav" = { - return = "301 $scheme://$host/remote.php/dav"; - }; - locations."= /.well-known/caldav" = { - return = "301 $scheme://$host/remote.php/dav"; - extraConfig = '' - proxy_read_timeout 3600; - proxy_request_buffering off; - ''; - }; - extraConfig = '' - client_max_body_size 4096m; - ''; - }; - - "social.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://mastodon.vs.grzb.de:80"; - proxyWebsockets = true; - }; - extraConfig = '' - client_max_body_size 80m; - ''; - }; - }; + appendHttpConfig = '' + add_header Strict-Transport-Security "max-age=63072000" always; + ''; }; } diff --git a/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix new file mode 100644 index 0000000..6ccc410 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + services.nginx.virtualHosts."anisync.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://anisync.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + extraConfig = '' + add_header X-Content-Type-Options nosniff; + ''; + }; +} 
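Review bot: `add_header Strict-Transport-Security "max-age=63072000" always;` in `appendHttpConfig` is silently dropped on every response from a server or location block that has its own `add_header` directives, because nginx does not merge `add_header` across levels; in this tree that is anisync, element, gameserver and git, so exactly the vhosts that set security headers lose HSTS. Either repeat the HSTS line in each such `extraConfig`, or move the per-host `add_header` lines up into the http context so a single level sets them all. A comment above the line, `# NOTE: add_header does not inherit into blocks that set their own headers; repeat HSTS there`, would stop this from regressing.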
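Review bot: The PROXY-protocol listener is `addr = "localhost";` here and in the other `virtualHosts/*.nix` files, while the stream map sends traffic to the literal `127.0.0.1:8443`; nginx resolves `localhost` at startup from `/etc/hosts`, which may yield 127.0.0.1 and/or ::1, so which sockets get bound depends on resolver behaviour rather than on the config. Using the literal `addr = "127.0.0.1";` to match the stream map (or `[::1]` consistently on both sides) removes that dependency.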
diff --git a/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix new file mode 100644 index 0000000..1bf6ec5 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + services.nginx.virtualHosts."birdsite.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://nitter.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: /\\n\""; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/default.nix b/hosts/web-public-2/virtualHosts/default.nix new file mode 100644 index 0000000..f6aadad --- /dev/null +++ b/hosts/web-public-2/virtualHosts/default.nix @@ -0,0 +1,25 @@ +{ ... }: +{ + imports = [ + ./anisync.grzb.de.nix + ./birdsite.nekover.se.nix + ./element.nekover.se.nix + ./gameserver.grzb.de.nix + ./git.grzb.de.nix + ./matrix.nekover.se.nix + ./mewtube.nekover.se.nix + ./nekover.se.nix + ./nextcloud.grzb.de.nix + ./social.nekover.se.nix + ]; + + services.nginx.virtualHosts."_" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/hosts/web-public-2/virtualHosts/element.nekover.se.nix new file mode 100644 index 0000000..70385d1 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
@@ -0,0 +1,33 @@ +{ ... }: +{ + services.nginx.virtualHosts."element.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://element.vs.grzb.de"; + recommendedProxySettings = false; + extraConfig = '' + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + extraConfig = '' + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + ''; + }; +} diff --git a/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix new file mode 100644 index 0000000..ddb1332 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix @@ -0,0 +1,31 @@ +{ ... }: +{ + services.nginx.virtualHosts."gameserver.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://pterodactyl.vs.grzb.de"; + extraConfig = '' + proxy_redirect off; + proxy_buffering off; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Content-Type-Options nosniff; + ''; + }; +} diff --git a/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/hosts/web-public-2/virtualHosts/git.grzb.de.nix new file mode 100644 index 0000000..554421a --- /dev/null +++ b/hosts/web-public-2/virtualHosts/git.grzb.de.nix 
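Review bot: `add_header X-XSS-Protection "1; mode=block";` enables a legacy browser filter that current guidance recommends disabling, because the filter itself has been a cross-site information leak; `add_header X-XSS-Protection "0";` or dropping the line is the safer choice. `Content-Security-Policy "frame-ancestors 'none'"` already forbids all framing, so the separate `X-Frame-Options SAMEORIGIN` with a different policy only matters for browsers without CSP support — aligning it to `DENY` removes the contradiction. These four headers appear to mirror Element's documented example; a comment citing that source would explain why they differ from the set used for git.grzb.de.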
@@ -0,0 +1,33 @@ +{ ... }: +{ + services.nginx.virtualHosts."git.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://gitlab.vs.grzb.de:80"; + extraConfig = '' + gzip off; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + ''; + }; +} diff --git a/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix b/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix new file mode 100644 index 0000000..82455bf --- /dev/null +++ b/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix @@ -0,0 +1,33 @@ +{ ... }: +{ + services.nginx.virtualHosts."matrix.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + { + addr = "[::]"; + port = 8448; + ssl = true; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://matrix.vs.grzb.de:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 500M; + ''; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix new file mode 100644 index 0000000..835cb35 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix 
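Review bot: `matrix.nekover.se.nix` exposes the federation port `8448` on `0.0.0.0` and `[::]` and proxies `/_matrix` and `/_synapse/client` to Synapse over plain HTTP, but nothing in the hunk sets `X-Forwarded-For` or `X-Forwarded-Proto`, so whether Synapse sees real client addresses depends on the server-wide `services.nginx.recommendedProxySettings`, which is not visible here. Either set `recommendedProxySettings = true;` explicitly in that location or add a comment stating that the global default covers it. The `client_max_body_size 500M;` comment says it must match `max_upload_size` in homeserver.yaml, which lives on a different host; naming that file (`# keep in sync with max_upload_size in <path to the matrix host's homeserver config>`) would keep the two values from drifting. `git.grzb.de.nix` raises nothing beyond the same proxy-header question.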
@@ -0,0 +1,22 @@ +{ ... }: +{ + services.nginx.virtualHosts."mewtube.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://cloudtube.vs.grzb.de:10412"; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/nekover.se.nix b/hosts/web-public-2/virtualHosts/nekover.se.nix new file mode 100644 index 0000000..58847cd --- /dev/null +++ b/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -0,0 +1,32 @@ +{ ... }: +{ + services.nginx.virtualHosts."nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/.well-known/matrix/server" = { + return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; + extraConfig = '' + add_header Content-Type application/json; + ''; + }; + locations."/.well-known/matrix/client" = { + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix new file mode 100644 index 0000000..7a3f7d2 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix 
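Review bot: In `nekover.se.nix`, the `/.well-known/matrix/server` location uses `add_header Content-Type application/json;`, which appends a second Content-Type header next to the `text/plain` one nginx derives from `default_type` for a `return` response, whereas the sibling `/.well-known/matrix/client` location correctly uses `default_type application/json;`. Change the server location to `default_type application/json;` so both well-known endpoints answer with a single, correct content type. The client location additionally sets `Access-Control-Allow-Origin *`, which is required by the Matrix client discovery spec; a short comment saying so would explain why the two locations differ. `mewtube.nekover.se.nix` raises nothing new.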
@@ -0,0 +1,32 @@ +{ ... }: +{ + services.nginx.virtualHosts."nextcloud.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ { + addr = "0.0.0.0"; + port = 80; + }{ + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + locations."/" = { + proxyPass = "http://nextcloud.vs.grzb.de:80"; + }; + locations."= /.well-known/carddav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + locations."= /.well-known/caldav" = { + return = "301 $scheme://$host/remote.php/dav"; + extraConfig = '' + proxy_read_timeout 3600; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 4096m; + ''; + }; +} diff --git a/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/hosts/web-public-2/virtualHosts/social.nekover.se.nix new file mode 100644 index 0000000..5024b8f --- /dev/null +++ b/hosts/web-public-2/virtualHosts/social.nekover.se.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + services.nginx.virtualHosts."social.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://mastodon.vs.grzb.de:80"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 80m; + ''; + }; +} From d1a9b3f082a6b6a2fbb9e97c038ae2fb599b1a84 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 199/386] Enable localhost as buld machine for hydra --- hosts/hydra/configuration.nix | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix index 6e602ac..5596bb5 100644 --- a/hosts/hydra/configuration.nix +++ b/hosts/hydra/configuration.nix 
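Review bot: In `nextcloud.grzb.de.nix`, `proxy_read_timeout 3600;` and `proxy_request_buffering off;` sit inside `locations."= /.well-known/caldav"`, which only issues a `return 301` and never proxies, so both directives are dead; they look intended for `locations."/"`, which proxies to `http://nextcloud.vs.grzb.de:80` and is where long sync requests and large uploads actually pass through. Move them there as `locations."/".extraConfig = '' proxy_read_timeout 3600; proxy_request_buffering off; '';`. A comment explaining why `client_max_body_size 4096m;` was chosen (presumably the Nextcloud upload limit) would also help, since the social vhost in the same commit uses `80m` with no explanation either. `social.nekover.se.nix` raises nothing new.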
@@ -1,8 +1,16 @@ { ... }: { - boot.loader.grub = { - enable = true; - device = "/dev/vda"; + boot = { + loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + binfmt.emulatedSystems = [ + "armv6l-linux" + "armv7l-linux" + "aarch64-linux" + ]; }; networking = { @@ -10,5 +18,20 @@ firewall.enable = false; }; + nix = { + settings.allowed-uris = "http:// https://"; + buildMachines = [ + { + hostName = "localhost"; + systems = [ + "x86_64-linux" + "armv6l-linux" + "armv7l-linux" + "aarch64-linux" + ]; + } + ]; + }; + system.stateVersion = "23.05"; } From 99c40b54b67afc66a169aefd308306dfaf14d775 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 200/386] Serve element-web directly from web-public-2 --- flake.nix | 16 ----- .../element-web-config/config.json | 48 ++++++++++++++ .../virtualHosts/element.nekover.se.nix | 66 ++++++++++++++++--- 3 files changed, 106 insertions(+), 24 deletions(-) create mode 100644 hosts/web-public-2/virtualHosts/element-web-config/config.json diff --git a/flake.nix b/flake.nix index 7ea666b..95eb8e1 100644 --- a/flake.nix +++ b/flake.nix @@ -46,22 +46,6 @@ }; } // builtins.mapAttrs (self.generateColmenaHost) self.hosts; - /* generateNixosSystem = { - name, - system ? "x86_64-linux", - group ? null, - modules ? [], - }: - let localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs; - in localNixpkgs.lib.nixosSystem { - modules = modules ++ [ - ./configuration/common - ./users/yuri - ./users/colmena-deploy - (./hosts + "/${name}") - ]; - }; */ - hydraJobs = { nixConfigurations.nitter = let system = "x86_64-linux"; in nixpkgs.lib.nixosSystem { diff --git a/hosts/web-public-2/virtualHosts/element-web-config/config.json b/hosts/web-public-2/virtualHosts/element-web-config/config.json new file mode 100644 index 0000000..96b6288 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/element-web-config/config.json 
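Review bot: `settings.allowed-uris = "http:// https://";` in `hosts/hydra/configuration.nix` lets Hydra's restricted evaluator fetch from any HTTP or HTTPS URL, which removes most of the protection restricted evaluation provides against a malicious or mistaken flake input pulling arbitrary remote content into an evaluation. Narrow the list to the origins this flake's inputs actually resolve to; the inputs shown in this series are all `github:` references, so something like `settings.allowed-uris = "https://github.com/ https://api.github.com/";` is the starting point, to be confirmed against Hydra's evaluation errors. A short comment stating why each prefix is needed would keep the list from growing back to a wildcard. The `binfmt.emulatedSystems` list is now duplicated inside `nix.buildMachines[0].systems`; a `let emulated = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ]; in` binding used in both places would keep them in sync. The `flake.nix` hunk only deletes a commented-out block.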
@@ -0,0 +1,48 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "https://matrix.nekover.se", + "server_name": "Nekoverse" + }, + "m.identity_server": { + "base_url": "https://vector.im" + } + }, + "disable_custom_urls": false, + "disable_guests": false, + "disable_login_language_selector": false, + "disable_3pid_login": false, + "brand": "Element", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_widgets_urls": [ + "https://scalar.vector.im/_matrix/integrations/v1", + "https://scalar.vector.im/api", + "https://scalar-staging.vector.im/_matrix/integrations/v1", + "https://scalar-staging.vector.im/api", + "https://scalar-staging.riot.im/scalar/api" + ], + "bug_report_endpoint_url": "https://element.io/bugreports/submit", + "uisi_autorageshake_app": "element-auto-uisi", + "defaultCountryCode": "DE", + "showLabsSettings": true, + "features": { }, + "default_federate": true, + "default_theme": "dark", + "roomDirectory": { + "servers": [ + "matrix.org" + ] + }, + "piwik": false, + "enable_presence_by_hs_url": { + "https://matrix.org": false, + "https://matrix-client.matrix.org": false + }, + "settingDefaults": { + "breadcrumbs": true + }, + "jitsi": { + "preferredDomain": "meet.element.io" + } +} diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 70385d1..c4fdb27 100644 --- a/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
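Review bot: `bug_report_endpoint_url` pointing at `https://element.io/bugreports/submit` together with `uisi_autorageshake_app` means clients of this self-hosted instance can send rageshake reports (client logs, which include room IDs, user IDs and device details) to a third-party endpoint, and depending on client settings the UISI case may do so without a user action. If that is intended, a note next to this file's use in the vhost module should say so; otherwise drop both keys or point them at an endpoint you operate. `showLabsSettings: true` also exposes every labs toggle to all users, which is reasonable for a small community but worth recording as a deliberate choice. The document itself is valid strict JSON with consistent types.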
@@ -1,12 +1,25 @@ -{ ... }: +{ pkgs, ... }: +let + element-web = pkgs.fetchzip { + url = "https://github.com/vector-im/element-web/releases/download/v1.11.36/element-v1.11.36.tar.gz"; + sha256 = "sha256-HbKqfcYH3JWbrAeaYCF/Lg7D7bl5VSgsitxKQdvf+Oc="; + }; +in { services.nginx.virtualHosts."element.nekover.se" = { forceSSL = true; enableACME = true; + root = pkgs.buildEnv { + name = "element-web"; + paths = [ + element-web + ./element-web-config + ]; + }; listen = [ { - addr = "0.0.0.0"; - port = 80; + addr = "localhost"; + port = 1234; } { addr = "localhost"; 
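Review bot: The element-web version appears twice in the `fetchzip` URL (`v1.11.36` in the release path and `element-v1.11.36.tar.gz` in the file name), so a future bump can update one and not the other, and the mistake surfaces only as a 404 or a hash mismatch. Hoist it into the existing `let`: `version = "1.11.36";` and `url = "https://github.com/vector-im/element-web/releases/download/v${version}/element-v${version}.tar.gz";`. Pinning the archive by `sha256` is the right supply-chain control; a comment recording where the hash came from and that it must be refreshed on every upgrade makes that explicit. The replacement of the public port-80 listener with `addr = "localhost"; port = 1234;` has no comment explaining its purpose; a later commit in this series labels the same pattern a workaround for the enableACME check, and that explanation belongs here as well.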
@@ -15,19 +28,56 @@ proxyProtocol = true; } ]; - locations."/" = { - proxyPass = "http://element.vs.grzb.de"; - recommendedProxySettings = false; + + # Set no-cache for the version, config and index.html + # so that browsers always check for a new copy of Element Web. + # NB http://your-domain/ and http://your-domain/? are also covered by this + + locations."= /index.html" = { extraConfig = '' - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + add_header Cache-Control "no-cache"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + add_header Strict-Transport-Security "max-age=63072000" always; + ''; + }; + locations."= /version" = { + extraConfig = '' + add_header Cache-Control "no-cache"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + add_header Strict-Transport-Security "max-age=63072000" always; + ''; + }; + # covers config.json and config.hostname.json requests as it is prefix. 
+ locations."/config" = { + extraConfig = '' + add_header Cache-Control "no-cache"; + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + add_header Strict-Transport-Security "max-age=63072000" always; ''; }; extraConfig = '' + index index.html; + + # Configuration best practices + # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Content-Security-Policy "frame-ancestors 'none'"; + + add_header Strict-Transport-Security "max-age=63072000" always; + + # redirect server error pages to the static page /50x.html + error_page 500 502 503 504 /50x.html; ''; }; } From 0b49bd74a66b46599a51860c468940171f2f044b Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 201/386] Add output for nixos-generators --- .gitignore | 1 + configuration/nixos-generators/default.nix | 14 +++++++ configuration/proxmox-vm/default.nix | 4 -- .../proxmox-vm/hardware-configuration.nix | 2 +- flake.lock | 37 +++++++++++++++++++ flake.nix | 20 +++++++++- 6 files changed, 72 insertions(+), 6 deletions(-) create mode 100644 configuration/nixos-generators/default.nix diff --git a/.gitignore b/.gitignore index 722d5e7..02b9567 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .vscode +result diff --git a/configuration/nixos-generators/default.nix b/configuration/nixos-generators/default.nix new file mode 100644 index 0000000..2cda85e --- /dev/null +++ b/configuration/nixos-generators/default.nix @@ -0,0 +1,14 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "base"; + firewall.enable = true; + }; + + system.stateVersion = "23.05"; +} 
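Review bot: The six-line `add_header` set is repeated verbatim in `locations."= /index.html"`, `locations."= /version"`, `locations."/config"` and the server-level `extraConfig` of `element.nekover.se.nix`; nginx's `add_header` inheritance (a location that declares its own `add_header` drops every server-level one) makes the repetition necessary, but as written the four copies currently match only by discipline and nothing keeps them that way. Factor the list into a binding in the file's existing `let` (which starts in the previous hunk) and interpolate it in each `extraConfig`, with the inheritance rule stated once in a comment. `error_page 500 502 503 504 /50x.html;` refers to a `50x.html` that the `buildEnv` root (element-web plus `./element-web-config`) does not obviously provide, so a 5xx would likely turn into a 404; confirm the file exists or drop the directive. The `.gitignore` and `configuration/nixos-generators/default.nix` hunks raise nothing.
```nix
let
  # Every response must carry these. nginx drops all server-level
  # add_header directives in any location that declares its own, so each
  # location re-emits the full list instead of only Cache-Control.
  securityHeaders = ''
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "frame-ancestors 'none'";
    add_header Strict-Transport-Security "max-age=63072000" always;
  '';
  # … unchanged: element-web = pkgs.fetchzip { … }; …
in
    # … unchanged: forceSSL, enableACME, root, listen …
    locations."= /index.html".extraConfig = ''
      add_header Cache-Control "no-cache";
      ${securityHeaders}
    '';
    locations."= /version".extraConfig = ''
      add_header Cache-Control "no-cache";
      ${securityHeaders}
    '';
    # covers config.json and config.hostname.json requests as it is prefix.
    locations."/config".extraConfig = ''
      add_header Cache-Control "no-cache";
      ${securityHeaders}
    '';
    extraConfig = ''
      index index.html;
      ${securityHeaders}
      # … unchanged: error_page …
    '';
```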
diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix index 644147a..65105c0 100644 --- a/configuration/proxmox-vm/default.nix +++ b/configuration/proxmox-vm/default.nix @@ -1,8 +1,4 @@ { ... }: { - imports = [ - ./hardware-configuration.nix - ]; - services.qemuGuest.enable = true; } diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/configuration/proxmox-vm/hardware-configuration.nix index c007292..5fbbefa 100644 --- a/configuration/proxmox-vm/hardware-configuration.nix +++ b/configuration/proxmox-vm/hardware-configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, modulesPath, ... }: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") diff --git a/flake.lock b/flake.lock index 3f90c88..f4f6d2d 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,41 @@ { "nodes": { + "nixlib": { + "locked": { + "lastModified": 1689469483, + "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690133435, + "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1689679375, @@ -18,6 +54,7 @@ }, "root": { "inputs": { + "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs" } } diff --git a/flake.nix b/flake.nix index 95eb8e1..3fab58a 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,9 +1,13 @@ { inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixos-generators = { + url = "github:nix-community/nixos-generators"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { self, nixpkgs, ... }: { + outputs = { self, nixpkgs, nixos-generators, ... }: { hosts = { nitter = { site = "vs"; @@ -34,6 +38,7 @@ imports = [ ./configuration/common ./configuration/proxmox-vm + ./configuration/proxmox-vm/hardware-configuration.nix ./hosts/${name} ]; }; @@ -57,5 +62,18 @@ ]; }; }; + + # Generate a base VM image for Proxmox with `nix build .#base-proxmox` + packages.x86_64-linux = { + base-proxmox = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = [ + ./configuration/common + ./configuration/nixos-generators + ./configuration/proxmox-vm + ]; + format = "proxmox"; + }; + }; }; } From 2636e6769ba6568ea77d86f1a29c75d19b5e4a3f Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 202/386] Add iperf host --- flake.nix | 21 ++++++++++++--------- hosts/iperf/configuration.nix | 14 ++++++++++++++ hosts/iperf/default.nix | 7 +++++++ hosts/iperf/iperf.nix | 7 +++++++ 4 files changed, 40 insertions(+), 9 deletions(-) create mode 100644 hosts/iperf/configuration.nix create mode 100644 hosts/iperf/default.nix create mode 100644 hosts/iperf/iperf.nix diff --git a/flake.nix b/flake.nix index 3fab58a..4b4fdc0 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,15 @@ outputs = { self, nixpkgs, nixos-generators, ... }: { hosts = { + hydra = { + site = "vs"; + }; + iperf = { + site = "vs"; + }; + jackett = { + site = "vs"; + }; nitter = { site = "vs"; }; @@ -18,12 +27,6 @@ tor-relay = { site = "vs"; }; - jackett = { - site = "vs"; - }; - hydra = { - site = "vs"; - }; web-public-2 = { site = "vs"; }; 
@@ -56,9 +59,9 @@ in nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./configuration/common - ./configuration/proxmox-vm - ./hosts/nitter + ./configuration/common + ./configuration/proxmox-vm + ./hosts/nitter ]; }; }; diff --git a/hosts/iperf/configuration.nix b/hosts/iperf/configuration.nix new file mode 100644 index 0000000..243344b --- /dev/null +++ b/hosts/iperf/configuration.nix @@ -0,0 +1,14 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "iperf"; + firewall.enable = false; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/iperf/default.nix b/hosts/iperf/default.nix new file mode 100644 index 0000000..2cb1ecd --- /dev/null +++ b/hosts/iperf/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./iperf.nix + ]; +} diff --git a/hosts/iperf/iperf.nix b/hosts/iperf/iperf.nix new file mode 100644 index 0000000..ae6cd90 --- /dev/null +++ b/hosts/iperf/iperf.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + services.iperf3 = { + enable = true; + openFirewall = true; + }; +} From cb83df1aed5aa82107fd5239856e99301796c11b Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 203/386] Generate hosts for hydra --- flake.lock | 8 +++---- flake.nix | 44 ++++++++++++++++++++++++---------- helper.nix | 25 +++++++++++++++++++ hosts/hydra/default.nix | 1 - hosts/nixos-coturn/default.nix | 1 - 5 files changed, 61 insertions(+), 18 deletions(-) create mode 100644 helper.nix diff --git a/flake.lock b/flake.lock index f4f6d2d..ad39d0d 100644 --- a/flake.lock +++ b/flake.lock 
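Review bot: `hosts/iperf/configuration.nix` sets `networking.firewall.enable = false;` while `hosts/iperf/iperf.nix` sets `services.iperf3.openFirewall = true;`, so the `openFirewall` option is a no-op and the host accepts traffic on every port, not only iperf3's. Unless the VM sits on a trusted segment, keep the firewall on and let `openFirewall` punch the single hole: `firewall.enable = true;`. If disabling it is deliberate (for example to take conntrack out of a throughput measurement), say so in a comment next to the option; the hydra host earlier in this series disables its firewall without a comment too, and the pattern is easy to copy by accident. The `flake.nix` whitespace hunk raises nothing.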
@@ -38,16 +38,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1689679375, - "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=", + "lastModified": 1690538549, + "narHash": "sha256-FfScFHxidupVGPw9BrQOHz/SoFLRjoNmVC5ymS+g8xU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "684c17c429c42515bafb3ad775d2a710947f3d67", + "rev": "de5ca86149b0c4ff8bf69782cd25896fff0254e1", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index 4b4fdc0..c8ae23e 100644 --- a/flake.nix +++ b/flake.nix @@ -1,13 +1,15 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = { self, nixpkgs, nixos-generators, ... }: { + outputs = { self, nixpkgs, nixos-generators, ... }@inputs: let + helper = (import ./helper.nix) inputs; + in { hosts = { hydra = { site = "vs"; @@ -32,7 +34,7 @@ }; }; - generateColmenaHost = name: host : { + generateColmenaHost = name: host: { deployment = { targetHost = "${name}.${host.site}.grzb.de"; targetUser = "colmena-deploy"; @@ -43,7 +45,7 @@ ./configuration/proxmox-vm ./configuration/proxmox-vm/hardware-configuration.nix ./hosts/${name} - ]; + ] ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix; }; colmena = { 
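Review bot: `] ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix;` in `generateColmenaHost` makes the secrets module silently optional: a checkout that lacks the file (a Hydra evaluation, a fresh clone) evaluates and can deploy the host without its secrets instead of failing, and the same commit removes the explicit `./secrets.nix` imports from `hosts/hydra/default.nix` and `hosts/nixos-coturn/default.nix`, so nothing else would notice. Consider failing loudly for hosts known to need one, e.g. a per-host `needsSecrets = true;` attribute checked with `assert`, or at minimum a comment stating that absence is expected on CI. Whether `secrets.nix` files are kept out of version control is not visible in this hunk; the `.gitignore` touched earlier in this series lists only `.vscode` and `result`, so that is worth confirming. The `flake.lock` hunk is a pin bump and raises nothing.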
@@ -54,18 +56,35 @@ }; } // builtins.mapAttrs (self.generateColmenaHost) self.hosts; - hydraJobs = { - nixConfigurations.nitter = let system = "x86_64-linux"; - in nixpkgs.lib.nixosSystem { - inherit system; + nixosConfigurations = nixpkgs.lib.mapAttrs (name: config: let + nodeNixpkgs = self.outputs.colmena.meta.nodeNixpkgs.${name} or self.outputs.colmena.meta.nixpkgs; + nodeNixos = import (nodeNixpkgs.path + "/nixos/lib/eval-config.nix"); + in nodeNixos { modules = [ - ./configuration/common - ./configuration/proxmox-vm - ./hosts/nitter + #self.outputs.colmena.defaults + config + #inputs.colmena.nixosModules.deploymentOptions + { + _module.args.name = nixpkgs.lib.mkForce name; + _module.args.nodes = self.outputs.nixosConfigurations; + #nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + } ]; - }; + inherit (nodeNixpkgs) system; + } + ) (builtins.removeAttrs self.outputs.colmena ["meta" "defaults"]); + + hydraJobs = { + nixosConfigurations = nixpkgs.lib.mapAttrs (_: config: config.config.system.build.toplevel) self.outputs.nixosConfigurations; }; + /* + nixosConfigurations = (builtins.mapAttrs (helper.mapToNixosConfigurations) self.hosts); + hydraJobs = { + nixConfigurations = helper.buildHosts self.nixosConfigurations; + }; + */ + # Generate a base VM image for Proxmox with `nix build .#base-proxmox` packages.x86_64-linux = { base-proxmox = nixos-generators.nixosGenerate { @@ -78,5 +97,6 @@ format = "proxmox"; }; }; + }; } diff --git a/helper.nix b/helper.nix new file mode 100644 index 0000000..07a3e8e --- /dev/null +++ b/helper.nix 
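Review bot: `#self.outputs.colmena.defaults`, `#inputs.colmena.nixosModules.deploymentOptions`, `#nixpkgs.overlays = …` and the trailing `/* … */` block are commented-out code committed alongside the live `nixosConfigurations` implementation; either delete them or replace each with a one-line comment naming what is still missing (for instance that colmena's `defaults` and deployment options are not yet mapped into `nixosConfigurations`). `_module.args.nodes = self.outputs.nixosConfigurations;` is self-referential and only works because of lazy evaluation; a comment saying so would stop the next reader from "fixing" it.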
@@ -0,0 +1,25 @@ +{ nixpkgs, ... }@inputs: +rec { + generateNixosSystem = name: { + system ? "x86_64-linux", + group ? null, + modules ? [], + site + }: let + localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs; + in localNixpkgs.lib.nixosSystem { + system = system; + modules = modules ++ [ + ./configuration/common + ./configuration/proxmox-vm + ./configuration/proxmox-vm/hardware-configuration.nix + ./hosts/${name} + ]; + }; + + mapToNixosConfigurations = name: host: generateNixosSystem name host; + + filterUnderscore = hosts: (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") hosts); + + buildHosts = hosts: builtins.mapAttrs (name: host: host.config.system.build.toplevel) (filterUnderscore hosts); +} diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix index c33a964..aeffee1 100644 --- a/hosts/hydra/default.nix +++ b/hosts/hydra/default.nix @@ -2,7 +2,6 @@ { imports = [ ./configuration.nix - ./secrets.nix ./hydra.nix ./nix-serve.nix ./nginx.nix diff --git a/hosts/nixos-coturn/default.nix b/hosts/nixos-coturn/default.nix index 63c719c..1036572 100644 --- a/hosts/nixos-coturn/default.nix +++ b/hosts/nixos-coturn/default.nix @@ -2,7 +2,6 @@ { imports = [ ./configuration.nix - ./secrets.nix ./coturn.nix ]; } From 8e633599dbfd4ca974ad6437334e999e416eb456 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 204/386] Test host specific nixpkgs --- flake.lock | 25 +++++++++++++--- flake.nix | 85 ++++++++++-------------------------------------------- helper.nix | 45 +++++++++++++++-------------- hosts.nix | 47 ++++++++++++++++++++++++++++++ 4 files changed, 106 insertions(+), 96 deletions(-) create mode 100644 hosts.nix diff --git a/flake.lock b/flake.lock index ad39d0d..5034288 100644 --- a/flake.lock +++ b/flake.lock 
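Review bot: `generateNixosSystem` in `helper.nix` accepts `group ? null` but never uses it, and `system = system;` is the long form of `inherit system;`; both read as leftovers of the commented-out block deleted earlier in this series. Drop the unused parameter or document what `group` is meant to select. `filterUnderscore` takes a `host` argument it ignores (`_:` would make that explicit), and none of the helpers carry a comment saying what the leading-underscore convention on host names means. The two `default.nix` hunks only remove `./secrets.nix` imports.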
@@ -38,11 +38,27 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1690538549,
- "narHash": "sha256-FfScFHxidupVGPw9BrQOHz/SoFLRjoNmVC5ymS+g8xU=",
+ "lastModified": 1690630041,
+ "narHash": "sha256-gbnvqm5goS9DSKAqGFpq3398aOpwejmq4qWikqmQyRo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "de5ca86149b0c4ff8bf69782cd25896fff0254e1",
+ "rev": "d57e8c535d4cbb07f441c30988ce52eec69db7a8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-23.05-small",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1690628621,
+ "narHash": "sha256-fHmW03fQziNt1+tt/Goa0lwObsR8kY8auNEWnv92Sfw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "9508c7104d697af158ebc719586d64eb7b64c0d7",
 "type": "github"
 },
 "original": {
@@ -55,7 +71,8 @@
 "root": {
 "inputs": {
 "nixos-generators": "nixos-generators",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-unstable": "nixpkgs-unstable"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index c8ae23e..92fda46 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,90 +1,35 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small"; + nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = { self, nixpkgs, nixos-generators, ... }@inputs: let + outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let + hosts = import ./hosts.nix inputs; helper = (import ./helper.nix) inputs; in { - hosts = { - hydra = { - site = "vs"; - }; - iperf = { - site = "vs"; - }; - jackett = { - site = "vs"; - }; - nitter = { - site = "vs"; - }; - nixos-coturn = { - site = "vs"; - }; - tor-relay = { - site = "vs"; - }; - web-public-2 = { - site = "vs"; - }; - }; - - generateColmenaHost = name: host: { - deployment = { - targetHost = "${name}.${host.site}.grzb.de"; - targetUser = "colmena-deploy"; - }; - - imports = [ - ./configuration/common - ./configuration/proxmox-vm - ./configuration/proxmox-vm/hardware-configuration.nix - ./hosts/${name} - ] ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix; - }; - colmena = { meta = { - nixpkgs = import nixpkgs { - system = "x86_64-linux"; - }; + # Set the default pkgs, which is pointless in this case, + # because nodeNixpkgs is overriding it anyway and a default value is generated. + # It is still needed for colmena to run. + nixpkgs = nixpkgs.legacyPackages."x86_64-linux"; + + # Specify nixpkgs to use for each host. + # The default is "nixpkgs" for "x86_64-linux" systems, + # but it is overridden by the host-specific "hostNixpkgs" and "system" attributes. 
+ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; }; - } // builtins.mapAttrs (self.generateColmenaHost) self.hosts; - - nixosConfigurations = nixpkgs.lib.mapAttrs (name: config: let - nodeNixpkgs = self.outputs.colmena.meta.nodeNixpkgs.${name} or self.outputs.colmena.meta.nixpkgs; - nodeNixos = import (nodeNixpkgs.path + "/nixos/lib/eval-config.nix"); - in nodeNixos { - modules = [ - #self.outputs.colmena.defaults - config - #inputs.colmena.nixosModules.deploymentOptions - { - _module.args.name = nixpkgs.lib.mkForce name; - _module.args.nodes = self.outputs.nixosConfigurations; - #nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; - } - ]; - inherit (nodeNixpkgs) system; - } - ) (builtins.removeAttrs self.outputs.colmena ["meta" "defaults"]); + } // builtins.mapAttrs (helper.generateColmenaHost) hosts; hydraJobs = { - nixosConfigurations = nixpkgs.lib.mapAttrs (_: config: config.config.system.build.toplevel) self.outputs.nixosConfigurations; + nixConfigurations = builtins.mapAttrs (helper.generateNixConfiguration) hosts; }; - /* - nixosConfigurations = (builtins.mapAttrs (helper.mapToNixosConfigurations) self.hosts); - hydraJobs = { - nixConfigurations = helper.buildHosts self.nixosConfigurations; - }; - */ - # Generate a base VM image for Proxmox with `nix build .#base-proxmox` packages.x86_64-linux = { base-proxmox = nixos-generators.nixosGenerate { diff --git a/helper.nix b/helper.nix index 07a3e8e..fc91e4e 100644 --- a/helper.nix +++ b/helper.nix 
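Review bot: The Hydra job attribute is renamed back to `nixConfigurations` here after the previous commit introduced `nixosConfigurations`, and the helper it calls is `generateNixConfiguration`; the inconsistent spelling makes the jobset name and the standard `nixosConfigurations` flake output easy to confuse. Pick one name (`nixosConfigurations` is the conventional one) and use it for the job, the helper and any Hydra jobset configuration that references it. The comment above `nodeNixpkgs` mentions "hostNixpkgs" and "system" attributes that are defined in `hosts.nix`, not in this file; naming that file in the comment would save a search.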
@@ -1,25 +1,26 @@ -{ nixpkgs, ... }@inputs: -rec { - generateNixosSystem = name: { - system ? "x86_64-linux", - group ? null, - modules ? [], - site - }: let - localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs; - in localNixpkgs.lib.nixosSystem { - system = system; - modules = modules ++ [ - ./configuration/common - ./configuration/proxmox-vm - ./configuration/proxmox-vm/hardware-configuration.nix - ./hosts/${name} - ]; +{ nixpkgs, ... }: +{ + generateColmenaHost = name: { + site, + modules, + ... + }: { + deployment = { + targetHost = "${name}.${site}.grzb.de"; + targetUser = "colmena-deploy"; + }; + + # Set imports and optionally import colmena secrets configuration + imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix; }; - mapToNixosConfigurations = name: host: generateNixosSystem name host; - - filterUnderscore = hosts: (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") hosts); - - buildHosts = hosts: builtins.mapAttrs (name: host: host.config.system.build.toplevel) (filterUnderscore hosts); + generateNixConfiguration = name: { + hostNixpkgs, + system, + modules, + ... + }: + (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") (hostNixpkgs.lib.nixosSystem { + inherit system modules; + })).config.system.build.toplevel; } diff --git a/hosts.nix b/hosts.nix new file mode 100644 index 0000000..083d5b8 --- /dev/null +++ b/hosts.nix 
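Review bot: In `generateNixConfiguration`, the lambda passed to `nixpkgs.lib.filterAttrs` is `name: host: …`, which shadows the function's own `name` parameter (the host name) with the attribute name being filtered — harmless today but confusing, and the filter is applied to the result of `hostNixpkgs.lib.nixosSystem` with no comment saying why underscore-prefixed attributes must be dropped. Rename the inner parameters, e.g. `(nixpkgs.lib.filterAttrs (attrName: _: (builtins.substring 0 1 attrName) != "_") …)`, and state the reason above it. `generateColmenaHost` keeps the optional `secrets.nix` import from the previous commit, now appended to the `modules` list supplied by `hosts.nix`; the comment `# Set imports and optionally import colmena secrets configuration` should also say what happens when the file is absent.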
@@ -0,0 +1,47 @@ +{ nixpkgs, nixpkgs-unstable, ... }: +let + environments = { + "proxmox" = [ + ./configuration/proxmox-vm + ./configuration/proxmox-vm/hardware-configuration.nix + ]; + }; + generateDefaults = hosts: builtins.mapAttrs (name: { + hostNixpkgs ? nixpkgs, + system ? "x86_64-linux", + pkgs ? hostNixpkgs.legacyPackages.${system}, + environment ? "proxmox", + site + }: { + inherit hostNixpkgs system pkgs environment site; + modules = [ + ./configuration/common + ./hosts/${name} + ] ++ (if environments ? ${environment} then environments.${environment} else []); + }) hosts; +in + generateDefaults { + hydra = { + hostNixpkgs = nixpkgs-unstable; + site = "vs"; + }; + iperf = { + site = "vs"; + }; + jackett = { + site = "vs"; + }; + nitter = { + site = "vs"; + }; + nixos-coturn = { + site = "vs"; + }; + tor-relay = { + site = "vs"; + }; + web-public-2 = { + hostNixpkgs = nixpkgs-unstable; + site = "vs"; + }; + } From 32872cb4552b77e05b825aab878f9d4ad700d739 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 205/386] Generate colmena and hydraJobs outputs from the same hosts attribute set --- flake.nix | 2 +- helper.nix | 13 +++++++++---- hosts.nix | 6 +++++- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/flake.nix b/flake.nix index 92fda46..3615c48 100644 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,7 @@ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let hosts = import ./hosts.nix inputs; - helper = (import ./helper.nix) inputs; + helper = import ./helper.nix inputs; in { colmena = { meta = { diff --git a/helper.nix b/helper.nix index fc91e4e..2188959 100644 --- a/helper.nix +++ b/helper.nix 
@@ -19,8 +19,13 @@ system, modules, ... - }: - (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") (hostNixpkgs.lib.nixosSystem { - inherit system modules; - })).config.system.build.toplevel; + }: + let + # Filter attritubes starting with _ to avoid infinite recursion when building with hydra + # TODO: Why does this happen? + filter = name: host: (builtins.substring 0 1 name) != "_"; + in + (nixpkgs.lib.filterAttrs filter (hostNixpkgs.lib.nixosSystem { + inherit system modules; + })).config.system.build.toplevel; # Builds the entire NixOS system, see: https://nixos.org/manual/nixos/stable/#sec-building-parts } diff --git a/hosts.nix b/hosts.nix index 083d5b8..2ba24de 100644 --- a/hosts.nix +++ b/hosts.nix @@ -1,23 +1,27 @@ { nixpkgs, nixpkgs-unstable, ... }: let + # Set of environment specific modules environments = { "proxmox" = [ ./configuration/proxmox-vm ./configuration/proxmox-vm/hardware-configuration.nix ]; }; + # generateDefaults = hosts: builtins.mapAttrs (name: { hostNixpkgs ? nixpkgs, system ? "x86_64-linux", + # pkgs is explicitly defined so that overlays for each host can easily be created pkgs ? hostNixpkgs.legacyPackages.${system}, environment ? "proxmox", site }: { inherit hostNixpkgs system pkgs environment site; + # define common and host modules and additionally add environment specific modules modules = [ ./configuration/common ./hosts/${name} - ] ++ (if environments ? ${environment} then environments.${environment} else []); + ] ++ environments.${environment}; }) hosts; in generateDefaults { From 7cc4f7fe165b43811cedc37ff450d6c9c6a6dba2 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 206/386] Bump flake.lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 5034288..7668670 100644 --- a/flake.lock +++ b/flake.lock 
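Review bot: The new comment in `helper.nix` reads `# Filter attritubes starting with _ …`; the typo should be `attributes`, and the `TODO: Why does this happen?` beneath it would carry more information as `# TODO: find the root cause of the infinite recursion; until then filterAttrs strips underscore-prefixed attributes from the nixosSystem result`. The `filter` lambda still binds `name`, shadowing the outer `name` parameter of `generateNixConfiguration`. In `hosts.nix`, the lone `#` line above `generateDefaults` is an empty comment — either describe the function (`# Fill in per-host defaults and assemble the module list`) or delete the line. The `flake.nix` hunk only drops redundant parentheses.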
@@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690630041, - "narHash": "sha256-gbnvqm5goS9DSKAqGFpq3398aOpwejmq4qWikqmQyRo=", + "lastModified": 1690726002, + "narHash": "sha256-cACz6jCJZtsZHGCJAN4vMobxzH5s6FCOTZHMrh/Hu0M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d57e8c535d4cbb07f441c30988ce52eec69db7a8", + "rev": "391e8db1f06c3f74c2d313a73135515023af3993", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1690628621, - "narHash": "sha256-fHmW03fQziNt1+tt/Goa0lwObsR8kY8auNEWnv92Sfw=", + "lastModified": 1690738238, + "narHash": "sha256-yUFU7PGQzOEDX2Y64QV7xNHkn3RjkOTqvZ5oW5gbgGY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9508c7104d697af158ebc719586d64eb7b64c0d7", + "rev": "6376df481833e5f2e83eade8d8f2d04beed007d0", "type": "github" }, "original": { From 399731bd0cf087bb2f8557b7b8b82d4b09046ae0 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 207/386] Set binary cache hint --- flake.nix | 9 +++++++++ hosts/netbox/configuration.nix | 15 --------------- hosts/netbox/netbox.nix | 10 ---------- 3 files changed, 9 insertions(+), 25 deletions(-) delete mode 100644 hosts/netbox/configuration.nix delete mode 100644 hosts/netbox/netbox.nix diff --git a/flake.nix b/flake.nix index 3615c48..90ed283 100644 --- a/flake.nix +++ b/flake.nix @@ -43,5 +43,14 @@ }; }; + # Binary cache hint + nixConfig = { + extra-substituters = [ + "https://nix-cache.nekover.se" + ]; + extra-trusted-public-keys = [ + "nix-cache.nekover.se:f/VfGqC5lctLzOa6pLLDmEkihcip4WYpYShlW3rivLU=" + ]; + }; }; } diff --git a/hosts/netbox/configuration.nix b/hosts/netbox/configuration.nix deleted file mode 100644 index 6040caf..0000000 --- a/hosts/netbox/configuration.nix +++ /dev/null 
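Review bot: `# Binary cache hint` understates the trust this setting grants: every machine that accepts this flake's nixConfig will treat any store path signed by `nix-cache.nekover.se:f/VfGqC5lctLzOa6pLLDmEkihcip4WYpYShlW3rivLU=` as a valid build output, so the private half of that key carries the blast radius of a code-signing key and a rotation has to be mirrored in this list. Nix applies flake-provided settings only after an interactive confirmation unless `accept-flake-config` is set, which is worth recording so operators know what they are accepting. Suggested wording: `# Binary cache hint: paths signed by this key are accepted as trusted build outputs on every machine that accepts the flake config (prompted, or accept-flake-config); protect the signing key accordingly and update this entry on rotation`.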
@@ -1,15 +0,0 @@ -{ ... }: - -{ - imports = [ - ./hardware-configuration.nix - ./tor.nix - ]; - - networking = { - hostName = "tor-relay"; - firewall.enable = false; - }; - - system.stateVersion = "23.05"; -} diff --git a/hosts/netbox/netbox.nix b/hosts/netbox/netbox.nix deleted file mode 100644 index 07674e6..0000000 --- a/hosts/netbox/netbox.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: -{ - services.netox = { - enable = true; - - settings = { - - }; - }; -} From a03df6b14deb03734f961704387977dfa6d4b3c2 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 208/386] Use hacky workaround for enableACME check with a proxyProtocol listener --- hosts/web-public-2/virtualHosts/anisync.grzb.de.nix | 8 ++++---- .../web-public-2/virtualHosts/birdsite.nekover.se.nix | 8 ++++---- hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix | 8 ++++---- hosts/web-public-2/virtualHosts/git.grzb.de.nix | 8 ++++---- hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix | 8 ++++---- hosts/web-public-2/virtualHosts/nekover.se.nix | 8 ++++---- hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix | 10 ++++++---- hosts/web-public-2/virtualHosts/social.nekover.se.nix | 8 ++++---- 9 files changed, 36 insertions(+), 34 deletions(-) diff --git a/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix index 6ccc410..b628ef7 100644 --- a/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix +++ b/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix index 1bf6ec5..a043d8e 100644 
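Review bot: `# workaround for enableACME check` on the new `localhost:1234` listener does not say which assertion it satisfies or why a dummy listener is acceptable, and the same unexplained block is duplicated in anisync.grzb.de.nix, birdsite.nekover.se.nix, element.nekover.se.nix, gameserver.grzb.de.nix, git.grzb.de.nix, mewtube.nekover.se.nix, nekover.se.nix, nextcloud.grzb.de.nix and social.nekover.se.nix. Because the `0.0.0.0:80` listener is removed at the same time, plain-HTTP traffic and any HTTP-01 challenge for these names must now be answered by another server block, which the commit does not show. Suggest one explanatory comment, e.g. `# dummy non-SSL listener: presumably keeps the nginx module's enableACME assertion satisfied; real traffic arrives on the proxy-protocol 8443 listener, port 80 is handled by a separate server block`, and factoring the shared listen list into one attribute the nine files import so they cannot drift apart.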
--- a/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/hosts/web-public-2/virtualHosts/element.nekover.se.nix index c4fdb27..de1665b 100644 --- a/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -17,10 +17,10 @@ in ]; }; listen = [ - { + { addr = "localhost"; port = 1234; - } + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix index ddb1332..5070a0b 100644 --- a/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix +++ b/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/hosts/web-public-2/virtualHosts/git.grzb.de.nix index 554421a..fb156d8 100644 --- a/hosts/web-public-2/virtualHosts/git.grzb.de.nix +++ b/hosts/web-public-2/virtualHosts/git.grzb.de.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix index 835cb35..fbc64fa 100644 --- a/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix 
+++ b/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/nekover.se.nix b/hosts/web-public-2/virtualHosts/nekover.se.nix index 58847cd..743135d 100644 --- a/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; diff --git a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix index 7a3f7d2..87fcc68 100644 --- a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix +++ b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix @@ -3,10 +3,12 @@ services.nginx.virtualHosts."nextcloud.grzb.de" = { forceSSL = true; enableACME = true; - listen = [ { - addr = "0.0.0.0"; - port = 80; - }{ + listen = [ + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check + { addr = "localhost"; port = 8443; ssl = true; diff --git a/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/hosts/web-public-2/virtualHosts/social.nekover.se.nix index 5024b8f..2c44a16 100644 --- a/hosts/web-public-2/virtualHosts/social.nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/social.nekover.se.nix @@ -4,10 +4,10 @@ forceSSL = true; enableACME = true; listen = [ - { - addr = "0.0.0.0"; - port = 80; - } + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check { addr = "localhost"; port = 8443; From 92eb5d7385821c4a26c73cfc89d97f78e970859a Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 209/386] Enable console on serial port and print public ssh host key when booting --- configuration/common/default.nix | 18 ++++++++++++++++++ configuration/proxmox-vm/default.nix | 6 ++++++ hosts.nix | 1 - 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/configuration/common/default.nix b/configuration/common/default.nix index 2136658..1b2b085 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix @@ -51,5 +51,23 @@ preliminarySelfsigned = true; }; + # Print the ed25519 public ssh host key to console when booting + systemd.units."print-public-ssh-host-key.service" = { + enable = true; + text = '' + [Unit] + Description=print-public-ssh-host-key.service + Before=getty@tty1.service + + [Service] + Type=oneshot + ExecStart=/run/current-system/sw/bin/bash -c "/run/current-system/sw/bin/echo ----- ED25519 PUBLIC SSH HOST KEY -----\ + && /run/current-system/sw/bin/cut -d ' ' -f 1-2 /etc/ssh/ssh_host_ed25519_key.pub" + RemainAfterExit=no + StandardOutput=tty + ''; + wantedBy = [ "multi-user.target" ]; + }; + services.fstrim.enable = true; } diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix index 65105c0..47ed7df 100644 --- a/configuration/proxmox-vm/default.nix +++ b/configuration/proxmox-vm/default.nix @@ -1,4 +1,10 @@ { ... }: { + # Enable console output on TTY1 and serial console + boot.kernelParams = [ + "console=tty1" + "console=ttyS0,115200" + ]; + services.qemuGuest.enable = true; } diff --git a/hosts.nix b/hosts.nix index 2ba24de..133f155 100644 --- a/hosts.nix +++ b/hosts.nix @@ -7,7 +7,6 @@ let ./configuration/proxmox-vm/hardware-configuration.nix ]; }; - # generateDefaults = hosts: builtins.mapAttrs (name: { hostNixpkgs ? nixpkgs, system ? "x86_64-linux", From 826c3ff28b29bfb97cf48f577d7773a4b5db0833 Mon Sep 17 00:00:00 2001 
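Review bot: The new unit is written as a raw `systemd.units."print-public-ssh-host-key.service".text` string, which bypasses the typed `systemd.services` options (`before`, `serviceConfig`, `script`), so a mistake in the unit text or in the `bash -c` quoting is only discovered when the unit fails at boot, and hard-coded `/run/current-system/sw/bin/...` paths stand in for the `path` option. Expressed through `systemd.services` the same behaviour is shorter and gets the module system's option checks; `RemainAfterExit=no` is the default and can be dropped (this assumes `pkgs` is still among the module's arguments). Printing the public host key on the console gives the operator an out-of-band anchor for verifying the key on the first SSH connection, so the header comment could say so. The enclosing attrset starts outside the hunk.
```nix
  # Print the ed25519 public ssh host key to the console when booting so the
  # operator can verify it out of band (e.g. via the Proxmox console) before
  # trusting it on the first SSH connection
  systemd.services.print-public-ssh-host-key = {
    description = "Print the ed25519 public SSH host key on the console";
    before = [ "getty@tty1.service" ];
    wantedBy = [ "multi-user.target" ];
    path = [ pkgs.coreutils ];
    serviceConfig = {
      Type = "oneshot";
      StandardOutput = "tty";
    };
    script = ''
      echo "----- ED25519 PUBLIC SSH HOST KEY -----"
      cut -d ' ' -f 1-2 /etc/ssh/ssh_host_ed25519_key.pub
    '';
  };
  # … unchanged: services.fstrim.enable …
```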
From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 210/386] Add jellyfin host --- hosts.nix | 3 + hosts/jellyfin/configuration.nix | 17 +++++ hosts/jellyfin/default.nix | 10 +++ hosts/jellyfin/hardware-configuration.nix | 16 +++++ hosts/jellyfin/jellyfin.nix | 6 ++ hosts/jellyfin/nginx.nix | 65 +++++++++++++++++++ hosts/jellyfin/secrets.nix | 11 ++++ .../virtualHosts/acme-challenge.nix | 12 ++++ hosts/web-public-2/virtualHosts/default.nix | 1 + 9 files changed, 141 insertions(+) create mode 100644 hosts/jellyfin/configuration.nix create mode 100644 hosts/jellyfin/default.nix create mode 100644 hosts/jellyfin/hardware-configuration.nix create mode 100644 hosts/jellyfin/jellyfin.nix create mode 100644 hosts/jellyfin/nginx.nix create mode 100644 hosts/jellyfin/secrets.nix create mode 100644 hosts/web-public-2/virtualHosts/acme-challenge.nix diff --git a/hosts.nix b/hosts.nix index 133f155..4cac023 100644 --- a/hosts.nix +++ b/hosts.nix @@ -34,6 +34,9 @@ in jackett = { site = "vs"; }; + jellyfin = { + site = "vs"; + }; nitter = { site = "vs"; }; diff --git a/hosts/jellyfin/configuration.nix b/hosts/jellyfin/configuration.nix new file mode 100644 index 0000000..7d058cd --- /dev/null +++ b/hosts/jellyfin/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "jellyfin"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/jellyfin/default.nix b/hosts/jellyfin/default.nix new file mode 100644 index 0000000..9c80166 --- /dev/null +++ b/hosts/jellyfin/default.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ./secrets.nix + ./jellyfin.nix + ./nginx.nix + ]; +} diff --git a/hosts/jellyfin/hardware-configuration.nix b/hosts/jellyfin/hardware-configuration.nix new file mode 100644 index 0000000..764a903 --- /dev/null 
+++ b/hosts/jellyfin/hardware-configuration.nix @@ -0,0 +1,16 @@ +{ ... }: +{ + fileSystems."/mnt/media" = { + device = "//10.202.46.5/media"; + fsType = "cifs"; + options = [ + "username=jellyfin" + "credentials=/secrets/samba-credentials.secret" + "iocharset=utf8" + "vers=3.1.1" + "uid=jellyfin" + "gid=jellyfin" + "_netdev" + ]; + }; +} diff --git a/hosts/jellyfin/jellyfin.nix b/hosts/jellyfin/jellyfin.nix new file mode 100644 index 0000000..89deaaa --- /dev/null +++ b/hosts/jellyfin/jellyfin.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.jellyfin = { + enable = true; + }; +} diff --git a/hosts/jellyfin/nginx.nix b/hosts/jellyfin/nginx.nix new file mode 100644 index 0000000..7d70066 --- /dev/null +++ b/hosts/jellyfin/nginx.nix 
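Review bot: `"username=jellyfin"` is passed as a mount option next to `"credentials=/secrets/samba-credentials.secret"`; mount options end up in the generated, world-readable `/etc/fstab` and in the Nix store, while the credentials file (which mount.cifs reads for `username=`/`password=`) is the place meant to name the account. Consider dropping the `"username=jellyfin"` entry, provided the credentials file carries the username, and adding `"seal"` to request SMB3 transport encryption for the media share if the server supports it. The key is deployed by secrets.nix in the same commit with `uploadAt = "pre-activation"`, which matches the mount needing it at boot (`_netdev`).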
@@ -0,0 +1,65 @@ +{ ... }: +{ + services.nginx = { + enable = true; + virtualHosts."jellyfin.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."= /" = { + return = "302 https://$host/web/"; + }; + locations."/" = { + proxyPass = "http://localhost:8096/"; + extraConfig = '' + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; + ''; + }; + locations."= /web/" = { + proxyPass = "http://localhost:8096/web/index.html"; + }; + locations."/socket" = { + proxyPass = "http://localhost:8096/socket"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 20M; + + # Security / XSS Mitigation Headers + # NOTE: X-Frame-Options may cause issues with the webOS app + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options "nosniff"; + + # COOP/COEP. Disable if you use external plugins/images/assets + add_header Cross-Origin-Opener-Policy "same-origin" always; + add_header Cross-Origin-Embedder-Policy "require-corp" always; + add_header Cross-Origin-Resource-Policy "same-origin" always; + + # Permissions policy. 
May cause issues on some clients + add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; + + # Tell browsers to use per-origin process isolation + add_header Origin-Agent-Cluster "?1" always; + + # Content Security Policy + # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP + # Enforces https content and restricts JS/CSS to origin + # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. + # NOTE: The default CSP headers may cause issues with the webOS app + #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; + ''; + }; + }; +} diff --git a/hosts/jellyfin/secrets.nix b/hosts/jellyfin/secrets.nix new file mode 100644 index 0000000..c1c22c6 --- /dev/null +++ b/hosts/jellyfin/secrets.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + deployment.keys."samba-credentials.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "jellyfin/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} 
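Review bot: `add_header X-XSS-Protection "1; mode=block"` in the `extraConfig` block re-enables a browser filter that Chromium-based browsers have removed and Firefox never implemented, and that was itself a source of information-leak bugs; current guidance is to send `X-XSS-Protection "0"` or drop the header and rely on a Content-Security-Policy, which here is commented out. Also, nginx does not inherit server-level `add_header` directives into any `location` that declares its own `add_header`, so if one of the `locations` blocks later gains a header the whole set silently disappears for that path, and the first three headers lack `always`, so they are not sent on error responses. Suggest `add_header X-XSS-Protection "0";` (or removing the line) and appending `always` to the `X-Frame-Options` and `X-Content-Type-Options` lines.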
diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix new file mode 100644 index 0000000..d16de8f --- /dev/null +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + services.nginx.virtualHosts."jellyfin.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://jellyfin.vs.grzb.de:80"; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/default.nix b/hosts/web-public-2/virtualHosts/default.nix index f6aadad..c5ec5ef 100644 --- a/hosts/web-public-2/virtualHosts/default.nix +++ b/hosts/web-public-2/virtualHosts/default.nix @@ -1,6 +1,7 @@ { ... }: { imports = [ + ./acme-challenge.nix ./anisync.grzb.de.nix ./birdsite.nekover.se.nix ./element.nekover.se.nix From 07e6a8a597abdd63a6acf0a757305da5154c0c6c Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 211/386] Enable firewall and migrate Jellyfin to NixOS --- hosts.nix | 5 ++++ hosts/hydra/configuration.nix | 5 +++- hosts/iperf/configuration.nix | 2 +- hosts/jellyfin/configuration.nix | 2 +- hosts/jellyfin/nginx.nix | 6 ++++ hosts/tor-relay/configuration.nix | 5 +++- .../configuration.nix | 17 +++++++++++ hosts/web-nonpublic-linuxcrewd/default.nix | 7 +++++ hosts/web-nonpublic-linuxcrewd/nginx.nix | 29 +++++++++++++++++++ hosts/web-public-2/configuration.nix | 5 +++- 10 files changed, 78 insertions(+), 5 deletions(-) create mode 100644 hosts/web-nonpublic-linuxcrewd/configuration.nix create mode 100644 hosts/web-nonpublic-linuxcrewd/default.nix create mode 100644 hosts/web-nonpublic-linuxcrewd/nginx.nix diff --git a/hosts.nix b/hosts.nix index 4cac023..6118252 100644 --- a/hosts.nix +++ b/hosts.nix @@ -35,6 +35,7 @@ in site = "vs"; }; jellyfin = { + hostNixpkgs = nixpkgs-unstable; site = "vs"; }; nitter = { 
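Review bot: On web-public-2 this `jellyfin.grzb.de` server block listens on `0.0.0.0:80` but only defines `locations."^~ /.well-known/acme-challenge/"`, so any other plain-HTTP request for the name falls through to nginx's default handling (typically a 404 from the default root) instead of being moved to HTTPS, unlike the sibling virtual hosts in this directory that set `forceSSL`. Adding `locations."/" = { return = "301 https://$host$request_uri"; };` keeps the challenge path forwarded to `http://jellyfin.vs.grzb.de:80` while ensuring nothing else is served over plain HTTP here. A one-line comment stating that `jellyfin.vs.grzb.de` is the internal name of the jellyfin VM would also help the next reader, since that is not visible in the commit.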
@@ -50,4 +51,8 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; + web-nonpublic-linuxcrewd = { + hostNixpkgs = nixpkgs-unstable; + site = "vs"; + }; } diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix index 5596bb5..53a26b0 100644 --- a/hosts/hydra/configuration.nix +++ b/hosts/hydra/configuration.nix @@ -15,7 +15,10 @@ networking = { hostName = "hydra"; - firewall.enable = false; + firewall = { + enable = true; + allowedTCPPorts = [ 8443 ]; + }; }; nix = { diff --git a/hosts/iperf/configuration.nix b/hosts/iperf/configuration.nix index 243344b..b46a7ce 100644 --- a/hosts/iperf/configuration.nix +++ b/hosts/iperf/configuration.nix @@ -7,7 +7,7 @@ networking = { hostName = "iperf"; - firewall.enable = false; + firewall.enable = true; }; system.stateVersion = "23.05"; diff --git a/hosts/jellyfin/configuration.nix b/hosts/jellyfin/configuration.nix index 7d058cd..98624e0 100644 --- a/hosts/jellyfin/configuration.nix +++ b/hosts/jellyfin/configuration.nix @@ -9,7 +9,7 @@ hostName = "jellyfin"; firewall = { enable = true; - allowedTCPPorts = [ 80 443 ]; + allowedTCPPorts = [ 80 443 8443 ]; }; }; diff --git a/hosts/jellyfin/nginx.nix b/hosts/jellyfin/nginx.nix index 7d70066..04431d5 100644 --- a/hosts/jellyfin/nginx.nix +++ b/hosts/jellyfin/nginx.nix @@ -15,6 +15,12 @@ port = 443; ssl = true; } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } ]; locations."= /" = { return = "302 https://$host/web/"; diff --git a/hosts/tor-relay/configuration.nix b/hosts/tor-relay/configuration.nix index 90dbc71..7c2eb84 100644 --- a/hosts/tor-relay/configuration.nix +++ b/hosts/tor-relay/configuration.nix @@ -19,7 +19,10 @@ }; hostName = "tor-relay"; - firewall.enable = false; + firewall = { + enable = true; + allowedTCPPorts = [ 9001 9030 ]; + }; }; system.stateVersion = "23.05"; 
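Review bot: `firewall.enable = true;` on the iperf host comes without an `allowedTCPPorts` list, so if this host runs an iperf3 server its listening port (5201 by default) is now blocked; the hydra, jellyfin and tor-relay hunks in the same commit each open their service ports, which suggests an omission here. If the intent is to only run the iperf client from this host, a short comment would stop the next reader from "fixing" it, e.g. `firewall.enable = true; # client-only host, no inbound ports needed`.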
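Review bot: The new `0.0.0.0:8443` listener with `proxyProtocol = true` accepts a PROXY protocol header from any peer that can reach the port, and hosts/jellyfin/configuration.nix in the same commit opens 8443 to all sources; anything that later reads `$proxy_protocol_addr` (access logs, rate limiting, IP allow-lists, or `real_ip_header proxy_protocol`) can then be fed a spoofed client address by any host on the network rather than only by the stream proxy. Restrict the listener to the proxy's address, either with a firewall rule limited to that source (e.g. via `networking.firewall.extraCommands`) or by binding to the VM's internal address instead of `0.0.0.0`, and if real-IP substitution is added pair it with `set_real_ip_from <frontend-ip>;` for that address only. The same pattern appears in hosts/nextcloud/nextcloud.nix in patch 213 (`0.0.0.0:8443`, `proxyProtocol = true`, firewall allowing 8443).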
diff --git a/hosts/web-nonpublic-linuxcrewd/configuration.nix b/hosts/web-nonpublic-linuxcrewd/configuration.nix new file mode 100644 index 0000000..56a3254 --- /dev/null +++ b/hosts/web-nonpublic-linuxcrewd/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "web-public-2"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/web-nonpublic-linuxcrewd/default.nix b/hosts/web-nonpublic-linuxcrewd/default.nix new file mode 100644 index 0000000..3db73ca --- /dev/null +++ b/hosts/web-nonpublic-linuxcrewd/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ]; +} diff --git a/hosts/web-nonpublic-linuxcrewd/nginx.nix b/hosts/web-nonpublic-linuxcrewd/nginx.nix new file mode 100644 index 0000000..7d1a420 --- /dev/null +++ b/hosts/web-nonpublic-linuxcrewd/nginx.nix @@ -0,0 +1,29 @@ +{ ... }: +{ + services.nginx = { + enable = true; + + virtualHosts."_" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; + + streamConfig = '' + map $ssl_preread_server_name $address { + jellyfin.grzb.de 10.202.46.101:8443; + } + + server { + listen 0.0.0.0:443; + proxy_pass $address; + ssl_preread on; + proxy_protocol on; + } + ''; + }; +} diff --git a/hosts/web-public-2/configuration.nix b/hosts/web-public-2/configuration.nix index 081ca9a..94e74b6 100644 --- a/hosts/web-public-2/configuration.nix +++ b/hosts/web-public-2/configuration.nix @@ -19,7 +19,10 @@ }; hostName = "web-public-2"; - firewall.enable = false; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 5000 8448 ]; + }; }; system.stateVersion = "23.05"; From d7136d577f5f6d66c62792ece65d2ac2fba50267 Mon Sep 17 00:00:00 2001 
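Review bot: `hostName = "web-public-2";` in hosts/web-nonpublic-linuxcrewd/configuration.nix looks like a copy-paste from hosts/web-public-2/configuration.nix, which sets the same name in the hunk further down: two machines would share a hostname, confusing logs, monitoring and anything keyed on `networking.hostName`. It should read `hostName = "web-nonpublic-linuxcrewd";` to match the directory and the `web-nonpublic-linuxcrewd` entry added to hosts.nix in this commit.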
From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 212/386] Remove secret.nix from jellyfin imports --- hosts/jellyfin/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/jellyfin/default.nix b/hosts/jellyfin/default.nix index 9c80166..33e2290 100644 --- a/hosts/jellyfin/default.nix +++ b/hosts/jellyfin/default.nix @@ -3,7 +3,6 @@ imports = [ ./configuration.nix ./hardware-configuration.nix - ./secrets.nix ./jellyfin.nix ./nginx.nix ]; From 1aab87a1fee61bd6e60b33beac60c375d352e6d9 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 213/386] Add nextcloud host --- hosts.nix | 4 ++ hosts/nextcloud/configuration.nix | 17 +++++++++ hosts/nextcloud/default.nix | 7 ++++ hosts/nextcloud/nextcloud.nix | 38 +++++++++++++++++++ hosts/nextcloud/secrets.nix | 11 ++++++ hosts/web-public-2/nginx.nix | 2 +- .../virtualHosts/nextcloud.grzb.de.nix | 2 +- 7 files changed, 79 insertions(+), 2 deletions(-) create mode 100644 hosts/nextcloud/configuration.nix create mode 100644 hosts/nextcloud/default.nix create mode 100644 hosts/nextcloud/nextcloud.nix create mode 100644 hosts/nextcloud/secrets.nix diff --git a/hosts.nix b/hosts.nix index 6118252..1116370 100644 --- a/hosts.nix +++ b/hosts.nix @@ -38,6 +38,10 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; + nextcloud = { + hostNixpkgs = nixpkgs-unstable; + site = "vs"; + }; nitter = { site = "vs"; }; diff --git a/hosts/nextcloud/configuration.nix b/hosts/nextcloud/configuration.nix new file mode 100644 index 0000000..da63943 --- /dev/null +++ b/hosts/nextcloud/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "nextcloud"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 8443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/nextcloud/default.nix b/hosts/nextcloud/default.nix new file mode 100644 index 0000000..81ddd9a --- /dev/null 
+++ b/hosts/nextcloud/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nextcloud.nix + ]; +} diff --git a/hosts/nextcloud/nextcloud.nix b/hosts/nextcloud/nextcloud.nix new file mode 100644 index 0000000..88aa605 --- /dev/null +++ b/hosts/nextcloud/nextcloud.nix @@ -0,0 +1,38 @@ +{ pkgs, config, ... }: +{ + services.nextcloud = { + enable = true; + package = pkgs.nextcloud27; + hostName = "cloud.nekover.se"; + https = true; + config = { + dbtype = "pgsql"; + adminpassFile = "/secrets/nextcloud-adminpass.secret"; + defaultPhoneRegion = "DE"; + }; + database.createLocally = true; + configureRedis = true; + extraAppsEnable = true; + extraApps = with config.services.nextcloud.package.packages.apps; { + inherit bookmarks contacts calendar tasks twofactor_webauthn; + }; + maxUploadSize = "16G"; + }; + + services.nginx.virtualHosts.${config.services.nextcloud.hostName} = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + }; +} diff --git a/hosts/nextcloud/secrets.nix b/hosts/nextcloud/secrets.nix new file mode 100644 index 0000000..785e179 --- /dev/null +++ b/hosts/nextcloud/secrets.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + deployment.keys."nextcloud-adminpass.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ]; + destDir = "/secrets"; + user = "nextcloud"; + group = "nextcloud"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix index 77d48ac..a72db45 100644 --- a/hosts/web-public-2/nginx.nix +++ b/hosts/web-public-2/nginx.nix 
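Review bot: `./secrets.nix` is created in this commit (defining `deployment.keys."nextcloud-adminpass.secret"`) but is not listed in these imports, so the key is never part of the nextcloud host's evaluation and `/secrets/nextcloud-adminpass.secret`, which nextcloud.nix passes as `adminpassFile`, will not be provisioned by Colmena unless the file is imported elsewhere or placed out of band. Add `./secrets.nix` to the imports list; the diffstat lists the file, so using it appears to be the intent. Separately, that key sets `user = "nextcloud"; group = "nextcloud";` with `uploadAt = "pre-activation"`, which may fail on a first deployment if the nextcloud user does not yet exist on the target — worth verifying.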
@@ -11,6 +11,7 @@ map $ssl_preread_server_name $address { anisync.grzb.de 127.0.0.1:8443; birdsite.nekover.se 127.0.0.1:8443; + cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; @@ -21,7 +22,6 @@ nextcloud.grzb.de 127.0.0.1:8443; nix-cache.nekover.se 10.202.41.121:8443; social.nekover.se 127.0.0.1:8443; - test.grzb.de 127.0.0.1:8443; } server { diff --git a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix index 87fcc68..8cbdcc9 100644 --- a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix +++ b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix @@ -15,7 +15,7 @@ proxyProtocol = true; }]; locations."/" = { - proxyPass = "http://nextcloud.vs.grzb.de:80"; + proxyPass = "http://nextcloud-grzb.vs.grzb.de:80"; }; locations."= /.well-known/carddav" = { return = "301 $scheme://$host/remote.php/dav"; From 31edbd4ca4c6abef5ae1533d6377cf508a1578df Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 214/386] Improve Proxmox backup image generation --- configuration/common/default.nix | 5 +++-- configuration/nixos-generators/default.nix | 21 +++++++++++++++++++ configuration/proxmox-vm/default.nix | 4 ++++ .../proxmox-vm/hardware-configuration.nix | 3 +++ flake.lock | 12 +++++------ hosts.nix | 1 - 6 files changed, 37 insertions(+), 9 deletions(-) diff --git a/configuration/common/default.nix b/configuration/common/default.nix index 1b2b085..e28c38a 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix 
@@ -58,11 +58,12 @@ [Unit] Description=print-public-ssh-host-key.service Before=getty@tty1.service + After=sshd.service [Service] Type=oneshot - ExecStart=/run/current-system/sw/bin/bash -c "/run/current-system/sw/bin/echo ----- ED25519 PUBLIC SSH HOST KEY -----\ - && /run/current-system/sw/bin/cut -d ' ' -f 1-2 /etc/ssh/ssh_host_ed25519_key.pub" + ExecStart=/run/current-system/sw/bin/bash -c "/run/current-system/sw/bin/echo -e \"----- ED25519 PUBLIC SSH HOST KEY -----\ + \n$(/run/current-system/sw/bin/cut -d ' ' -f 1-2 /etc/ssh/ssh_host_ed25519_key.pub)\"" RemainAfterExit=no StandardOutput=tty ''; diff --git a/configuration/nixos-generators/default.nix b/configuration/nixos-generators/default.nix index 2cda85e..e392d53 100644 --- a/configuration/nixos-generators/default.nix +++ b/configuration/nixos-generators/default.nix @@ -10,5 +10,26 @@ firewall.enable = true; }; + proxmox = { + qemuConf = { + ostype = "l26"; + cores = 2; + memory = 1024; + bios = "seabios"; + # Option not available in 23.05 + # diskSize = "8096"; + virtio0 = "local-zfs:base-disk-0,discard=on"; + boot = "order=virtio0"; + net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1"; + agent = true; + }; + qemuExtraConf = { + cpu = "cputype=host,flags=+aes"; + onboot = 1; + machine = "q35"; + template = 1; + }; + }; + system.stateVersion = "23.05"; } diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix index 47ed7df..4c5bc6e 100644 --- a/configuration/proxmox-vm/default.nix +++ b/configuration/proxmox-vm/default.nix @@ -1,5 +1,9 @@ { ... }: { + imports = [ + ./hardware-configuration.nix + ]; + # Enable console output on TTY1 and serial console boot.kernelParams = [ "console=tty1" diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/configuration/proxmox-vm/hardware-configuration.nix index 5fbbefa..0d9fa83 100644 --- a/configuration/proxmox-vm/hardware-configuration.nix +++ b/configuration/proxmox-vm/hardware-configuration.nix 
@@ -1,11 +1,14 @@ { config, lib, modulesPath, ... }: { + # hardware-configuration.nix copied and adapted from the default configuration generated by nixos-generators + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; boot = { initrd = { + # To use the VirtIO SCSI disks, add the "virtio_scsi" kernel module to availableKernelModules availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_blk" ]; kernelModules = [ ]; }; diff --git a/flake.lock b/flake.lock index 7668670..61c7311 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690726002, - "narHash": "sha256-cACz6jCJZtsZHGCJAN4vMobxzH5s6FCOTZHMrh/Hu0M=", + "lastModified": 1691016377, + "narHash": "sha256-Vvi49vIL2CzX5bsfE3qovcmzJpkfMo/Mx/coCbu5Jeo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "391e8db1f06c3f74c2d313a73135515023af3993", + "rev": "ad73028def6716978adaec5b0b7706edc611a83e", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1690738238, - "narHash": "sha256-yUFU7PGQzOEDX2Y64QV7xNHkn3RjkOTqvZ5oW5gbgGY=", + "lastModified": 1691071044, + "narHash": "sha256-bYBWtupK/NO/diSpye8TP1E0IC7wj29y2q6blD0FtPk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6376df481833e5f2e83eade8d8f2d04beed007d0", + "rev": "2a1f1797be6e4125ade0be6ac32bb70106ff7245", "type": "github" }, "original": { diff --git a/hosts.nix b/hosts.nix index 1116370..ab1de0e 100644 --- a/hosts.nix +++ b/hosts.nix @@ -4,7 +4,6 @@ let environments = { "proxmox" = [ ./configuration/proxmox-vm - ./configuration/proxmox-vm/hardware-configuration.nix ]; }; generateDefaults = hosts: builtins.mapAttrs (name: { From aac12a22fdd7c597b8ea7ddf85c6a804d2e7fe71 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 215/386] Set boot.growPartition = true --- configuration/proxmox-vm/default.nix | 6 ------ configuration/proxmox-vm/hardware-configuration.nix | 10 +++++++++- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix index 4c5bc6e..42fc9c9 100644 --- a/configuration/proxmox-vm/default.nix +++ b/configuration/proxmox-vm/default.nix @@ -4,11 +4,5 @@ ./hardware-configuration.nix ]; - # Enable console output on TTY1 and serial console - boot.kernelParams = [ - "console=tty1" - "console=ttyS0,115200" - ]; - services.qemuGuest.enable = true; } diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/configuration/proxmox-vm/hardware-configuration.nix index 0d9fa83..3d4a237 100644 --- a/configuration/proxmox-vm/hardware-configuration.nix +++ b/configuration/proxmox-vm/hardware-configuration.nix @@ -15,12 +15,20 @@ kernelModules = [ "kvm-amd" ]; extraModulePackages = [ ]; + + # Enable console output on TTY1 and serial console + kernelParams = [ + "console=tty1" + "console=ttyS0,115200" + ]; + + growPartition = true; }; fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; - options = [ "x-nixos.autoresize" "x-initrd.mount" ]; + autoResize = true; }; swapDevices = [ ]; From 9712f9a9d28a1c2bf4122bad19dbd69326b5056d Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:39 +0100 Subject: [PATCH 216/386] Add SMTP configuration to nextcloud and use an additional disk for the data --- hosts/nextcloud/default.nix | 1 + hosts/nextcloud/hardware-configuration.nix | 10 +++++ hosts/nextcloud/nextcloud.nix | 49 +++++++++++++++------- hosts/nextcloud/secrets.nix | 24 +++++++---- 4 files changed, 62 insertions(+), 22 deletions(-) create mode 100644 hosts/nextcloud/hardware-configuration.nix diff --git a/hosts/nextcloud/default.nix b/hosts/nextcloud/default.nix index 81ddd9a..9677aef 100644 
--- a/hosts/nextcloud/default.nix +++ b/hosts/nextcloud/default.nix @@ -2,6 +2,7 @@ { imports = [ ./configuration.nix + ./hardware-configuration.nix ./nextcloud.nix ]; } diff --git a/hosts/nextcloud/hardware-configuration.nix b/hosts/nextcloud/hardware-configuration.nix new file mode 100644 index 0000000..89fc191 --- /dev/null +++ b/hosts/nextcloud/hardware-configuration.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + fileSystems."/var/lib/nextcloud/data" = { + device = "/dev/vdb"; + fsType = "ext4"; + autoFormat = true; + autoResize = true; + options = [ "X-mount.owner=nextcloud" "X-mount.group=nextcloud" ]; + }; +} diff --git a/hosts/nextcloud/nextcloud.nix b/hosts/nextcloud/nextcloud.nix index 88aa605..e6cb567 100644 --- a/hosts/nextcloud/nextcloud.nix +++ b/hosts/nextcloud/nextcloud.nix @@ -17,22 +17,41 @@ inherit bookmarks contacts calendar tasks twofactor_webauthn; }; maxUploadSize = "16G"; + extraOptions = { + mail_smtpmode = "smtp"; + mail_sendmailmode = "smtp"; + mail_smtpsecure = "ssl"; + mail_from_address = "cloud"; + mail_domain = "nekover.se"; + mail_smtpauthtype = "LOGIN"; + mail_smtpauth = 1; + mail_smtphost = "mail.grzb.de"; + mail_smtpport = 465; + mail_smtpname = "nextcloud"; + }; + secretFile = "/secrets/nextcloud-secretfile.secret"; }; - services.nginx.virtualHosts.${config.services.nextcloud.hostName} = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + services.nginx = { + virtualHosts.${config.services.nextcloud.hostName} = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + extraConfig = '' + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; }; } 
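Review bot: In the new hosts/nextcloud/hardware-configuration.nix, `autoFormat = true` is paired with `device = "/dev/vdb"`, a name assigned by bus enumeration rather than a stable identifier. If the disk order ever changes or the data disk is detached, the mount either fails or, worse, a different blank device that lands at that path is formatted and mounted as the Nextcloud data directory. Prefer a stable path such as `/dev/disk/by-id/<DISK-ID>` (placeholder) or a label, as the root filesystem elsewhere in this repo already does with `/dev/disk/by-label/nixos`, and consider dropping `autoFormat` once the disk has been initialised. The `set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol;` pair added to nextcloud.nix is the right way to recover client addresses behind the stream proxy and is the pattern the other proxy-protocol vhosts should follow.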
diff --git a/hosts/nextcloud/secrets.nix b/hosts/nextcloud/secrets.nix index 785e179..c4a91b9 100644 --- a/hosts/nextcloud/secrets.nix +++ b/hosts/nextcloud/secrets.nix @@ -1,11 +1,21 @@ { ... }: { - deployment.keys."nextcloud-adminpass.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ]; - destDir = "/secrets"; - user = "nextcloud"; - group = "nextcloud"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "nextcloud-adminpass.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ]; + destDir = "/secrets"; + user = "nextcloud"; + group = "nextcloud"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "nextcloud-secretfile.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/secretfile" ]; + destDir = "/secrets"; + user = "nextcloud"; + group = "nextcloud"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } From 742b5e69e9921b2655d6763a2d459c1bc7448b7d Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 217/386] Restrict allowedTCPPorts to port 8443 --- hosts/nextcloud/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/nextcloud/configuration.nix b/hosts/nextcloud/configuration.nix index da63943..737eeae 100644 --- a/hosts/nextcloud/configuration.nix +++ b/hosts/nextcloud/configuration.nix @@ -9,7 +9,7 @@ hostName = "nextcloud"; firewall = { enable = true; - allowedTCPPorts = [ 80 443 8443 ]; + allowedTCPPorts = [ 8443 ]; }; }; From 1b62b6b7a5e8473d8dab1bcef22fc5f5a22befd3 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 218/386] Fix hostname --- hosts/web-nonpublic-linuxcrewd/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/web-nonpublic-linuxcrewd/configuration.nix b/hosts/web-nonpublic-linuxcrewd/configuration.nix index 56a3254..7f9396b 100644 --- a/hosts/web-nonpublic-linuxcrewd/configuration.nix +++ b/hosts/web-nonpublic-linuxcrewd/configuration.nix @@ -6,7 +6,7 @@ }; networking = { - hostName = "web-public-2"; + hostName = "web-nonpublic-linuxcrewd"; firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; From 19bd3a211216f886419e63b2ae916cd2f597a356 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 219/386] Add netbox host --- hosts.nix | 3 ++ hosts/netbox/configuration.nix | 17 +++++++++++ hosts/netbox/default.nix | 8 +++++ hosts/netbox/netbox.nix | 7 +++++ hosts/netbox/nginx.nix | 29 +++++++++++++++++++ hosts/netbox/secrets.nix | 11 +++++++ .../virtualHosts/acme-challenge.nix | 9 ++++++ 7 files changed, 84 insertions(+) create mode 100644 hosts/netbox/configuration.nix create mode 100644 hosts/netbox/default.nix create mode 100644 hosts/netbox/netbox.nix create mode 100644 hosts/netbox/nginx.nix create mode 100644 hosts/netbox/secrets.nix diff --git a/hosts.nix b/hosts.nix index ab1de0e..9c83870 100644 --- a/hosts.nix +++ b/hosts.nix @@ -37,6 +37,9 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; + netbox = { + site = "vs"; + }; nextcloud = { hostNixpkgs = nixpkgs-unstable; site = "vs"; diff --git a/hosts/netbox/configuration.nix b/hosts/netbox/configuration.nix new file mode 100644 index 0000000..5bf8422 --- /dev/null +++ b/hosts/netbox/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "netbox"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} 
diff --git a/hosts/netbox/default.nix b/hosts/netbox/default.nix new file mode 100644 index 0000000..5dd147b --- /dev/null +++ b/hosts/netbox/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./netbox.nix + ./nginx.nix + ]; +} diff --git a/hosts/netbox/netbox.nix b/hosts/netbox/netbox.nix new file mode 100644 index 0000000..32e37e4 --- /dev/null +++ b/hosts/netbox/netbox.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + services.netbox = { + enable = true; + secretKeyFile = "/secrets/netbox-secret-key.secret"; + }; +} diff --git a/hosts/netbox/nginx.nix b/hosts/netbox/nginx.nix new file mode 100644 index 0000000..a2d1782 --- /dev/null +++ b/hosts/netbox/nginx.nix @@ -0,0 +1,29 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + clientMaxBodySize = "25m"; + user = "netbox"; + virtualHosts."netbox.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/static/" = { + alias = "${config.services.netbox.dataDir}/static/"; + }; + locations."/" = { + proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; + }; + }; + }; +} diff --git a/hosts/netbox/secrets.nix b/hosts/netbox/secrets.nix new file mode 100644 index 0000000..e31c666 --- /dev/null +++ b/hosts/netbox/secrets.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + deployment.keys."netbox-secret-key.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "netbox/secret-key" ]; + destDir = "/secrets"; + user = "netbox"; + group = "netbox"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix index d16de8f..9dc3b4b 100644 --- a/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix 
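Review bot: hosts/netbox/nginx.nix sets `user = "netbox"`, so the nginx worker processes run as the application user; with `/secrets/netbox-secret-key.secret` deployed as `netbox:netbox` with mode `0640` in the secrets.nix of the same commit, a compromised nginx worker can read NetBox's secret key and everything else under its data directory. If the only reason is serving `${config.services.netbox.dataDir}/static/`, the least-privilege alternative is to keep nginx's own user and grant group read access instead, e.g. `users.users.nginx.extraGroups = [ "netbox" ];` together with a group-readable static directory. Either way, a comment stating why nginx runs as `netbox` would keep the next reader from removing it without understanding the dependency.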
@@ -9,4 +9,13 @@ proxyPass = "http://jellyfin.vs.grzb.de:80"; }; }; + services.nginx.virtualHosts."netbox.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://netbox.vs.grzb.de:80"; + }; + }; } From f22ccdad10ad7c40d1467ac1d0215dca8e9673b7 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 220/386] Enable proxyprotocol for nitter host --- hosts.nix | 1 + hosts/nitter/configuration.nix | 5 ++- hosts/nitter/nginx.nix | 44 +++++++++---------- hosts/nitter/nitter.nix | 2 +- hosts/web-public-2/nginx.nix | 2 +- .../virtualHosts/birdsite.nekover.se.nix | 26 ----------- hosts/web-public-2/virtualHosts/default.nix | 1 - 7 files changed, 29 insertions(+), 52 deletions(-) delete mode 100644 hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix diff --git a/hosts.nix b/hosts.nix index 9c83870..8a451d1 100644 --- a/hosts.nix +++ b/hosts.nix @@ -45,6 +45,7 @@ in site = "vs"; }; nitter = { + hostNixpkgs = nixpkgs-unstable; site = "vs"; }; nixos-coturn = { diff --git a/hosts/nitter/configuration.nix b/hosts/nitter/configuration.nix index a7002d0..bc54db7 100644 --- a/hosts/nitter/configuration.nix +++ b/hosts/nitter/configuration.nix @@ -7,7 +7,10 @@ networking = { hostName = "nitter"; - firewall.enable = false; + firewall = { + enable = true; + allowedTCPPorts = [ 8443 ]; + }; }; system.stateVersion = "23.05"; diff --git a/hosts/nitter/nginx.nix b/hosts/nitter/nginx.nix index cdec9b4..d0f47ed 100644 --- a/hosts/nitter/nginx.nix +++ b/hosts/nitter/nginx.nix 
@@ -1,28 +1,28 @@ -{ ... }: +{ config, ... }: { services.nginx = { enable = true; - enableReload = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - virtualHosts = { - "nixos-nitter.vs.grzb.de" = { - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: /\\n\""; - }; - - locations."/" = { - proxyPass = "http://localhost:8080"; - extraConfig = - "proxy_http_version 1.1;" + - "proxy_set_header Upgrade $http_upgrade;" + - "proxy_set_header Connection \"upgrade\";" + - "proxy_set_header Host $host;" - ; - }; + virtualHosts."birdsite.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "localhost"; + port = 1234; + } # workaround for enableACME check + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: /\\n\""; + }; + locations."/" = { + proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}"; + proxyWebsockets = true; }; }; }; diff --git a/hosts/nitter/nitter.nix b/hosts/nitter/nitter.nix index 301a7ca..94165c4 100644 --- a/hosts/nitter/nitter.nix +++ b/hosts/nitter/nitter.nix @@ -6,7 +6,7 @@ server = { title = "Birdsite"; https = true; - address = "0.0.0.0"; + address = "127.0.0.1"; port = 8080; hostname = "birdsite.nekover.se"; }; diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix index a72db45..713a09d 100644 --- a/hosts/web-public-2/nginx.nix +++ b/hosts/web-public-2/nginx.nix @@ -10,7 +10,7 @@ streamConfig = '' map $ssl_preread_server_name $address { anisync.grzb.de 127.0.0.1:8443; - birdsite.nekover.se 127.0.0.1:8443; + birdsite.nekover.se 10.202.41.107:8443; cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443; 
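Review bot: The rewritten hosts/nitter/nginx.nix enables `proxyProtocol = true` on the 8443 listener but, unlike hosts/nextcloud/nextcloud.nix from PATCH 216, adds no `set_real_ip_from` / `real_ip_header proxy_protocol`, so `$remote_addr` in access logs and any per-client limits will show the stream proxy instead of the real client. Adding `extraConfig = '' set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; '';` to the vhost would match the nextcloud host. Separately, `enableACME = true` needs an HTTP-01 path: the host's firewall now opens only 8443 (hosts/nitter/configuration.nix earlier in this patch) and no port-80 listener or acme-challenge.nix entry for birdsite.nekover.se is visible here, so unless validation is handled in configuration not on this page, renewals for this vhost will fail.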
diff --git a/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix deleted file mode 100644 index a043d8e..0000000 --- a/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ ... }: -{ - services.nginx.virtualHosts."birdsite.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://nitter.vs.grzb.de:8080"; - proxyWebsockets = true; - }; - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: /\\n\""; - }; - }; -} diff --git a/hosts/web-public-2/virtualHosts/default.nix b/hosts/web-public-2/virtualHosts/default.nix index c5ec5ef..06d0bfd 100644 --- a/hosts/web-public-2/virtualHosts/default.nix +++ b/hosts/web-public-2/virtualHosts/default.nix @@ -3,7 +3,6 @@ imports = [ ./acme-challenge.nix ./anisync.grzb.de.nix - ./birdsite.nekover.se.nix ./element.nekover.se.nix ./gameserver.grzb.de.nix ./git.grzb.de.nix From 1ba819ed85cbd2b0aa5b6cfd21175000d0766d65 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 221/386] Increase opcache.interned_strings_buffer PHP option --- hosts/nextcloud/nextcloud.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/nextcloud/nextcloud.nix b/hosts/nextcloud/nextcloud.nix index e6cb567..d09b0fb 100644 --- a/hosts/nextcloud/nextcloud.nix +++ b/hosts/nextcloud/nextcloud.nix @@ -29,7 +29,12 @@ mail_smtpport = 465; mail_smtpname = "nextcloud"; }; + # Only contains mail_smtppassword secretFile = "/secrets/nextcloud-secretfile.secret"; + phpOptions = { + # The amount of memory for interned strings in Mbytes + "opcache.interned_strings_buffer" = "64"; + }; }; services.nginx = { From a63d5661b6322892ace3367edfa10a90d828e80b Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 222/386] WIP grafana --- hosts.nix | 3 ++ hosts/metrics/configuration.nix | 17 +++++++++++ hosts/metrics/default.nix | 9 ++++++ hosts/metrics/grafana.nix | 28 +++++++++++++++++++ hosts/metrics/nginx.nix | 26 +++++++++++++++++ hosts/metrics/prometheus.nix | 6 ++++ hosts/metrics/secrets.nix | 19 +++++++++++++ .../virtualHosts/acme-challenge.nix | 9 ++++++ 8 files changed, 117 insertions(+) create mode 100644 hosts/metrics/configuration.nix create mode 100644 hosts/metrics/default.nix create mode 100644 hosts/metrics/grafana.nix create mode 100644 hosts/metrics/nginx.nix create mode 100644 hosts/metrics/prometheus.nix create mode 100644 hosts/metrics/secrets.nix diff --git a/hosts.nix b/hosts.nix index 8a451d1..cb5887a 100644 --- a/hosts.nix +++ b/hosts.nix @@ -37,6 +37,9 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; + metrics = { + site = "vs"; + }; netbox = { site = "vs"; }; diff --git a/hosts/metrics/configuration.nix b/hosts/metrics/configuration.nix new file mode 100644 index 0000000..c051c2d --- /dev/null +++ b/hosts/metrics/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "metrics"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/metrics/default.nix b/hosts/metrics/default.nix new file mode 100644 index 0000000..ef5c25c --- /dev/null +++ b/hosts/metrics/default.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./grafana.nix + ./prometheus.nix + ./nginx.nix + ]; +} diff --git a/hosts/metrics/grafana.nix b/hosts/metrics/grafana.nix new file mode 100644 index 0000000..c3ca63f --- /dev/null +++ b/hosts/metrics/grafana.nix 
@@ -0,0 +1,28 @@ +{ ... }: +{ + services.grafana = { + enable = true; + settings = { + server = { + domain = "grafana2.grzb.de"; + root_url = "https://grafana2.grzb.de"; + }; + security = { + cookie_secure = true; + cookie_samesite = "strict"; + admin_user = "yuri"; + admin_password = "$__file{/secrets/metrics-grafana-admin-password.secret}"; + admin_email = "yuri@nekover.se"; + }; + smtp = { + enabled = true; + host = "mail.grzb.de:465"; + user = "grafana"; + password = "$__file{/secrets/metrics-grafana-smtp-password.secret}"; + from_address = "grafana@robot.grzb.de"; + from_name = "Grafana"; + startTLS_policy = "NoStartTLS"; + }; + }; + }; +} diff --git a/hosts/metrics/nginx.nix b/hosts/metrics/nginx.nix new file mode 100644 index 0000000..660d06c --- /dev/null +++ b/hosts/metrics/nginx.nix @@ -0,0 +1,26 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + virtualHosts = { + "grafana2.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + }; + }; + }; + }; +} diff --git a/hosts/metrics/prometheus.nix b/hosts/metrics/prometheus.nix new file mode 100644 index 0000000..5c0d6a5 --- /dev/null +++ b/hosts/metrics/prometheus.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.prometheus = { + enable = true; + }; +} diff --git a/hosts/metrics/secrets.nix b/hosts/metrics/secrets.nix new file mode 100644 index 0000000..43b06b3 --- /dev/null +++ b/hosts/metrics/secrets.nix 
@@ -0,0 +1,19 @@ +{ ... }: +{ + deployment.keys."metrics-grafana-admin-password.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/admin-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."metrics-grafana-smtp-password.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/smtp-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix index 9dc3b4b..2edecfd 100644 --- a/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -18,4 +18,13 @@ proxyPass = "http://netbox.vs.grzb.de:80"; }; }; + services.nginx.virtualHosts."grafana2.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://metrics.vs.grzb.de:80"; + }; + }; } From 001a71090368b80f26f1f98b2e5c8f28ee69a130 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 223/386] Add metrics host with Grafana and Prometheus --- flake.nix | 8 ++++++-- helper.nix | 4 ++-- hosts/metrics/grafana.nix | 14 +++++++++++--- hosts/metrics/nginx.nix | 3 ++- hosts/metrics/prometheus.nix | 15 ++++++++++++++- .../web-public-2/virtualHosts/acme-challenge.nix | 2 +- 6 files changed, 36 insertions(+), 10 deletions(-) diff --git a/flake.nix b/flake.nix index 90ed283..2e5abe8 100644 --- a/flake.nix +++ b/flake.nix 
@@ -10,7 +10,7 @@ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let hosts = import ./hosts.nix inputs; - helper = import ./helper.nix inputs; + helper = import ./helper.nix inputs; in { colmena = { meta = { @@ -23,11 +23,15 @@ # The default is "nixpkgs" for "x86_64-linux" systems, # but it is overridden by the host-specific "hostNixpkgs" and "system" attributes. nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; + + specialArgs = { + inherit hosts; + }; }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts; hydraJobs = { - nixConfigurations = builtins.mapAttrs (helper.generateNixConfiguration) hosts; + nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts; }) hosts; }; # Generate a base VM image for Proxmox with `nix build .#base-proxmox` diff --git a/helper.nix b/helper.nix index 2188959..360b356 100644 --- a/helper.nix +++ b/helper.nix @@ -14,7 +14,7 @@ imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix; }; - generateNixConfiguration = name: { + generateNixConfiguration = name: specialArgs: { hostNixpkgs, system, modules, @@ -26,6 +26,6 @@ filter = name: host: (builtins.substring 0 1 name) != "_"; in (nixpkgs.lib.filterAttrs filter (hostNixpkgs.lib.nixosSystem { - inherit system modules; + inherit system modules specialArgs; })).config.system.build.toplevel; # Builds the entire NixOS system, see: https://nixos.org/manual/nixos/stable/#sec-building-parts } diff --git a/hosts/metrics/grafana.nix b/hosts/metrics/grafana.nix index c3ca63f..7cf4dcf 100644 --- a/hosts/metrics/grafana.nix +++ b/hosts/metrics/grafana.nix 
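Review bot: In the flake.nix `hydraJobs` hunk, the lambda passed to `builtins.mapAttrs` names its first parameter `host`, but `mapAttrs` supplies the attribute name in that position and the host attrset as the second argument, which `helper.generateNixConfiguration host { inherit hosts; }` then consumes; the code is correct but the name misleads, and `name:` would match the `name: specialArgs:` signature introduced in helper.nix in the same commit. The change to the `helper = import ./helper.nix inputs;` line in the first hunk appears to be whitespace-only and could be dropped from the commit if so.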
@@ -1,11 +1,11 @@ -{ ... }: +{ config, ... }: { services.grafana = { enable = true; settings = { server = { - domain = "grafana2.grzb.de"; - root_url = "https://grafana2.grzb.de"; + domain = "grafana.grzb.de"; + root_url = "https://${config.services.grafana.settings.server.domain}"; }; security = { cookie_secure = true; @@ -24,5 +24,13 @@ startTLS_policy = "NoStartTLS"; }; }; + provision.datasources.settings.datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:${builtins.toString config.services.prometheus.port}"; + isDefault = true; + } + ]; }; } diff --git a/hosts/metrics/nginx.nix b/hosts/metrics/nginx.nix index 660d06c..9e31454 100644 --- a/hosts/metrics/nginx.nix +++ b/hosts/metrics/nginx.nix @@ -3,7 +3,7 @@ services.nginx = { enable = true; virtualHosts = { - "grafana2.grzb.de" = { + ${config.services.grafana.settings.server.domain} = { forceSSL = true; enableACME = true; listen = [ @@ -19,6 +19,7 @@ ]; locations."/" = { proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + proxyWebsockets = true; }; }; }; diff --git a/hosts/metrics/prometheus.nix b/hosts/metrics/prometheus.nix index 5c0d6a5..c4b45b1 100644 --- a/hosts/metrics/prometheus.nix +++ b/hosts/metrics/prometheus.nix @@ -1,6 +1,19 @@ -{ ... }: +{ hosts, ... }: { services.prometheus = { enable = true; + scrapeConfigs = [ + { + job_name = "node"; + static_configs = builtins.map (name: { + targets = [ + "${name}.${hosts.${name}.site}.grzb.de:9100" + ]; + labels = { + host = "${name}.${hosts.${name}.site}.grzb.de"; + }; + }) (builtins.attrNames hosts); + } + ]; }; } diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix index 2edecfd..82540d8 100644 --- a/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix 
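Review bot: The `scrapeConfigs` added in hosts/metrics/prometheus.nix generate a `node` target `${name}.${site}.grzb.de:9100` for every entry in hosts.nix, yet nothing in this series enables `services.prometheus.exporters.node` on the hosts or opens port 9100 in the per-host firewalls, which list explicit ports (e.g. `allowedTCPPorts = [ 8443 ]` on the nextcloud and nitter hosts). Unless that is done in configuration not part of this page, every target will be down and the job will only ever alert on itself. A short comment naming where the exporter is enabled, or a filter over hosts that opt in, would make the contract explicit. Scraping is plain HTTP over the internal site network, which is acceptable only if 9100 is reachable solely from the metrics host, something the per-host firewalls should enforce rather than leave implicit.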
@@ -18,7 +18,7 @@ proxyPass = "http://netbox.vs.grzb.de:80"; }; }; - services.nginx.virtualHosts."grafana2.grzb.de" = { + services.nginx.virtualHosts."grafana.grzb.de" = { listen = [{ addr = "0.0.0.0"; port = 80; From 3f36a01a5a4ac279706e49edba340977a95685e0 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 224/386] Rename nixos-coturn to coturn and finish config --- hosts.nix | 2 +- hosts/coturn/acme.nix | 10 +++++++++ hosts/coturn/configuration.nix | 22 +++++++++++++++++++ hosts/{nixos-coturn => coturn}/coturn.nix | 12 +++++----- hosts/{nixos-coturn => coturn}/default.nix | 1 + hosts/{nixos-coturn => coturn}/secrets.nix | 0 hosts/nixos-coturn/configuration.nix | 14 ------------ .../virtualHosts/acme-challenge.nix | 9 ++++++++ 8 files changed, 49 insertions(+), 21 deletions(-) create mode 100644 hosts/coturn/acme.nix create mode 100644 hosts/coturn/configuration.nix rename hosts/{nixos-coturn => coturn}/coturn.nix (82%) rename hosts/{nixos-coturn => coturn}/default.nix (82%) rename hosts/{nixos-coturn => coturn}/secrets.nix (100%) delete mode 100644 hosts/nixos-coturn/configuration.nix diff --git a/hosts.nix b/hosts.nix index cb5887a..ff6d3f3 100644 --- a/hosts.nix +++ b/hosts.nix @@ -51,7 +51,7 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; - nixos-coturn = { + coturn = { site = "vs"; }; tor-relay = { diff --git a/hosts/coturn/acme.nix b/hosts/coturn/acme.nix new file mode 100644 index 0000000..69fe89d --- /dev/null +++ b/hosts/coturn/acme.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + security.acme.certs = { + "turn.nekover.se" = { + listenHTTP = ":80"; + group = "turnserver"; + reloadServices = [ "coturn.service" ]; + }; + }; +} diff --git a/hosts/coturn/configuration.nix b/hosts/coturn/configuration.nix new file mode 100644 index 0000000..cb59fb9 --- /dev/null +++ b/hosts/coturn/configuration.nix 
@@ -0,0 +1,22 @@ +{ config, ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "coturn"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 3478 5349 ]; + allowedUDPPorts = [ 3478 5349 ]; + allowedUDPPortRanges = [{ + from = config.services.coturn.min-port; + to = config.services.coturn.max-port; + }]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/nixos-coturn/coturn.nix b/hosts/coturn/coturn.nix similarity index 82% rename from hosts/nixos-coturn/coturn.nix rename to hosts/coturn/coturn.nix index c85dcba..719c872 100644 --- a/hosts/nixos-coturn/coturn.nix +++ b/hosts/coturn/coturn.nix @@ -1,17 +1,17 @@ -{ ... }: +{ config, ... }: { services.coturn = { enable = true; - min-port = 49200; max-port = 49500; use-auth-secret = true; static-auth-secret-file = "/secrets/static-auth-secret.secret"; realm = "turn.nekover.se"; - cert = "/certs/turn.nekover.se/fullchain.pem"; - pkey = "/certs/turn.nekover.se/key.pem"; + cert = "${config.security.acme.certs."turn.nekover.se".directory}/fullchain.pem"; + pkey = "${config.security.acme.certs."turn.nekover.se".directory}/key.pem"; no-tcp-relay = true; - extraConfig = " + no-cli = true; + extraConfig = '' external-ip=170.133.2.81/10.202.41.118 prometheus syslog @@ -40,6 +40,6 @@ user-quota=12 total-quota=1200 - "; + ''; }; } diff --git a/hosts/nixos-coturn/default.nix b/hosts/coturn/default.nix similarity index 82% rename from hosts/nixos-coturn/default.nix rename to hosts/coturn/default.nix index 1036572..bc32a3d 100644 --- a/hosts/nixos-coturn/default.nix +++ b/hosts/coturn/default.nix @@ -2,6 +2,7 @@ { imports = [ ./configuration.nix + ./acme.nix ./coturn.nix ]; } diff --git a/hosts/nixos-coturn/secrets.nix b/hosts/coturn/secrets.nix similarity index 100% rename from hosts/nixos-coturn/secrets.nix rename to hosts/coturn/secrets.nix 
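Review bot: In hosts/coturn/coturn.nix, `min-port = 49200` is removed while `max-port = 49500` stays, so the relay range now begins at the module default (49152, if I recall the NixOS coturn module correctly) instead of 49200; the firewall in configuration.nix follows it through `config.services.coturn.min-port`, so it stays consistent, but the widening is silent. If the default is intended, a comment such as `# min-port left at the module default; max-port caps the relay range` next to `max-port` would make that explicit, otherwise restore the explicit `min-port`. `no-cli = true` and the ACME-managed `cert`/`pkey` paths, alongside the existing `static-auth-secret-file`, are the right hardening choices here.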
diff --git a/hosts/nixos-coturn/configuration.nix b/hosts/nixos-coturn/configuration.nix deleted file mode 100644 index 094f157..0000000 --- a/hosts/nixos-coturn/configuration.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "coturn"; - firewall.enable = false; - }; - - system.stateVersion = "23.05"; -} diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix index 82540d8..6ec8d36 100644 --- a/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -27,4 +27,13 @@ proxyPass = "http://metrics.vs.grzb.de:80"; }; }; + services.nginx.virtualHosts."turn.nekover.se" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://coturn.vs.grzb.de:80"; + }; + }; } From 221a596e27dbbaf120619469dcb433e9b33eea72 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 225/386] Bump flake.lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 61c7311..8c5ec2a 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1691016377, - "narHash": "sha256-Vvi49vIL2CzX5bsfE3qovcmzJpkfMo/Mx/coCbu5Jeo=", + "lastModified": 1691406141, + "narHash": "sha256-5GME9kMEiPix0R383spkuYYvtmnYHxS1/0Q+ki6W8Gs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ad73028def6716978adaec5b0b7706edc611a83e", + "rev": "9ba5e0b04727309ed8583079a3eaefd0290c7a2b", "type": "github" }, "original": { 
@@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1691071044, - "narHash": "sha256-bYBWtupK/NO/diSpye8TP1E0IC7wj29y2q6blD0FtPk=", + "lastModified": 1691420187, + "narHash": "sha256-FTrMlGQqHViHbOPkI0JCNxMysxnPw1UA0+SiL4+Wafc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2a1f1797be6e4125ade0be6ac32bb70106ff7245", + "rev": "b367b9cf872c8de59d2379330dfe4f541f3ba5cc", "type": "github" }, "original": { From 2c160015e6ccdc39e65de05c72889681e6bbd971 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 226/386] Only run pipeline when specific RUN_JOB variable value is set --- .gitlab-ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8cb05b5..4c519b6 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -8,6 +8,8 @@ stages: update_flake_lock: stage: update_flake_lock + rules: + - if: $RUN_JOB == "update_flake_lock" script: - nix flake update --extra-experimental-features nix-command --extra-experimental-features flakes artifacts: @@ -16,6 +18,8 @@ update_flake_lock: apply: stage: apply + rules: + - if: $RUN_JOB == "deploy" script: - nix-env --install colmena - eval $(ssh-agent -s) @@ -30,6 +34,8 @@ apply: commit_flake: stage: commit_flake + rules: + - if: $RUN_JOB == "update_flake_lock" variables: GIT_AUTHOR_EMAIL: $GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME: $GIT_AUTHOR_NAME From a81093890cf175682bcdc11be1fe80c133c26ca6 Mon Sep 17 00:00:00 2001 
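Review bot: `- if: $RUN_JOB == "deploy"` gates the `apply` job on a pipeline variable alone, so anyone who can start a pipeline with `RUN_JOB=deploy` set triggers a deployment that loads SSH keys into an agent; tie it to a protected ref as well, e.g. `- if: $RUN_JOB == "deploy" && $CI_COMMIT_REF_PROTECTED == "true"`, and keep the key variables marked protected so pipelines on unprotected branches cannot read them. The `update_flake_lock` and `commit_flake` hunks use the same pattern; the latter pushes commits, so the same restriction is worth applying there. Each job's body continues outside the hunks.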
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 227/386] Add matrix-synapse host --- flake.lock | 12 +++---- hosts.nix | 3 ++ hosts/matrix/configuration.nix | 17 +++++++++ hosts/matrix/default.nix | 10 ++++++ hosts/matrix/hardware-configuration.nix | 21 +++++++++++ hosts/matrix/matrix-synapse.nix | 36 +++++++++++++++++++ hosts/matrix/nginx.nix | 35 ++++++++++++++++++ hosts/matrix/postgresql.nix | 13 +++++++ hosts/matrix/secrets.nix | 35 ++++++++++++++++++ hosts/web-public-2/nginx.nix | 2 +- .../virtualHosts/acme-challenge.nix | 9 +++++ hosts/web-public-2/virtualHosts/default.nix | 1 - .../virtualHosts/matrix.nekover.se.nix | 33 ----------------- 13 files changed, 186 insertions(+), 41 deletions(-) create mode 100644 hosts/matrix/configuration.nix create mode 100644 hosts/matrix/default.nix create mode 100644 hosts/matrix/hardware-configuration.nix create mode 100644 hosts/matrix/matrix-synapse.nix create mode 100644 hosts/matrix/nginx.nix create mode 100644 hosts/matrix/postgresql.nix create mode 100644 hosts/matrix/secrets.nix delete mode 100644 hosts/web-public-2/virtualHosts/matrix.nekover.se.nix diff --git a/flake.lock b/flake.lock index 8c5ec2a..61995d3 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1691406141, - "narHash": "sha256-5GME9kMEiPix0R383spkuYYvtmnYHxS1/0Q+ki6W8Gs=", + "lastModified": 1693183237, + "narHash": "sha256-c7OtyBkZ/vZE/WosBpRGRtkbWZjDHGJP7fg1FyB9Dsc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9ba5e0b04727309ed8583079a3eaefd0290c7a2b", + "rev": "ea5234e7073d5f44728c499192544a84244bf35a", "type": "github" }, "original": { 
@@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1691420187, - "narHash": "sha256-FTrMlGQqHViHbOPkI0JCNxMysxnPw1UA0+SiL4+Wafc=", + "lastModified": 1693184707, + "narHash": "sha256-MqCT/wuRKC79QJKlYhdfkUNerPcm63vZLd6P7lZGC0M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b367b9cf872c8de59d2379330dfe4f541f3ba5cc", + "rev": "48516a891d020801bc5304375739d2604400c741", "type": "github" }, "original": { diff --git a/hosts.nix b/hosts.nix index ff6d3f3..d608e79 100644 --- a/hosts.nix +++ b/hosts.nix @@ -37,6 +37,9 @@ in hostNixpkgs = nixpkgs-unstable; site = "vs"; }; + matrix = { + site = "vs"; + }; metrics = { site = "vs"; }; diff --git a/hosts/matrix/configuration.nix b/hosts/matrix/configuration.nix new file mode 100644 index 0000000..9ffa4c6 --- /dev/null +++ b/hosts/matrix/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "matrix"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 8443 8448 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix new file mode 100644 index 0000000..27528b7 --- /dev/null +++ b/hosts/matrix/default.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ./postgresql.nix + ./matrix-synapse.nix + ./nginx.nix + ]; +} diff --git a/hosts/matrix/hardware-configuration.nix b/hosts/matrix/hardware-configuration.nix new file mode 100644 index 0000000..d014f39 --- /dev/null +++ b/hosts/matrix/hardware-configuration.nix 
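Review bot: `allowedTCPPorts = [ 80 8443 8448 ]` opens three ports with different roles — 80 appears to exist only for the ACME challenge proxied from web-public-2, 8443 is the PROXY-protocol listener meant for web-public-2 (10.202.41.100 per the nginx hunk), and 8448 is the public federation port — but nothing records that, and the NixOS firewall cannot limit 80/8443 to one source without `extraCommands`. A comment such as `# 80: ACME http-01 via web-public-2; 8443: proxy_protocol from web-public-2 only; 8448: federation` would preserve the intent. If the network layout allows, restricting 80 and 8443 to the proxy's address via `networking.firewall.extraCommands` keeps the PROXY-protocol path from being reachable by other hosts on the segment.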
@@ -0,0 +1,21 @@
+{ config, ... }:
+{
+ fileSystems."/mnt/data" = {
+ device = "/dev/disk/by-label/data";
+ fsType = "ext4";
+ autoFormat = true;
+ autoResize = true;
+ };
+ fileSystems."/var/lib/matrix-synapse/media_store" = {
+ depends = [ "/mnt/data" ];
+ device = "/mnt/data/media_store";
+ fsType = "none";
+ options = [ "bind" "X-mount.owner=matrix-synapse" "X-mount.group=matrix-synapse" ];
+ };
+ fileSystems."/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}" = {
+ depends = [ "/mnt/data" ];
+ device = "/mnt/data/database";
+ fsType = "none";
+ options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ];
+ };
+}
diff --git a/hosts/matrix/matrix-synapse.nix b/hosts/matrix/matrix-synapse.nix
new file mode 100644
index 0000000..e4f508e
--- /dev/null
+++ b/hosts/matrix/matrix-synapse.nix
@@ -0,0 +1,36 @@
+{ ... }:
+{
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = "nekover.se";
+ public_baseurl = "https://matrix.nekover.se";
+ database = {
+ name = "psycopg2";
+ args.password = "synapse";
+ };
+ email = {
+ smtp_host = "mail.grzb.de";
+ smtp_port = 465;
+ smtp_user = "matrix";
+ force_tls = true;
+ notif_from = "Nekoverse Matrix Server ";
+ };
+ max_upload_size = "500M";
+ signing_key_path = "/secrets/matrix-homeserver-signing-key.secret";
+ admin_contact = "mailto:admin@nekover.se";
+ web_client_location = "https://element.nekover.se";
+ turn_uris = [
+ "turns:turn.nekover.se?transport=udp"
+ "turns:turn.nekover.se?transport=tcp"
+ ];
+ turn_user_lifetime = 86400000;
+ turn_allow_guests = true;
+ };
+ extraConfigFiles = [
+ "/secrets/matrix-registration-shared-secret.secret"
+ "/secrets/matrix-turn-shared-secret.secret"
+ "/secrets/matrix-email-smtp-pass.secret"
+ ];
+ };
+}
diff --git a/hosts/matrix/nginx.nix b/hosts/matrix/nginx.nix
new file mode 100644
index 0000000..de8f332
--- /dev/null
+++ b/hosts/matrix/nginx.nix
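Review bot: `args.password = "synapse"` commits the database password in plaintext, and the same literal appears again in the `CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';` line of the postgresql.nix hunk, while every other credential for this host is delivered through an `extraConfigFiles` secret. PostgreSQL runs on the same host and the service user and the role are both `matrix-synapse`, so peer authentication over the unix socket should presumably work with no password at all; then `args.password` and the `PASSWORD 'synapse'` clause can both go, or if a password is kept it belongs in another `/secrets/…` file listed in `extraConfigFiles`. `notif_from = "Nekoverse Matrix Server "` looks like it lost its `<address>` part somewhere between the file and this rendering — worth confirming the committed file carries the address. The file is complete within the hunk.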
@@ -0,0 +1,35 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."matrix.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ }
+ ];
+ locations."~ ^(/_matrix|/_synapse/client)" = {
+ proxyPass = "http://localhost:8008";
+ extraConfig = ''
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
+ '';
+ };
+ extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/hosts/matrix/postgresql.nix b/hosts/matrix/postgresql.nix
new file mode 100644
index 0000000..03b753a
--- /dev/null
+++ b/hosts/matrix/postgresql.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+ services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+}
diff --git a/hosts/matrix/secrets.nix b/hosts/matrix/secrets.nix
new file mode 100644
index 0000000..24329ea
--- /dev/null
+++ b/hosts/matrix/secrets.nix
@@ -0,0 +1,35 @@
+{ ... }:
+{
+ deployment.keys."matrix-registration-shared-secret.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/registration-shared-secret" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."matrix-turn-shared-secret.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/turn-shared-secret" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."matrix-email-smtp-pass.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/email-smtp-pass" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."matrix-homeserver-signing-key.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/homeserver-signing-key" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix
index 713a09d..52acd48 100644
--- a/hosts/web-public-2/nginx.nix
+++ b/hosts/web-public-2/nginx.nix
@@ -16,7 +16,7 @@ gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; hydra.nekover.se 10.202.41.121:8443;
- matrix.nekover.se 127.0.0.1:8443;
+ matrix.nekover.se 10.202.41.112:8443;
 mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; nextcloud.grzb.de 127.0.0.1:8443;
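Review bot: The four `deployment.keys` entries differ only in the key file name and the `pass` path; the GNUPGHOME/PASSWORD_STORE_DIR prefix, destDir, owner, mode and upload time are copied four times, which is where a typo in `permissions` or `group` on one entry would go unnoticed. A small local helper that takes the pass path and returns the attrset keeps the ownership and mode in one place; the lifeline/secrets.nix hunk in patch 232 repeats the same pattern and could use the same helper (its owner is root). The file is complete within the hunk.
```nix
{ ... }:
let
  # One colmena key entry fed from the infra password store; owner/mode are fixed here.
  mkPassKey = passPath: {
    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" passPath ];
    destDir = "/secrets";
    user = "matrix-synapse";
    group = "matrix-synapse";
    permissions = "0640";
    uploadAt = "pre-activation";
  };
in
{
  deployment.keys = {
    "matrix-registration-shared-secret.secret" = mkPassKey "matrix/registration-shared-secret";
    "matrix-turn-shared-secret.secret" = mkPassKey "matrix/turn-shared-secret";
    "matrix-email-smtp-pass.secret" = mkPassKey "matrix/email-smtp-pass";
    "matrix-homeserver-signing-key.secret" = mkPassKey "matrix/homeserver-signing-key";
  };
}
```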
diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix index 6ec8d36..c04b2e8 100644 --- a/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -9,6 +9,15 @@ proxyPass = "http://jellyfin.vs.grzb.de:80"; }; }; + services.nginx.virtualHosts."matrix.nekover.se" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://matrix.vs.grzb.de:80"; + }; + }; services.nginx.virtualHosts."netbox.grzb.de" = { listen = [{ addr = "0.0.0.0"; diff --git a/hosts/web-public-2/virtualHosts/default.nix b/hosts/web-public-2/virtualHosts/default.nix index 06d0bfd..7df558e 100644 --- a/hosts/web-public-2/virtualHosts/default.nix +++ b/hosts/web-public-2/virtualHosts/default.nix @@ -6,7 +6,6 @@ ./element.nekover.se.nix ./gameserver.grzb.de.nix ./git.grzb.de.nix - ./matrix.nekover.se.nix ./mewtube.nekover.se.nix ./nekover.se.nix ./nextcloud.grzb.de.nix diff --git a/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix b/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix deleted file mode 100644 index 82455bf..0000000 --- a/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ ... }: -{ - services.nginx.virtualHosts."matrix.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - { - addr = "[::]"; - port = 8448; - ssl = true; - } - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://matrix.vs.grzb.de:8008"; - extraConfig = '' - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size 500M; - ''; - }; - }; -} From 8ca3fb0ae2fa992a3824121d0d9e23d1c7b2d704 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 228/386] Bump flake.lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 61995d3..a011349 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1693183237, - "narHash": "sha256-c7OtyBkZ/vZE/WosBpRGRtkbWZjDHGJP7fg1FyB9Dsc=", + "lastModified": 1693231525, + "narHash": "sha256-Zmh8m0HHcgGBDth6jdJPmc4UAAP0L4jQmqIztywF1Iw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ea5234e7073d5f44728c499192544a84244bf35a", + "rev": "c540061ac8d72d6e6d99345bd2d590c82b2f58c1", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1693184707, - "narHash": "sha256-MqCT/wuRKC79QJKlYhdfkUNerPcm63vZLd6P7lZGC0M=", + "lastModified": 1693282374, + "narHash": "sha256-QZUxjv/MsWjradxgHlQFkP1ynR4BAuedY/Hs+gMyss8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "48516a891d020801bc5304375739d2604400c741", + "rev": "3d958404528cd939451ca2ed30473c3d7ae4d746", "type": "github" }, "original": { From 3b04399847814aeea6592f44e9aa63d8041a2eea Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 229/386] Bump element-web to v1.11.40 --- hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/hosts/web-public-2/virtualHosts/element.nekover.se.nix index de1665b..ba220c7 100644 --- a/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
@@ -1,8 +1,8 @@ { pkgs, ... }: let element-web = pkgs.fetchzip { - url = "https://github.com/vector-im/element-web/releases/download/v1.11.36/element-v1.11.36.tar.gz"; - sha256 = "sha256-HbKqfcYH3JWbrAeaYCF/Lg7D7bl5VSgsitxKQdvf+Oc="; + url = "https://github.com/vector-im/element-web/releases/download/v1.11.40/element-v1.11.40.tar.gz"; + sha256 = "sha256-IZ1FjT9fAv6wDfgLcCLBHwg6iXGXC4E0/2/67hArD4w="; }; in { From 6baf116c501cf9c5e596ce1e351bf1a5f54e0cac Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 230/386] Just do the nginx proxy_protocol listen in extraConfig and use stable packages --- hosts.nix | 3 --- hosts/hydra/nginx.nix | 31 +++++++++++++++---------------- hosts/nextcloud/nextcloud.nix | 14 ++------------ hosts/nitter/nginx.nix | 18 ++++++------------ 4 files changed, 23 insertions(+), 43 deletions(-) diff --git a/hosts.nix b/hosts.nix index d608e79..177da2d 100644 --- a/hosts.nix +++ b/hosts.nix @@ -24,7 +24,6 @@ let in generateDefaults { hydra = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; }; iperf = { @@ -47,11 +46,9 @@ in site = "vs"; }; nextcloud = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; }; nitter = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; }; coturn = { diff --git a/hosts/hydra/nginx.nix b/hosts/hydra/nginx.nix index e313c2d..5a15fe1 100644 --- a/hosts/hydra/nginx.nix +++ b/hosts/hydra/nginx.nix 
@@ -3,41 +3,40 @@ services.nginx = { enable = true; virtualHosts = { - "hydra.nekover.se" = { forceSSL = true; enableACME = true; listen = [{ - addr = "127.0.0.1"; - port = 1234; - }{ addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; + port = 80; }]; locations."/" = { proxyPass = "http://localhost:3001"; }; - }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; "nix-cache.nekover.se" = { forceSSL = true; enableACME = true; - listen = [{ - addr = "127.0.0.1"; - port = 1234; - }{ + listen = [ { addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; + port = 80; }]; locations."/" = { proxyPass = "http://localhost:5005"; }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; }; - }; }; } diff --git a/hosts/nextcloud/nextcloud.nix b/hosts/nextcloud/nextcloud.nix index d09b0fb..dd3a328 100644 --- a/hosts/nextcloud/nextcloud.nix +++ b/hosts/nextcloud/nextcloud.nix @@ -41,19 +41,9 @@ virtualHosts.${config.services.nextcloud.hostName} = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; diff --git a/hosts/nitter/nginx.nix b/hosts/nitter/nginx.nix index d0f47ed..862405c 100644 --- a/hosts/nitter/nginx.nix +++ b/hosts/nitter/nginx.nix 
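Review bot: The block `listen 0.0.0.0:8443 http2 ssl proxy_protocol;` / `set_real_ip_from 10.202.41.100;` / `real_ip_header proxy_protocol;` is now pasted into both vhosts here and again in the nextcloud.nix and nitter/nginx.nix hunks of this patch (and in matrix/nginx.nix from patch 227); the trusted-proxy address is the security-relevant part, since a stale entry either breaks client-IP attribution or lets a different peer's PROXY header be believed, and five copies will drift. `set_real_ip_from` and `real_ip_header` are valid at `http` level, so the shared nginx module could carry them once via `services.nginx.commonHttpConfig`, leaving only the `listen` line per vhost; a `let` snippet imported by each host would do as well. The enclosing `services.nginx` attrset starts before the hunk.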
@@ -5,18 +5,6 @@ virtualHosts."birdsite.nekover.se" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; locations."/robots.txt" = { return = "200 \"User-agent: *\\nDisallow: /\\n\""; }; @@ -24,6 +12,12 @@ proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}"; proxyWebsockets = true; }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; }; }; } From 502e5194dcc7017b7600b6901507417b0918d752 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 231/386] Update flake.lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index a011349..4b4607e 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1693231525, - "narHash": "sha256-Zmh8m0HHcgGBDth6jdJPmc4UAAP0L4jQmqIztywF1Iw=", + "lastModified": 1693725722, + "narHash": "sha256-PJFNgOpNqrsafMgNuca8olo6ugxIFeQOBBiNtyq2FXA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c540061ac8d72d6e6d99345bd2d590c82b2f58c1", + "rev": "00cc1bbf20f8eb85b537f9f10b41a311f0e01e3e", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1693282374, - "narHash": "sha256-QZUxjv/MsWjradxgHlQFkP1ynR4BAuedY/Hs+gMyss8=", + "lastModified": 1693723626, + "narHash": "sha256-e6DnUnRT5aykzhme6wLUzYmSPw2G8j+RYwXluys2VJc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3d958404528cd939451ca2ed30473c3d7ae4d746", + "rev": "5e9ff98d1dccbb391a9769b5dc660a5f6e39c18b", "type": "github" }, "original": { From ba43f2ed5c5dd890aac304efa655966e9c555e68 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 232/386] Setup mail server and restructure some things --- {configuration => config}/common/default.nix | 4 +- {configuration => config}/common/nginx.nix | 0 .../common/prometheus-node-exporter.nix | 4 +- .../environments}/proxmox-vm/default.nix | 0 .../proxmox-vm/hardware-configuration.nix | 0 {hosts => config/hosts}/coturn/acme.nix | 0 .../hosts}/coturn/configuration.nix | 0 {hosts => config/hosts}/coturn/coturn.nix | 0 {hosts => config/hosts}/coturn/default.nix | 0 {hosts => config/hosts}/coturn/secrets.nix | 0 .../hosts}/hydra/configuration.nix | 0 {hosts => config/hosts}/hydra/default.nix | 0 {hosts => config/hosts}/hydra/hydra.nix | 0 {hosts => config/hosts}/hydra/nginx.nix | 0 {hosts => config/hosts}/hydra/nix-serve.nix | 0 {hosts => config/hosts}/hydra/secrets.nix | 0 .../hosts}/iperf/configuration.nix | 0 {hosts => config/hosts}/iperf/default.nix | 0 {hosts => config/hosts}/iperf/iperf.nix | 0 .../hosts}/jackett/configuration.nix | 0 {hosts => config/hosts}/jackett/default.nix | 0 {hosts => config/hosts}/jackett/jackett.nix | 0 .../hosts}/jellyfin/configuration.nix | 0 {hosts => config/hosts}/jellyfin/default.nix | 0 .../jellyfin/hardware-configuration.nix | 0 {hosts => config/hosts}/jellyfin/jellyfin.nix | 0 {hosts => config/hosts}/jellyfin/nginx.nix | 0 {hosts => config/hosts}/jellyfin/secrets.nix | 0 config/hosts/lifeline/configuration.nix | 69 +++++++++ config/hosts/lifeline/default.nix | 7 + .../hosts/lifeline/hardware-configuration.nix | 16 ++ config/hosts/lifeline/secrets.nix | 19 +++ config/hosts/mail-1/configuration.nix | 61 ++++++++ config/hosts/mail-1/default.nix | 7 + config/hosts/mail-1/secrets.nix | 85 ++++++++++ .../hosts/mail-1/simple-nixos-mailserver.nix | 66 ++++++++ .../hosts}/matrix/configuration.nix | 0 {hosts => config/hosts}/matrix/default.nix | 0 .../hosts}/matrix/hardware-configuration.nix | 0 .../hosts}/matrix/matrix-synapse.nix | 0 {hosts => 
config/hosts}/matrix/nginx.nix | 0 {hosts => config/hosts}/matrix/postgresql.nix | 0 {hosts => config/hosts}/matrix/secrets.nix | 0 .../hosts}/metrics/configuration.nix | 0 {hosts => config/hosts}/metrics/default.nix | 0 {hosts => config/hosts}/metrics/grafana.nix | 0 {hosts => config/hosts}/metrics/nginx.nix | 0 .../hosts}/metrics/prometheus.nix | 0 {hosts => config/hosts}/metrics/secrets.nix | 0 .../hosts}/netbox/configuration.nix | 0 {hosts => config/hosts}/netbox/default.nix | 0 {hosts => config/hosts}/netbox/netbox.nix | 0 {hosts => config/hosts}/netbox/nginx.nix | 0 {hosts => config/hosts}/netbox/secrets.nix | 0 .../hosts}/nextcloud/configuration.nix | 0 {hosts => config/hosts}/nextcloud/default.nix | 0 .../nextcloud/hardware-configuration.nix | 0 .../hosts}/nextcloud/nextcloud.nix | 0 {hosts => config/hosts}/nextcloud/secrets.nix | 0 .../hosts}/nitter/configuration.nix | 0 {hosts => config/hosts}/nitter/default.nix | 0 {hosts => config/hosts}/nitter/nginx.nix | 0 {hosts => config/hosts}/nitter/nitter.nix | 0 .../hosts}/tor-relay/configuration.nix | 0 {hosts => config/hosts}/tor-relay/default.nix | 0 {hosts => config/hosts}/tor-relay/tor.nix | 0 .../configuration.nix | 0 .../web-nonpublic-linuxcrewd/default.nix | 0 .../hosts}/web-nonpublic-linuxcrewd/nginx.nix | 0 .../hosts}/web-public-2/configuration.nix | 0 .../hosts}/web-public-2/default.nix | 0 .../hosts}/web-public-2/nginx.nix | 0 .../virtualHosts/acme-challenge.nix | 9 ++ .../virtualHosts/anisync.grzb.de.nix | 0 .../web-public-2/virtualHosts/default.nix | 1 - .../element-web-config/config.json | 0 .../virtualHosts/element.nekover.se.nix | 0 .../virtualHosts/gameserver.grzb.de.nix | 0 .../web-public-2/virtualHosts/git.grzb.de.nix | 0 .../virtualHosts/mewtube.nekover.se.nix | 0 .../web-public-2/virtualHosts/nekover.se.nix | 0 .../virtualHosts/social.nekover.se.nix | 0 .../nixos-generators/default.nix | 0 .../users}/colmena-deploy/default.nix | 0 {users => config/users}/yuri/default.nix | 0 flake.lock | 
145 ++++++++++++++++-- flake.nix | 13 +- helper.nix | 2 +- hosts.nix | 36 ++++- .../virtualHosts/nextcloud.grzb.de.nix | 34 ---- 90 files changed, 512 insertions(+), 66 deletions(-) rename {configuration => config}/common/default.nix (96%) rename {configuration => config}/common/nginx.nix (100%) rename {configuration => config}/common/prometheus-node-exporter.nix (61%) rename {configuration => config/environments}/proxmox-vm/default.nix (100%) rename {configuration => config/environments}/proxmox-vm/hardware-configuration.nix (100%) rename {hosts => config/hosts}/coturn/acme.nix (100%) rename {hosts => config/hosts}/coturn/configuration.nix (100%) rename {hosts => config/hosts}/coturn/coturn.nix (100%) rename {hosts => config/hosts}/coturn/default.nix (100%) rename {hosts => config/hosts}/coturn/secrets.nix (100%) rename {hosts => config/hosts}/hydra/configuration.nix (100%) rename {hosts => config/hosts}/hydra/default.nix (100%) rename {hosts => config/hosts}/hydra/hydra.nix (100%) rename {hosts => config/hosts}/hydra/nginx.nix (100%) rename {hosts => config/hosts}/hydra/nix-serve.nix (100%) rename {hosts => config/hosts}/hydra/secrets.nix (100%) rename {hosts => config/hosts}/iperf/configuration.nix (100%) rename {hosts => config/hosts}/iperf/default.nix (100%) rename {hosts => config/hosts}/iperf/iperf.nix (100%) rename {hosts => config/hosts}/jackett/configuration.nix (100%) rename {hosts => config/hosts}/jackett/default.nix (100%) rename {hosts => config/hosts}/jackett/jackett.nix (100%) rename {hosts => config/hosts}/jellyfin/configuration.nix (100%) rename {hosts => config/hosts}/jellyfin/default.nix (100%) rename {hosts => config/hosts}/jellyfin/hardware-configuration.nix (100%) rename {hosts => config/hosts}/jellyfin/jellyfin.nix (100%) rename {hosts => config/hosts}/jellyfin/nginx.nix (100%) rename {hosts => config/hosts}/jellyfin/secrets.nix (100%) create mode 100644 config/hosts/lifeline/configuration.nix create mode 100644 
config/hosts/lifeline/default.nix create mode 100644 config/hosts/lifeline/hardware-configuration.nix create mode 100644 config/hosts/lifeline/secrets.nix create mode 100644 config/hosts/mail-1/configuration.nix create mode 100644 config/hosts/mail-1/default.nix create mode 100644 config/hosts/mail-1/secrets.nix create mode 100644 config/hosts/mail-1/simple-nixos-mailserver.nix rename {hosts => config/hosts}/matrix/configuration.nix (100%) rename {hosts => config/hosts}/matrix/default.nix (100%) rename {hosts => config/hosts}/matrix/hardware-configuration.nix (100%) rename {hosts => config/hosts}/matrix/matrix-synapse.nix (100%) rename {hosts => config/hosts}/matrix/nginx.nix (100%) rename {hosts => config/hosts}/matrix/postgresql.nix (100%) rename {hosts => config/hosts}/matrix/secrets.nix (100%) rename {hosts => config/hosts}/metrics/configuration.nix (100%) rename {hosts => config/hosts}/metrics/default.nix (100%) rename {hosts => config/hosts}/metrics/grafana.nix (100%) rename {hosts => config/hosts}/metrics/nginx.nix (100%) rename {hosts => config/hosts}/metrics/prometheus.nix (100%) rename {hosts => config/hosts}/metrics/secrets.nix (100%) rename {hosts => config/hosts}/netbox/configuration.nix (100%) rename {hosts => config/hosts}/netbox/default.nix (100%) rename {hosts => config/hosts}/netbox/netbox.nix (100%) rename {hosts => config/hosts}/netbox/nginx.nix (100%) rename {hosts => config/hosts}/netbox/secrets.nix (100%) rename {hosts => config/hosts}/nextcloud/configuration.nix (100%) rename {hosts => config/hosts}/nextcloud/default.nix (100%) rename {hosts => config/hosts}/nextcloud/hardware-configuration.nix (100%) rename {hosts => config/hosts}/nextcloud/nextcloud.nix (100%) rename {hosts => config/hosts}/nextcloud/secrets.nix (100%) rename {hosts => config/hosts}/nitter/configuration.nix (100%) rename {hosts => config/hosts}/nitter/default.nix (100%) rename {hosts => config/hosts}/nitter/nginx.nix (100%) rename {hosts => config/hosts}/nitter/nitter.nix 
(100%) rename {hosts => config/hosts}/tor-relay/configuration.nix (100%) rename {hosts => config/hosts}/tor-relay/default.nix (100%) rename {hosts => config/hosts}/tor-relay/tor.nix (100%) rename {hosts => config/hosts}/web-nonpublic-linuxcrewd/configuration.nix (100%) rename {hosts => config/hosts}/web-nonpublic-linuxcrewd/default.nix (100%) rename {hosts => config/hosts}/web-nonpublic-linuxcrewd/nginx.nix (100%) rename {hosts => config/hosts}/web-public-2/configuration.nix (100%) rename {hosts => config/hosts}/web-public-2/default.nix (100%) rename {hosts => config/hosts}/web-public-2/nginx.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/acme-challenge.nix (83%) rename {hosts => config/hosts}/web-public-2/virtualHosts/anisync.grzb.de.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/default.nix (93%) rename {hosts => config/hosts}/web-public-2/virtualHosts/element-web-config/config.json (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/element.nekover.se.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/gameserver.grzb.de.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/git.grzb.de.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/mewtube.nekover.se.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/nekover.se.nix (100%) rename {hosts => config/hosts}/web-public-2/virtualHosts/social.nekover.se.nix (100%) rename {configuration => config}/nixos-generators/default.nix (100%) rename {users => config/users}/colmena-deploy/default.nix (100%) rename {users => config/users}/yuri/default.nix (100%) delete mode 100644 hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix diff --git a/configuration/common/default.nix b/config/common/default.nix similarity index 96% rename from configuration/common/default.nix rename to config/common/default.nix index e28c38a..8634acf 100644 --- a/configuration/common/default.nix +++ b/config/common/default.nix 
@@ -3,8 +3,8 @@ imports = [ ./prometheus-node-exporter.nix ./nginx.nix - ../../users/colmena-deploy - ../../users/yuri + ../users/colmena-deploy + ../users/yuri ]; time.timeZone = "Europe/Berlin"; diff --git a/configuration/common/nginx.nix b/config/common/nginx.nix similarity index 100% rename from configuration/common/nginx.nix rename to config/common/nginx.nix diff --git a/configuration/common/prometheus-node-exporter.nix b/config/common/prometheus-node-exporter.nix similarity index 61% rename from configuration/common/prometheus-node-exporter.nix rename to config/common/prometheus-node-exporter.nix index ac2d1ac..71f9baa 100644 --- a/configuration/common/prometheus-node-exporter.nix +++ b/config/common/prometheus-node-exporter.nix @@ -1,7 +1,7 @@ -{ ... }: +{ lib, ... }: { services.prometheus.exporters.node = { - enable = true; + enable = lib.mkDefault true; openFirewall = true; }; } diff --git a/configuration/proxmox-vm/default.nix b/config/environments/proxmox-vm/default.nix similarity index 100% rename from configuration/proxmox-vm/default.nix rename to config/environments/proxmox-vm/default.nix diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/config/environments/proxmox-vm/hardware-configuration.nix similarity index 100% rename from configuration/proxmox-vm/hardware-configuration.nix rename to config/environments/proxmox-vm/hardware-configuration.nix diff --git a/hosts/coturn/acme.nix b/config/hosts/coturn/acme.nix similarity index 100% rename from hosts/coturn/acme.nix rename to config/hosts/coturn/acme.nix diff --git a/hosts/coturn/configuration.nix b/config/hosts/coturn/configuration.nix similarity index 100% rename from hosts/coturn/configuration.nix rename to config/hosts/coturn/configuration.nix diff --git a/hosts/coturn/coturn.nix b/config/hosts/coturn/coturn.nix similarity index 100% rename from hosts/coturn/coturn.nix rename to config/hosts/coturn/coturn.nix 
diff --git a/hosts/coturn/default.nix b/config/hosts/coturn/default.nix similarity index 100% rename from hosts/coturn/default.nix rename to config/hosts/coturn/default.nix diff --git a/hosts/coturn/secrets.nix b/config/hosts/coturn/secrets.nix similarity index 100% rename from hosts/coturn/secrets.nix rename to config/hosts/coturn/secrets.nix diff --git a/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix similarity index 100% rename from hosts/hydra/configuration.nix rename to config/hosts/hydra/configuration.nix diff --git a/hosts/hydra/default.nix b/config/hosts/hydra/default.nix similarity index 100% rename from hosts/hydra/default.nix rename to config/hosts/hydra/default.nix diff --git a/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix similarity index 100% rename from hosts/hydra/hydra.nix rename to config/hosts/hydra/hydra.nix diff --git a/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix similarity index 100% rename from hosts/hydra/nginx.nix rename to config/hosts/hydra/nginx.nix diff --git a/hosts/hydra/nix-serve.nix b/config/hosts/hydra/nix-serve.nix similarity index 100% rename from hosts/hydra/nix-serve.nix rename to config/hosts/hydra/nix-serve.nix diff --git a/hosts/hydra/secrets.nix b/config/hosts/hydra/secrets.nix similarity index 100% rename from hosts/hydra/secrets.nix rename to config/hosts/hydra/secrets.nix diff --git a/hosts/iperf/configuration.nix b/config/hosts/iperf/configuration.nix similarity index 100% rename from hosts/iperf/configuration.nix rename to config/hosts/iperf/configuration.nix diff --git a/hosts/iperf/default.nix b/config/hosts/iperf/default.nix similarity index 100% rename from hosts/iperf/default.nix rename to config/hosts/iperf/default.nix diff --git a/hosts/iperf/iperf.nix b/config/hosts/iperf/iperf.nix similarity index 100% rename from hosts/iperf/iperf.nix rename to config/hosts/iperf/iperf.nix 
diff --git a/hosts/jackett/configuration.nix b/config/hosts/jackett/configuration.nix similarity index 100% rename from hosts/jackett/configuration.nix rename to config/hosts/jackett/configuration.nix diff --git a/hosts/jackett/default.nix b/config/hosts/jackett/default.nix similarity index 100% rename from hosts/jackett/default.nix rename to config/hosts/jackett/default.nix diff --git a/hosts/jackett/jackett.nix b/config/hosts/jackett/jackett.nix similarity index 100% rename from hosts/jackett/jackett.nix rename to config/hosts/jackett/jackett.nix diff --git a/hosts/jellyfin/configuration.nix b/config/hosts/jellyfin/configuration.nix similarity index 100% rename from hosts/jellyfin/configuration.nix rename to config/hosts/jellyfin/configuration.nix diff --git a/hosts/jellyfin/default.nix b/config/hosts/jellyfin/default.nix similarity index 100% rename from hosts/jellyfin/default.nix rename to config/hosts/jellyfin/default.nix diff --git a/hosts/jellyfin/hardware-configuration.nix b/config/hosts/jellyfin/hardware-configuration.nix similarity index 100% rename from hosts/jellyfin/hardware-configuration.nix rename to config/hosts/jellyfin/hardware-configuration.nix diff --git a/hosts/jellyfin/jellyfin.nix b/config/hosts/jellyfin/jellyfin.nix similarity index 100% rename from hosts/jellyfin/jellyfin.nix rename to config/hosts/jellyfin/jellyfin.nix diff --git a/hosts/jellyfin/nginx.nix b/config/hosts/jellyfin/nginx.nix similarity index 100% rename from hosts/jellyfin/nginx.nix rename to config/hosts/jellyfin/nginx.nix diff --git a/hosts/jellyfin/secrets.nix b/config/hosts/jellyfin/secrets.nix similarity index 100% rename from hosts/jellyfin/secrets.nix rename to config/hosts/jellyfin/secrets.nix diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix new file mode 100644 index 0000000..2930c69 --- /dev/null +++ b/config/hosts/lifeline/configuration.nix 
@@ -0,0 +1,69 @@
+{ pkgs, ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+
+ networking = {
+ hostName = "lifeline";
+ useDHCP = true;
+ wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret";
+ listenPort = 51820;
+ ips = [
+ "172.16.50.1/24"
+ ];
+ peers = [
+ {
+ name = "mail-1";
+ publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
+ presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret";
+ allowedIPs = [ "172.16.50.2/32" ];
+ }
+ ];
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+ '';
+ };
+ };
+ nat = {
+ enable = true;
+ internalInterfaces = [ "wg0" ];
+ externalInterface = "ens6";
+ forwardPorts = [
+ {
+ destination = "172.16.50.2:25";
+ proto = "tcp";
+ sourcePort = 25;
+ }
+ {
+ destination = "172.16.50.2:465";
+ proto = "tcp";
+ sourcePort = 465;
+ }
+ {
+ destination = "172.16.50.2:993";
+ proto = "tcp";
+ sourcePort = 993;
+ }
+ ];
+ };
+ firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+ };
+
+ services.prometheus.exporters.node.enable = false;
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/lifeline/default.nix b/config/hosts/lifeline/default.nix
new file mode 100644
index 0000000..9d284a8
--- /dev/null
+++ b/config/hosts/lifeline/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ];
+}
diff --git a/config/hosts/lifeline/hardware-configuration.nix b/config/hosts/lifeline/hardware-configuration.nix
new file mode 100644
index 0000000..85d6d9a
--- /dev/null
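Review bot: The `postSetup`/`postShutdown` iptables rules in the wg0 interface duplicate what the `networking.nat` block further down already installs: with `internalInterfaces = [ "wg0" ]` and `externalInterface = "ens6"` the NixOS nat module masquerades wg0 traffic leaving ens6 on its own and, as far as I recall, also sets `net.ipv4.conf.all.forwarding`, so the manual `-t nat -A POSTROUTING ... -j MASQUERADE` line adds a second copy of the rule and the explicit sysctl at the top is redundant. The `-A FORWARD -i wg0 -j ACCEPT` rule is likely a no-op as well, since the iptables-based NixOS firewall does not install a restrictive FORWARD policy; if it exists to counter a DROP policy set elsewhere, a comment should name that source. I would drop `postSetup`/`postShutdown` and the sysctl line and let `networking.nat` be the single owner of the forwarding and NAT state for the mail-1 port forwards, so there is one place to audit what this host exposes.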
+++ b/config/hosts/lifeline/hardware-configuration.nix
@@ -0,0 +1,16 @@
+{ modulesPath, ... }:
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd = {
+ availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ kernelModules = [ "nvme" ];
+ };
+
+ fileSystems."/" = {
+ device = "/dev/vda1";
+ fsType = "ext4";
+ };
+}
diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix
new file mode 100644
index 0000000..90f3f12
--- /dev/null
+++ b/config/hosts/lifeline/secrets.nix
@@ -0,0 +1,19 @@
+{ ... }:
+{
+ deployment.keys."wireguard-lifeline-mail-1-lifeline-psk.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."wireguard-lifeline-mail-1-lifeline-privatekey.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/lifeline-privatekey" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix
new file mode 100644
index 0000000..4638917
--- /dev/null
+++ b/config/hosts/mail-1/configuration.nix
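Review bot: Both `keyCommand` entries in the lifeline secrets.nix hunk hard-code `GNUPGHOME=/home/yuri/.passinfra_gnupg` and `PASSWORD_STORE_DIR=/home/yuri/pass/infra`, while `config/hosts/mail-1/secrets.nix` in the same commit takes `keyCommandEnv` from the module arguments and writes `keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-1/psk" ];`. Using the shared prefix here too keeps the deployer's key-store location in one place and stops this host from silently breaking when that path moves. The files themselves are `root:root` with `0640` and are only read by the WireGuard interface setup, which runs as root, so the permissions are fine; a one-line `# consumed by networking.wireguard (root) when wg0 is brought up` would make that intent explicit for whoever tightens them later.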
@@ -0,0 +1,61 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "mail-1";
+ useDHCP = true;
+ defaultGateway = {
+ address = "172.16.50.1";
+ interface = "wg0";
+ };
+ interfaces.enp6s18.ipv4 = {
+ routes = [
+ {
+ address = "10.201.0.0";
+ prefixLength = 16;
+ via = "10.202.41.1";
+ }
+ {
+ address = "10.202.0.0";
+ prefixLength = 16;
+ via = "10.202.41.1";
+ }
+ {
+ address = "172.21.87.0"; # management VPN
+ prefixLength = 24;
+ via = "10.202.41.1";
+ }
+ {
+ address = "217.160.117.160"; #
+ prefixLength = 32;
+ via = "10.202.41.1";
+ }
+ ];
+ };
+ wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [
+ "172.16.50.2/24"
+ ];
+ peers = [
+ {
+ name = "lifeline";
+ publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY=";
+ presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret";
+ endpoint = "lifeline.io.grzb.de:51820";
+ allowedIPs = [ "0.0.0.0/0" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret";
+ };
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/mail-1/default.nix b/config/hosts/mail-1/default.nix
new file mode 100644
index 0000000..5537841
--- /dev/null
+++ b/config/hosts/mail-1/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./simple-nixos-mailserver.nix
+ ];
+}
diff --git a/config/hosts/mail-1/secrets.nix b/config/hosts/mail-1/secrets.nix
new file mode 100644
index 0000000..3352cee
--- /dev/null
+++ b/config/hosts/mail-1/secrets.nix
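Review bot: The fourth static route in mail-1's configuration.nix carries an empty comment, `address = "217.160.117.160"; #`, right next to a sibling that does explain itself (`# management VPN`). Because the default gateway is moved onto wg0 with `allowedIPs = [ "0.0.0.0/0" ]`, a host route for the peer's public address is presumably what keeps the WireGuard handshake to `lifeline.io.grzb.de:51820` out of the tunnel; if that is what this `/32` is, say so: `address = "217.160.117.160"; # lifeline WireGuard endpoint, must stay reachable outside wg0`. Also worth a note in the file: `useDHCP = true` on enp6s18 will normally install a DHCP-learned default route as well, so which gateway wins over the static `defaultGateway` on wg0 should be confirmed on the host rather than assumed.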
@@ -0,0 +1,85 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "wireguard-valkyrie-mail-1-mail-1-psk.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "wireguard-mail-1-wg0-privatekey.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-fiona-grzb-de.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-yuri-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-mio-vs-grzb-de.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-fubuki-wg-grzb-de.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-cloud-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-status-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-matrix-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/matrix-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-social-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix
new file mode 100644
index 0000000..81fa130
--- /dev/null
+++ b/config/hosts/mail-1/simple-nixos-mailserver.nix
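Review bot: The WireGuard key names deployed in mail-1's secrets.nix do not match what `config/hosts/mail-1/configuration.nix` in this same commit reads: the interface points at `/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret` and `/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret`, but this file uploads `wireguard-valkyrie-mail-1-mail-1-psk.secret` and `wireguard-mail-1-wg0-privatekey.secret`, so wg0 on mail-1 will come up without its private key and the default gateway that depends on the tunnel never becomes usable. One side has to be renamed; the `lifeline` peer name in configuration.nix suggests the names there are the intended ones, but whichever is kept, the `pass` paths must be updated to match. The two WireGuard entries also use `group = "systemd-network"` while every other entry is `root`; `networking.wireguard` performs its setup as root, so the different group is harmless, but it reads like a leftover from a systemd-networkd setup and deserves either unification or a comment.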
@@ -0,0 +1,66 @@
+{ simple-nixos-mailserver, ... }:
+{
+ imports = [
+ simple-nixos-mailserver.nixosModule {
+ mailserver = {
+ enable = true;
+ openFirewall = true;
+ fqdn = "mail-1.grzb.de";
+ enableImap = false;
+ enableImapSsl = true;
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+ lmtpSaveToDetailMailbox = "no";
+ domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
+ loginAccounts = {
+ "fiona@grzb.de" = {
+ hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
+ aliases = [ "@grzb.de" ];
+ catchAll = [ "grzb.de" ];
+ };
+ "yuri@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
+ aliases = [ "@nekover.se" ];
+ catchAll = [ "nekover.se" ];
+ };
+ "mio@vs.grzb.de" = {
+ hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
+ sendOnly = true;
+ aliases = [ "root@vs.grzb.de" ];
+ };
+ "fubuki@wg.grzb.de" = {
+ hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
+ sendOnly = true;
+ aliases = [ "root@wg.grzb.de" ];
+ };
+ "cloud@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
+ sendOnly = true;
+ };
+ "status@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
+ sendOnly = true;
+ };
+ "matrix@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
+ sendOnly = true;
+ aliases = [ "nyareply@nekover.se" ];
+ };
+ "social@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
+ sendOnly = true;
+ aliases = [ "nyareply@nekover.se" ];
+ };
+ };
+ certificateScheme = "acme-nginx";
+ };
+ }
+ ];
+
+ services.postfix = {
+ transport = "relay:[mail-2.grzb.de]";
+ extraConfig = ''
+ proxy_interfaces = 212.53.203.19
+ '';
+ };
+}
diff --git a/hosts/matrix/configuration.nix b/config/hosts/matrix/configuration.nix
similarity index 100%
rename from hosts/matrix/configuration.nix
rename to config/hosts/matrix/configuration.nix
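Review bot: `services.postfix.transport = "relay:[mail-2.grzb.de]"` at the bottom of the mailserver hunk goes into the transport map without a lookup key; transport(5) entries have the form `pattern transport:nexthop`, so as written this line is unlikely to route anything, and the apparent intent — send all outbound mail through mail-2 — needs either `transport = "* relay:[mail-2.grzb.de]";` or the dedicated `services.postfix.relayHost` option. A short comment on the `services.postfix` block explaining why mail-2 relays for this host (it sits behind lifeline's port forwards, per the other files in the commit) and what `proxy_interfaces = 212.53.203.19` refers to would spare the next reader the detective work. The account list itself is sound from an exposure standpoint: only the two catch-all accounts can receive, everything else is `sendOnly`, and plaintext IMAP/submission are off.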
diff --git a/hosts/matrix/default.nix b/config/hosts/matrix/default.nix similarity index 100% rename from hosts/matrix/default.nix rename to config/hosts/matrix/default.nix diff --git a/hosts/matrix/hardware-configuration.nix b/config/hosts/matrix/hardware-configuration.nix similarity index 100% rename from hosts/matrix/hardware-configuration.nix rename to config/hosts/matrix/hardware-configuration.nix diff --git a/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix similarity index 100% rename from hosts/matrix/matrix-synapse.nix rename to config/hosts/matrix/matrix-synapse.nix diff --git a/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix similarity index 100% rename from hosts/matrix/nginx.nix rename to config/hosts/matrix/nginx.nix diff --git a/hosts/matrix/postgresql.nix b/config/hosts/matrix/postgresql.nix similarity index 100% rename from hosts/matrix/postgresql.nix rename to config/hosts/matrix/postgresql.nix diff --git a/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix similarity index 100% rename from hosts/matrix/secrets.nix rename to config/hosts/matrix/secrets.nix diff --git a/hosts/metrics/configuration.nix b/config/hosts/metrics/configuration.nix similarity index 100% rename from hosts/metrics/configuration.nix rename to config/hosts/metrics/configuration.nix diff --git a/hosts/metrics/default.nix b/config/hosts/metrics/default.nix similarity index 100% rename from hosts/metrics/default.nix rename to config/hosts/metrics/default.nix diff --git a/hosts/metrics/grafana.nix b/config/hosts/metrics/grafana.nix similarity index 100% rename from hosts/metrics/grafana.nix rename to config/hosts/metrics/grafana.nix diff --git a/hosts/metrics/nginx.nix b/config/hosts/metrics/nginx.nix similarity index 100% rename from hosts/metrics/nginx.nix rename to config/hosts/metrics/nginx.nix 
diff --git a/hosts/metrics/prometheus.nix b/config/hosts/metrics/prometheus.nix similarity index 100% rename from hosts/metrics/prometheus.nix rename to config/hosts/metrics/prometheus.nix diff --git a/hosts/metrics/secrets.nix b/config/hosts/metrics/secrets.nix similarity index 100% rename from hosts/metrics/secrets.nix rename to config/hosts/metrics/secrets.nix diff --git a/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix similarity index 100% rename from hosts/netbox/configuration.nix rename to config/hosts/netbox/configuration.nix diff --git a/hosts/netbox/default.nix b/config/hosts/netbox/default.nix similarity index 100% rename from hosts/netbox/default.nix rename to config/hosts/netbox/default.nix diff --git a/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix similarity index 100% rename from hosts/netbox/netbox.nix rename to config/hosts/netbox/netbox.nix diff --git a/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix similarity index 100% rename from hosts/netbox/nginx.nix rename to config/hosts/netbox/nginx.nix diff --git a/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix similarity index 100% rename from hosts/netbox/secrets.nix rename to config/hosts/netbox/secrets.nix diff --git a/hosts/nextcloud/configuration.nix b/config/hosts/nextcloud/configuration.nix similarity index 100% rename from hosts/nextcloud/configuration.nix rename to config/hosts/nextcloud/configuration.nix diff --git a/hosts/nextcloud/default.nix b/config/hosts/nextcloud/default.nix similarity index 100% rename from hosts/nextcloud/default.nix rename to config/hosts/nextcloud/default.nix diff --git a/hosts/nextcloud/hardware-configuration.nix b/config/hosts/nextcloud/hardware-configuration.nix similarity index 100% rename from hosts/nextcloud/hardware-configuration.nix rename to config/hosts/nextcloud/hardware-configuration.nix 
diff --git a/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix similarity index 100% rename from hosts/nextcloud/nextcloud.nix rename to config/hosts/nextcloud/nextcloud.nix diff --git a/hosts/nextcloud/secrets.nix b/config/hosts/nextcloud/secrets.nix similarity index 100% rename from hosts/nextcloud/secrets.nix rename to config/hosts/nextcloud/secrets.nix diff --git a/hosts/nitter/configuration.nix b/config/hosts/nitter/configuration.nix similarity index 100% rename from hosts/nitter/configuration.nix rename to config/hosts/nitter/configuration.nix diff --git a/hosts/nitter/default.nix b/config/hosts/nitter/default.nix similarity index 100% rename from hosts/nitter/default.nix rename to config/hosts/nitter/default.nix diff --git a/hosts/nitter/nginx.nix b/config/hosts/nitter/nginx.nix similarity index 100% rename from hosts/nitter/nginx.nix rename to config/hosts/nitter/nginx.nix diff --git a/hosts/nitter/nitter.nix b/config/hosts/nitter/nitter.nix similarity index 100% rename from hosts/nitter/nitter.nix rename to config/hosts/nitter/nitter.nix diff --git a/hosts/tor-relay/configuration.nix b/config/hosts/tor-relay/configuration.nix similarity index 100% rename from hosts/tor-relay/configuration.nix rename to config/hosts/tor-relay/configuration.nix diff --git a/hosts/tor-relay/default.nix b/config/hosts/tor-relay/default.nix similarity index 100% rename from hosts/tor-relay/default.nix rename to config/hosts/tor-relay/default.nix diff --git a/hosts/tor-relay/tor.nix b/config/hosts/tor-relay/tor.nix similarity index 100% rename from hosts/tor-relay/tor.nix rename to config/hosts/tor-relay/tor.nix diff --git a/hosts/web-nonpublic-linuxcrewd/configuration.nix b/config/hosts/web-nonpublic-linuxcrewd/configuration.nix similarity index 100% rename from hosts/web-nonpublic-linuxcrewd/configuration.nix rename to config/hosts/web-nonpublic-linuxcrewd/configuration.nix 
diff --git a/hosts/web-nonpublic-linuxcrewd/default.nix b/config/hosts/web-nonpublic-linuxcrewd/default.nix similarity index 100% rename from hosts/web-nonpublic-linuxcrewd/default.nix rename to config/hosts/web-nonpublic-linuxcrewd/default.nix diff --git a/hosts/web-nonpublic-linuxcrewd/nginx.nix b/config/hosts/web-nonpublic-linuxcrewd/nginx.nix similarity index 100% rename from hosts/web-nonpublic-linuxcrewd/nginx.nix rename to config/hosts/web-nonpublic-linuxcrewd/nginx.nix diff --git a/hosts/web-public-2/configuration.nix b/config/hosts/web-public-2/configuration.nix similarity index 100% rename from hosts/web-public-2/configuration.nix rename to config/hosts/web-public-2/configuration.nix diff --git a/hosts/web-public-2/default.nix b/config/hosts/web-public-2/default.nix similarity index 100% rename from hosts/web-public-2/default.nix rename to config/hosts/web-public-2/default.nix diff --git a/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix similarity index 100% rename from hosts/web-public-2/nginx.nix rename to config/hosts/web-public-2/nginx.nix diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix similarity index 83% rename from hosts/web-public-2/virtualHosts/acme-challenge.nix rename to config/hosts/web-public-2/virtualHosts/acme-challenge.nix index c04b2e8..f5adeea 100644 --- a/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -9,6 +9,15 @@ proxyPass = "http://jellyfin.vs.grzb.de:80"; }; }; + services.nginx.virtualHosts."mail-1.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://mail-1.vs.grzb.de:80"; + }; + }; services.nginx.virtualHosts."matrix.nekover.se" = { listen = [{ addr = "0.0.0.0"; 
diff --git a/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix similarity index 100% rename from hosts/web-public-2/virtualHosts/anisync.grzb.de.nix rename to config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix diff --git a/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix similarity index 93% rename from hosts/web-public-2/virtualHosts/default.nix rename to config/hosts/web-public-2/virtualHosts/default.nix index 7df558e..6a5c3bb 100644 --- a/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix @@ -8,7 +8,6 @@ ./git.grzb.de.nix ./mewtube.nekover.se.nix ./nekover.se.nix - ./nextcloud.grzb.de.nix ./social.nekover.se.nix ]; diff --git a/hosts/web-public-2/virtualHosts/element-web-config/config.json b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json similarity index 100% rename from hosts/web-public-2/virtualHosts/element-web-config/config.json rename to config/hosts/web-public-2/virtualHosts/element-web-config/config.json diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix similarity index 100% rename from hosts/web-public-2/virtualHosts/element.nekover.se.nix rename to config/hosts/web-public-2/virtualHosts/element.nekover.se.nix diff --git a/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix similarity index 100% rename from hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix rename to config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix diff --git a/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix similarity index 100% rename from hosts/web-public-2/virtualHosts/git.grzb.de.nix rename to config/hosts/web-public-2/virtualHosts/git.grzb.de.nix 
diff --git a/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix similarity index 100% rename from hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix rename to config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix diff --git a/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix similarity index 100% rename from hosts/web-public-2/virtualHosts/nekover.se.nix rename to config/hosts/web-public-2/virtualHosts/nekover.se.nix diff --git a/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix similarity index 100% rename from hosts/web-public-2/virtualHosts/social.nekover.se.nix rename to config/hosts/web-public-2/virtualHosts/social.nekover.se.nix diff --git a/configuration/nixos-generators/default.nix b/config/nixos-generators/default.nix similarity index 100% rename from configuration/nixos-generators/default.nix rename to config/nixos-generators/default.nix diff --git a/users/colmena-deploy/default.nix b/config/users/colmena-deploy/default.nix similarity index 100% rename from users/colmena-deploy/default.nix rename to config/users/colmena-deploy/default.nix diff --git a/users/yuri/default.nix b/config/users/yuri/default.nix similarity index 100% rename from users/yuri/default.nix rename to config/users/yuri/default.nix diff --git a/flake.lock b/flake.lock index 4b4607e..3d6c071 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,12 +1,44 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "nixlib": { "locked": { - "lastModified": 1689469483, - "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=", + "lastModified": 1693701915, + "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c", + "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25", "type": "github" }, "original": { @@ -23,11 +55,11 @@ ] }, "locked": { - "lastModified": 1690133435, - "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=", + "lastModified": 1693791338, + "narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586", + "rev": "8ee78470029e641cddbd8721496da1316b47d3b4", "type": "github" }, "original": { 
@@ -38,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1693725722, - "narHash": "sha256-PJFNgOpNqrsafMgNuca8olo6ugxIFeQOBBiNtyq2FXA=", + "lastModified": 1694493899, + "narHash": "sha256-46zEnn7H/G2ne735wEEKKW+LoyPa6NOWj2P9InxDfJs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "00cc1bbf20f8eb85b537f9f10b41a311f0e01e3e", + "rev": "c5167858ca4870e933da123762eb55363ccefe2b", "type": "github" }, "original": { @@ -52,13 +84,43 @@ "type": "github" } }, - "nixpkgs-unstable": { + "nixpkgs-22_11": { "locked": { - "lastModified": 1693723626, - "narHash": "sha256-e6DnUnRT5aykzhme6wLUzYmSPw2G8j+RYwXluys2VJc=", + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e9ff98d1dccbb391a9769b5dc660a5f6e39c18b", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1684782344, + "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1694502577, + "narHash": "sha256-MMW8BMlRU38Zewova/BOYy3ER+GM2nPln+UYeHI9EsI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "55ec5ae7d6c3f7866a0696a6ccfb66a1665b3d72", "type": "github" }, "original": { 
@@ -68,11 +130,66 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1670751203, + "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "root": { "inputs": { "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable" + "nixpkgs-unstable": "nixpkgs-unstable", + "simple-nixos-mailserver": "simple-nixos-mailserver" + } + }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs_2", + "nixpkgs-22_11": "nixpkgs-22_11", + "nixpkgs-23_05": "nixpkgs-23_05", + "utils": "utils" + }, + "locked": { + "lastModified": 1687462267, + "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "24128c3052090311688b09a400aa408ba61c6ee5", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-23.05", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "utils": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 2e5abe8..2a78e5b 100644 --- a/flake.nix +++ b/flake.nix 
@@ -6,9 +6,10 @@
 url = "github:nix-community/nixos-generators";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
 };
- outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let
+ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs: let
 hosts = import ./hosts.nix inputs;
 helper = import ./helper.nix inputs;
 in {
@@ -25,13 +26,13 @@
 nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts;
 specialArgs = {
- inherit hosts;
+ inherit hosts simple-nixos-mailserver;
 };
 };
 } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
 hydraJobs = {
- nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts; }) hosts;
+ nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts;
 };
 # Generate a base VM image for Proxmox with `nix build .#base-proxmox`
@@ -39,9 +40,9 @@
 base-proxmox = nixos-generators.nixosGenerate {
 system = "x86_64-linux";
 modules = [
- ./configuration/common
- ./configuration/nixos-generators
- ./configuration/proxmox-vm
+ ./config/common
+ ./config/nixos-generators
+ ./config/environments/proxmox-vm
 ];
 format = "proxmox";
 };
diff --git a/helper.nix b/helper.nix
index 360b356..c59a44c 100644
--- a/helper.nix
+++ b/helper.nix
@@ -11,7 +11,7 @@
 };
 # Set imports and optionally import colmena secrets configuration
- imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix;
+ imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./config/hosts/${name}/secrets.nix) ./config/hosts/${name}/secrets.nix;
 };
 generateNixConfiguration = name: specialArgs: {
diff --git a/hosts.nix b/hosts.nix
index 177da2d..6d496d4 100644
--- a/hosts.nix
+++ b/hosts.nix
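Review bot: The new `simple-nixos-mailserver` input in the first flake.nix hunk has no `inputs.nixpkgs.follows = "nixpkgs";`, unlike `nixos-generators` directly above it; the accompanying flake.lock change shows the consequence — three extra nixpkgs trees (`nixpkgs_2`, `nixpkgs-22_11`, `nixpkgs-23_05`) plus `flake-utils`, `flake-compat` and `blobs` are now pinned, and the mail server module evaluates against its own `nixpkgs_2` (last modified in 2022) rather than the one this repo tracks and updates. Pinning it keeps a single package set to audit and patch: `simple-nixos-mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; inputs.nixpkgs.follows = "nixpkgs"; };`. Whether `nixpkgs-22_11`/`nixpkgs-23_05` can be made to follow as well depends on how the mailserver flake uses them, so check its flake.nix before forcing those too.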
@@ -3,66 +3,90 @@ let
 # Set of environment specific modules
 environments = {
 "proxmox" = [
- ./configuration/proxmox-vm
- ];
+ ./config/environments/proxmox-vm
+ ];
 };
 generateDefaults = hosts: builtins.mapAttrs (name: {
 hostNixpkgs ? nixpkgs,
 system ? "x86_64-linux",
 # pkgs is explicitly defined so that overlays for each host can easily be created
 pkgs ? hostNixpkgs.legacyPackages.${system},
- environment ? "proxmox",
+ environment ? "",
 site
 }: {
 inherit hostNixpkgs system pkgs environment site;
 # define common and host modules and additionally add environment specific modules
 modules = [
- ./configuration/common
- ./hosts/${name}
- ] ++ environments.${environment};
+ ./config/common
+ ./config/hosts/${name}
+ ] ++ (if environment != "" then environments.${environment} else []);
 }) hosts;
 in generateDefaults {
+ #fee = {
+ # site = "wg";
+ # environment = "bare-metal";
+ #};
 hydra = {
 site = "vs";
+ environment = "proxmox";
 };
 iperf = {
 site = "vs";
+ environment = "proxmox";
 };
 jackett = {
 site = "vs";
+ environment = "proxmox";
 };
 jellyfin = {
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
+ environment = "proxmox";
+ };
+ lifeline = {
+ site = "io";
+ };
+ mail-1 = {
+ site = "vs";
+ environment = "proxmox";
 };
 matrix = {
 site = "vs";
+ environment = "proxmox";
 };
 metrics = {
 site = "vs";
+ environment = "proxmox";
 };
 netbox = {
 site = "vs";
+ environment = "proxmox";
 };
 nextcloud = {
 site = "vs";
+ environment = "proxmox";
 };
 nitter = {
 site = "vs";
+ environment = "proxmox";
 };
 coturn = {
 site = "vs";
+ environment = "proxmox";
 };
 tor-relay = {
 site = "vs";
+ environment = "proxmox";
 };
 web-public-2 = {
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
+ environment = "proxmox";
 };
 web-nonpublic-linuxcrewd = {
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
+ environment = "proxmox";
 };
 }
diff --git a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix
deleted file mode 100644
index 8cbdcc9..0000000
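Review bot: `environment ? ""` together with `] ++ (if environment != "" then environments.${environment} else []);` in the hosts.nix hunk uses the empty string as an "absent" sentinel; `environment ? null` with `] ++ nixpkgs.lib.optionals (environment != null) environments.${environment};` says the same thing without a magic value and still fails evaluation loudly for a misspelled environment name, which is the property worth keeping now that hosts default to no environment at all. The commented-out `#fee` block references a `bare-metal` environment that `environments` does not define, so uncommenting it would fail until that entry exists; a `# TODO: add bare-metal environment before enabling fee` next to it, or dropping the block, avoids leaving dead configuration in the host list. The file's function header and its `nixpkgs`/`nixpkgs-unstable` arguments are outside the hunk.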
--- a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."nextcloud.grzb.de" = {
- forceSSL = true;
- enableACME = true;
- listen = [
- {
- addr = "localhost";
- port = 1234;
- } # workaround for enableACME check
- {
- addr = "localhost";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }];
- locations."/" = {
- proxyPass = "http://nextcloud-grzb.vs.grzb.de:80";
- };
- locations."= /.well-known/carddav" = {
- return = "301 $scheme://$host/remote.php/dav";
- };
- locations."= /.well-known/caldav" = {
- return = "301 $scheme://$host/remote.php/dav";
- extraConfig = ''
- proxy_read_timeout 3600;
- proxy_request_buffering off;
- '';
- };
- extraConfig = ''
- client_max_body_size 4096m;
- '';
- };
-}
From fd7b411ee42c83183507fef2421d6b8a1e482d48 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 233/386] Enable firewall --- config/hosts/lifeline/configuration.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix
index 2930c69..b26eb44 100644
--- a/config/hosts/lifeline/configuration.nix
+++ b/config/hosts/lifeline/configuration.nix
@@ -59,6 +59,7 @@
 ];
 };
 firewall = {
+ enable = true;
 allowedUDPPorts = [ 51820 ];
 };
 };
From e35df8b0f173d2bec7ad9d3d5d2ca2e3cc219232 Mon Sep 17 00:00:00 2001
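Review bot: `networking.firewall.enable` already defaults to `true` in NixOS, so the `enable = true;` added to lifeline's firewall block in patch 233 only changes something if another module in this host's import set turns the firewall off; if that is the case, a comment naming that module (or `enable = lib.mkForce true;`, the pattern patch 234 uses for `PermitRootLogin`) keeps the override from being lost in a refactor, and if it is not, the line is a harmless statement of intent. While here, the three `forwardPorts` entries for mail-1 are DNAT rules installed by `networking.nat`, not INPUT rules, so the firewall being on does not require opening 25/465/993 — worth recording as `# 25/465/993 are DNATed to mail-1 by networking.nat; only the WireGuard port is opened here` so nobody adds them to `allowedTCPPorts` later. The enclosing `networking` attrset starts outside the hunk.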
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 234/386] Add valkyrie host --- config/common/default.nix | 4 +- config/environments/openstack-vm/default.nix | 8 +++ .../openstack-vm/hardware-configuration.nix | 24 +++++++++ config/hosts/valkyrie/configuration.nix | 51 +++++++++++++++++++ .../containers/uptime-kuma/default.nix | 14 +++++ config/hosts/valkyrie/default.nix | 8 +++ config/hosts/valkyrie/nginx.nix | 25 +++++++++ config/hosts/valkyrie/secrets.nix | 35 +++++++++++++ config/nixos-generators/default.nix | 21 -------- config/nixos-generators/proxmox.nix | 23 +++++++++ flake.nix | 16 +++++- hosts.nix | 8 ++- 12 files changed, 211 insertions(+), 26 deletions(-) create mode 100644 config/environments/openstack-vm/default.nix create mode 100644 config/environments/openstack-vm/hardware-configuration.nix create mode 100644 config/hosts/valkyrie/configuration.nix create mode 100644 config/hosts/valkyrie/containers/uptime-kuma/default.nix create mode 100644 config/hosts/valkyrie/default.nix create mode 100644 config/hosts/valkyrie/nginx.nix create mode 100644 config/hosts/valkyrie/secrets.nix create mode 100644 config/nixos-generators/proxmox.nix
diff --git a/config/common/default.nix b/config/common/default.nix
index 8634acf..ea3ccf2 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 {
 imports = [
 ./prometheus-node-exporter.nix
@@ -41,7 +41,7 @@
 settings = {
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
- PermitRootLogin = "no";
+ PermitRootLogin = lib.mkForce "no";
 };
 };
diff --git a/config/environments/openstack-vm/default.nix b/config/environments/openstack-vm/default.nix
new file mode 100644
index 0000000..8edb909
--- /dev/null
+++ b/config/environments/openstack-vm/default.nix
@@ -0,0 +1,8 @@
+{ lib, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ users.users.root.initialPassword = lib.mkForce null;
+}
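Review bot: `PermitRootLogin = lib.mkForce "no"` in common/default.nix and `users.users.root.initialPassword = lib.mkForce null` in the new openstack-vm profile are both unexplained overrides: `mkForce` is only needed because some other module sets these options, and nothing in either hunk says which one — I cannot see it from here, and a later maintainer who finds a seemingly redundant `mkForce` will be tempted to drop it, reopening root SSH login or a default root password on cloud hosts. Put the reason inline, e.g. `PermitRootLogin = lib.mkForce "no"; # some image profiles permit root login; keep it closed on every host` and `users.users.root.initialPassword = lib.mkForce null; # drop any profile-provided root password so SSH keys are the only way in`. Assuming no other password option is set for root elsewhere, the second line does leave the account without a usable password, which together with `PasswordAuthentication = false` is the right posture; the openssh `settings` block and the enclosing `services.openssh` start outside the hunk.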
diff --git a/config/environments/openstack-vm/hardware-configuration.nix b/config/environments/openstack-vm/hardware-configuration.nix
new file mode 100644
index 0000000..cf5fdd0
--- /dev/null
+++ b/config/environments/openstack-vm/hardware-configuration.nix
@@ -0,0 +1,24 @@
+{ ... }:
+{
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ autoResize = true;
+ };
+
+ boot = {
+ growPartition = true;
+ kernelParams = [ "console=tty1" ];
+ loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ extraConfig = ''
+ serial --unit=1 --speed=115200 --word=8 --parity=no --stop=1
+ terminal_output console serial
+ terminal_input console serial
+ '';
+ };
+ };
+
+ systemd.services."serial-getty@tty1".enable = true;
+}
diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix
new file mode 100644
index 0000000..1d73f92
--- /dev/null
+++ b/config/hosts/valkyrie/configuration.nix
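Review bot: GRUB is configured with `serial --unit=1 --speed=115200` but `boot.kernelParams` only contains `console=tty1`, so once the kernel takes over nothing is written to the serial port GRUB was just set up for; if the OpenStack console is serial, the matching kernel parameter would be `kernelParams = [ "console=tty1" "console=ttyS1,115200" ];` (unit 1 corresponds to ttyS1) and a `serial-getty@ttyS1` rather than, or in addition to, the tty1 getty. If the serial lines are intentionally only for the GRUB menu, a comment saying so stops the next person from "fixing" it. I cannot tell from this hunk which console the OpenStack flavour actually exposes, so verify on the platform before changing it.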
@@ -0,0 +1,51 @@ +{ ... }: +{ + boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true; + + networking = { + hostName = "valkyrie"; + nftables.enable = true; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 51820 51827 51828 ]; + }; + wireguard = { + enable = true; + interfaces.wg0 = { + listenPort = 51820; + ips = [ + "10.203.10.3/24" + ]; + peers = [ + { + name = "site1-grzb"; + publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret"; + endpoint = "site1.grzb.de:51826"; + allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ]; + } + { + name = "site2-grzb"; + publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret"; + endpoint = "site2.grzb.de:51826"; + allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; + } + { + name = "site2-jsts"; + publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; + endpoint = "site1.jsts.xyz:51823"; + allowedIPs = [ "10.203.10.4/32" ]; + } + ]; + privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret"; + }; + }; + }; + + services.prometheus.exporters.node.enable = false; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/valkyrie/containers/uptime-kuma/default.nix b/config/hosts/valkyrie/containers/uptime-kuma/default.nix new file mode 100644 index 0000000..2939abd --- /dev/null +++ b/config/hosts/valkyrie/containers/uptime-kuma/default.nix @@ -0,0 +1,14 @@ +{ nixpkgs-unstable, ... }: +{ + containers.uptime-kuma = { + nixpkgs = nixpkgs-unstable; + autoStart = true; + config = { ... }: { + services.uptime-kuma = { + enable = true; + }; + + system.stateVersion = "23.05"; + }; + }; +} diff --git a/config/hosts/valkyrie/default.nix b/config/hosts/valkyrie/default.nix new file mode 100644 index 0000000..b8c16ea --- /dev/null 
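Review bot: The third wg0 peer in valkyrie/configuration.nix is inconsistent with itself: it is named `"site2-jsts"` but uses `presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"` and `endpoint = "site1.jsts.xyz:51823"`, so either the name or the two site1 references is wrong, and the mismatch will make a future key rotation error-prone. The hunk also enables `net.ipv4.conf.all.forwarding` while the only forwarding policy visible is the host firewall, so it is worth confirming what the forward chain allows once nftables is on. `allowedUDPPorts` opens 51827 and 51828 although nothing in this file listens there; a comment naming the consumer (the dnat service added in the next patch, by the look of it) would help, e.g. `allowedUDPPorts = [ 51820 51827 51828 ]; # 51827/51828: forwarded to site peers by wireguard-nat-nftables`.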
+++ b/config/hosts/valkyrie/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ./containers/uptime-kuma + ]; +} diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix new file mode 100644 index 0000000..ada3379 --- /dev/null +++ b/config/hosts/valkyrie/nginx.nix @@ -0,0 +1,25 @@ +{ ... }: +{ + services.nginx = { + enable = true; + virtualHosts."status.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://localhost:3001"; + proxyWebsockets = true; + }; + }; + }; +} diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix new file mode 100644 index 0000000..7e7512c --- /dev/null +++ b/config/hosts/valkyrie/secrets.nix 
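Review bot: The explicit `listen` list in nginx.nix binds `0.0.0.0` only, so status.nekover.se is not served over IPv6 even if the host gets an AAAA record; with `forceSSL = true` and `enableACME = true` the module already generates the 80/443 listeners on the default addresses, which include `[::0]` when IPv6 is enabled, so the whole `listen = [ ... ];` block can likely be dropped. If the IPv4-only binding is intentional, a comment saying so would prevent it being "fixed" later. The `proxyPass = "http://localhost:3001"` target also relies on the uptime-kuma container sharing the host network namespace (no `privateNetwork` is set in the container hunk), which is worth a comment next to the proxy line.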
@@ -0,0 +1,35 @@ +{ ... }: +{ + deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/nixos-generators/default.nix b/config/nixos-generators/default.nix index e392d53..2cda85e 100644 --- a/config/nixos-generators/default.nix +++ b/config/nixos-generators/default.nix 
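Review bot: The four `deployment.keys` entries in secrets.nix are byte-identical apart from the key name and the `pass` path, which invites drift the next time a field such as `permissions` or the GNUPGHOME path changes. A small helper that takes the pass entry and returns the attribute set keeps one copy of the deployment policy. Separately, `permissions = "0640"` for root-owned private keys is broader than needed; unless a non-root group member must read them, `"0600"` is the least-privilege choice.
```nix
{ ... }:
let
  # One deployment policy for every secret pulled from the infra pass store.
  passKey = entry: {
    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" entry ];
    destDir = "/secrets";
    user = "root";
    group = "root";
    permissions = "0640";
    uploadAt = "pre-activation";
  };
in
{
  deployment.keys = {
    "wireguard-valkyrie-wg0-privatekey.secret" = passKey "wireguard/valkyrie-wg0-privatekey";
    "wireguard-valkyrie-site1-grzb-psk.secret" = passKey "wireguard/valkyrie-site1-grzb/psk";
    "wireguard-valkyrie-site2-grzb-psk.secret" = passKey "wireguard/valkyrie-site2-grzb/psk";
    "wireguard-valkyrie-site1-jsts-psk.secret" = passKey "wireguard/valkyrie-site1-jsts/psk";
  };
}
```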
@@ -10,26 +10,5 @@ firewall.enable = true; }; - proxmox = { - qemuConf = { - ostype = "l26"; - cores = 2; - memory = 1024; - bios = "seabios"; - # Option not available in 23.05 - # diskSize = "8096"; - virtio0 = "local-zfs:base-disk-0,discard=on"; - boot = "order=virtio0"; - net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1"; - agent = true; - }; - qemuExtraConf = { - cpu = "cputype=host,flags=+aes"; - onboot = 1; - machine = "q35"; - template = 1; - }; - }; - system.stateVersion = "23.05"; } diff --git a/config/nixos-generators/proxmox.nix b/config/nixos-generators/proxmox.nix new file mode 100644 index 0000000..196f802 --- /dev/null +++ b/config/nixos-generators/proxmox.nix @@ -0,0 +1,23 @@ +{ ... }: +{ + proxmox = { + qemuConf = { + ostype = "l26"; + cores = 2; + memory = 1024; + bios = "seabios"; + # Option not available in 23.05 + # diskSize = "8096"; + virtio0 = "local-zfs:base-disk-0,discard=on"; + boot = "order=virtio0"; + net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1"; + agent = true; + }; + qemuExtraConf = { + cpu = "cputype=host,flags=+aes"; + onboot = 1; + machine = "q35"; + template = 1; + }; + }; +} diff --git a/flake.nix b/flake.nix index 2a78e5b..4b25dcb 100644 --- a/flake.nix +++ b/flake.nix @@ -26,13 +26,15 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit hosts simple-nixos-mailserver; + inherit nixpkgs-unstable hosts simple-nixos-mailserver; }; }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts; hydraJobs = { - nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts; + nixConfigurations = builtins.mapAttrs ( + host: helper.generateNixConfiguration host { inherit nixpkgs-unstable hosts simple-nixos-mailserver; } + ) hosts; }; # Generate a base VM image for Proxmox with `nix build .#base-proxmox` 
@@ -42,10 +44,20 @@ modules = [ ./config/common ./config/nixos-generators + ./config/nixos-generators/proxmox.nix ./config/environments/proxmox-vm ]; format = "proxmox"; }; + base-openstack = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = [ + ./config/common + ./config/nixos-generators + ./config/environments/openstack-vm + ]; + format = "openstack"; + }; }; # Binary cache hint diff --git a/hosts.nix b/hosts.nix index 6d496d4..472ac92 100644 --- a/hosts.nix +++ b/hosts.nix @@ -5,6 +5,9 @@ let "proxmox" = [ ./config/environments/proxmox-vm ]; + "openstack" = [ + ./config/environments/openstack-vm + ]; }; generateDefaults = hosts: builtins.mapAttrs (name: { hostNixpkgs ? nixpkgs, @@ -25,7 +28,6 @@ in generateDefaults { #fee = { # site = "wg"; - # environment = "bare-metal"; #}; hydra = { site = "vs"; @@ -79,6 +81,10 @@ in site = "vs"; environment = "proxmox"; }; + valkyrie = { + site = "af"; + environment = "openstack"; + }; web-public-2 = { hostNixpkgs = nixpkgs-unstable; site = "vs"; From 93924044c41173a503bf8a5b6431067d133e8fd8 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 235/386] Add wireguard-nat-nftables python script --- config/hosts/valkyrie/default.nix | 1 + config/hosts/valkyrie/services.nix | 30 ++++++ flake.nix | 9 +- pkgs/wireguard-nat-nftables/default.nix | 17 ++++ pkgs/wireguard-nat-nftables/src/setup.py | 7 ++ .../src/wireguard-nat-nftables.py | 92 +++++++++++++++++++ 6 files changed, 152 insertions(+), 4 deletions(-) create mode 100644 config/hosts/valkyrie/services.nix create mode 100644 pkgs/wireguard-nat-nftables/default.nix create mode 100644 pkgs/wireguard-nat-nftables/src/setup.py create mode 100644 pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py diff --git a/config/hosts/valkyrie/default.nix b/config/hosts/valkyrie/default.nix index b8c16ea..68a1b85 100644 --- a/config/hosts/valkyrie/default.nix +++ b/config/hosts/valkyrie/default.nix 
@@ -4,5 +4,6 @@
 ./configuration.nix
 ./nginx.nix
 ./containers/uptime-kuma
+ ./services.nix
 ];
 }
diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix new file mode 100644
index 0000000..895865c
--- /dev/null
+++ b/config/hosts/valkyrie/services.nix
@@ -0,0 +1,30 @@
+{ pkgs, ... }:
+let
+ wireguard-nat-nftables = import ../../../pkgs/wireguard-nat-nftables pkgs;
+ config = pkgs.writeText "wireguard-nat-nftables-config" (builtins.toJSON {
+ interface = "ens3";
+ wg_interface = "wg0";
+ pubkey_port_mapping = {
+ "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=" = [ 51827 51829 ];
+ "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=" = [ 51828 51830 ];
+ "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=" = [ 51821 51824 ];
+ };
+ });
+in
+{
+ systemd.services.wireguard-nat-nftables = {
+ description = "A python script to update nftable dnat rules based on WireGuard peer IPs";
+ requires = [ "wireguard-wg0.service" ];
+ after = [ "wireguard-wg0.service" ];
+
+ script = ''
+ ${wireguard-nat-nftables}/bin/wireguard-nat-nftables.py ${config}
+ '';
+
+ serviceConfig = {
+ Type = "simple";
+ User = "root";
+ Group = "root";
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index 4b25dcb..a9af2db 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,7 +9,8 @@
 simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
 };
- outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs: let
+ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs:
+ let
 hosts = import ./hosts.nix inputs;
 helper = import ./helper.nix inputs;
 in {
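Review bot: The new `systemd.services.wireguard-nat-nftables` unit in services.nix has no `wantedBy`, so nothing starts it at boot; `requires`/`after` only order it relative to wireguard-wg0.service if something else pulls it in. Since the script is an endless loop that exits on the first unhandled exception, it also needs a restart policy: add `wantedBy = [ "multi-user.target" ];` and `serviceConfig.Restart = "on-failure";` (with `RestartSec` to taste). The `pubkey_port_mapping` also forwards UDP 51821, 51824, 51829 and 51830, none of which appear in valkyrie's `allowedUDPPorts` (51820, 51827, 51828 in the previous patch); whether dnat'ed packets need an input-chain opening depends on how the forward chain is filtered, so please verify the intended ports actually pass. Running as root is required for nft, but `ProtectHome`, `ProtectSystem = "strict"` and a `CapabilityBoundingSet` limited to `CAP_NET_ADMIN` would narrow what a bug in the script can touch.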
@@ -32,9 +33,9 @@ } // builtins.mapAttrs (helper.generateColmenaHost) hosts; hydraJobs = { - nixConfigurations = builtins.mapAttrs ( - host: helper.generateNixConfiguration host { inherit nixpkgs-unstable hosts simple-nixos-mailserver; } - ) hosts; + nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { + inherit nixpkgs-unstable hosts simple-nixos-mailserver; + }) hosts; }; # Generate a base VM image for Proxmox with `nix build .#base-proxmox` diff --git a/pkgs/wireguard-nat-nftables/default.nix b/pkgs/wireguard-nat-nftables/default.nix new file mode 100644 index 0000000..4a75703 --- /dev/null +++ b/pkgs/wireguard-nat-nftables/default.nix @@ -0,0 +1,17 @@ +{ pkgs, ... }: +let + nftablesWithPythonOverlay = final: prev: { + nftables = (prev.nftables.override { withPython = true; }); + }; + pkgs-overlay = pkgs.extend nftablesWithPythonOverlay; +in +pkgs-overlay.python310Packages.buildPythonApplication { + pname = "wireguard-nat-nftables"; + version = "0.0.1"; + + propagatedBuildInputs = with pkgs-overlay; [ + python310Packages.nftables + ]; + + src = ./src; +} diff --git a/pkgs/wireguard-nat-nftables/src/setup.py b/pkgs/wireguard-nat-nftables/src/setup.py new file mode 100644 index 0000000..4bcc53c --- /dev/null +++ b/pkgs/wireguard-nat-nftables/src/setup.py @@ -0,0 +1,7 @@ +from distutils.core import setup + +setup( + name='wireguard-nat-nftables', + version='0.0.1', + scripts=['wireguard-nat-nftables.py'] +) diff --git a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py new file mode 100644 index 0000000..a1c09c0 --- /dev/null +++ b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py 
@@ -0,0 +1,92 @@
+#!/usr/bin/env python3
+
+import nftables
+import json
+import subprocess
+import time
+import sys
+
+def main():
+ f = open(sys.argv[1], "r")
+ config = json.loads(f.read())
+ f.close()
+
+ interface = config["interface"]
+ wg_interface = config["wg_interface"]
+ pubkey_port_mapping = config["pubkey_port_mapping"]
+
+ nft = nftables.Nftables()
+ nft.set_json_output(True)
+ nft.set_handle_output(True)
+
+ # add nat table rules for dnat and snat masquerade
+ nft.cmd("add table nat")
+ nft.cmd("add chain nat prerouting { type nat hook prerouting priority -100; }")
+ nft.cmd("add chain nat postrouting { type nat hook postrouting priority 100; }")
+
+ # load current nftables rules
+ rc, output, error = nft.cmd("list ruleset")
+ if error:
+ print(error, file=sys.stderr)
+ nftables_output = json.loads(output)
+
+ add_masquerade = True
+ for item in nftables_output["nftables"]:
+ if ("rule" in item
+ and item["rule"]["family"] == "ip"
+ and item["rule"]["table"] == "nat"
+ and item["rule"]["chain"] == "postrouting"
+ and "masquerade" in item["rule"]["expr"][0]
+ ):
+ add_masquerade = False
+ break
+ if add_masquerade:
+ nft.cmd("add rule nat postrouting masquerade")
+
+ while True:
+ # list WireGuard peer endpoint addresses of WireGuard VPN connection
+ process = subprocess.Popen(["wg", "show", wg_interface, "endpoints"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ stdout, stderr = process.communicate()
+ lines = stdout.decode().split("\n")[:-1]
+ if stderr:
+ print("{}: {}".format(wg_interface, stderr.decode()), file=sys.stderr)
+ else:
+ # map destination port to IP
+ port_ip_mapping = {}
+ for line in lines:
+ pubkey = line.split("\t")[0]
+ ip = line.split("\t")[1].split(":")[0] # probably only works for IPv4
+ for port in pubkey_port_mapping[pubkey]:
+ port_ip_mapping[port] = ip
+
+ # load current nftables rules
+ rc, output, error = nft.cmd("list ruleset")
+ if error:
+ print(error, file=sys.stderr)
+ nftables_output = json.loads(output)
+
+ # 
update existing nftable dnat rules, if the remote IP mismatches
+ for item in nftables_output["nftables"]:
+ if "rule" in item and item["rule"]["family"] == "ip" and item["rule"]["table"] == "nat" and item["rule"]["chain"] == "prerouting":
+ handle = item["rule"]["handle"]
+ ip = item["rule"]["expr"][2]["dnat"]["addr"]
+ port = item["rule"]["expr"][1]["match"]["right"]
+ if not ip == port_ip_mapping[port]:
+ rc, output, error = nft.cmd("replace rule nat prerouting handle {} iif {} udp dport {} dnat to {}".format(handle, interface, port, port_ip_mapping[port]))
+ if error:
+ eprint(error)
+ else:
+ print("Changed dnat address from {} to {} for UDP port {}".format(ip, port_ip_mapping[port], port))
+ port_ip_mapping.pop(port)
+
+ # loop through all remaining ports and add needed dnat rules
+ for port in port_ip_mapping:
+ rc, output, error = nft.cmd("add rule nat prerouting iif {} udp dport {} dnat to {}".format(interface, port, port_ip_mapping[port]))
+ if error:
+ print(error, file=sys.stderr)
+ else:
+ print("Added dnat rule from UDP port {} to address {}".format(port, port_ip_mapping[port]))
+ time.sleep(10)
+
+if __name__ == "__main__":
+ main()
From 0f3e7771a5eeed1b0a537e45e9bc1167b460598e Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 236/386] Pass libnftables.so.1 path into python script --- config/hosts/valkyrie/services.nix | 2 +- pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix
index 895865c..c9b65f2 100644
--- a/config/hosts/valkyrie/services.nix
+++ b/config/hosts/valkyrie/services.nix
@@ -18,7 +18,7 @@ in
 after = [ "wireguard-wg0.service" ];
 script = ''
- ${wireguard-nat-nftables}/bin/wireguard-nat-nftables.py ${config}
+ ${wireguard-nat-nftables}/bin/wireguard-nat-nftables.py ${config} ${pkgs.nftables}/lib
 '';
 serviceConfig = {
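Review bot: `eprint(error)` in the "replace rule" error branch of wireguard-nat-nftables.py is not defined anywhere in the file, so the first failed replace raises NameError and kills the service instead of logging; it should be `print(error, file=sys.stderr)` like the other branches. The endpoint parsing is equally fragile: `pubkey_port_mapping[pubkey]` raises KeyError for any wg0 peer that is not in the config, `wg show … endpoints` prints `(none)` for a peer that has never connected and that string would end up in a `dnat to` rule, and `port_ip_mapping[port]` in the prerouting loop raises KeyError for any pre-existing dnat rule whose port is not managed here (`wanted = port_ip_mapping.get(port)` and `if wanted is not None and ip != wanted:` covers that). The unconditional `add rule nat postrouting masquerade` also rewrites the source of every packet leaving the host on any interface, not just the forwarded VPN traffic; `add rule nat postrouting oifname {} masquerade".format(interface)` is the narrower rule. The rewritten peer loop below shows the guards; `open(sys.argv[1])` should likewise become a `with` block.
```python
            # … unchanged: wg show call and stderr check …
            port_ip_mapping = {}
            for line in lines:
                pubkey, endpoint = line.split("\t")[:2]
                # skip peers this host does not forward for, and peers whose
                # endpoint is not known yet (wg prints "(none)" for those)
                if pubkey not in pubkey_port_mapping or endpoint == "(none)":
                    continue
                ip = endpoint.rsplit(":", 1)[0]  # still IPv4-only: IPv6 endpoints are "[addr]:port"
                for port in pubkey_port_mapping[pubkey]:
                    port_ip_mapping[port] = ip
            # … unchanged: ruleset reload and dnat rule sync …
```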
diff --git a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py index a1c09c0..3bc8e96 100644 --- a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py +++ b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py @@ -15,7 +15,7 @@ def main(): wg_interface = config["wg_interface"] pubkey_port_mapping = config["pubkey_port_mapping"] - nft = nftables.Nftables() + nft = nftables.Nftables(sys.argv[2] + "/libnftables.so.1") nft.set_json_output(True) nft.set_handle_output(True) From fec97bb1462d1987b674f6e1c6d5fa162e71c68e Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 237/386] Add missing wireguard-tools dependency --- config/environments/openstack-vm/default.nix | 4 +- .../openstack-vm/hardware-configuration.nix | 24 ---- config/hosts/lifeline/configuration.nix | 50 +------- config/hosts/mail-1/configuration.nix | 12 +- config/hosts/valkyrie/configuration.nix | 111 +++++++++++++----- config/hosts/valkyrie/secrets.nix | 16 +++ pkgs/wireguard-nat-nftables/default.nix | 3 +- 7 files changed, 107 insertions(+), 113 deletions(-) delete mode 100644 config/environments/openstack-vm/hardware-configuration.nix diff --git a/config/environments/openstack-vm/default.nix b/config/environments/openstack-vm/default.nix index 8edb909..a2124f4 100644 --- a/config/environments/openstack-vm/default.nix +++ b/config/environments/openstack-vm/default.nix @@ -1,7 +1,7 @@ -{ lib, ... }: +{ lib, modulesPath, ... }: { imports = [ - ./hardware-configuration.nix + "${modulesPath}/virtualisation/openstack-config.nix" ]; users.users.root.initialPassword = lib.mkForce null; diff --git a/config/environments/openstack-vm/hardware-configuration.nix b/config/environments/openstack-vm/hardware-configuration.nix deleted file mode 100644 index cf5fdd0..0000000 --- a/config/environments/openstack-vm/hardware-configuration.nix +++ /dev/null 
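Review bot: `nftables.Nftables(sys.argv[2] + "/libnftables.so.1")` reads a second positional argument without any length check, so launching the script with only the config path now fails with an IndexError rather than a usage message; a `if len(sys.argv) < 3: sys.exit("usage: wireguard-nat-nftables.py CONFIG LIBDIR")` guard at the top of `main()` would make that explicit. Since the library path is a build-time constant of the package (the overlay in pkgs/wireguard-nat-nftables/default.nix already selects the nftables derivation), baking it into the script at build time would remove the runtime argument altogether; the enclosing `main()` starts and ends outside this hunk.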
@@ -1,24 +0,0 @@ -{ ... }: -{ - fileSystems."/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - autoResize = true; - }; - - boot = { - growPartition = true; - kernelParams = [ "console=tty1" ]; - loader.grub = { - enable = true; - device = "/dev/vda"; - extraConfig = '' - serial --unit=1 --speed=115200 --word=8 --parity=no --stop=1 - terminal_output console serial - terminal_input console serial - ''; - }; - }; - - systemd.services."serial-getty@tty1".enable = true; -} diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index b26eb44..d31ab0a 100644 --- a/config/hosts/lifeline/configuration.nix +++ b/config/hosts/lifeline/configuration.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ ... }: { boot.loader.grub = { enable = true; 
@@ -10,54 +10,6 @@ networking = { hostName = "lifeline"; useDHCP = true; - wireguard = { - enable = true; - interfaces.wg0 = { - privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret"; - listenPort = 51820; - ips = [ - "172.16.50.1/24" - ]; - peers = [ - { - name = "mail-1"; - publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs="; - presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret"; - allowedIPs = [ "172.16.50.2/32" ]; - } - ]; - postSetup = '' - ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE - ''; - postShutdown = '' - ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE - ''; - }; - }; - nat = { - enable = true; - internalInterfaces = [ "wg0" ]; - externalInterface = "ens6"; - forwardPorts = [ - { - destination = "172.16.50.2:25"; - proto = "tcp"; - sourcePort = 25; - } - { - destination = "172.16.50.2:465"; - proto = "tcp"; - sourcePort = 465; - } - { - destination = "172.16.50.2:993"; - proto = "tcp"; - sourcePort = 993; - } - ]; - }; firewall = { enable = true; allowedUDPPorts = [ 51820 ]; diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index 4638917..b66124e 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix @@ -30,7 +30,7 @@ via = "10.202.41.1"; } { - address = "217.160.117.160"; # + address = "212.53.203.19"; # valkyrie.af.grzb.de prefixLength = 32; via = "10.202.41.1"; } 
@@ -44,15 +44,15 @@ ]; peers = [ { - name = "lifeline"; - publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY="; - presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret"; - endpoint = "lifeline.io.grzb.de:51820"; + name = "valkyrie"; + publicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; + presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; + endpoint = "212.53.203.19:51821"; allowedIPs = [ "0.0.0.0/0" ]; persistentKeepalive = 25; } ]; - privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret"; + privateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret"; }; }; }; diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index 1d73f92..f6de52a 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -1,4 +1,4 @@ -{ ... }: +{ pkgs, ... }: { boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true; 
@@ -8,41 +8,90 @@ firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 51820 51827 51828 ]; + allowedUDPPorts = [ 51820 51821 51827 51828 ]; }; wireguard = { enable = true; - interfaces.wg0 = { - listenPort = 51820; - ips = [ - "10.203.10.3/24" - ]; - peers = [ - { - name = "site1-grzb"; - publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret"; - endpoint = "site1.grzb.de:51826"; - allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ]; - } - { - name = "site2-grzb"; - publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret"; - endpoint = "site2.grzb.de:51826"; - allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; - } - { - name = "site2-jsts"; - publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; - endpoint = "site1.jsts.xyz:51823"; - allowedIPs = [ "10.203.10.4/32" ]; - } - ]; - privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret"; + interfaces = { + # Site-to-site WireGuard setup also used for nftables dnat IP refresh thingy + wg0 = { + listenPort = 51820; + ips = [ + "10.203.10.3/24" + ]; + peers = [ + { + name = "site1-grzb"; + publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret"; + endpoint = "site1.grzb.de:51826"; + allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ]; + } + { + name = "site2-grzb"; + publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret"; + endpoint = "site2.grzb.de:51826"; + allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; + } + { + name = "site2-jsts"; + publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; + endpoint = 
"site1.jsts.xyz:51823"; + allowedIPs = [ "10.203.10.4/32" ]; + } + ]; + privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret"; + }; + # mail-1 VPN + wg1 = { + listenPort = 51821; + ips = [ + "172.16.50.1/24" + ]; + peers = [ + { + name = "mail-1"; + publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs="; + presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret"; + allowedIPs = [ "172.16.50.2/32" ]; + } + ]; + postSetup = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ''; + postShutdown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ''; + privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret"; + }; }; }; + nat = { + enable = true; + internalInterfaces = [ "wg1" ]; + externalInterface = "ens3"; + forwardPorts = [ + { + destination = "172.16.50.2:25"; + proto = "tcp"; + sourcePort = 25; + } + { + destination = "172.16.50.2:465"; + proto = "tcp"; + sourcePort = 465; + } + { + destination = "172.16.50.2:993"; + proto = "tcp"; + sourcePort = 993; + } + ]; + }; }; services.prometheus.exporters.node.enable = false; diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix index 7e7512c..4395a6d 100644 --- a/config/hosts/valkyrie/secrets.nix +++ b/config/hosts/valkyrie/secrets.nix 
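Review bot: The new `wg1` block in valkyrie/configuration.nix was copied from lifeline without adjusting the interface names: `postSetup`/`postShutdown` run `iptables -A FORWARD -i wg0 -j ACCEPT` and `-t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE`, but this interface is `wg1` and valkyrie's uplink is `ens3` (see `nat.externalInterface = "ens3"` a few lines below and the service config), so the ACCEPT applies to the site-to-site tunnel and the MASQUERADE never matches. The `networking.nat` block added in the same hunk (`internalInterfaces = [ "wg1" ]`, `externalInterface = "ens3"`, `forwardPorts`) already generates the forward and masquerade rules, so the two shell hooks can simply be removed rather than corrected; that also avoids mixing legacy iptables calls with the `networking.nftables.enable = true` backend this host uses. The same duplicate-hook pattern is re-added on lifeline in patch 240 (`wg0`/`ens6` there, where the names at least match), and should get the same treatment.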
@@ -32,4 +32,20 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + deployment.keys."wireguard-valkyrie-wg1-privatekey.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg1-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-mail-1/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; } diff --git a/pkgs/wireguard-nat-nftables/default.nix b/pkgs/wireguard-nat-nftables/default.nix index 4a75703..e687cee 100644 --- a/pkgs/wireguard-nat-nftables/default.nix +++ b/pkgs/wireguard-nat-nftables/default.nix @@ -4,12 +4,13 @@ let nftables = (prev.nftables.override { withPython = true; }); }; pkgs-overlay = pkgs.extend nftablesWithPythonOverlay; -in +in pkgs-overlay.python310Packages.buildPythonApplication { pname = "wireguard-nat-nftables"; version = "0.0.1"; propagatedBuildInputs = with pkgs-overlay; [ + wireguard-tools python310Packages.nftables ]; From bbe382c0f285a09ba592db6ee8e81e1fa9a48f5b Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 238/386] Use host resolv.conf in container --- config/hosts/valkyrie/containers/uptime-kuma/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/hosts/valkyrie/containers/uptime-kuma/default.nix b/config/hosts/valkyrie/containers/uptime-kuma/default.nix index 2939abd..78d3437 100644 --- a/config/hosts/valkyrie/containers/uptime-kuma/default.nix +++ b/config/hosts/valkyrie/containers/uptime-kuma/default.nix 
@@ -4,6 +4,8 @@ nixpkgs = nixpkgs-unstable; autoStart = true; config = { ... }: { + networking.useHostResolvConf = true; + services.uptime-kuma = { enable = true; }; From 8e153de225ffa4f8109ac14185a71d16e096dfd3 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 239/386] Change mail-1 wireguard port as it is already used for STS setup --- config/hosts/mail-1/configuration.nix | 4 ++-- config/hosts/valkyrie/configuration.nix | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index b66124e..d9b4fa6 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix @@ -1,4 +1,4 @@ -{ ... }: +{ hosts, ... }: { boot.loader.grub = { enable = true; @@ -47,7 +47,7 @@ name = "valkyrie"; publicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; - endpoint = "212.53.203.19:51821"; + endpoint = "212.53.203.19:51822"; allowedIPs = [ "0.0.0.0/0" ]; persistentKeepalive = 25; } diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index f6de52a..8751e09 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -8,7 +8,7 @@ firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 51820 51821 51827 51828 ]; + allowedUDPPorts = [ 51820 51821 51822 51827 51828 ]; }; wireguard = { enable = true; @@ -46,7 +46,7 @@ }; # mail-1 VPN wg1 = { - listenPort = 51821; + listenPort = 51822; ips = [ "172.16.50.1/24" ]; From 5b8d0943fc0db47e289d92dfd478c93a66d16896 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 240/386] Fix WireGuard nat rules --- config/hosts/lifeline/configuration.nix | 39 +++++- config/hosts/lifeline/secrets.nix | 8 +- config/hosts/mail-1/configuration.nix | 120 +++++++++++------- .../hosts/mail-1/simple-nixos-mailserver.nix | 3 + config/hosts/mail-2/configuration.nix | 91 +++++++++++++ config/hosts/mail-2/default.nix | 7 + config/hosts/mail-2/postfix.nix | 17 +++ config/hosts/mail-2/secrets.nix | 19 +++ config/hosts/valkyrie/configuration.nix | 10 +- flake.lock | 12 +- hosts.nix | 4 + 11 files changed, 269 insertions(+), 61 deletions(-) create mode 100644 config/hosts/mail-2/configuration.nix create mode 100644 config/hosts/mail-2/default.nix create mode 100644 config/hosts/mail-2/postfix.nix create mode 100644 config/hosts/mail-2/secrets.nix diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index d31ab0a..1f53208 100644 --- a/config/hosts/lifeline/configuration.nix +++ b/config/hosts/lifeline/configuration.nix @@ -1,4 +1,4 @@ -{ ... }: +{ pkgs, ... }: { boot.loader.grub = { enable = true; 
@@ -14,6 +14,43 @@ enable = true; allowedUDPPorts = [ 51820 ]; }; + # mail-2 VPN + wireguard = { + enable = true; + interfaces.wg0 = { + listenPort = 51820; + ips = [ + "172.16.50.1/24" + ]; + peers = [ + { + name = "mail-2"; + publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM="; + presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret"; + allowedIPs = [ "172.16.50.2/32" ]; + } + ]; + postSetup = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ''; + postShutdown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ''; + privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret"; + }; + }; + nat = { + enable = true; + internalInterfaces = [ "wg0" ]; + externalInterface = "ens6"; + forwardPorts = [{ + destination = "172.16.50.2:25"; + proto = "tcp"; + sourcePort = 25; + }]; + }; }; services.prometheus.exporters.node.enable = false; diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix index 90f3f12..b14e281 100644 --- a/config/hosts/lifeline/secrets.nix +++ b/config/hosts/lifeline/secrets.nix 
@@ -1,15 +1,15 @@ { ... }: { - deployment.keys."wireguard-lifeline-mail-1-lifeline-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/psk" ]; + deployment.keys."wireguard-lifeline-wg0-privatekey.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-wg0-privatekey" ]; destDir = "/secrets"; user = "root"; group = "root"; permissions = "0640"; uploadAt = "pre-activation"; }; - deployment.keys."wireguard-lifeline-mail-1-lifeline-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/lifeline-privatekey" ]; + deployment.keys."wireguard-lifeline-mail-2-lifeline-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; destDir = "/secrets"; user = "root"; group = "root"; diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index d9b4fa6..c34643d 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix 
@@ -1,61 +1,91 @@ -{ hosts, ... }: +{ pkgs, ... }: { boot.loader.grub = { enable = true; device = "/dev/vda"; }; - networking = { - hostName = "mail-1"; - useDHCP = true; - defaultGateway = { - address = "172.16.50.1"; - interface = "wg0"; - }; - interfaces.enp6s18.ipv4 = { - routes = [ - { - address = "10.201.0.0"; - prefixLength = 16; - via = "10.202.41.1"; - } - { - address = "10.202.0.0"; - prefixLength = 16; - via = "10.202.41.1"; - } - { - address = "172.21.87.0"; # management VPN - prefixLength = 24; - via = "10.202.41.1"; - } - { - address = "212.53.203.19"; # valkyrie.af.grzb.de - prefixLength = 32; - via = "10.202.41.1"; - } - ]; - }; - wireguard = { - enable = true; - interfaces.wg0 = { - ips = [ - "172.16.50.2/24" + systemd.network = { + enable = true; + networks = { + "enp6s18" = { + matchConfig.Name = "enp6s18"; + address = [ + "10.202.41.123/24" ]; - peers = [ + routes = [ { - name = "valkyrie"; - publicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; - presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; - endpoint = "212.53.203.19:51822"; - allowedIPs = [ "0.0.0.0/0" ]; - persistentKeepalive = 25; + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "10.201.0.0/16"; + }; + } + { + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "10.202.0.0/16"; + }; + } + { + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "172.21.87.0/24"; + }; + } + { + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "212.53.203.19/32"; + }; } ]; - privateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret"; + linkConfig.RequiredForOnline = "routable"; + }; + "wg0" = { + matchConfig.Name = "wg0"; + address = [ + "172.16.50.2/24" + ]; + DHCP = "no"; + gateway = [ + "172.16.50.1" + ]; + }; + }; + netdevs = { + "wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + }; + wireguardConfig = { + PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret"; + }; + wireguardPeers = [{ + 
wireguardPeerConfig = { + PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; + PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; + Endpoint = "212.53.203.19:51822"; + AllowedIPs = [ "0.0.0.0/0" ]; + PersistentKeepalive = 25; + }; + }]; }; }; }; + networking = { + hostName = "mail-1"; + useDHCP = false; + firewall = { + enable = true; + allowedTCPPorts = [ 25 465 993 ]; + }; + }; + + environment.systemPackages = with pkgs; [ + wireguard-tools + ]; + system.stateVersion = "23.05"; } diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 81fa130..63a0e3a 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix @@ -59,8 +59,11 @@ services.postfix = { transport = "relay:[mail-2.grzb.de]"; +<<<<<<< HEAD extraConfig = '' proxy_interfaces = 212.53.203.19 ''; +======= +>>>>>>> 0e55e66 (Use systemd-networkd on mail servers) }; } diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix new file mode 100644 index 0000000..38384cb --- /dev/null +++ b/config/hosts/mail-2/configuration.nix 
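Review bot: The key files named in the new `netdevs."wg0"` block (`PrivateKeyFile` and `PresharedKeyFile` under `/secrets`) are now read by systemd-networkd instead of a root-run wg script, and networkd opens them as the `systemd-network` user, so they must be group-readable by that user. This commit changes mail-2's deployment keys to `group = "systemd-network"` with `0640`, but mail-1's `secrets.nix` is not touched here and the deployed mode of `wireguard-mail-1-wg0-privatekey.secret` and `wireguard-valkyrie-mail-1-mail-1-psk.secret` is not visible; if they stay `root:root 0640`, the netdev cannot load its key and the tunnel never comes up, which with `AllowedIPs = 0.0.0.0/0` and the default route on wg0 leaves the host without connectivity. Please align them with mail-2's entries and add `# key files must be readable by the systemd-network group (see secrets.nix)` above `wireguardConfig` so the requirement is explicit.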
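Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 0e55e66 ...`) into `simple-nixos-mailserver.nix`, which makes the file unparseable and breaks evaluation of the mail-1 configuration at this commit; a later patch in the series appears to strip them again, but the broken intermediate commit still bisects badly. The intended result looks like keeping the `extraConfig` block, so resolve it here: keep `extraConfig = '' proxy_interfaces = 212.53.203.19 '';` and delete the three marker lines. The enclosing `services.postfix` attribute set starts before this hunk.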
@@ -0,0 +1,91 @@ +{ pkgs, ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + systemd.network = { + enable = true; + networks = { + "enp6s18" = { + matchConfig.Name = "enp6s18"; + address = [ + "10.201.41.100/24" + ]; + routes = [ + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "10.201.0.0/16"; + }; + } + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "10.202.0.0/16"; + }; + } + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "172.21.87.0/24"; + }; + } + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "217.160.117.160/32"; + }; + } + ]; + linkConfig.RequiredForOnline = "routable"; + }; + "wg0" = { + matchConfig.Name = "wg0"; + address = [ + "172.16.50.2/24" + ]; + DHCP = "no"; + gateway = [ + "172.16.50.1" + ]; + }; + }; + netdevs = { + "wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + }; + wireguardConfig = { + PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret"; + }; + wireguardPeers = [{ + wireguardPeerConfig = { + PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4="; + PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret"; + Endpoint = "217.160.117.160:51820"; + AllowedIPs = [ "0.0.0.0/0" ]; + PersistentKeepalive = 25; + }; + }]; + }; + }; + }; + + networking = { + hostName = "mail-2"; + useDHCP = false; + firewall = { + enable = true; + allowedTCPPorts = [ 25 ]; + }; + }; + + environment.systemPackages = with pkgs; [ + wireguard-tools + ]; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/mail-2/default.nix b/config/hosts/mail-2/default.nix new file mode 100644 index 0000000..471f0d6 --- /dev/null +++ b/config/hosts/mail-2/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./postfix.nix + ]; +} diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix new file mode 100644 index 0000000..d81e999 --- /dev/null +++ b/config/hosts/mail-2/postfix.nix 
@@ -0,0 +1,17 @@ +{ ... }: { + # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup + services.postfix = { + enable = true; + hostname = "mail-2.grzb.de"; + relayDomains = [ + "grzb.de" + "nekover.se" + ]; + extraConfig = '' + message_size_limit = 20971520 + smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination + proxy_interfaces = 217.160.117.160 + relay_recipient_maps = + ''; + }; +} diff --git a/config/hosts/mail-2/secrets.nix b/config/hosts/mail-2/secrets.nix new file mode 100644 index 0000000..70606af --- /dev/null +++ b/config/hosts/mail-2/secrets.nix @@ -0,0 +1,19 @@ +{ ... }: +{ + deployment.keys."wireguard-mail-2-wg0-privatekey.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/mail-2-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."wireguard-lifeline-mail-2-mail-2-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index 8751e09..008ead2 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -35,7 +35,7 @@ allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; } { - name = "site2-jsts"; + name = "site1-jsts"; publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; endpoint = "site1.jsts.xyz:51823"; 
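Review bot: `relay_recipient_maps =` with an empty value in the new `extraConfig` tells Postfix to accept mail for any recipient in `relayDomains` (`grzb.de`, `nekover.se`), so unknown addresses are only rejected later by the primary server and mail-2 then bounces to the (usually forged) envelope sender — the backscatter problem the STANDARD_CONFIGURATION_README section linked in the comment warns about for backup MX hosts. Either populate `relay_recipient_maps` with the primary's valid addresses, or at least add `reject_unverified_recipient` to `smtpd_recipient_restrictions` so mail-2 probes the primary before accepting. `permit_mynetworks` in `smtpd_relay_restrictions` depends on what `mynetworks` resolves to on this host and it is not set here; confirm it does not cover the 10.201.0.0/16 LAN or the tunnel subnet unless open relaying from those is intended. `proxy_interfaces = 217.160.117.160` hard-codes the same public address as lifeline's NAT; a comment such as `# public IP of lifeline, which DNATs port 25 to this host` would tie the two together.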
@@ -59,12 +59,12 @@ } ]; postSetup = '' - ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg1 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens3 -j MASQUERADE ''; postShutdown = '' - ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens3 -j MASQUERADE ''; privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret"; }; diff --git a/flake.lock b/flake.lock index 3d6c071..1f29fe8 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1694493899, - "narHash": "sha256-46zEnn7H/G2ne735wEEKKW+LoyPa6NOWj2P9InxDfJs=", + "lastModified": 1695011647, + "narHash": "sha256-A0iKkey2LBlKCvwMR0HDXSs7ubdFP3ly8YE3m2zS/L4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c5167858ca4870e933da123762eb55363ccefe2b", + "rev": "4d2bff6897a5434eef9bd958c7e89c96dec569e0", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1694502577, - "narHash": "sha256-MMW8BMlRU38Zewova/BOYy3ER+GM2nPln+UYeHI9EsI=", + "lastModified": 1694928810, + "narHash": "sha256-M/3+pRQmM+FeBeSKRp0b01pncbNiiC2ggJE4Wpi7c1Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "55ec5ae7d6c3f7866a0696a6ccfb66a1665b3d72", + "rev": "948e8754755a9f27587d5bd109af2cfad313add8", "type": "github" }, "original": { diff --git a/hosts.nix b/hosts.nix index 472ac92..195a247 100644 --- a/hosts.nix +++ b/hosts.nix @@ -53,6 +53,10 @@ in site = "vs"; environment = "proxmox"; }; + mail-2 = { + site = "wg"; + environment = "proxmox"; + }; matrix = { site = "vs"; environment = "proxmox"; 
From ebc5b0bb296d7afc9036564308798dce62074f2a Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 241/386] Add tcpdump to default packages --- config/common/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/config/common/default.nix b/config/common/default.nix index ea3ccf2..0aee917 100644 --- a/config/common/default.nix +++ b/config/common/default.nix @@ -33,6 +33,7 @@ parted tmux nano + tcpdump ]; services.openssh = { From f835277ef021c4a65c7730930d93fca0cea98a29 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 242/386] Use another subnet for WireGuard tunnel as is conflicts with the openstack internal subnet --- config/hosts/lifeline/configuration.nix | 10 +++++----- config/hosts/mail-1/configuration.nix | 4 ++-- config/hosts/mail-1/simple-nixos-mailserver.nix | 3 --- config/hosts/mail-2/configuration.nix | 4 ++-- config/hosts/valkyrie/configuration.nix | 14 +++++++------- 5 files changed, 16 insertions(+), 19 deletions(-) diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index 1f53208..207e1ad 100644 --- a/config/hosts/lifeline/configuration.nix +++ b/config/hosts/lifeline/configuration.nix 
@@ -20,23 +20,23 @@ interfaces.wg0 = { listenPort = 51820; ips = [ - "172.16.50.1/24" + "172.18.50.1/24" ]; peers = [ { name = "mail-2"; publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM="; presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret"; - allowedIPs = [ "172.16.50.2/32" ]; + allowedIPs = [ "172.18.50.2/32" ]; } ]; postSetup = '' ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.18.50.0/24 -o ens6 -j MASQUERADE ''; postShutdown = '' ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens6 -j MASQUERADE ''; privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret"; }; @@ -46,7 +46,7 @@ internalInterfaces = [ "wg0" ]; externalInterface = "ens6"; forwardPorts = [{ - destination = "172.16.50.2:25"; + destination = "172.18.50.2:25"; proto = "tcp"; sourcePort = 25; }]; diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index c34643d..2418afc 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix @@ -44,11 +44,11 @@ "wg0" = { matchConfig.Name = "wg0"; address = [ - "172.16.50.2/24" + "172.18.50.2/24" ]; DHCP = "no"; gateway = [ - "172.16.50.1" + "172.18.50.1" ]; }; }; diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 63a0e3a..81fa130 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix 
@@ -59,11 +59,8 @@ services.postfix = { transport = "relay:[mail-2.grzb.de]"; -<<<<<<< HEAD extraConfig = '' proxy_interfaces = 212.53.203.19 ''; -======= ->>>>>>> 0e55e66 (Use systemd-networkd on mail servers) }; } diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix index 38384cb..1b622c7 100644 --- a/config/hosts/mail-2/configuration.nix +++ b/config/hosts/mail-2/configuration.nix @@ -44,11 +44,11 @@ "wg0" = { matchConfig.Name = "wg0"; address = [ - "172.16.50.2/24" + "172.18.50.2/24" ]; DHCP = "no"; gateway = [ - "172.16.50.1" + "172.18.50.1" ]; }; }; diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index 008ead2..116e57d 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -48,23 +48,23 @@ wg1 = { listenPort = 51822; ips = [ - "172.16.50.1/24" + "172.18.50.1/24" ]; peers = [ { name = "mail-1"; publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs="; presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret"; - allowedIPs = [ "172.16.50.2/32" ]; + allowedIPs = [ "172.18.50.2/32" ]; } ]; postSetup = '' ${pkgs.iptables}/bin/iptables -A FORWARD -i wg1 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens3 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE ''; postShutdown = '' ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens3 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE ''; privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret"; }; 
@@ -76,17 +76,17 @@ externalInterface = "ens3"; forwardPorts = [ { - destination = "172.16.50.2:25"; + destination = "172.18.50.2:25"; proto = "tcp"; sourcePort = 25; } { - destination = "172.16.50.2:465"; + destination = "172.18.50.2:465"; proto = "tcp"; sourcePort = 465; } { - destination = "172.16.50.2:993"; + destination = "172.18.50.2:993"; proto = "tcp"; sourcePort = 993; } From 8e4202f579460e2432e0e024f754a5d0de017b2f Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 243/386] Use a less generic nftables table name --- .../src/wireguard-nat-nftables.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py index 3bc8e96..c72869d 100644 --- a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py +++ b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py @@ -20,9 +20,9 @@ def main(): nft.set_handle_output(True) # add nat table rules for dnat and snat masquerade - nft.cmd("add table nat") - nft.cmd("add chain nat prerouting { type nat hook prerouting priority -100; }") - nft.cmd("add chain nat postrouting { type nat hook postrouting priority 100; }") + nft.cmd("add table wireguard-nat") + nft.cmd("add chain wireguard-nat prerouting { type nat hook prerouting priority -100; }") + nft.cmd("add chain wireguard-nat postrouting { type nat hook postrouting priority 100; }") # load current nftables rules rc, output, error = nft.cmd("list ruleset") 
@@ -34,14 +34,14 @@ def main(): for item in nftables_output["nftables"]: if ("rule" in item and item["rule"]["family"] == "ip" - and item["rule"]["table"] == "nat" + and item["rule"]["table"] == "wireguard-nat" and item["rule"]["chain"] == "postrouting" and "masquerade" in item["rule"]["expr"][0] ): add_masquerade = False break if add_masquerade: - nft.cmd("add rule nat postrouting masquerade") + nft.cmd("add rule wireguard-nat postrouting masquerade") while True: # list WireGuard peer endpoint addresses of WireGuard VPN connection @@ -67,12 +67,12 @@ def main(): # update existing nftable dnat rules, if the remote IP mismatches for item in nftables_output["nftables"]: - if "rule" in item and item["rule"]["family"] == "ip" and item["rule"]["table"] == "nat" and item["rule"]["chain"] == "prerouting": + if "rule" in item and item["rule"]["family"] == "ip" and item["rule"]["table"] == "wireguard-nat" and item["rule"]["chain"] == "prerouting": handle = item["rule"]["handle"] ip = item["rule"]["expr"][2]["dnat"]["addr"] port = item["rule"]["expr"][1]["match"]["right"] if not ip == port_ip_mapping[port]: - rc, output, error = nft.cmd("replace rule nat prerouting handle {} iif {} udp dport {} dnat to {}".format(handle, interface, port, port_ip_mapping[port])) + rc, output, error = nft.cmd("replace rule wireguard-nat prerouting handle {} iif {} udp dport {} dnat to {}".format(handle, interface, port, port_ip_mapping[port])) if error: eprint(error) else: @@ -81,7 +81,7 @@ def main(): # loop through all remaining ports and add needed dnat rules for port in port_ip_mapping: - rc, output, error = nft.cmd("add rule nat prerouting iif {} udp dport {} dnat to {}".format(interface, port, port_ip_mapping[port])) + rc, output, error = nft.cmd("add rule wireguard-nat prerouting iif {} udp dport {} dnat to {}".format(interface, port, port_ip_mapping[port])) if error: print(error, file=sys.stderr) else: From 6da99baf6b5dcccbc366c476d54034e72eda504e Mon Sep 17 00:00:00 2001 
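Review bot: In the rule-update loop, `port_ip_mapping[port]` raises `KeyError` when an existing `wireguard-nat prerouting` rule refers to a port that is no longer in the mapping (for example a peer removed from `pubkey_port_mapping`), which crashes the daemon instead of cleaning up the stale rule; use `target = port_ip_mapping.get(port)` and delete the rule by handle when `target is None`. The parsing also relies on fixed positions (`expr[1]["match"]["right"]`, `expr[2]["dnat"]["addr"]`) in libnftables' JSON output, so any rule in that chain not created by this script breaks the loop — a check that the expression has that shape before indexing would make it robust. Error reporting is inconsistent between the hunks: `eprint(error)` here versus `print(error, file=sys.stderr)` in the add loop; pick one, and confirm `eprint` is actually defined in this file since it is not visible here. The enclosing `main()` and its `while True` loop start before this hunk.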
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 244/386] Use snat rule instead if masquerade for wireguard nat --- config/hosts/valkyrie/configuration.nix | 2 +- config/hosts/valkyrie/services.nix | 1 + .../src/wireguard-nat-nftables.py | 20 +++++-------------- 3 files changed, 7 insertions(+), 16 deletions(-) diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index 116e57d..f4e2db5 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -8,7 +8,7 @@ firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 51820 51821 51822 51827 51828 ]; + allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ]; }; wireguard = { enable = true; diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix index c9b65f2..602c80c 100644 --- a/config/hosts/valkyrie/services.nix +++ b/config/hosts/valkyrie/services.nix @@ -3,6 +3,7 @@ let wireguard-nat-nftables = import ../../../pkgs/wireguard-nat-nftables pkgs; config = pkgs.writeText "wireguard-nat-nftables-config" (builtins.toJSON { interface = "ens3"; + interface_address = "172.16.4.180"; wg_interface = "wg0"; pubkey_port_mapping = { "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=" = [ 51827 51829 ]; diff --git a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py index c72869d..c49b4b7 100644 --- a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py +++ b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py @@ -12,6 +12,7 @@ def main(): f.close() interface = config["interface"] + interface_address = config["interface_address"] wg_interface = config["wg_interface"] pubkey_port_mapping = config["pubkey_port_mapping"] 
@@ -19,30 +20,19 @@ def main(): nft.set_json_output(True) nft.set_handle_output(True) - # add nat table rules for dnat and snat masquerade + # add nat table rules for dnat and snat nft.cmd("add table wireguard-nat") + nft.cmd("flush table wireguard-nat") nft.cmd("add chain wireguard-nat prerouting { type nat hook prerouting priority -100; }") nft.cmd("add chain wireguard-nat postrouting { type nat hook postrouting priority 100; }") - + nft.cmd("add rule wireguard-nat postrouting oifname {} snat to {}".format(interface, interface_address)) + # load current nftables rules rc, output, error = nft.cmd("list ruleset") if error: print(error, file=sys.stderr) nftables_output = json.loads(output) - add_masquerade = True - for item in nftables_output["nftables"]: - if ("rule" in item - and item["rule"]["family"] == "ip" - and item["rule"]["table"] == "wireguard-nat" - and item["rule"]["chain"] == "postrouting" - and "masquerade" in item["rule"]["expr"][0] - ): - add_masquerade = False - break - if add_masquerade: - nft.cmd("add rule wireguard-nat postrouting masquerade") - while True: # list WireGuard peer endpoint addresses of WireGuard VPN connection process = subprocess.Popen(["wg", "show", wg_interface, "endpoints"], stdout=subprocess.PIPE, stderr=subprocess.PIPE) From b4df0351c5c6b644c3623da12a18d4ef3688f128 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 245/386] Forward port 80 to mail servers for the http acme challange --- config/hosts/lifeline/configuration.nix | 11 +++++++++-- config/hosts/valkyrie/configuration.nix | 5 +++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index 207e1ad..500c407 100644 --- a/config/hosts/lifeline/configuration.nix +++ b/config/hosts/lifeline/configuration.nix 
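Review bot: The setup calls (`add table`, the new `flush table`, the two `add chain` and the new `add rule ... snat to ...`) all discard the `(rc, output, error)` tuple that `nft.cmd` returns, so if the SNAT rule fails to install (bad `interface_address`, missing capability) the daemon carries on and the DNAT'd WireGuard traffic is forwarded with an unrewritten source; capture and check `error`/`rc` for each and exit non-zero. The SNAT rule matches only `oifname {interface}`, so it rewrites the source of every forwarded packet leaving that interface, not just what arrives from `wg_interface` — `"add rule wireguard-nat postrouting iifname {} oifname {} snat to {}".format(wg_interface, interface, interface_address)` keeps it scoped to the tunnel. `flush table wireguard-nat` on every start is what now makes unconditional `add rule` safe; a comment like `# table is flushed on start, so rules can be added unconditionally` would explain why the masquerade-existence check was removed.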
@@ -45,11 +45,18 @@ enable = true; internalInterfaces = [ "wg0" ]; externalInterface = "ens6"; - forwardPorts = [{ + forwardPorts = [ + { destination = "172.18.50.2:25"; proto = "tcp"; sourcePort = 25; - }]; + } + { + destination = "172.18.50.2:80"; + proto = "tcp"; + sourcePort = 80; + } + ]; }; }; diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index f4e2db5..fd3cd45 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -80,6 +80,11 @@ proto = "tcp"; sourcePort = 25; } + { + destination = "172.18.50.2:80"; + proto = "tcp"; + sourcePort = 80; + } { destination = "172.18.50.2:465"; proto = "tcp"; From d0b153d112d1c80c062ccdf60633a83d2a776c9f Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 246/386] Enable TLS on mail relay --- config/hosts/mail-2/acme.nix | 9 +++++++++ config/hosts/mail-2/configuration.nix | 2 +- config/hosts/mail-2/default.nix | 1 + config/hosts/mail-2/postfix.nix | 5 ++++- 4 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 config/hosts/mail-2/acme.nix diff --git a/config/hosts/mail-2/acme.nix b/config/hosts/mail-2/acme.nix new file mode 100644 index 0000000..c6a353c --- /dev/null +++ b/config/hosts/mail-2/acme.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + security.acme.certs = { + "mail-2.grzb.de" = { + listenHTTP = ":80"; + reloadServices = [ "postfix.service" ]; + }; + }; +} diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix index 1b622c7..b4a7192 100644 --- a/config/hosts/mail-2/configuration.nix +++ b/config/hosts/mail-2/configuration.nix @@ -79,7 +79,7 @@ useDHCP = false; firewall = { enable = true; - allowedTCPPorts = [ 25 ]; + allowedTCPPorts = [ 25 80 ]; }; }; diff --git a/config/hosts/mail-2/default.nix b/config/hosts/mail-2/default.nix index 471f0d6..ab5c757 100644 --- a/config/hosts/mail-2/default.nix +++ b/config/hosts/mail-2/default.nix 
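Review bot: The new `security.acme.certs."mail-2.grzb.de"` entry does not set `group`, and the certificate directory NixOS creates for it is, as far as I recall, owned by the `acme` user and group with a 0750 mode, so `key.pem` is not readable by the `postfix` user that the later `sslKey` setting points at unless postfix is added to that group. Add `group = "postfix";` next to `reloadServices` (or use `config.services.postfix.group` with `config` taken as a module argument), or add postfix to the `acme` group. `listenHTTP = ":80"` starts lego's standalone listener on all addresses, which is why port 80 is opened here and DNAT'd from the NAT hosts; a comment such as `# standalone HTTP-01 listener; port 80 is forwarded here by lifeline` would make that coupling visible.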
@@ -3,5 +3,6 @@ imports = [ ./configuration.nix ./postfix.nix + ./acme.nix ]; } diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix index d81e999..eb88cdf 100644 --- a/config/hosts/mail-2/postfix.nix +++ b/config/hosts/mail-2/postfix.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ config, ... }: +{ # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup services.postfix = { enable = true; @@ -7,6 +8,8 @@ "grzb.de" "nekover.se" ]; + sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem"; + sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem"; extraConfig = '' message_size_limit = 20971520 smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination From f941aa1c0174fb0621c6b1afee0b8edb6b381b2b Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 247/386] Configure TLS settings on mail relay --- config/hosts/mail-2/postfix.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix index eb88cdf..b7e54f3 100644 --- a/config/hosts/mail-2/postfix.nix +++ b/config/hosts/mail-2/postfix.nix 
@@ -15,6 +15,23 @@ smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination proxy_interfaces = 217.160.117.160 relay_recipient_maps = + smtp_tls_ciphers = high + smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtp_tls_mandatory_ciphers = high + smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + smtpd_tls_auth_only = yes + smtpd_tls_ciphers = high + smtpd_tls_eecdh_grade = ultra + smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtpd_tls_loglevel = 1 + smtpd_tls_mandatory_ciphers = high + smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + tls_preempt_cipherlist = yes + tls_random_source = dev:/dev/urandom ''; }; } From d18fe3199168c51731b468dac7304d3c3acfd7d0 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 248/386] Use only snake case for element-web config since camel case is deprecated --- config/hosts/mail-1/simple-nixos-mailserver.nix | 3 +++ config/hosts/matrix/matrix-synapse.nix | 4 ++-- config/hosts/nextcloud/nextcloud.nix | 4 ++-- .../virtualHosts/element-web-config/config.json | 10 +++++----- .../web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- flake.lock | 12 ++++++------ 6 files changed, 20 insertions(+), 17 deletions(-) diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 81fa130..126b0dc 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix 
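Review bot: The protocol lists in this hunk still allow TLSv1.1 (`TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3` on all four `*_tls_protocols` and `*_tls_mandatory_protocols` lines), which RFC 8996 deprecates, and they mix inclusive and exclusive forms in one list, which Postfix's documentation discourages; the supported shorthand is `>=TLSv1.2` for all four lines. The four exclusion lists contain `PSD`, which is not an OpenSSL cipher-suite keyword and is silently ignored — it looks like a typo for `PSK`, so the PSK suites presumably meant to be excluded are not. Tightening the non-mandatory `smtp_tls_protocols`/`smtpd_tls_protocols` to TLS 1.2+ can make some remote servers fall back to plaintext on opportunistic TLS, which for a backup MX is a trade-off worth a one-line comment. `tls_random_source = dev:/dev/urandom` is the compiled-in default and can be dropped.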
@@ -10,7 +10,10 @@ enableImapSsl = true; enableSubmission = false; enableSubmissionSsl = true; +<<<<<<< HEAD lmtpSaveToDetailMailbox = "no"; +======= +>>>>>>> 634557c (Change mail config of services to use new mail server) domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ]; loginAccounts = { "fiona@grzb.de" = { diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index e4f508e..19f8824 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -10,9 +10,9 @@ args.password = "synapse"; }; email = { - smtp_host = "mail.grzb.de"; + smtp_host = "mail-1.grzb.de"; smtp_port = 465; - smtp_user = "matrix"; + smtp_user = "matrix@nekover.se"; force_tls = true; notif_from = "Nekoverse Matrix Server "; }; diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index dd3a328..22f456e 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -25,9 +25,9 @@ mail_domain = "nekover.se"; mail_smtpauthtype = "LOGIN"; mail_smtpauth = 1; - mail_smtphost = "mail.grzb.de"; + mail_smtphost = "mail-1.grzb.de"; mail_smtpport = 465; - mail_smtpname = "nextcloud"; + mail_smtpname = "cloud@nekover.se"; }; # Only contains mail_smtppassword secretFile = "/secrets/nextcloud-secretfile.secret"; diff --git a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json index 96b6288..7344ce4 100644 --- a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json +++ b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json 
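Review bot: This hunk again commits merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 634557c ...`) around `lmtpSaveToDetailMailbox = "no";` in `simple-nixos-mailserver.nix`, which makes mail-1's configuration unevaluable at this commit; a later patch in the series appears to strip them, but the breakage is unrelated to the element-web rename this commit describes and should be fixed here. The resolution is presumably to keep `lmtpSaveToDetailMailbox = "no";` and remove the three marker lines. The enclosing attribute set starts before this hunk.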
@@ -24,12 +24,12 @@ ], "bug_report_endpoint_url": "https://element.io/bugreports/submit", "uisi_autorageshake_app": "element-auto-uisi", - "defaultCountryCode": "DE", - "showLabsSettings": true, - "features": { }, + "default_country_code": "DE", + "show_labs_settings": true, + "features": {}, "default_federate": true, "default_theme": "dark", - "roomDirectory": { + "room_directory": { "servers": [ "matrix.org" ] @@ -39,7 +39,7 @@ "https://matrix.org": false, "https://matrix-client.matrix.org": false }, - "settingDefaults": { + "setting_defaults": { "breadcrumbs": true }, "jitsi": { diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index ba220c7..9e6bbf9 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,8 +1,8 @@ { pkgs, ... }: let element-web = pkgs.fetchzip { - url = "https://github.com/vector-im/element-web/releases/download/v1.11.40/element-v1.11.40.tar.gz"; - sha256 = "sha256-IZ1FjT9fAv6wDfgLcCLBHwg6iXGXC4E0/2/67hArD4w="; + url = "https://github.com/vector-im/element-web/releases/download/v1.11.43/element-v1.11.43.tar.gz"; + sha256 = "sha256-MxUu5dFf4RL0crQol4hG6gNE+9Qu5/vBWdpf0ENaFV0="; }; in { diff --git a/flake.lock b/flake.lock index 1f29fe8..ca1b1d6 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1695011647, - "narHash": "sha256-A0iKkey2LBlKCvwMR0HDXSs7ubdFP3ly8YE3m2zS/L4=", + "lastModified": 1695106126, + "narHash": "sha256-5BDOEo5miK+46ByqhooW32viYzDUmHrw++UK8zkMbPg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4d2bff6897a5434eef9bd958c7e89c96dec569e0", + "rev": "53d337b63c8f9d7e0f8709cae0008a9655bee33e", "type": "github" }, "original": { 
@@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1694928810, - "narHash": "sha256-M/3+pRQmM+FeBeSKRp0b01pncbNiiC2ggJE4Wpi7c1Q=", + "lastModified": 1695043561, + "narHash": "sha256-ajrDIUJA5RB6Y2I1G4suDhiDMJuwg1WarNuasshRobE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "948e8754755a9f27587d5bd109af2cfad313add8", + "rev": "089313d7c7c864b21648d78fb8700062dafab1f2", "type": "github" }, "original": { From e7259ca98071b55ee1177c18fd6b85027f7d82af Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 249/386] Set resolv.conf file manually for uptime-kuma container due to a bug --- config/hosts/valkyrie/containers/uptime-kuma/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/config/hosts/valkyrie/containers/uptime-kuma/default.nix b/config/hosts/valkyrie/containers/uptime-kuma/default.nix index 78d3437..ca36384 100644 --- a/config/hosts/valkyrie/containers/uptime-kuma/default.nix +++ b/config/hosts/valkyrie/containers/uptime-kuma/default.nix @@ -10,6 +10,13 @@ enable = true; }; + # The resolv.conf file doesn't seem to be copied from host after the first start of the container after reboot + # See: https://nixos.wiki/wiki/NixOS_Containers#Troubleshooting + environment.etc."resolv.conf".text = '' + nameserver 172.16.0.2 + nameserver 172.16.0.3 + ''; + system.stateVersion = "23.05"; }; }; From 894694229aed04e89dac4b63cd9eca97e4f3a695 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 250/386] Setup paperless host and reverse proxy for acme http challange --- .../hosts/mail-1/simple-nixos-mailserver.nix | 3 -- config/hosts/paperless/configuration.nix | 17 ++++++++++ config/hosts/paperless/default.nix | 9 ++++++ .../paperless/hardware-configuration.nix | 30 ++++++++++++++++++ config/hosts/paperless/nginx.nix | 31 +++++++++++++++++++ config/hosts/paperless/paperless.nix | 8 +++++ config/hosts/paperless/secrets.nix | 19 ++++++++++++ config/hosts/web-public-1/configuration.nix | 17 ++++++++++ config/hosts/web-public-1/default.nix | 7 +++++ config/hosts/web-public-1/nginx.nix | 10 ++++++ .../virtualHosts/acme-challenge.nix | 12 +++++++ .../web-public-1/virtualHosts/default.nix | 16 ++++++++++ hosts.nix | 8 +++++ 13 files changed, 184 insertions(+), 3 deletions(-) create mode 100644 config/hosts/paperless/configuration.nix create mode 100644 config/hosts/paperless/default.nix create mode 100644 config/hosts/paperless/hardware-configuration.nix create mode 100644 config/hosts/paperless/nginx.nix create mode 100644 config/hosts/paperless/paperless.nix create mode 100644 config/hosts/paperless/secrets.nix create mode 100644 config/hosts/web-public-1/configuration.nix create mode 100644 config/hosts/web-public-1/default.nix create mode 100644 config/hosts/web-public-1/nginx.nix create mode 100644 config/hosts/web-public-1/virtualHosts/acme-challenge.nix create mode 100644 config/hosts/web-public-1/virtualHosts/default.nix diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 126b0dc..81fa130 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix 
@@ -10,10 +10,7 @@ enableImapSsl = true; enableSubmission = false; enableSubmissionSsl = true; -<<<<<<< HEAD lmtpSaveToDetailMailbox = "no"; -======= ->>>>>>> 634557c (Change mail config of services to use new mail server) domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ]; loginAccounts = { "fiona@grzb.de" = { diff --git a/config/hosts/paperless/configuration.nix b/config/hosts/paperless/configuration.nix new file mode 100644 index 0000000..494f08c --- /dev/null +++ b/config/hosts/paperless/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "paperless"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/paperless/default.nix b/config/hosts/paperless/default.nix new file mode 100644 index 0000000..e6ebeed --- /dev/null +++ b/config/hosts/paperless/default.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ./nginx.nix + ./paperless.nix + ]; +} diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix new file mode 100644 index 0000000..69684c1 --- /dev/null +++ b/config/hosts/paperless/hardware-configuration.nix @@ -0,0 +1,30 @@ +{ ... }: +{ + fileSystems = { + "/mnt/data" = { + device = "/dev/disk/by-label/data"; + fsType = "ext4"; + autoFormat = true; + autoResize = true; + }; + "/mnt/paperless-consume" = { + device = "//10.201.40.10/paperless-consume"; + fsType = "cifs"; + options = [ + "username=paperless" + "credentials=/secrets/paperless-samba-credentials.secret" + "iocharset=utf8" + "vers=3.1.1" + "uid=paperless" + "gid=paperless" + "_netdev" + ]; + }; + "/var/lib/paperless" = { + depends = [ "/mnt/data" ]; + device = "/mnt/data/paperless"; + fsType = "none"; + options = [ "bind" "X-mount.owner=paperless" "X-mount.group=paperless" ]; + }; + }; +} 
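Review bot: This hunk removes `<<<<<<< HEAD` / `=======` / `>>>>>>>` markers that reached the tree in an earlier commit, which means every host importing this file failed to evaluate until now. A pre-push `nix flake check` (or simply `git diff --check`, which flags conflict markers) would surface that before a deploy does; the resolution itself, keeping `lmtpSaveToDetailMailbox = "no";`, looks intentional.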
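Review bot: The CIFS consume share is mounted without `nosuid,nodev,noexec` even though it is the drop zone for untrusted documents, and `username=paperless` is passed alongside `credentials=…`, which already carries the username — whichever is parsed last wins, so the two can silently disagree; let the credentials file be the single source. With `vers=3.1.1` the share can also be encrypted in transit by adding `seal`, hedged because the server must allow SMB3 encryption. Suggested option list: `"credentials=/secrets/paperless-samba-credentials.secret" "seal" "nosuid" "nodev" "noexec" "iocharset=utf8" "vers=3.1.1" "uid=paperless" "gid=paperless" "_netdev"`. Separately, `autoFormat = true` on `/mnt/data` will format any device at that label that carries no filesystem signature — fine for first boot, but worth a comment so a blank replacement disk is not formatted by surprise (the mastodon host later in this series leaves it off).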
diff --git a/config/hosts/paperless/nginx.nix b/config/hosts/paperless/nginx.nix
new file mode 100644
index 0000000..e4a2131
--- /dev/null
+++ b/config/hosts/paperless/nginx.nix
@@ -0,0 +1,31 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."paperless.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ '';
+ };
+ extraConfig = ''
+ client_max_body_size 100M;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/paperless/paperless.nix b/config/hosts/paperless/paperless.nix
new file mode 100644
index 0000000..1def83d
--- /dev/null
+++ b/config/hosts/paperless/paperless.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ services.paperless = {
+ enable = true;
+ consumptionDir = "/mnt/paperless-consume";
+ passwordFile = "/secrets/paperless-admin-password.secret";
+ };
+}
diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix
new file mode 100644
index 0000000..92a8b1d
--- /dev/null
+++ b/config/hosts/paperless/secrets.nix
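Review bot: TLS terminates in this vhost but nothing in `locations."/"` forwards the original scheme or host to paperless — no `recommendedProxySettings` and no `proxy_set_header X-Forwarded-Proto`/`Host` appear in this hunk — so unless a common module enables them the Django side sees plain-HTTP requests from loopback. Paperless-ngx uses its public URL to populate `ALLOWED_HOSTS` and `CSRF_TRUSTED_ORIGINS`, and Django's origin check rejects HTTPS form posts whose origin is not listed, so `paperless.nix` should set it: `services.paperless.settings.PAPERLESS_URL = "https://paperless.grzb.de";` (the option is `extraConfig` on older module versions) together with `services.nginx.recommendedProxySettings = true;`. Note also that the `add_header Referrer-Policy` inside the location stops nginx from inheriting any `add_header` defined at server or http level for this vhost (inheritance only happens when the current level sets none), so HSTS or `nosniff` headers meant for this host have to be repeated here.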
@@ -0,0 +1,19 @@
+{ ... }:
+{
+ deployment.keys."paperless-admin-password.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/admin-password" ];
+ destDir = "/secrets";
+ user = "paperless";
+ group = "paperless";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."paperless-samba-credentials.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/samba-credentials" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/web-public-1/configuration.nix b/config/hosts/web-public-1/configuration.nix
new file mode 100644
index 0000000..7f3b8fa
--- /dev/null
+++ b/config/hosts/web-public-1/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "web-public-1";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/web-public-1/default.nix b/config/hosts/web-public-1/default.nix
new file mode 100644
index 0000000..3db73ca
--- /dev/null
+++ b/config/hosts/web-public-1/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/web-public-1/nginx.nix b/config/hosts/web-public-1/nginx.nix
new file mode 100644
index 0000000..0453a73
--- /dev/null
+++ b/config/hosts/web-public-1/nginx.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ imports = [
+ ./virtualHosts
+ ];
+
+ services.nginx = {
+ enable = true;
+ };
+}
diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix
new file mode 100644
index 0000000..fd1e474
--- /dev/null
+++ b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix
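Review bot: Both keys are deployed `0640` while user and group name the same principal, so the group bit buys nothing today and becomes a leak the moment another account joins the `paperless` or `root` group; `permissions = "0600";` states the actual intent. The samba credentials file is read by `mount.cifs` as root when the `_netdev` mount runs at boot, so it has to be on disk before any deploy step — `uploadAt = "pre-activation"` covers a fresh deploy, but confirm `/secrets` survives a reboot (hedged: this depends on how the deployment tool persists keys placed outside `/run/keys`), otherwise the consume mount fails until the next push.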
@@ -0,0 +1,12 @@ +{ ... }: +{ + services.nginx.virtualHosts."paperless.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://paperless.wg.grzb.de:80"; + }; + }; +} diff --git a/config/hosts/web-public-1/virtualHosts/default.nix b/config/hosts/web-public-1/virtualHosts/default.nix new file mode 100644 index 0000000..e191a9c --- /dev/null +++ b/config/hosts/web-public-1/virtualHosts/default.nix @@ -0,0 +1,16 @@ +{ ... }: +{ + imports = [ + ./acme-challenge.nix + ]; + + services.nginx.virtualHosts."_" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; +} diff --git a/hosts.nix b/hosts.nix index 195a247..ab78a2d 100644 --- a/hosts.nix +++ b/hosts.nix @@ -77,6 +77,10 @@ in site = "vs"; environment = "proxmox"; }; + paperless = { + site = "wg"; + environment = "proxmox"; + }; coturn = { site = "vs"; environment = "proxmox"; @@ -89,6 +93,10 @@ in site = "af"; environment = "openstack"; }; + web-public-1 = { + site = "wg"; + environment = "proxmox"; + }; web-public-2 = { hostNixpkgs = nixpkgs-unstable; site = "vs"; From 16bff599941cbc5130373fc061661aff3ce66302 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 251/386] Set real IP from local proxy --- config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix | 3 +++ config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 3 +++ config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix | 3 +++ config/hosts/web-public-2/virtualHosts/git.grzb.de.nix | 3 +++ config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix | 4 ++++ config/hosts/web-public-2/virtualHosts/nekover.se.nix | 4 ++++ config/hosts/web-public-2/virtualHosts/social.nekover.se.nix | 3 +++ 7 files changed, 23 insertions(+) 
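Review bot: The edge vhost for `paperless.grzb.de` defines only the ACME challenge location, so any other path on port 80 for that name gets nginx's default page or a 404 rather than the HTTPS redirect the `_` catch-all gives every other name, and nothing in this commit forwards 443 for it — consistent with an internal-only service, but then the public-facing name deserves a comment saying so. If that is the intent, add `locations."/".return = "301 https://$host$request_uri";` (or `444`) beside the challenge location so probes cannot single this host out. Proxying the challenge over plain HTTP to `paperless.wg.grzb.de:80` is what HTTP-01 expects; the paperless vhost's `forceSSL` should not interfere because the NixOS module exempts the challenge path from the redirect (hedged, worth one manual renewal to confirm).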
diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix index b628ef7..381294e 100644 --- a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -21,6 +21,9 @@ }; extraConfig = '' add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; ''; }; } diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 9e6bbf9..8e9b555 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -78,6 +78,9 @@ in # redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; ''; }; } diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix index 5070a0b..4efedd4 100644 --- a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix @@ -26,6 +26,9 @@ extraConfig = '' client_max_body_size 1024m; add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; ''; }; } diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix index fb156d8..03b1a96 100644 --- a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix @@ -28,6 +28,9 @@ client_max_body_size 1024m; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; ''; }; } 
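Review bot: The same two directives are pasted into each vhost's `extraConfig`; both are valid at http level and inherited by every server, so `services.nginx.commonHttpConfig` (or `appendHttpConfig`, which this host already uses for HSTS) is the right home — a future vhost that forgets them would log, rate-limit and forward `X-Forwarded-For` as 127.0.0.1 instead of the client. `set_real_ip_from 127.0.0.1` trusts only IPv4 loopback, which matches the `127.0.0.1:8443` targets in this host's stream map; if that frontend ever dials `[::1]` the PROXY header is silently ignored, so a comment tying the two together would help. Separately, these vhosts set their own `add_header` lines (e.g. `X-Content-Type-Options nosniff`), which stops nginx inheriting the http-level `Strict-Transport-Security` header from `appendHttpConfig`, so HSTS only reaches vhosts that repeat it themselves (element does; anisync, gameserver and git do not).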
diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix index fbc64fa..3a297e8 100644 --- a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix @@ -18,5 +18,9 @@ locations."/" = { proxyPass = "http://cloudtube.vs.grzb.de:10412"; }; + extraConfig = '' + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; }; } diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 743135d..7ea6e2c 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -28,5 +28,9 @@ add_header Access-Control-Allow-Origin *; ''; }; + extraConfig = '' + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; }; } diff --git a/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix index 2c44a16..174e360 100644 --- a/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix @@ -21,6 +21,9 @@ }; extraConfig = '' client_max_body_size 80m; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; ''; }; } From 2ac5dd8b5d27e8281ac8cc367a09c344505a27a7 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 252/386] Change Content-Security-Policy "frame-ancestors" from "none" to "self" Fixes downloads in element-web --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 8e9b555..47c2735 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -72,7 +72,7 @@ in add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; + add_header Content-Security-Policy "frame-ancestors 'self'"; add_header Strict-Transport-Security "max-age=63072000" always; From b5c2206a4e5861478902d0752eb406503e986ee8 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 253/386] Enable dehydrated device feature for element-web client --- .../web-public-2/virtualHosts/element-web-config/config.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json index 7344ce4..9877940 100644 --- a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json +++ b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json @@ -26,7 +26,9 @@ "uisi_autorageshake_app": "element-auto-uisi", "default_country_code": "DE", "show_labs_settings": true, - "features": {}, + "features": { + "feature_dehydration": true + }, "default_federate": true, "default_theme": "dark", "room_directory": { From acff45ec6b7caa4f2b3acea04e78b6a283da74db Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 254/386] Also listen on "::1" --- config/hosts/matrix/matrix-synapse.nix | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 19f8824..893cfb2 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix 
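Review bot: Only the HSTS line in this block carries `always`, so the CSP, `X-Frame-Options` and `X-Content-Type-Options` headers are emitted for 2xx/3xx responses only and never on the `error_page 500 502 503 504 /50x.html` page this vhost serves; appending `always` keeps the frame-ancestors restriction on error pages too, e.g. `add_header Content-Security-Policy "frame-ancestors 'self'" always;`. The relaxation to `'self'` is coherent with the `X-Frame-Options SAMEORIGIN` line above it (the two previously disagreed) and is, as far as I recall, the value element-web's own deployment notes use. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore and older ones misused for cross-site leaks; `add_header X-XSS-Protection 0;` or dropping it is the current guidance.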
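Review bot: `feature_dehydration` only flips the client; dehydrated devices need the homeserver to implement the matching MSC (Synapse gates the newer variant behind `experimental_features.msc3814_enabled`, hedged since the exact gate depends on the element-web and Synapse versions in play), and nothing in this series touches the synapse host for it, so confirm the toggle actually takes effect. Strict JSON cannot carry a comment, so the rationale and the server-side prerequisite are best recorded next to the synapse settings or in the commit message.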
@@ -3,6 +3,26 @@ services.matrix-synapse = { enable = true; settings = { + listeners = [{ + port = 8008; + bind_addresses = [ + "::1" + "127.0.0.1" + ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + compress = true; + names = [ "client" ]; + } + { + compress = false; + names = [ "federation" ]; + } + ]; + }]; server_name = "nekover.se"; public_baseurl = "https://matrix.nekover.se"; database = { From 40bcd7ae4f2243abbf841f203b98b8874469b974 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 255/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/8ee78470029e641cddbd8721496da1316b47d3b4' (2023-09-04) → 'github:nix-community/nixos-generators/150f38bd1e09e20987feacb1b0d5991357532fb5' (2023-09-30) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/53d337b63c8f9d7e0f8709cae0008a9655bee33e' (2023-09-19) → 'github:NixOS/nixpkgs/ef8e9997fcb37d5c8372dc1349185bd0d31752a6' (2023-10-05) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/089313d7c7c864b21648d78fb8700062dafab1f2' (2023-09-18) → 'github:NixOS/nixpkgs/e462c9172c685f0839baaa54bb5b49276a23dab7' (2023-10-06) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index ca1b1d6..40c9232 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1693791338, - "narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=", + "lastModified": 1696058303, + "narHash": "sha256-eNqKWpF5zG0SrgbbtljFOrRgFgRzCc4++TMFADBMLnc=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "8ee78470029e641cddbd8721496da1316b47d3b4", + "rev": "150f38bd1e09e20987feacb1b0d5991357532fb5", "type": "github" }, "original": { 
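Review bot: `x_forwarded = true` makes Synapse take the client address from `X-Forwarded-For`, but the only proxy in front of this listener (this host's `nginx.nix`, proxying to `127.0.0.1:8008`) shows no `proxy_set_header X-Forwarded-For`/`X-Forwarded-Proto` and no `recommendedProxySettings` anywhere in this series, so unless a common module sets them every request appears to originate from loopback and per-IP rate limiting plus login/IP audit records lose their signal. Add `services.nginx.recommendedProxySettings = true;` on the matrix host (it sets both headers), and because that nginx listener uses `proxy_protocol`, give it the same `set_real_ip_from`/`real_ip_header proxy_protocol` pair the other hosts get, otherwise the forwarded address is the edge's rather than the user's. Binding a `tls = false` listener to `::1` and `127.0.0.1` only is the right call.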
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1695106126, - "narHash": "sha256-5BDOEo5miK+46ByqhooW32viYzDUmHrw++UK8zkMbPg=", + "lastModified": 1696524703, + "narHash": "sha256-KqzFNzhq0GpT09h1w2r2h7NxYvxDnzU3qOWYbfbAqyw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "53d337b63c8f9d7e0f8709cae0008a9655bee33e", + "rev": "ef8e9997fcb37d5c8372dc1349185bd0d31752a6", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1695043561, - "narHash": "sha256-ajrDIUJA5RB6Y2I1G4suDhiDMJuwg1WarNuasshRobE=", + "lastModified": 1696589439, + "narHash": "sha256-Ye+flokLfswVz9PZEyJ5yGJ1VqmJe3bDgwWt9Z4MuqQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "089313d7c7c864b21648d78fb8700062dafab1f2", + "rev": "e462c9172c685f0839baaa54bb5b49276a23dab7", "type": "github" }, "original": { From 6fcdfe2a84bc38167caced74a42ce05313898338 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 256/386] Enable sliding-sync for matrix-synapse --- config/hosts/matrix/matrix-synapse.nix | 9 ++++++++- config/hosts/matrix/nginx.nix | 19 ++++++++++++------- config/hosts/matrix/secrets.nix | 8 ++++++++ .../web-public-2/virtualHosts/nekover.se.nix | 2 +- 4 files changed, 29 insertions(+), 9 deletions(-) diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 893cfb2..1a4fb12 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -1,4 +1,4 @@ -{ ... }: +{ config, ... }: { services.matrix-synapse = { enable = true; @@ -47,6 +47,13 @@ turn_user_lifetime = 86400000; turn_allow_guests = true; }; + sliding-sync = { + enable = true; + settings = { + SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl; + }; + environmentFile = "/secrets/matrix-SYNCV3_SECRET.secret"; + }; extraConfigFiles = [ "/secrets/matrix-registration-shared-secret.secret" "/secrets/matrix-turn-shared-secret.secret" 
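Review bot: `SYNCV3_SERVER` is set to `public_baseurl` (`https://matrix.nekover.se`), so the sliding-sync proxy on this very host will reach Synapse by leaving through the public edge and coming back in, carrying every user's access token over that extra hop and making local sync depend on the edge proxy and external DNS being up. The proxy only needs the client API, which is bound on `127.0.0.1:8008` with `x_forwarded = true` two hunks earlier; `SYNCV3_SERVER = "http://127.0.0.1:8008";` keeps the traffic on loopback (hedged: if some client flow needs the advertised public name, keep the URL but document why). The `environmentFile` must define `SYNCV3_SECRET`; a comment next to the option naming that variable keeps this file and `secrets.nix` from drifting apart.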
diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index de8f332..234362d 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -16,13 +16,18 @@ ssl = true; } ]; - locations."~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://localhost:8008"; - extraConfig = '' - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; - ''; + locations = { + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; + ''; + }; + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://127.0.0.1:8009"; + }; }; extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index 24329ea..7024f35 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix @@ -32,4 +32,12 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + deployment.keys."matrix-SYNCV3_SECRET.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/SYNCV3_SECRET" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; } diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 7ea6e2c..91c131d 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix 
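Review bot: The `SYNCV3_SECRET` file is owned by `matrix-synapse` with `0640`, yet it is consumed only by the sliding-sync service, which in the NixOS module runs as its own dynamic user and receives the file through systemd's `EnvironmentFile`, read by the service manager as root (hedged on module version). Giving Synapse's own account read access to a second service's secret is unnecessary: `user = "root"; group = "root"; permissions = "0600";` is sufficient and keeps a compromised Synapse worker from minting sliding-sync sessions. The `0640`-with-identical-user-and-group pattern recurs throughout the series; `0600` is the tighter expression of the same intent.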
@@ -22,7 +22,7 @@ ''; }; locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}}'"; extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; From 50a28738aea2e4508d28cd262e193eca82b81cd7 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 257/386] Set locations priority for matrix reverse proxy --- config/hosts/matrix/nginx.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index 234362d..1b28649 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -17,6 +17,10 @@ } ]; locations = { + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://127.0.0.1:8009"; + priority = 999; + }; "~ ^(/_matrix|/_synapse/client)" = { proxyPass = "http://127.0.0.1:8008"; extraConfig = '' @@ -25,9 +29,6 @@ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; ''; }; - "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { - proxyPass = "http://127.0.0.1:8009"; - }; }; extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; From 611d6a103110ff48ed27418998e73d7dc8a6d8a6 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 258/386] Increase worker_connections and set worker_processes to auto --- config/hosts/web-public-2/nginx.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 52acd48..82c4b8f 100644 --- a/config/hosts/web-public-2/nginx.nix 
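Review bot: `priority = 999` is the whole fix here but nothing in the file says why, so the next maintainer who tidies it back to the default silently routes sliding-sync requests to Synapse again (nginx takes the first matching regex location in configuration order, and the NixOS module emits locations in ascending `priority`). Add a why-comment above it: `# Must precede the broader "^(/_matrix|/_synapse/client)" regex below: nginx uses the first regex match in file order, so this needs a priority lower than the default.` The unescaped dots in `org.matrix.msc3575` are harmless here, but `org\.matrix\.msc3575` would make the intent explicit.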
+++ b/config/hosts/web-public-2/nginx.nix @@ -7,6 +7,10 @@ services.nginx = { enable = true; + eventsConfig = '' + worker_connections 1024; + ''; + streamConfig = '' map $ssl_preread_server_name $address { anisync.grzb.de 127.0.0.1:8443; @@ -33,6 +37,10 @@ } ''; + appendConfig = '' + worker_processes auto; + ''; + appendHttpConfig = '' add_header Strict-Transport-Security "max-age=63072000" always; ''; From 6fb5c186fbcafe39bfaed48631bf945f5f322e40 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 259/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/8ee78470029e641cddbd8721496da1316b47d3b4' (2023-09-04) → 'github:nix-community/nixos-generators/150f38bd1e09e20987feacb1b0d5991357532fb5' (2023-09-30) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/ce210c81d3677233bedc9b70c70ab6d3e7f828f8' (2023-09-29) → 'github:NixOS/nixpkgs/e49c28b3baa3a93bdadb8966dd128f9985ea0a09' (2023-10-04) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/cdd726e1deb44c031ee8975528d6b283ed8cf021' (2023-09-29) → 'github:NixOS/nixpkgs/349bdd9653c42f1793d338b43aefe08883c5ebee' (2023-10-04) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 40c9232..0a0404b 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696524703, - "narHash": "sha256-KqzFNzhq0GpT09h1w2r2h7NxYvxDnzU3qOWYbfbAqyw=", + "lastModified": 1696435587, + "narHash": "sha256-otsVJPs+YMXjTJFEJ3ZzvaJ1e3Q74aStE2MSb2dxuZM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ef8e9997fcb37d5c8372dc1349185bd0d31752a6", + "rev": "e49c28b3baa3a93bdadb8966dd128f9985ea0a09", "type": "github" }, "original": { 
@@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1696589439, - "narHash": "sha256-Ye+flokLfswVz9PZEyJ5yGJ1VqmJe3bDgwWt9Z4MuqQ=", + "lastModified": 1696434248, + "narHash": "sha256-qivb3b3b5Cxe5/8qwCJ4CJCw/ENtim5zlhDItGR0p1I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e462c9172c685f0839baaa54bb5b49276a23dab7", + "rev": "349bdd9653c42f1793d338b43aefe08883c5ebee", "type": "github" }, "original": { From 6c93696fb0a340d9e36b15593c3206714c10caa1 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 260/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/e49c28b3baa3a93bdadb8966dd128f9985ea0a09' (2023-10-04) → 'github:NixOS/nixpkgs/de9b8eb55b195f318eb839351b83b3560a990169' (2023-10-07) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/349bdd9653c42f1793d338b43aefe08883c5ebee' (2023-10-04) → 'github:NixOS/nixpkgs/b7a3aaae3859cd1ffd4c4fd850bf45d0304f9033' (2023-10-07) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 0a0404b..6400156 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696435587, - "narHash": "sha256-otsVJPs+YMXjTJFEJ3ZzvaJ1e3Q74aStE2MSb2dxuZM=", + "lastModified": 1696692673, + "narHash": "sha256-Voskclky52BKbqSE4z0Lv30bn0WOsRfim7uk0aN2A7w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e49c28b3baa3a93bdadb8966dd128f9985ea0a09", + "rev": "de9b8eb55b195f318eb839351b83b3560a990169", "type": "github" }, "original": { 
@@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1696434248, - "narHash": "sha256-qivb3b3b5Cxe5/8qwCJ4CJCw/ENtim5zlhDItGR0p1I=", + "lastModified": 1696653406, + "narHash": "sha256-0K9FEM+vwIctSy0FlmLube6C0PW4CBeRVm2dd85mozI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "349bdd9653c42f1793d338b43aefe08883c5ebee", + "rev": "b7a3aaae3859cd1ffd4c4fd850bf45d0304f9033", "type": "github" }, "original": { From 8721f9b3a24a43c625090a7a2a3330667f524cd1 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 261/386] Migrate Mastodon to NixOS --- config/hosts/mastodon/configuration.nix | 43 +++++++ config/hosts/mastodon/default.nix | 9 ++ config/hosts/mastodon/mastodon.nix | 51 +++++++++ config/hosts/mastodon/nginx.nix | 48 ++++++++ config/hosts/mastodon/opensearch.nix | 5 + config/hosts/mastodon/secrets.nix | 37 ++++++ config/hosts/web-public-2/nginx.nix | 2 +- .../virtualHosts/acme-challenge.nix | 105 ++++++++++-------- .../web-public-2/virtualHosts/default.nix | 1 - .../virtualHosts/social.nekover.se.nix | 29 ----- hosts.nix | 4 + 11 files changed, 256 insertions(+), 78 deletions(-) create mode 100644 config/hosts/mastodon/configuration.nix create mode 100644 config/hosts/mastodon/default.nix create mode 100644 config/hosts/mastodon/mastodon.nix create mode 100644 config/hosts/mastodon/nginx.nix create mode 100644 config/hosts/mastodon/opensearch.nix create mode 100644 config/hosts/mastodon/secrets.nix delete mode 100644 config/hosts/web-public-2/virtualHosts/social.nekover.se.nix diff --git a/config/hosts/mastodon/configuration.nix b/config/hosts/mastodon/configuration.nix new file mode 100644 index 0000000..aad67b7 --- /dev/null +++ b/config/hosts/mastodon/configuration.nix 
@@ -0,0 +1,43 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "mastodon";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 8443 ];
+ };
+ };
+
+ fileSystems = {
+ "/mnt/data" = {
+ device = "/dev/disk/by-label/data";
+ fsType = "ext4";
+ autoResize = true;
+ };
+ "/var/lib/mastodon/public-system" = {
+ depends = [ "/mnt/data" ];
+ device = "/mnt/data/mastodon";
+ fsType = "none";
+ options = [ "bind" "X-mount.owner=mastodon" "X-mount.group=mastodon" ];
+ };
+ "/var/lib/postgresql" = {
+ depends = [ "/mnt/data" ];
+ device = "/mnt/data/postgresql";
+ fsType = "none";
+ options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ];
+ };
+ "/var/lib/private/opensearch/data" = {
+ depends = [ "/mnt/data" ];
+ device = "/mnt/data/opensearch";
+ fsType = "none";
+ options = [ "bind" "X-mount.owner=opensearch" "X-mount.group=opensearch" ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/mastodon/default.nix b/config/hosts/mastodon/default.nix
new file mode 100644
index 0000000..5651eb8
--- /dev/null
+++ b/config/hosts/mastodon/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./mastodon.nix
+ ./opensearch.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
new file mode 100644
index 0000000..620e6c2
--- /dev/null
+++ b/config/hosts/mastodon/mastodon.nix
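Review bot: `allowedTCPPorts = [ 80 8443 ]` opens the PROXY-protocol listener to every source, while the vhost only trusts PROXY headers from `10.202.41.100` (`set_real_ip_from` in this commit's nginx.nix); any other host on the network can still reach the origin directly, bypassing whatever the SNI frontend enforces. Restricting 8443 to the edge keeps the origin reachable only through the frontend, e.g. `networking.firewall.extraInputRules = "ip saddr 10.202.41.100 tcp dport 8443 accept";` under nftables, or the equivalent iptables rule in `extraCommands` if the firewall is still iptables-based (hedged: depends on `networking.nftables.enable`); port 80 can stay open for HTTP-01 since the edge proxies the challenge. The bind mount onto `/var/lib/private/opensearch/data` with `X-mount.owner=opensearch` assumes a static `opensearch` user resolvable at mount time, but `/var/lib/private` is where systemd keeps `DynamicUser` state — confirm the module creates that user statically, otherwise the mount unit fails on name lookup.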
@@ -0,0 +1,51 @@
+{ pkgs, ... }:
+let
+ mastodonNekoversePatches = pkgs.fetchgit {
+ url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git";
+ hash = "sha256-+HoE3rXiJUpAUYiXj4BaOL68cCG1tN8p+TI7vRxrA1Y=";
+ };
+ mastodonNekoverseOverlay = final: prev: {
+ mastodon = (prev.mastodon.override rec {
+ version = "4.1.9";
+ srcOverride = final.applyPatches {
+ src = final.fetchgit {
+ url = "https://github.com/mastodon/mastodon.git";
+ rev = "v${version}";
+ sha256 = "sha256-xpE/mg2AeioW6NThUjLS+SBxGavG4w1xtp3BOMADfYo=";
+ };
+ patches = [
+ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch"
+ "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch"
+ "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch"
+ "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch"
+ "${mastodonNekoversePatches}/patches/006_increase_display_name_character_limit.patch"
+ "${mastodonNekoversePatches}/patches/007_increase_toot_character_limit.patch"
+ ];
+ };
+ });
+ };
+ pkgs-overlay = pkgs.extend mastodonNekoverseOverlay;
+in
+{
+ services.mastodon = {
+ enable = true;
+ package = pkgs-overlay.mastodon;
+ localDomain = "social.nekover.se";
+ secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret";
+ otpSecretFile = "/secrets/mastodon-otp-secret.secret";
+ vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret";
+ smtp = {
+ authenticate = true;
+ host = "mail-1.grzb.de";
+ port = 465;
+ user = "social@nekover.se";
+ passwordFile = "/secrets/mastodon-email-smtp-pass.secret";
+ fromAddress = "Nekoverse ";
+ };
+ extraConfig = {
+ SMTP_TLS = "true";
+ ES_PRESET = "single_node_cluster";
+ };
+ elasticsearch.host = "127.0.0.1";
+ };
+}
diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix
new file mode 100644
index 0000000..f9d541f
--- /dev/null
+++ b/config/hosts/mastodon/nginx.nix
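Review bot: `pkgs.fetchgit` for the patch repository pins only `hash`, no `rev`, so the fetch follows the default branch: the content hash still guarantees what gets built, but the first upstream push turns into a hash-mismatch evaluation failure and the file never records which commit the six patches came from. Add `rev = "<commit sha>";` next to the hash, and prefer a commit over the movable `v${version}` tag for the Mastodon source as well (the hash would catch a moved tag, but only by breaking the build). Because this overlay pins `version = "4.1.9"` independently of nixpkgs, Mastodon security releases no longer arrive with `flake.lock` bumps; a comment stating that the version must be bumped by hand, and how the patch set is rebased, would help whoever updates next.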
@@ -0,0 +1,48 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ group = "mastodon";
+ virtualHosts."social.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ ];
+
+ root = "${config.services.mastodon.package}/public/";
+
+ locations = {
+ "/" = {
+ tryFiles = "$uri @proxy";
+ };
+
+ "/system/".alias = "/var/lib/mastodon/public-system/";
+
+ "^~ /api/v1/streaming" = {
+ proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+ proxyWebsockets = true;
+ };
+
+ "@proxy" = {
+ proxyPass = "http://unix:/run/mastodon-web/web.socket";
+ proxyWebsockets = true;
+ };
+ };
+
+ extraConfig = ''
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/mastodon/opensearch.nix b/config/hosts/mastodon/opensearch.nix
new file mode 100644
index 0000000..b787d77
--- /dev/null
+++ b/config/hosts/mastodon/opensearch.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ services.opensearch = {
+ enable = true;
+ };
+}
diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix
new file mode 100644
index 0000000..b6a827c
--- /dev/null
+++ b/config/hosts/mastodon/secrets.nix
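Review bot: `"/system/".alias` serves user-uploaded media straight from disk with no response headers, whereas Mastodon's shipped `dist/nginx.conf` serves that path with `X-Content-Type-Options nosniff`, a `Content-Security-Policy "default-src 'none'; form-action 'none'"` and a long immutable `Cache-Control`, precisely because those files are attacker-controlled — without them an uploaded HTML or SVG can execute on the instance origin. The location should become a full attribute set carrying those headers in its `extraConfig`, as below. `services.nginx.group = "mastodon"` is needed for the unix sockets, but it also lets nginx read anything group-readable to `mastodon`, which matters for the `0640` secrets deployed on this host.
```nix
"/system/" = {
  alias = "/var/lib/mastodon/public-system/";
  extraConfig = ''
    add_header Cache-Control "public, max-age=2419200, immutable";
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
  '';
};
```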
@@ -0,0 +1,37 @@ +{ ... }: +{ + deployment.keys = { + "mastodon-secret-key-base.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/secret-key-base" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-otp-secret.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/otp-secret" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-vapid-private-key.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/vapid-private-key" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-email-smtp-pass.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/email-smtp-pass" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 82c4b8f..ea0732c 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -25,7 +25,7 @@ nekover.se 127.0.0.1:8443; nextcloud.grzb.de 127.0.0.1:8443; nix-cache.nekover.se 10.202.41.121:8443; - social.nekover.se 127.0.0.1:8443; + social.nekover.se 10.202.41.104:8443; } server { diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index f5adeea..7e0190e 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix 
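Review bot: All four secrets are `mastodon:mastodon 0640`, and this host's nginx runs with `group = "mastodon"` (nginx.nix in the same commit), so the nginx workers — the processes parsing untrusted HTTP — can read `SECRET_KEY_BASE`, the OTP secret, the VAPID private key and the SMTP password. The Mastodon services run as `mastodon`, so owner-read is all they need: `permissions = "0600";` on each key removes nginx from the reader set with no other change. Hedged: if one of these is ever consumed by a `DynamicUser` sidecar through `EnvironmentFile`, systemd reads it as root and `0600` still works.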
@@ -1,57 +1,68 @@ { ... }: { - services.nginx.virtualHosts."jellyfin.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://jellyfin.vs.grzb.de:80"; + services.nginx.virtualHosts = { + "jellyfin.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://jellyfin.vs.grzb.de:80"; + }; }; - }; - services.nginx.virtualHosts."mail-1.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://mail-1.vs.grzb.de:80"; + "mail-1.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://mail-1.vs.grzb.de:80"; + }; }; - }; - services.nginx.virtualHosts."matrix.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://matrix.vs.grzb.de:80"; + "mastodon.nekover.se" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://mastodon.vs.grzb.de:80"; + }; }; - }; - services.nginx.virtualHosts."netbox.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://netbox.vs.grzb.de:80"; + "matrix.nekover.se" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://matrix.vs.grzb.de:80"; + }; }; - }; - services.nginx.virtualHosts."grafana.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://metrics.vs.grzb.de:80"; + "netbox.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://netbox.vs.grzb.de:80"; + }; }; - 
}; - services.nginx.virtualHosts."turn.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://coturn.vs.grzb.de:80"; + "grafana.grzb.de" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://metrics.vs.grzb.de:80"; + }; + }; + "turn.nekover.se" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://coturn.vs.grzb.de:80"; + }; }; }; } diff --git a/config/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix index 6a5c3bb..53294f7 100644 --- a/config/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix @@ -8,7 +8,6 @@ ./git.grzb.de.nix ./mewtube.nekover.se.nix ./nekover.se.nix - ./social.nekover.se.nix ]; services.nginx.virtualHosts."_" = { diff --git a/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix deleted file mode 100644 index 174e360..0000000 --- a/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ ... }: -{ - services.nginx.virtualHosts."social.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://mastodon.vs.grzb.de:80"; - proxyWebsockets = true; - }; - extraConfig = '' - client_max_body_size 80m; - - set_real_ip_from 127.0.0.1; - real_ip_header proxy_protocol; - ''; - }; -} diff --git a/hosts.nix b/hosts.nix index ab78a2d..fc2716d 100644 --- a/hosts.nix +++ b/hosts.nix 
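Review bot: The entry added for the new Mastodon host is keyed `"mastodon.nekover.se"`, but the name the Mastodon vhost requests a certificate for is `social.nekover.se` (its `virtualHosts."social.nekover.se"` with `enableACME = true` in this same commit, and the stream map entry retargeted in `web-public-2/nginx.nix`); as written the HTTP-01 challenge for `social.nekover.se` is never proxied to `mastodon.vs.grzb.de`, so issuance on that host will fail. The fix is the key only: `"mastodon.nekover.se" = {` → `"social.nekover.se" = {`. The later `acme-challenge.nix` rewrite in PATCH 265 maps `"social.nekover.se" = "mastodon.vs.grzb.de"`, which confirms the intended pairing.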
@@ -57,6 +57,10 @@ in site = "wg"; environment = "proxmox"; }; + mastodon = { + site = "vs"; + environment = "proxmox"; + }; matrix = { site = "vs"; environment = "proxmox"; From 3d529a2e79b4f466271c32bb2aeeb586a57bc77e Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 262/386] Remove nextcloud.grzb.de mapping --- config/hosts/web-public-2/nginx.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index ea0732c..46a711c 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -23,7 +23,6 @@ matrix.nekover.se 10.202.41.112:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; - nextcloud.grzb.de 127.0.0.1:8443; nix-cache.nekover.se 10.202.41.121:8443; social.nekover.se 10.202.41.104:8443; } From 208ddf869d0d4dc2920e94bf01b428e5c1db6ccd Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 263/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/de9b8eb55b195f318eb839351b83b3560a990169' (2023-10-07) → 'github:NixOS/nixpkgs/8be69c1764f58e07099e4a24b926f49bbada8c7f' (2023-10-09) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/b7a3aaae3859cd1ffd4c4fd850bf45d0304f9033' (2023-10-07) → 'github:NixOS/nixpkgs/5a9c737c587d2c34d63c5b3cb53c6ab0705bdf4f' (2023-10-09) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 6400156..922fe2e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696692673, - "narHash": "sha256-Voskclky52BKbqSE4z0Lv30bn0WOsRfim7uk0aN2A7w=", + "lastModified": 1696815342, + "narHash": "sha256-MHA0Ye0PaFF6pay6tP9yMgwWvuqRraa9bH45U88RwC4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "de9b8eb55b195f318eb839351b83b3560a990169", + "rev": "8be69c1764f58e07099e4a24b926f49bbada8c7f", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1696653406, - "narHash": "sha256-0K9FEM+vwIctSy0FlmLube6C0PW4CBeRVm2dd85mozI=", + "lastModified": 1696826630, + "narHash": "sha256-oGU94vo6pkzGbaSsPHjpHtOUg6b7nL8v3xATnrcw3cQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b7a3aaae3859cd1ffd4c4fd850bf45d0304f9033", + "rev": "5a9c737c587d2c34d63c5b3cb53c6ab0705bdf4f", "type": "github" }, "original": { From 5a33e2803c0e9b2307d01f97edd9c2198b70f6be Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 264/386] Update element-web and clean up configuration --- .../virtualHosts/element.nekover.se.nix | 65 +++++++------------ 1 file changed, 23 insertions(+), 42 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 47c2735..f9b78d1 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
@@ -1,9 +1,20 @@
{ pkgs, ... }:
let
+ elementWebVersion = "1.11.46";
element-web = pkgs.fetchzip {
- url = "https://github.com/vector-im/element-web/releases/download/v1.11.43/element-v1.11.43.tar.gz";
- sha256 = "sha256-MxUu5dFf4RL0crQol4hG6gNE+9Qu5/vBWdpf0ENaFV0=";
+ url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
+ sha256 = "sha256-EQ6a8WK8ILYidbS+0FGzI4XQbZFh+M6Y7eZ28YcsIrg=";
};
+ elementWebSecurityHeaders = ''
+ # Configuration best practices
+ # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Content-Security-Policy "frame-ancestors 'self'";
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ '';
in
{
services.nginx.virtualHosts."element.nekover.se" = {
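Review bot: `elementWebSecurityHeaders` fixes `Content-Security-Policy "frame-ancestors 'self'"` for every location, whereas the `= /index.html`, `= /version` and `/config` locations previously sent `frame-ancestors 'none'` (the lines removed in the next hunk); the shared value therefore loosens framing for those three paths from "never" to "same origin", a change the subject "clean up configuration" does not mention, so either call it out in the commit message or keep a second variable if `'none'` was intended there. The reason the header block has to be prepended to every location's `extraConfig` is also no longer visible in the file: nginx does not inherit server-level `add_header` lines into a location that sets any `add_header` of its own, so a comment on the variable such as `# Prepended to every location that adds its own add_header: nginx drops inherited add_header lines once a location sets any.` would stop a later "deduplication" from silently removing the security headers from those paths. The `let` opened here continues past the hunk into the vhost definition.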
@@ -16,66 +27,36 @@ in ./element-web-config ]; }; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; # Set no-cache for the version, config and index.html # so that browsers always check for a new copy of Element Web. # NB http://your-domain/ and http://your-domain/? are also covered by this locations."= /index.html" = { - extraConfig = '' + extraConfig = elementWebSecurityHeaders + '' add_header Cache-Control "no-cache"; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; - add_header Strict-Transport-Security "max-age=63072000" always; ''; }; locations."= /version" = { - extraConfig = '' + extraConfig = elementWebSecurityHeaders + '' add_header Cache-Control "no-cache"; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; - add_header Strict-Transport-Security "max-age=63072000" always; ''; }; # covers config.json and config.hostname.json requests as it is prefix. 
locations."/config" = { - extraConfig = '' + extraConfig = elementWebSecurityHeaders + '' add_header Cache-Control "no-cache"; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; - add_header Strict-Transport-Security "max-age=63072000" always; ''; }; - extraConfig = '' + extraConfig = elementWebSecurityHeaders + '' index index.html; - # Configuration best practices - # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'self'"; - - add_header Strict-Transport-Security "max-age=63072000" always; - # redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; From c4b1fba0e253caf31ab8727901c667d76edad017 Mon Sep 17 00:00:00 2001 
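Review bot: With the port-1234 plain listener gone, `element.nekover.se` has only an SSL listen on `localhost:8443` while `enableACME`/`forceSSL` stay set (outside this hunk); the ACME challenge location and the HTTP→HTTPS redirect the module generates for this vhost are then only reachable if the catch-all port-80 vhost serves the same ACME webroot, which is worth confirming, and the removed `# workaround for enableACME check` comment suggests at least one channel's module asserts on exactly this shape at evaluation time. The same listen change appears in the `anisync.grzb.de` and `gameserver.grzb.de` hunks of PATCH 265 and the same check applies there. A style point shared by all three: `extraParameters = ["proxy_protocol"];` is the only list in the series written without inner spaces; `[ "proxy_protocol" ]` matches the `keyCommand` lists and the Mastodon vhost. The vhost definition starts before and ends after this hunk.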
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 265/386] Use stable channel and use helper function for acme challenge proxy --- config/hosts/coturn/secrets.nix | 4 +- config/hosts/hydra/secrets.nix | 4 +- config/hosts/jellyfin/secrets.nix | 4 +- config/hosts/lifeline/secrets.nix | 34 ++++--- config/hosts/mail-2/secrets.nix | 34 ++++--- config/hosts/mastodon/secrets.nix | 10 +- config/hosts/matrix/secrets.nix | 82 ++++++++-------- config/hosts/metrics/secrets.nix | 34 ++++--- config/hosts/netbox/secrets.nix | 4 +- config/hosts/nextcloud/secrets.nix | 6 +- config/hosts/paperless/secrets.nix | 34 ++++--- config/hosts/valkyrie/secrets.nix | 98 ++++++++++--------- config/hosts/web-public-2/nginx.nix | 49 +++++----- .../virtualHosts/acme-challenge.nix | 85 ++++------------ .../virtualHosts/anisync.grzb.de.nix | 18 ++-- .../virtualHosts/gameserver.grzb.de.nix | 18 ++-- .../web-public-2/virtualHosts/git.grzb.de.nix | 18 ++-- .../virtualHosts/mewtube.nekover.se.nix | 18 ++-- .../web-public-2/virtualHosts/nekover.se.nix | 18 ++-- flake.nix | 3 + hosts.nix | 1 - 21 files changed, 257 insertions(+), 319 deletions(-) diff --git a/config/hosts/coturn/secrets.nix b/config/hosts/coturn/secrets.nix index 415b223..48fd211 100644 --- a/config/hosts/coturn/secrets.nix +++ b/config/hosts/coturn/secrets.nix @@ -1,7 +1,7 @@ -{ ... }: +{ keyCommandEnv,... }: { deployment.keys."static-auth-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "coturn/static-auth-secret" ]; + keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ]; destDir = "/secrets"; user = "turnserver"; group = "turnserver"; diff --git a/config/hosts/hydra/secrets.nix b/config/hosts/hydra/secrets.nix index 7ccf047..43329f7 100644 --- a/config/hosts/hydra/secrets.nix +++ b/config/hosts/hydra/secrets.nix 
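Review bot: `{ keyCommandEnv,... }:` in the coturn hunk lacks the space after the comma that every other secrets file in this commit uses (`{ keyCommandEnv, ... }:`); harmless to Nix, but it is the one inconsistent line in an otherwise mechanical change. All of these files now rely on `keyCommandEnv` arriving as a module argument, presumably from the three-line `flake.nix` change in the diffstat (not in view); a comment at its definition stating that it is supplied to every host via the module-argument mechanism would help, since a missing argument only surfaces as an evaluation error. The `deployment.keys."static-auth-secret.secret"` block continues past the hunk.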
@@ -1,7 +1,7 @@
-{ ... }:
+{ keyCommandEnv, ... }:
{
deployment.keys."signing-key.secret" = {
- keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ];
+ keyCommand = keyCommandEnv ++ [ "pass" "hydra/signing-key" ];
destDir = "/secrets";
user = "root";
group = "root";
diff --git a/config/hosts/jellyfin/secrets.nix b/config/hosts/jellyfin/secrets.nix
index c1c22c6..922d4c4 100644
--- a/config/hosts/jellyfin/secrets.nix
+++ b/config/hosts/jellyfin/secrets.nix
@@ -1,7 +1,7 @@
-{ ... }:
+{ keyCommandEnv, ... }:
{
deployment.keys."samba-credentials.secret" = {
- keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "jellyfin/samba-credentials" ];
+ keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ];
destDir = "/secrets";
user = "root";
group = "root";
diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix
index b14e281..f2b6e23 100644
--- a/config/hosts/lifeline/secrets.nix
+++ b/config/hosts/lifeline/secrets.nix
@@ -1,19 +1,21 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."wireguard-lifeline-wg0-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-lifeline-mail-2-lifeline-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "wireguard-lifeline-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-lifeline-mail-2-lifeline-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/mail-2/secrets.nix b/config/hosts/mail-2/secrets.nix index 70606af..67beb5b 100644 --- a/config/hosts/mail-2/secrets.nix +++ b/config/hosts/mail-2/secrets.nix 
@@ -1,19 +1,21 @@
-{ ... }:
+{ keyCommandEnv, ... }:
{
- deployment.keys."wireguard-mail-2-wg0-privatekey.secret" = {
- keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/mail-2-wg0-privatekey" ];
- destDir = "/secrets";
- user = "root";
- group = "systemd-network";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- deployment.keys."wireguard-lifeline-mail-2-mail-2-psk.secret" = {
- keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ];
- destDir = "/secrets";
- user = "root";
- group = "systemd-network";
- permissions = "0640";
- uploadAt = "pre-activation";
+ deployment.keys = {
+ "wireguard-mail-2-wg0-privatekey.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-2-wg0-privatekey" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "wireguard-lifeline-mail-2-mail-2-psk.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
};
}
diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix
index b6a827c..42f7489 100644
--- a/config/hosts/mastodon/secrets.nix
+++ b/config/hosts/mastodon/secrets.nix
@@ -1,8 +1,8 @@
-{ ... }:
+{ keyCommandEnv, ... }:
{
deployment.keys = {
"mastodon-secret-key-base.secret" = {
- keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/secret-key-base" ];
+ keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
@@ -10,7 +10,7 @@ uploadAt = "pre-activation"; }; "mastodon-otp-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/otp-secret" ]; + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/otp-secret" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; @@ -18,7 +18,7 @@ uploadAt = "pre-activation"; }; "mastodon-vapid-private-key.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/vapid-private-key" ]; + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; @@ -26,7 +26,7 @@ uploadAt = "pre-activation"; }; "mastodon-email-smtp-pass.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/email-smtp-pass" ]; + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index 7024f35..dac6301 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix 
@@ -1,43 +1,45 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."matrix-registration-shared-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/registration-shared-secret" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-turn-shared-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/turn-shared-secret" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-email-smtp-pass.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/email-smtp-pass" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-homeserver-signing-key.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/homeserver-signing-key" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-SYNCV3_SECRET.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/SYNCV3_SECRET" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "matrix-registration-shared-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/registration-shared-secret" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + 
permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-turn-shared-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/turn-shared-secret" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-email-smtp-pass.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/email-smtp-pass" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-homeserver-signing-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-signing-key" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-SYNCV3_SECRET.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/SYNCV3_SECRET" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/metrics/secrets.nix b/config/hosts/metrics/secrets.nix index 43b06b3..fcf9baa 100644 --- a/config/hosts/metrics/secrets.nix +++ b/config/hosts/metrics/secrets.nix 
@@ -1,19 +1,21 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."metrics-grafana-admin-password.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/admin-password" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."metrics-grafana-smtp-password.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/smtp-password" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "metrics-grafana-admin-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "metrics-grafana-smtp-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix index e31c666..216aca4 100644 --- a/config/hosts/netbox/secrets.nix +++ b/config/hosts/netbox/secrets.nix @@ -1,7 +1,7 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys."netbox-secret-key.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "netbox/secret-key" ]; + keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ]; destDir = "/secrets"; user = "netbox"; group = "netbox"; diff --git a/config/hosts/nextcloud/secrets.nix b/config/hosts/nextcloud/secrets.nix index c4a91b9..b344d78 100644 --- a/config/hosts/nextcloud/secrets.nix +++ b/config/hosts/nextcloud/secrets.nix 
@@ -1,8 +1,8 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys = { "nextcloud-adminpass.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ]; + keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ]; destDir = "/secrets"; user = "nextcloud"; group = "nextcloud"; @@ -10,7 +10,7 @@ uploadAt = "pre-activation"; }; "nextcloud-secretfile.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/secretfile" ]; + keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ]; destDir = "/secrets"; user = "nextcloud"; group = "nextcloud"; diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix index 92a8b1d..6726881 100644 --- a/config/hosts/paperless/secrets.nix +++ b/config/hosts/paperless/secrets.nix 
@@ -1,19 +1,21 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."paperless-admin-password.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/admin-password" ]; - destDir = "/secrets"; - user = "paperless"; - group = "paperless"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."paperless-samba-credentials.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/samba-credentials" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "paperless-admin-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ]; + destDir = "/secrets"; + user = "paperless"; + group = "paperless"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "paperless-samba-credentials.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix index 4395a6d..3acc555 100644 --- a/config/hosts/valkyrie/secrets.nix +++ b/config/hosts/valkyrie/secrets.nix 
@@ -1,51 +1,53 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-wg1-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg1-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-mail-1/psk" ]; - destDir = "/secrets"; - user = "root"; - 
group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "wireguard-valkyrie-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site1-grzb-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site2-grzb-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site2-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site1-jsts-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-jsts/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-wg1-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg1-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 46a711c..122a4b2 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix 
@@ -11,33 +11,32 @@ worker_connections 1024; ''; - streamConfig = '' - map $ssl_preread_server_name $address { - anisync.grzb.de 127.0.0.1:8443; - birdsite.nekover.se 10.202.41.107:8443; - cloud.nekover.se 10.202.41.122:8443; - element.nekover.se 127.0.0.1:8443; - gameserver.grzb.de 127.0.0.1:8443; - git.grzb.de 127.0.0.1:8443; - hydra.nekover.se 10.202.41.121:8443; - matrix.nekover.se 10.202.41.112:8443; - mewtube.nekover.se 127.0.0.1:8443; - nekover.se 127.0.0.1:8443; - nix-cache.nekover.se 10.202.41.121:8443; - social.nekover.se 10.202.41.104:8443; - } - - server { - listen 0.0.0.0:443; - listen [::]:443; - proxy_pass $address; - ssl_preread on; - proxy_protocol on; - } - ''; - appendConfig = '' worker_processes auto; + + stream { + map $ssl_preread_server_name $address { + anisync.grzb.de 127.0.0.1:8443; + birdsite.nekover.se 10.202.41.107:8443; + cloud.nekover.se 10.202.41.122:8443; + element.nekover.se 127.0.0.1:8443; + gameserver.grzb.de 127.0.0.1:8443; + git.grzb.de 127.0.0.1:8443; + hydra.nekover.se 10.202.41.121:8443; + matrix.nekover.se 10.202.41.112:8443; + mewtube.nekover.se 127.0.0.1:8443; + nekover.se 127.0.0.1:8443; + nix-cache.nekover.se 10.202.41.121:8443; + social.nekover.se 10.202.41.104:8443; + } + server { + listen 0.0.0.0:443; + listen [::]:443; + proxy_pass $address; + ssl_preread on; + proxy_protocol on; + } + } ''; appendHttpConfig = '' diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 7e0190e..9cd0be4 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix 
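Review bot: The `map $ssl_preread_server_name $address` block carries no `default` entry, so a client that presents an unknown SNI, or none, yields an empty `$address` and `proxy_pass` has nothing to connect to; if dropping such connections is the intent, a `default` pointing at a deliberate sink, or at least a comment stating that the empty value is meant to close the connection, makes that explicit rather than incidental. The move from `services.nginx.streamConfig` to a hand-written `stream { … }` inside `appendConfig` is not explained anywhere in the hunk; a one-line comment such as `# stream {} is placed in appendConfig rather than streamConfig because <reason>` would save the next reader from moving it back. The surrounding `services.nginx` attribute set starts before and ends after this hunk.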
@@ -1,68 +1,23 @@ { ... }: -{ - services.nginx.virtualHosts = { - "jellyfin.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://jellyfin.vs.grzb.de:80"; - }; - }; - "mail-1.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://mail-1.vs.grzb.de:80"; - }; - }; - "mastodon.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://mastodon.vs.grzb.de:80"; - }; - }; - "matrix.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://matrix.vs.grzb.de:80"; - }; - }; - "netbox.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://netbox.vs.grzb.de:80"; - }; - }; - "grafana.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://metrics.vs.grzb.de:80"; - }; - }; - "turn.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://coturn.vs.grzb.de:80"; - }; - }; +let + acmeDomainMap = { + "jellyfin.grzb.de" = "jellyfin.vs.grzb.de"; + "mail-1.grzb.de" = "mail-1.vs.grzb.de"; + "social.nekover.se" = "mastodon.vs.grzb.de"; + "matrix.nekover.se" = "matrix.vs.grzb.de"; + "netbox.grzb.de" = "netbox.vs.grzb.de"; + "grafana.grzb.de" = "metrics.vs.grzb.de"; + "turn.nekover.se" = "coturn.vs.grzb.de"; }; +in +{ + services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://${target}:80"; + }; + }) acmeDomainMap); } 
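Review bot: The restructuring also replaces the public name `mastodon.nekover.se` with `social.nekover.se` in `acmeDomainMap`, which is a behavioural change (challenges for the old name are no longer forwarded) hidden inside a refactor; it belongs in the commit message or in a comment on that entry. A header comment above `acmeDomainMap` would make the file self-explaining, e.g. `# public name -> internal host that answers its HTTP-01 challenge on port 80`. The parentheses around `builtins.mapAttrs ... acmeDomainMap` are redundant and can be dropped.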
diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix index 381294e..9a3950a 100644 --- a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -3,18 +3,12 @@ services.nginx.virtualHosts."anisync.grzb.de" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://anisync.vs.grzb.de:8080"; proxyWebsockets = true; diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix index 4efedd4..c746f3d 100644 --- a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix @@ -3,18 +3,12 @@ services.nginx.virtualHosts."gameserver.grzb.de" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://pterodactyl.vs.grzb.de"; extraConfig = '' diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix index 03b1a96..ac9eefb 100644 --- a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix 
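Review bot: Switching the 8443 listener to `extraParameters = ["proxy_protocol"]` makes nginx parse the PROXY header from the local stream proxy, but unless this vhost (or the http block elsewhere in the host's config) also sets `set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;`, `$remote_addr` in access logs, `allow`/`deny` rules and rate limits keeps the proxy's address; the searx host added in patch 268 does set those two lines, so they are likely missing here. The same applies to the identical hunks in `gameserver.grzb.de.nix` (this line), `git.grzb.de.nix`, `mewtube.nekover.se.nix` and `nekover.se.nix`. Dropping the port-1234 `# workaround for enableACME check` entry presumably relies on the nixpkgs channel that `hosts.nix` in this commit switches `web-public-2` to; the reason for the removal would be clearer stated in the commit message. The vhost definitions continue outside the hunks.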
@@ -3,18 +3,12 @@ services.nginx.virtualHosts."git.grzb.de" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://gitlab.vs.grzb.de:80"; extraConfig = '' diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix index 3a297e8..1ab842a 100644 --- a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix @@ -3,18 +3,12 @@ services.nginx.virtualHosts."mewtube.nekover.se" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://cloudtube.vs.grzb.de:10412"; }; diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 91c131d..7c95ec5 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix 
@@ -3,18 +3,12 @@ services.nginx.virtualHosts."nekover.se" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/.well-known/matrix/server" = { return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; extraConfig = '' diff --git a/flake.nix b/flake.nix index a9af2db..d2341f7 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,9 @@ specialArgs = { inherit nixpkgs-unstable hosts simple-nixos-mailserver; + + # Provide environment for secret key command + keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; }; }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts; diff --git a/hosts.nix b/hosts.nix index fc2716d..4f00d17 100644 --- a/hosts.nix +++ b/hosts.nix @@ -102,7 +102,6 @@ in environment = "proxmox"; }; web-public-2 = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; From 237197f5e70e22cd1c9b965293c98ef1521476d6 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 266/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8be69c1764f58e07099e4a24b926f49bbada8c7f' (2023-10-09) → 'github:NixOS/nixpkgs/22723a1d7deab53e5c1022906089e4247a5d3e77' (2023-10-09) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/5a9c737c587d2c34d63c5b3cb53c6ab0705bdf4f' (2023-10-09) → 'github:NixOS/nixpkgs/38aa96fc39c9719994f08100f791c27d31ee7892' (2023-10-09) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 922fe2e..0bf2fe5 100644 --- a/flake.lock +++ b/flake.lock 
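Review bot: `keyCommandEnv` hard-codes `/home/yuri/.passinfra_gnupg` and `/home/yuri/pass/infra`, so every `secrets.nix` key command only works when colmena is run from that one account; any other operator or a CI runner fails at key upload with an error that points at `pass` rather than at this line. Either document that in the comment, e.g. `# Runs on the deploying machine: needs the infra pass store and its GnuPG keyring at these paths`, or make the two paths overridable instead of literals. The surrounding flake body continues outside the hunk.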
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696815342, - "narHash": "sha256-MHA0Ye0PaFF6pay6tP9yMgwWvuqRraa9bH45U88RwC4=", + "lastModified": 1696874073, + "narHash": "sha256-HNcQddEVmBVbMeH0I4LUEKFyZNvGfIYeXvyMYBvXjZ0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8be69c1764f58e07099e4a24b926f49bbada8c7f", + "rev": "22723a1d7deab53e5c1022906089e4247a5d3e77", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1696826630, - "narHash": "sha256-oGU94vo6pkzGbaSsPHjpHtOUg6b7nL8v3xATnrcw3cQ=", + "lastModified": 1696874314, + "narHash": "sha256-Tdq3pVF1We5rX5sI6IsyFmh0pHQmpS6GQBdaBdH0FkY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5a9c737c587d2c34d63c5b3cb53c6ab0705bdf4f", + "rev": "38aa96fc39c9719994f08100f791c27d31ee7892", "type": "github" }, "original": { From 42de10657d5e8ae672bd2984fb3b1fda0457ce23 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 267/386] Use OpenSSH config from CCCHH nix-infra repo --- config/common/default.nix | 13 ++---------- config/common/openssh.nix | 42 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 11 deletions(-) create mode 100644 config/common/openssh.nix diff --git a/config/common/default.nix b/config/common/default.nix index 0aee917..c57eaba 100644 --- a/config/common/default.nix +++ b/config/common/default.nix @@ -1,8 +1,9 @@ -{ pkgs, lib, ... }: +{ pkgs, ... }: { imports = [ ./prometheus-node-exporter.nix ./nginx.nix + ./openssh.nix ../users/colmena-deploy ../users/yuri ]; @@ -36,16 +37,6 @@ tcpdump ]; - services.openssh = { - enable = true; - openFirewall = true; - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - PermitRootLogin = lib.mkForce "no"; - }; - }; - security.acme = { defaults.email = "acme@grzb.de"; acceptTerms = true; diff --git a/config/common/openssh.nix b/config/common/openssh.nix new file mode 100644 index 0000000..e706571 
--- /dev/null
+++ b/config/common/openssh.nix
@@ -0,0 +1,42 @@
+# Common SSH configuration.
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#sec-ssh
+# - https://infosec.mozilla.org/guidelines/openssh
+# - Julians deploy_ssh_server_config Ansible role
+
+{ lib, ... }:
+{
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+
+ settings = {
+ # Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
+ # Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
+
+ # X11 Forwarding shouldn't be needed.
+ X11Forwarding = false;
+
+ # Don't allow root login.
+ PermitRootLogin = lib.mkForce "no";
+
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+
+ # Set this according to Mozilla Modern guideline as of 2023-09-09.
+ # The guidelines description:
+ # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
+ # clear audit track of which key was using to log in.
+ LogLevel = "VERBOSE";
+ };
+
+ # Set those according to Mozilla Modern guideline as of 2023-09-09.
+ # The guidelines description:
+ # Log sftp level file access (read/write/etc.) that would not be easily
+ # logged otherwise.
+ sftpFlags = [
+ "-f AUTHPRIV"
+ "-l INFO"
+ ];
+ };
+}
From 002421bd678b7f2ef406743d24e1d1a2e8d4e27b Mon Sep 17 00:00:00 2001
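Review bot: The `Macs`/`Ciphers` comments justify leaving those settings at the NixOS 23.05 default, but this file is shared by hosts that pin `hostNixpkgs = nixpkgs-unstable` (searx in patch 268), so the effective defaults can differ per host and drift as the lock file moves; either set `settings.Ciphers`, `settings.Macs` and `settings.KexAlgorithms` explicitly to the guideline's lists, or extend the comment to say the claim only holds for the 23.05 channel. `openFirewall = true` opens port 22 on every host including the public-facing ones, which matches what `config/common/default.nix` did before, but a comment such as `# SSH reachable on all interfaces; key-only auth, see settings below` would make the exposure deliberate rather than inherited. `LogLevel = "VERBOSE"` and the `sftpFlags` logging are good audit defaults; consider also stating in the header which hosts are expected to override `PermitRootLogin`, since `lib.mkForce` suggests some module sets it.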
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 268/386] Add searx host --- config/hosts/searx/configuration.nix | 17 +++++++++++ config/hosts/searx/default.nix | 8 +++++ config/hosts/searx/nginx.nix | 29 +++++++++++++++++++ config/hosts/searx/searx.nix | 29 +++++++++++++++++++ config/hosts/searx/secrets.nix | 11 +++++++ config/hosts/web-public-2/nginx.nix | 1 + .../virtualHosts/acme-challenge.nix | 1 + hosts.nix | 5 ++++ 8 files changed, 101 insertions(+) create mode 100644 config/hosts/searx/configuration.nix create mode 100644 config/hosts/searx/default.nix create mode 100644 config/hosts/searx/nginx.nix create mode 100644 config/hosts/searx/searx.nix create mode 100644 config/hosts/searx/secrets.nix diff --git a/config/hosts/searx/configuration.nix b/config/hosts/searx/configuration.nix new file mode 100644 index 0000000..1216183 --- /dev/null +++ b/config/hosts/searx/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "searx"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 8443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/searx/default.nix b/config/hosts/searx/default.nix new file mode 100644 index 0000000..ee2a678 --- /dev/null +++ b/config/hosts/searx/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ./searx.nix + ]; +} diff --git a/config/hosts/searx/nginx.nix b/config/hosts/searx/nginx.nix new file mode 100644 index 0000000..a84c171 --- /dev/null +++ b/config/hosts/searx/nginx.nix 
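Review bot: `allowedTCPPorts = [ 80 8443 ]` exposes the PROXY-protocol listener on 8443 to every peer on the network, while the only intended client is the stream proxy whose address `nginx.nix` in this commit trusts via `set_real_ip_from 10.202.41.100`. Because that listener requires a PROXY header and only 10.202.41.100 is trusted for real-IP, other peers cannot spoof the client address, but they can still reach the TLS vhost directly; if that is not wanted, restrict 8443 by source with `networking.firewall.extraCommands`, or add a comment stating that direct access to 8443 from the internal network is acceptable.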
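Review bot: `imports` lists `configuration.nix`, `nginx.nix` and `searx.nix` but not the `secrets.nix` created in the same commit, so unless the colmena host helper picks up `secrets.nix` on its own (not visible here), `deployment.keys."searx-secret-key.secret"` is never registered and the `/secrets/searx-secret-key.secret` referenced by `searx.nix` will not exist on the host. If the helper does import it, a comment `# secrets.nix is imported by the colmena host helper` in the list would make that explicit.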
@@ -0,0 +1,29 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."searx.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}";
+ };
+ extraConfig = ''
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/searx/searx.nix b/config/hosts/searx/searx.nix
new file mode 100644
index 0000000..cdb9940
--- /dev/null
+++ b/config/hosts/searx/searx.nix
@@ -0,0 +1,29 @@
+{ pkgs, ... }:
+{
+ services.searx = {
+ enable = true;
+ package = pkgs.searxng;
+ redisCreateLocally = true;
+ settings = {
+ general = {
+ debug = false;
+ instance_name = "SearXNG";
+ };
+ server = {
+ bind_address = "127.0.0.1";
+ port = 8080;
+ base_url = "https://searx.nekover.se";
+ limiter = true;
+ image_proxy = true;
+ secret_key = "@SEARX_SECRET_KEY@";
+ };
+ search = {
+ safe_search = 0;
+ autocomplete = "duckduckgo";
+ };
+ ui.static_use_hash = true;
+ enabled_plugins = [ "Hash plugin" "Self Informations" "Tracker URL remover" "Ahmia blacklist" ];
+ };
+ environmentFile = "/secrets/searx-secret-key.secret";
+ };
+}
diff --git a/config/hosts/searx/secrets.nix b/config/hosts/searx/secrets.nix
new file mode 100644
index 0000000..38231fc
--- /dev/null
+++ b/config/hosts/searx/secrets.nix
@@ -0,0 +1,11 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys."searx-secret-key.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "searx/secret-key" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 122a4b2..907cdb8 100644
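Review bot: `secret_key = "@SEARX_SECRET_KEY@"` is a placeholder that the NixOS searx module substitutes from `environmentFile` at service start, but the key deployed by `secrets.nix` in this commit is `root:root` with mode `0640` while searx runs as its own unprivileged user; unless the module performs the substitution with root privileges, the service will start with a literal or empty secret, so verify this on first deploy or set `group = "searx"` on the key. A comment next to the placeholder, `# replaced from SEARX_SECRET_KEY in environmentFile by the searx module`, would save the next reader a trip to the module source. `safe_search = 0` and `limiter = true` are policy choices that deserve a one-line comment each.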
--- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -27,6 +27,7 @@ mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; nix-cache.nekover.se 10.202.41.121:8443; + searx.nekover.se 10.202.41.105:8443; social.nekover.se 10.202.41.104:8443; } server { diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 9cd0be4..eaf7188 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -7,6 +7,7 @@ let "matrix.nekover.se" = "matrix.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; + "searx.nekover.se" = "searx.vs.grzb.de"; "turn.nekover.se" = "coturn.vs.grzb.de"; }; in diff --git a/hosts.nix b/hosts.nix index 4f00d17..194cc45 100644 --- a/hosts.nix +++ b/hosts.nix @@ -89,6 +89,11 @@ in site = "vs"; environment = "proxmox"; }; + searx = { + hostNixpkgs = nixpkgs-unstable; + site = "vs"; + environment = "proxmox"; + }; tor-relay = { site = "vs"; environment = "proxmox"; From e679a2634b7900dadcb61e3ca1aa76aa9d28157f Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 269/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/22723a1d7deab53e5c1022906089e4247a5d3e77' (2023-10-09) → 'github:NixOS/nixpkgs/0e1cff585c1a85aeab059d3109f66134a8f76935' (2023-10-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/38aa96fc39c9719994f08100f791c27d31ee7892' (2023-10-09) → 'github:NixOS/nixpkgs/982b24c40e743793c966b47b3bb3699881489ae0' (2023-10-15) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 0bf2fe5..10b69cb 100644 --- a/flake.lock +++ b/flake.lock 
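Review bot: The new `searx.nekover.se 10.202.41.105:8443;` entry hard-codes the backend IP while `acme-challenge.nix` in the same commit addresses the same host as `searx.vs.grzb.de`, so the stream map and the challenge forwarder are two independent sources of truth that drift when the VM is renumbered; the existing entries have the same split. Using the `.vs.grzb.de` names in the map would need a `resolver` directive in the `stream` block because `proxy_pass $address` is a variable, so the simpler fix is to generate both lists from one attribute set (for example in `hosts.nix`) and keep the IP-to-name mapping in a single place. The `map` block continues outside the hunk.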
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696874073, - "narHash": "sha256-HNcQddEVmBVbMeH0I4LUEKFyZNvGfIYeXvyMYBvXjZ0=", + "lastModified": 1697332183, + "narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "22723a1d7deab53e5c1022906089e4247a5d3e77", + "rev": "0e1cff585c1a85aeab059d3109f66134a8f76935", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1696874314, - "narHash": "sha256-Tdq3pVF1We5rX5sI6IsyFmh0pHQmpS6GQBdaBdH0FkY=", + "lastModified": 1697343899, + "narHash": "sha256-66Dosy7YYVhkesbHXB4xxZZ+2NOi9CmFDyHOI1ZTAbQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "38aa96fc39c9719994f08100f791c27d31ee7892", + "rev": "982b24c40e743793c966b47b3bb3699881489ae0", "type": "github" }, "original": { From 8de22e8e11be6b588022a71e4f1a9cac7f237e53 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 270/386] Bump element-web to v1.11.47 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index f9b78d1..4810df6 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.46"; + elementWebVersion = "1.11.47"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-EQ6a8WK8ILYidbS+0FGzI4XQbZFh+M6Y7eZ28YcsIrg="; + sha256 = "sha256-iHhwiqRtssRQZltKj0mXgYLezgyO1Zkh9mfBLaX9xtk="; }; elementWebSecurityHeaders = '' # Configuration best practices From a0b626de2075679dce260be9f199ad69b4c7120f Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 271/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/0e1cff585c1a85aeab059d3109f66134a8f76935' (2023-10-15) → 'github:NixOS/nixpkgs/21443a102b1a2f037d02e1d22e3e0ffdda2dbff9' (2023-10-21) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/982b24c40e743793c966b47b3bb3699881489ae0' (2023-10-15) → 'github:NixOS/nixpkgs/8dfad603247387df1df4826b8bea58efc5d012d8' (2023-10-22) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 10b69cb..d96f7fd 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1697332183, - "narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=", + "lastModified": 1697912416, + "narHash": "sha256-2MLnJ9vLbiSyfA+mYHPdN76qAOfacJw/dX/sSiYdo2o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0e1cff585c1a85aeab059d3109f66134a8f76935", + "rev": "21443a102b1a2f037d02e1d22e3e0ffdda2dbff9", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1697343899, - "narHash": "sha256-66Dosy7YYVhkesbHXB4xxZZ+2NOi9CmFDyHOI1ZTAbQ=", + "lastModified": 1697935353, + "narHash": "sha256-dDwl5ziD24Gs0feke2seFXoQibHafb5XeNDWlUZxCbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "982b24c40e743793c966b47b3bb3699881489ae0", + "rev": "8dfad603247387df1df4826b8bea58efc5d012d8", "type": "github" }, "original": { From b48a6d472708f9a81991eb3737fcb1847efd005f Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 272/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/21443a102b1a2f037d02e1d22e3e0ffdda2dbff9' (2023-10-21) → 'github:NixOS/nixpkgs/5896110a4e861bf2e675a3c3d8a171793fce2599' (2023-10-29) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/8dfad603247387df1df4826b8bea58efc5d012d8' (2023-10-22) → 'github:NixOS/nixpkgs/4e43dd49630303b00120c11d00d4fb01bb40188d' (2023-10-29) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index d96f7fd..4a18ddd 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1697912416, - "narHash": "sha256-2MLnJ9vLbiSyfA+mYHPdN76qAOfacJw/dX/sSiYdo2o=", + "lastModified": 1698607745, + "narHash": "sha256-J5QPuWxE17nO/UZJKEbupEM6Zx1wXIo/C+iP+44Hvl0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "21443a102b1a2f037d02e1d22e3e0ffdda2dbff9", + "rev": "5896110a4e861bf2e675a3c3d8a171793fce2599", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1697935353, - "narHash": "sha256-dDwl5ziD24Gs0feke2seFXoQibHafb5XeNDWlUZxCbg=", + "lastModified": 1698610559, + "narHash": "sha256-i8vFNXJz9VcH05oNe/3Jm5f+CtE3g5uOUvF/dobTMUQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8dfad603247387df1df4826b8bea58efc5d012d8", + "rev": "4e43dd49630303b00120c11d00d4fb01bb40188d", "type": "github" }, "original": { From cf16f6ac6e05acea671cc8c50d64edc68f86f19d Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 273/386] Update mastodon-nekoverse-patches --- config/hosts/mastodon/mastodon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 620e6c2..620e379 100644 
--- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -2,7 +2,7 @@ let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; - hash = "sha256-+HoE3rXiJUpAUYiXj4BaOL68cCG1tN8p+TI7vRxrA1Y="; + hash = "sha256-6YXWc8LTPdZzP1TWBmVp00CyZXUIzZbMX85cwrIcAks="; }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { From 31276014aabc6862481b698dc96b12faa60df13d Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 274/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/5896110a4e861bf2e675a3c3d8a171793fce2599' (2023-10-29) → 'github:NixOS/nixpkgs/33e938c7823e47a787ad4f76003d14ff92ad96dd' (2023-11-07) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/4e43dd49630303b00120c11d00d4fb01bb40188d' (2023-10-29) → 'github:NixOS/nixpkgs/cfbb29d76949ae53c457f152c52c173ea4bdd862' (2023-11-07) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 4a18ddd..ae8fff0 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1698607745, - "narHash": "sha256-J5QPuWxE17nO/UZJKEbupEM6Zx1wXIo/C+iP+44Hvl0=", + "lastModified": 1699351105, + "narHash": "sha256-jNgFflP+Z7PzQav2TtuLBGEXF9GsBq2s8aBH18vmldM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5896110a4e861bf2e675a3c3d8a171793fce2599", + "rev": "33e938c7823e47a787ad4f76003d14ff92ad96dd", "type": "github" }, "original": { 
@@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1698610559, - "narHash": "sha256-i8vFNXJz9VcH05oNe/3Jm5f+CtE3g5uOUvF/dobTMUQ=", + "lastModified": 1699354722, + "narHash": "sha256-abmqUReg4PsyQSwv4d0zjcWpMHrd3IFJiTb2tZpfF04=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4e43dd49630303b00120c11d00d4fb01bb40188d", + "rev": "cfbb29d76949ae53c457f152c52c173ea4bdd862", "type": "github" }, "original": { From fca31e58361906ed0297af69d742dd2084659fa1 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 275/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/33e938c7823e47a787ad4f76003d14ff92ad96dd' (2023-11-07) → 'github:NixOS/nixpkgs/1d55765508b8316798429875712dc1ef5e62a2fa' (2023-11-10) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/cfbb29d76949ae53c457f152c52c173ea4bdd862' (2023-11-07) → 'github:NixOS/nixpkgs/714e527a726c9613fca8e13586a1b19198d68d9b' (2023-11-10) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index ae8fff0..4b92509 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1699351105, - "narHash": "sha256-jNgFflP+Z7PzQav2TtuLBGEXF9GsBq2s8aBH18vmldM=", + "lastModified": 1699646590, + "narHash": "sha256-f81xS0qN6H1ULTyArpZgdjsly4FY0BnvPXdmSb7hq+o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "33e938c7823e47a787ad4f76003d14ff92ad96dd", + "rev": "1d55765508b8316798429875712dc1ef5e62a2fa", "type": "github" }, "original": { 
@@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1699354722, - "narHash": "sha256-abmqUReg4PsyQSwv4d0zjcWpMHrd3IFJiTb2tZpfF04=", + "lastModified": 1699625425, + "narHash": "sha256-WTqlROYtFucqwiRGxUE2MIpWNPUoua+rIJqKX0oi8DU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cfbb29d76949ae53c457f152c52c173ea4bdd862", + "rev": "714e527a726c9613fca8e13586a1b19198d68d9b", "type": "github" }, "original": { From 1adebca1c23f0e9e185d0b6dfdc7d9c17ea5d2de Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 276/386] Open firewall for jellyfin http port --- config/hosts/jellyfin/jellyfin.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/config/hosts/jellyfin/jellyfin.nix b/config/hosts/jellyfin/jellyfin.nix index 89deaaa..cea5f69 100644 --- a/config/hosts/jellyfin/jellyfin.nix +++ b/config/hosts/jellyfin/jellyfin.nix @@ -2,5 +2,6 @@ { services.jellyfin = { enable = true; + openFirewall = true; }; } From 55b2ee651f2c80256b861453ab5a46dcdc3a6daa Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 277/386] Add vapid public key --- config/hosts/mastodon/mastodon.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 620e379..921208c 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -25,6 +25,7 @@ let }); }; pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; + vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { services.mastodon = { @@ -33,6 +34,7 @@ in localDomain = "social.nekover.se"; secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret"; otpSecretFile = "/secrets/mastodon-otp-secret.secret"; + vapidPublicKeyFile = "${vapidPublicKey}"; vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret"; smtp = { authenticate = true; 
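Review bot: `openFirewall = true` on the jellyfin module opens more than the HTTP port the reverse proxy needs — the NixOS module also opens the HTTPS port and the UDP autodiscovery ports — so the commit title "Open firewall for jellyfin http port" understates the change. If only HTTP is required for the proxy, prefer `networking.firewall.allowedTCPPorts = [ 8096 ];` in the host's configuration, or at least add `# also opens HTTPS and discovery UDP ports` next to the option so the exposure is documented.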
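Review bot: `vapidPublicKey` writes the public half of the VAPID keypair to the Nix store, which is fine for a public key, but nothing ties it to the private key deployed at `/secrets/mastodon-vapid-private-key.secret`; if the private key is ever rotated in `pass`, this literal silently goes stale and web push signatures stop verifying. Add `# Public half of the VAPID keypair; must match /secrets/mastodon-vapid-private-key.secret, rotate both together` above the `writeText`. The `let` block continues outside the hunk.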
From 9629ff36fc08d1e1af917022a01bd05285826316 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 278/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/1d55765508b8316798429875712dc1ef5e62a2fa' (2023-11-10) → 'github:NixOS/nixpkgs/d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8' (2023-11-14) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/714e527a726c9613fca8e13586a1b19198d68d9b' (2023-11-10) → 'github:NixOS/nixpkgs/3298a053090d4bc6a7315588f786b6c96114970f' (2023-11-14) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 4b92509..3cf3fad 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1699646590, - "narHash": "sha256-f81xS0qN6H1ULTyArpZgdjsly4FY0BnvPXdmSb7hq+o=", + "lastModified": 1699994397, + "narHash": "sha256-xxNeIcMNMXH2EA9IAX6Cny+50mvY22LhIBiGZV363gc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1d55765508b8316798429875712dc1ef5e62a2fa", + "rev": "d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1699625425, - "narHash": "sha256-WTqlROYtFucqwiRGxUE2MIpWNPUoua+rIJqKX0oi8DU=", + "lastModified": 1699998596, + "narHash": "sha256-ktbY9CLmp9afb55TTNVuPLj90Sgbbqp4PwzxSJJb17o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "714e527a726c9613fca8e13586a1b19198d68d9b", + "rev": "3298a053090d4bc6a7315588f786b6c96114970f", "type": "github" }, "original": { From 3aaf04bc29636a7683dea39f195db2a6e66387e5 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 279/386] Update mastodon to 4.1.10 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 921208c..7dcf2ff 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.1.9"; + version = "4.1.10"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-xpE/mg2AeioW6NThUjLS+SBxGavG4w1xtp3BOMADfYo="; + sha256 = "sha256-22AhrI4wk/FhVJeRfhiI10MeYOJFoS0dwg3fWuWltoM="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" From 4e395c175388825efa5bfd9078ac15947c670369 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 280/386] Update element-web to 1.11.49 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 4810df6..b98e9e5 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.47"; + elementWebVersion = "1.11.49"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-iHhwiqRtssRQZltKj0mXgYLezgyO1Zkh9mfBLaX9xtk="; + sha256 = "sha256-0w503Y4hgG6eFMuMMQyHjuMhyc+T4Rq1a5VDZN3POQc="; }; elementWebSecurityHeaders = '' # Configuration best practices From d5222ace1aee90bf873fbce9f59ddec1111f21b6 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 281/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8' (2023-11-14) → 'github:NixOS/nixpkgs/9fb122519e9cd465d532f736a98c1e1eb541ef6f' (2023-11-16) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/3298a053090d4bc6a7315588f786b6c96114970f' (2023-11-14) → 'github:NixOS/nixpkgs/9008bc4eb62c878d0812105ea1b34255d651df88' (2023-11-15) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 3cf3fad..319f4b6 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1699994397, - "narHash": "sha256-xxNeIcMNMXH2EA9IAX6Cny+50mvY22LhIBiGZV363gc=", + "lastModified": 1700097215, + "narHash": "sha256-ODQ3gBTv1iHd7lG21H+ErVISB5wVeOhd/dEogOqHs/I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8", + "rev": "9fb122519e9cd465d532f736a98c1e1eb541ef6f", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1699998596, - "narHash": "sha256-ktbY9CLmp9afb55TTNVuPLj90Sgbbqp4PwzxSJJb17o=", + "lastModified": 1700083842, + "narHash": "sha256-uC5v4VyUPgC5L3zv7e9q6+TRCm+eiA+Ow5vcH67ef/I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3298a053090d4bc6a7315588f786b6c96114970f", + "rev": "9008bc4eb62c878d0812105ea1b34255d651df88", "type": "github" }, "original": { From f65b3c70e4e427be628e347b5c1e38b78508dbcb Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 282/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/9fb122519e9cd465d532f736a98c1e1eb541ef6f' (2023-11-16) → 'github:NixOS/nixpkgs/d7afe436f89670fb74eb0dcff2496f0ec530be48' (2023-11-16) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/9008bc4eb62c878d0812105ea1b34255d651df88' (2023-11-15) → 'github:NixOS/nixpkgs/7bea27b7ef1c23c7433e52327d81a01702d34272' (2023-11-16) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 319f4b6..28da249 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700097215, - "narHash": "sha256-ODQ3gBTv1iHd7lG21H+ErVISB5wVeOhd/dEogOqHs/I=", + "lastModified": 1700144580, + "narHash": "sha256-JSH+kxJ40pgyuVy7r/HF9IDFxAcuzwJBHZJH4g9+3vA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9fb122519e9cd465d532f736a98c1e1eb541ef6f", + "rev": "d7afe436f89670fb74eb0dcff2496f0ec530be48", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1700083842, - "narHash": "sha256-uC5v4VyUPgC5L3zv7e9q6+TRCm+eiA+Ow5vcH67ef/I=", + "lastModified": 1700169889, + "narHash": "sha256-AnqotTs1cIpx7Rc0ML3cnQwGJGSmlaLQZ2xzbjLU3XQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9008bc4eb62c878d0812105ea1b34255d651df88", + "rev": "7bea27b7ef1c23c7433e52327d81a01702d34272", "type": "github" }, "original": { From 076d1217e91829050c5f9c0321cbb09ec12396c5 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 283/386] Update mastodon to v4.2.1 --- config/hosts/mastodon/mastodon.nix | 20 ++++++++++++++------ config/hosts/mastodon/nginx.nix | 18 +++++++++++++++++- 2 files changed, 31 insertions(+), 7 deletions(-) 
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 7dcf2ff..a05107e 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -1,33 +1,40 @@
-{ pkgs, ... }:
+{ pkgs, nixpkgs-unstable, ... }:
 let
 mastodonNekoversePatches = pkgs.fetchgit {
 url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git";
- hash = "sha256-6YXWc8LTPdZzP1TWBmVp00CyZXUIzZbMX85cwrIcAks=";
+ hash = "sha256-HZP9UndsOcBhFV5T70R1HlYrCL+cqViZVJxHptxZKB8=";
 };
 mastodonNekoverseOverlay = final: prev: {
 mastodon = (prev.mastodon.override rec {
- version = "4.1.10";
+ version = "4.2.1";
 srcOverride = final.applyPatches {
 src = final.fetchgit {
 url = "https://github.com/mastodon/mastodon.git";
 rev = "v${version}";
- sha256 = "sha256-22AhrI4wk/FhVJeRfhiI10MeYOJFoS0dwg3fWuWltoM=";
+ sha256 = "sha256-SM9WdD+xpxo+gfBft9DARV6QjwNbF2Y9McVrrdDT3fw=";
 };
 patches = [
 "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch"
- "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch"
+ #"${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch"
 "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch"
 "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch"
 "${mastodonNekoversePatches}/patches/006_increase_display_name_character_limit.patch"
 "${mastodonNekoversePatches}/patches/007_increase_toot_character_limit.patch"
 ];
 };
+ yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE=";
 });
 };
- pkgs-overlay = pkgs.extend mastodonNekoverseOverlay;
+ pkgs-overlay = nixpkgs-unstable.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay;
 vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU=";
 in
 {
+ disabledModules = [ "services/web-apps/mastodon.nix" ];
+
+ imports = [
+ "${nixpkgs-unstable}/nixos/modules/services/web-apps/mastodon.nix"
+ ];
+
 services.mastodon = {
 enable = true;
 package = pkgs-overlay.mastodon;
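Review bot: `mastodonNekoversePatches = pkgs.fetchgit { url = ...; hash = ...; }` still carries no `rev`, so the six patches applied to the Mastodon source are pinned only by an output hash that is regenerated from whatever the default branch holds at update time. Add `rev = "<commit>";` next to `hash` so the provenance of each patch set is reviewable and a rewritten branch cannot simply become the new expected hash when the hash is refreshed. The Mastodon source itself is fine, since `rev = "v${version}"` fixes it. Separately, `pkgs-overlay` now builds from `nixpkgs-unstable.legacyPackages` while the host otherwise follows the `nixpkgs` input; a one-line comment above it saying why, and that the `disabledModules`/`imports` override below exists to match it, would save the next reader a trip through the history.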
@@ -44,6 +51,7 @@ in
 passwordFile = "/secrets/mastodon-email-smtp-pass.secret";
 fromAddress = "Nekoverse ";
 };
+ streamingProcesses = 3;
 extraConfig = {
 SMTP_TLS = "true";
 ES_PRESET = "single_node_cluster";
diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix
index f9d541f..f195089 100644
--- a/config/hosts/mastodon/nginx.nix
+++ b/config/hosts/mastodon/nginx.nix
@@ -3,6 +3,22 @@
 services.nginx = {
 enable = true;
 group = "mastodon";
+ upstreams.streaming = {
+ extraConfig = ''
+ least_conn;
+ '';
+ servers = {
+ "unix:/run/mastodon-streaming/streaming-1.socket" = {
+ fail_timeout = "0";
+ };
+ "unix:/run/mastodon-streaming/streaming-2.socket" = {
+ fail_timeout = "0";
+ };
+ "unix:/run/mastodon-streaming/streaming-3.socket" = {
+ fail_timeout = "0";
+ };
+ };
+ };
 virtualHosts."social.nekover.se" = {
 forceSSL = true;
 enableACME = true;
@@ -29,7 +45,7 @@
 "/system/".alias = "/var/lib/mastodon/public-system/";
 "^~ /api/v1/streaming" = {
- proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+ proxyPass = "http://streaming";
 proxyWebsockets = true;
 };
From eaf4385137563f5a8c9f2ca85bb8a82e134d98c1 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 284/386] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/d7afe436f89670fb74eb0dcff2496f0ec530be48' (2023-11-16) → 'github:NixOS/nixpkgs/9ba29e2346bc542e9909d1021e8fd7d4b3f64db0' (2023-11-23) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/7bea27b7ef1c23c7433e52327d81a01702d34272' (2023-11-16) → 'github:NixOS/nixpkgs/da41de71f62bf7fb989a04e39629b8adbf8aa8b5' (2023-11-22)
---
 flake.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/flake.lock b/flake.lock
index 28da249..a141dcd 100644
--- a/flake.lock
+++ b/flake.lock
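Review bot: The three `servers` entries under `upstreams.streaming` hard-code socket names 1–3 while the process count lives in mastodon.nix as `streamingProcesses = 3;`, so the two files drift silently the moment one of them changes. Derive the list from the option instead, e.g. `servers = lib.listToAttrs (map (i: lib.nameValuePair "unix:/run/mastodon-streaming/streaming-${toString i}.socket" { fail_timeout = "0"; }) (lib.range 1 config.services.mastodon.streamingProcesses));`, which needs `config` and `lib` in the module arguments that sit above this hunk. A short comment that the `streaming-<n>.socket` names are owned by the mastodon module, not by this file, would explain why the upstream is generated rather than listed.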
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700144580, - "narHash": "sha256-JSH+kxJ40pgyuVy7r/HF9IDFxAcuzwJBHZJH4g9+3vA=", + "lastModified": 1700748986, + "narHash": "sha256-/nqLrNU297h3PCw4QyDpZKZEUHmialJdZW2ceYFobds=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d7afe436f89670fb74eb0dcff2496f0ec530be48", + "rev": "9ba29e2346bc542e9909d1021e8fd7d4b3f64db0", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1700169889, - "narHash": "sha256-AnqotTs1cIpx7Rc0ML3cnQwGJGSmlaLQZ2xzbjLU3XQ=", + "lastModified": 1700641131, + "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7bea27b7ef1c23c7433e52327d81a01702d34272", + "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5", "type": "github" }, "original": { From 10ccba8d9a104ed08c5be734c8e3fe1084ef5882 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 285/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/9ba29e2346bc542e9909d1021e8fd7d4b3f64db0' (2023-11-23) → 'github:NixOS/nixpkgs/cbd3f3722ac41a200c1655141e021cf12c3ba4e6' (2023-11-24) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/da41de71f62bf7fb989a04e39629b8adbf8aa8b5' (2023-11-22) → 'github:NixOS/nixpkgs/1b99d72c8b7468def0c633635c469bf828db33a0' (2023-11-24) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index a141dcd..a1c74f0 100644 --- a/flake.lock +++ b/flake.lock 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700748986, - "narHash": "sha256-/nqLrNU297h3PCw4QyDpZKZEUHmialJdZW2ceYFobds=", + "lastModified": 1700854570, + "narHash": "sha256-GiwMS5sWSgF/CyZYbm+G5EcgG1VOEyvcsP5lE1L97Aw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9ba29e2346bc542e9909d1021e8fd7d4b3f64db0", + "rev": "cbd3f3722ac41a200c1655141e021cf12c3ba4e6", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1700641131, - "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=", + "lastModified": 1700867874, + "narHash": "sha256-0Dk63BLiG9rmfBf8LxFpz8KgpUkepehVzhhVDgfxWSo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5", + "rev": "1b99d72c8b7468def0c633635c469bf828db33a0", "type": "github" }, "original": { From 975a5c1ece122812bec86dbc944d6ab1cf716d05 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 286/386] Fix http acme challange for status.nekover.se --- config/hosts/valkyrie/configuration.nix | 5 --- config/hosts/valkyrie/nginx.nix | 42 ++++++++++++++++--------- 2 files changed, 27 insertions(+), 20 deletions(-) diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index fd3cd45..f4e2db5 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -80,11 +80,6 @@ proto = "tcp"; sourcePort = 25; } - { - destination = "172.18.50.2:80"; - proto = "tcp"; - sourcePort = 80; - } { destination = "172.18.50.2:465"; proto = "tcp"; diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix index ada3379..fae78f0 100644 --- a/config/hosts/valkyrie/nginx.nix +++ b/config/hosts/valkyrie/nginx.nix 
@@ -2,23 +2,35 @@
 {
 services.nginx = {
 enable = true;
- virtualHosts."status.nekover.se" = {
- forceSSL = true;
- enableACME = true;
- listen = [
- {
+ virtualHosts = {
+ "mail-1.grzb.de" = {
+ listen = [{
 addr = "0.0.0.0";
 port = 80;
- }
- {
- addr = "0.0.0.0";
- port = 443;
- ssl = true;
- }
- ];
- locations."/" = {
- proxyPass = "http://localhost:3001";
- proxyWebsockets = true;
+ }];
+ locations."/" = {
+ # proxy port 80 to mail server nginx for acme http challange
+ proxyPass = "http://172.18.50.2:80";
+ };
+ };
+ "status.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://localhost:3001";
+ proxyWebsockets = true;
+ };
 };
 };
 };
From a576b5fa875a60787ccfc919ddc8a1000bf01e2e Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 287/386] Update element-web to 1.11.50
---
 config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index b98e9e5..c67ca9c 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@@ -1,9 +1,9 @@
 { pkgs, ... }:
 let
- elementWebVersion = "1.11.49";
+ elementWebVersion = "1.11.50";
 element-web = pkgs.fetchzip {
 url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
- sha256 = "sha256-0w503Y4hgG6eFMuMMQyHjuMhyc+T4Rq1a5VDZN3POQc=";
+ sha256 = "sha256-NdETOxGqY6xae8oQcz9NoXbDuLc0F/YaW0Ql5dxUEks=";
 };
 elementWebSecurityHeaders = ''
 # Configuration best practices
From 5425e47921de2abbd115ffecd1159ec6d45d7966 Mon Sep 17 00:00:00 2001
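Review bot: The new `mail-1.grzb.de` vhost proxies every path over plain HTTP to `172.18.50.2:80`, although its comment says it exists only for the ACME HTTP challenge; narrow it to `locations."^~ /.well-known/acme-challenge/".proxyPass = "http://172.18.50.2:80";` and give `locations."/"` a `return = "404";` so the mail host's port 80 is not reachable through valkyrie beyond the challenge path. Neither vhost sets `default = true`, so a port-80 request for any other Host name falls through to nginx's first server block, which with the module's alphabetical ordering is presumably `mail-1.grzb.de`; either mark `status.nekover.se` (or a catch-all returning 444) as the default, or accept that stray traffic lands on the mail server. The comment also misspells `challenge` as `challange`.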
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 288/386] Use postgresql service from unstable
---
 config/hosts/mastodon/mastodon.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index a05107e..29a9560 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -29,9 +29,13 @@ let
 vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU=";
 in
 {
- disabledModules = [ "services/web-apps/mastodon.nix" ];
+ disabledModules = [
+ "services/databases/postgresql.nix"
+ "services/web-apps/mastodon.nix"
+ ];
 imports = [
+ "${nixpkgs-unstable}/nixos/modules/services/databases/postgresql.nix"
 "${nixpkgs-unstable}/nixos/modules/services/web-apps/mastodon.nix"
 ];
From f792e9ea699a5edcd117914d093dc114d81688ad Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 289/386] Add navidrome host
---
 config/hosts/navidrome/configuration.nix | 33 +++++++++++++++++++
 config/hosts/navidrome/default.nix | 7 ++++
 config/hosts/navidrome/navidrome.nix | 9 +++++
 config/hosts/navidrome/nginx.nix | 24 ++++++++++++
 config/hosts/navidrome/secrets.nix | 13 ++++++++
 .../virtualHosts/acme-challenge.nix | 12 +++++--
 hosts.nix | 5 +++
 7 files changed, 100 insertions(+), 3 deletions(-)
 create mode 100644 config/hosts/navidrome/configuration.nix
 create mode 100644 config/hosts/navidrome/default.nix
 create mode 100644 config/hosts/navidrome/navidrome.nix
 create mode 100644 config/hosts/navidrome/nginx.nix
 create mode 100644 config/hosts/navidrome/secrets.nix
diff --git a/config/hosts/navidrome/configuration.nix b/config/hosts/navidrome/configuration.nix
new file mode 100644
index 0000000..581a631
--- /dev/null
+++ b/config/hosts/navidrome/configuration.nix
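Review bot: Swapping in the `nixpkgs-unstable` PostgreSQL module changes which tree decides the default `services.postgresql.package` for this host, and the hunk pins neither the package nor the data directory; if the two trees default to different major versions, the unit would try to start a newer server against the existing cluster under the bind-mounted `/var/lib/postgresql`. Set `services.postgresql.package` explicitly next to this override and add a comment recording why the unstable module is needed, so the `disabledModules` entry can be dropped again once the stable module catches up. The module body (`in {`) continues outside the hunk.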
@@ -0,0 +1,33 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "navidrome";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ };
+
+ fileSystems = {
+ "/mnt/music" = {
+ device = "//10.202.40.5/music-ro";
+ fsType = "cifs";
+ options = [
+ "username=navidrome"
+ "credentials=/secrets/navidrome-samba-credentials.secret"
+ "iocharset=utf8"
+ "vers=3.1.1"
+ "uid=navidrome"
+ "gid=navidrome"
+ "_netdev"
+ ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/navidrome/default.nix b/config/hosts/navidrome/default.nix
new file mode 100644
index 0000000..00d4a90
--- /dev/null
+++ b/config/hosts/navidrome/default.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+ imports = [
+ ./configuration.nix
+ ./navidrome.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/navidrome/navidrome.nix b/config/hosts/navidrome/navidrome.nix
new file mode 100644
index 0000000..74e3a1d
--- /dev/null
+++ b/config/hosts/navidrome/navidrome.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ services.navidrome = {
+ enable = true;
+ settings = {
+ Address = "unix:/run/navidrome/navidrome.socket";
+ MusicFolder = "/mnt/music";
+ };
+ };
+}
diff --git a/config/hosts/navidrome/nginx.nix b/config/hosts/navidrome/nginx.nix
new file mode 100644
index 0000000..eef60dd
--- /dev/null
+++ b/config/hosts/navidrome/nginx.nix
@@ -0,0 +1,24 @@
+{ ... }: {
+ services.nginx = {
+ enable = true;
+ user = "navidrome";
+ virtualHosts."navidrome.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://unix:/run/navidrome/navidrome.socket";
+ };
+ };
+ };
+}
diff --git a/config/hosts/navidrome/secrets.nix b/config/hosts/navidrome/secrets.nix
new file mode 100644
index 0000000..a11e957
--- /dev/null
+++ b/config/hosts/navidrome/secrets.nix
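Review bot: `user = "navidrome";` in nginx.nix runs every nginx worker as the application user, so the proxy inherits navidrome's access to `/mnt/music` (mounted with `uid=navidrome`) and to its state directory — far more than it needs to reach one unix socket. The mastodon host handles the same situation with `services.nginx.group = "mastodon";`; use `group = "navidrome";` here if the socket is group-accessible, and otherwise have navidrome create the socket group-writable rather than widening nginx. In configuration.nix, `"username=navidrome"` duplicates what the `credentials=` file presumably already supplies and the two can drift apart; keep only the credentials file.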
@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "navidrome-samba-credentials.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix
index fd1e474..c9b7e61 100644
--- a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix
@@ -1,12 +1,18 @@
 { ... }:
+let
+ acmeDomainMap = {
+ "paperless.grzb.de" = "paperless.wg.grzb.de";
+ "navidrome.grzb.de" = "navidrome.wg.grzb.de";
+ };
+in
 {
- services.nginx.virtualHosts."paperless.grzb.de" = {
+ services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: {
 listen = [{
 addr = "0.0.0.0";
 port = 80;
 }];
 locations."^~ /.well-known/acme-challenge/" = {
- proxyPass = "http://paperless.wg.grzb.de:80";
+ proxyPass = "http://${target}:80";
 };
- };
+ }) acmeDomainMap);
 }
diff --git a/hosts.nix b/hosts.nix
index 194cc45..afdbc03 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -69,6 +69,11 @@ in
 site = "vs";
 environment = "proxmox";
 };
+ navidrome = {
+ hostNixpkgs = nixpkgs-unstable;
+ site = "wg";
+ environment = "proxmox";
+ };
 netbox = {
 site = "vs";
 environment = "proxmox";
From 0438949c2bb25f332d91955cab65cf238d0b8c41 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 290/386] Use 23.11 as default nixpkgs
---
 flake.lock | 25 +++++++++++++++++++++----
 flake.nix | 5 +++--
 hosts.nix | 4 +++-
 3 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/flake.lock b/flake.lock
index a1c74f0..6dffdd8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -70,16 +70,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700854570, - "narHash": "sha256-GiwMS5sWSgF/CyZYbm+G5EcgG1VOEyvcsP5lE1L97Aw=", + "lastModified": 1701592216, + "narHash": "sha256-OVEAu1YBi3i8eB2f5uxR0Yws/uXgj2yHj/I963e6jxU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cbd3f3722ac41a200c1655141e021cf12c3ba4e6", + "rev": "f8a9aa9ca646691f9e192a62624b1548367b5dd9", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.05-small", + "ref": "nixos-23.11-small", "repo": "nixpkgs", "type": "github" } @@ -99,6 +99,22 @@ "type": "indirect" } }, + "nixpkgs-23-05": { + "locked": { + "lastModified": 1701699333, + "narHash": "sha256-ePa4oynwTNXuc4bqbi5ZMrO72yGuTPukptuMmgXPM5k=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "42499b9f6515dbca54cec1cae78165fd4e5eccfe", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05-small", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-23_05": { "locked": { "lastModified": 1684782344, @@ -149,6 +165,7 @@ "inputs": { "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", + "nixpkgs-23-05": "nixpkgs-23-05", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } diff --git a/flake.nix b/flake.nix index d2341f7..337bdfa 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,8 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05-small"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -9,7 +10,7 @@
 simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
 };
- outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs:
+ outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs:
 let
 hosts = import ./hosts.nix inputs;
 helper = import ./helper.nix inputs;
diff --git a/hosts.nix b/hosts.nix
index afdbc03..2214fed 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -1,4 +1,4 @@
-{ nixpkgs, nixpkgs-unstable, ... }:
+{ nixpkgs, nixpkgs-unstable, nixpkgs-23-05, ... }:
 let
 # Set of environment specific modules
 environments = {
@@ -50,10 +50,12 @@ in
 site = "io";
 };
 mail-1 = {
+ hostNixpkgs = nixpkgs-23-05;
 site = "vs";
 environment = "proxmox";
 };
 mail-2 = {
+ hostNixpkgs = nixpkgs-23-05;
 site = "wg";
 environment = "proxmox";
 };
From 8fecd41d7531fd8c6b28789cff2a73dbd9f8a126 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 291/386] Set netbox package to package from 23.11
---
 config/hosts/netbox/netbox.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
index 32e37e4..b9ba2ad 100644
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@@ -1,7 +1,8 @@
-{ ... }:
+{ pkgs, ... }:
 {
 services.netbox = {
 enable = true;
+ package = pkgs.netbox;
 secretKeyFile = "/secrets/netbox-secret-key.secret";
 };
 }
From a1122ed942c7fc75cad30ad3f354fbb75eb38cb8 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 292/386] Update mastodon to 4.2.2 and add 008_increase_profile_metadata_limit patch
---
 config/hosts/mastodon/mastodon.nix | 17 ++++------------
 1 file changed, 4 insertions(+), 13 deletions(-)
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index 29a9560..f2d7304 100644
--- a/config/hosts/mastodon/mastodon.nix
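Review bot: `hostNixpkgs = nixpkgs-23-05;` on `mail-1` and `mail-2` leaves both mail hosts on a release whose security updates end shortly after 23.11 ships, and nothing at the pin says why or for how long; the `simple-nixos-mailserver` input in flake.nix still tracking its `nixos-23.05` branch is presumably the reason. Record that where the pin is made, e.g. `hostNixpkgs = nixpkgs-23-05; # mailserver input is still on nixos-23.05; bump both together before 23.05 goes EOL`, so the pin gets revisited rather than forgotten. The attribute set these entries belong to starts and ends outside the hunk.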
+++ b/config/hosts/mastodon/mastodon.nix
@@ -2,16 +2,16 @@
 let
 mastodonNekoversePatches = pkgs.fetchgit {
 url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git";
- hash = "sha256-HZP9UndsOcBhFV5T70R1HlYrCL+cqViZVJxHptxZKB8=";
+ hash = "sha256-2ZTwgcApKrXnO6isJFZk2oLaFB8hm1OAlPxftxXL25g=";
 };
 mastodonNekoverseOverlay = final: prev: {
 mastodon = (prev.mastodon.override rec {
- version = "4.2.1";
+ version = "4.2.2";
 srcOverride = final.applyPatches {
 src = final.fetchgit {
 url = "https://github.com/mastodon/mastodon.git";
 rev = "v${version}";
- sha256 = "sha256-SM9WdD+xpxo+gfBft9DARV6QjwNbF2Y9McVrrdDT3fw=";
+ sha256 = "sha256-D3qIrxj6mHtepMAYHq6USOM+ukMF7J/y20/y+CUh5RU=";
 };
 patches = [
 "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch"
@@ -20,6 +20,7 @@ let
 "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch"
 "${mastodonNekoversePatches}/patches/006_increase_display_name_character_limit.patch"
 "${mastodonNekoversePatches}/patches/007_increase_toot_character_limit.patch"
+ "${mastodonNekoversePatches}/patches/008_increase_profile_metadata_limit.patch"
 ];
 };
 yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE=";
@@ -29,16 +30,6 @@ let
 vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU=";
 in
 {
- disabledModules = [
- "services/databases/postgresql.nix"
- "services/web-apps/mastodon.nix"
- ];
-
- imports = [
- "${nixpkgs-unstable}/nixos/modules/services/databases/postgresql.nix"
- "${nixpkgs-unstable}/nixos/modules/services/web-apps/mastodon.nix"
- ];
-
 services.mastodon = {
 enable = true;
 package = pkgs-overlay.mastodon;
From b05e826790b698c4d7b7d7ea626053b9a94ca2db Mon Sep 17 00:00:00 2001
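Review bot: Dropping `disabledModules`/`imports` makes `services.mastodon` evaluate under the host's own `nixpkgs` module again while `package = pkgs-overlay.mastodon` is, as far as the earlier definition shows, still built from `nixpkgs-unstable.legacyPackages`, so module and package now come from different nixpkgs revisions. If the 23.11 module is sufficient, switch `pkgs-overlay` back to `pkgs.extend mastodonNekoverseOverlay` in the same change so the module's assumptions about the package it starts (socket layout, environment, migrations) are the ones it was written against; otherwise leave a comment on `pkgs-overlay` stating that the skew is intentional. The `pkgs-overlay` line itself sits between the second and third hunk and is not visible here. `mastodonNekoversePatches` also still takes a refreshed `hash` without a `rev` to pin which commit that hash belongs to.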
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 293/386] Fix mastodon vm not booting due to mount options
---
 config/hosts/mastodon/configuration.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/hosts/mastodon/configuration.nix b/config/hosts/mastodon/configuration.nix
index aad67b7..6ca384d 100644
--- a/config/hosts/mastodon/configuration.nix
+++ b/config/hosts/mastodon/configuration.nix
@@ -23,19 +23,19 @@
 depends = [ "/mnt/data" ];
 device = "/mnt/data/mastodon";
 fsType = "none";
- options = [ "bind" "X-mount.owner=mastodon" "X-mount.group=mastodon" ];
+ options = [ "bind" ];
 };
 "/var/lib/postgresql" = {
 depends = [ "/mnt/data" ];
 device = "/mnt/data/postgresql";
 fsType = "none";
- options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ];
+ options = [ "bind" ];
 };
 "/var/lib/private/opensearch/data" = {
 depends = [ "/mnt/data" ];
 device = "/mnt/data/opensearch";
 fsType = "none";
- options = [ "bind" "X-mount.owner=opensearch" "X-mount.group=opensearch" ];
+ options = [ "bind" ];
 };
 };
From 46277dc3cdafa5bcdd2121a6eb1289b386752fa2 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 294/386] Set nixos-generators proxmox disk size
---
 config/nixos-generators/proxmox.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/config/nixos-generators/proxmox.nix b/config/nixos-generators/proxmox.nix
index 196f802..d199137 100644
--- a/config/nixos-generators/proxmox.nix
+++ b/config/nixos-generators/proxmox.nix
@@ -6,8 +6,7 @@
 cores = 2;
 memory = 1024;
 bios = "seabios";
- # Option not available in 23.05
- # diskSize = "8096";
+ diskSize = "8192";
 virtio0 = "local-zfs:base-disk-0,discard=on";
 boot = "order=virtio0";
 net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1";
From 1fadf39b64e58ba650d161ec76dff3ed71a39aca Mon Sep 17 00:00:00 2001
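Review bot: Removing `X-mount.owner`/`X-mount.group` fixes the boot, but afterwards nothing in the configuration establishes who owns `/mnt/data/mastodon`, `/mnt/data/postgresql` and `/mnt/data/opensearch`; the running VM keeps whatever ownership those directories already have, while a host rebuilt onto a fresh data disk would bind-mount root-owned directories and the services would fail on first write. Make the expectation explicit, e.g. `systemd.tmpfiles.rules = [ "d /mnt/data/mastodon 0750 mastodon mastodon -" ];` (and the postgres/opensearch equivalents), or at least a comment on each `options = [ "bind" ];` stating that the bind source must be pre-owned by the service user. The same pattern is repeated for the matrix and paperless hosts in the following commits and deserves the same treatment.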
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 295/386] Keep valkyrie at 23.05 until I fix wireguard-nat-nftables pkg
---
 hosts.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts.nix b/hosts.nix
index 2214fed..f5ee33c 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -106,6 +106,7 @@ in
 environment = "proxmox";
 };
 valkyrie = {
+ hostNixpkgs = nixpkgs-23-05;
 site = "af";
 environment = "openstack";
 };
From e9ab073be8bcae18fd7cce355b8ded68128226d5 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 296/386] Fix matrix vm not booting due to mount options
---
 config/hosts/matrix/hardware-configuration.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/matrix/hardware-configuration.nix b/config/hosts/matrix/hardware-configuration.nix
index d014f39..fbc56c9 100644
--- a/config/hosts/matrix/hardware-configuration.nix
+++ b/config/hosts/matrix/hardware-configuration.nix
@@ -10,12 +10,12 @@
 depends = [ "/mnt/data" ];
 device = "/mnt/data/media_store";
 fsType = "none";
- options = [ "bind" "X-mount.owner=matrix-synapse" "X-mount.group=matrix-synapse" ];
+ options = [ "bind" ];
 };
 fileSystems."/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}" = {
 depends = [ "/mnt/data" ];
 device = "/mnt/data/database";
 fsType = "none";
- options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ];
+ options = [ "bind" ];
 };
 }
From 70093647542b9a22468c45150b421d73a5270d8c Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 297/386] Fix paperless vm not booting due to mount options
---
 config/hosts/paperless/hardware-configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix
index 69684c1..17b9b66 100644
--- a/config/hosts/paperless/hardware-configuration.nix
+++ b/config/hosts/paperless/hardware-configuration.nix
@@ -24,7 +24,7 @@ depends = [ "/mnt/data" ]; device = "/mnt/data/paperless"; fsType = "none"; - options = [ "bind" "X-mount.owner=paperless" "X-mount.group=paperless" ]; + options = [ "bind" ]; }; }; } From 6f7f8ab7b6b9b69e58dc05a8f3af36fc0ae78d09 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 298/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/150f38bd1e09e20987feacb1b0d5991357532fb5' (2023-09-30) → 'github:nix-community/nixos-generators/246219bc21b943c6f6812bb7744218ba0df08600' (2023-12-04) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/f8a9aa9ca646691f9e192a62624b1548367b5dd9' (2023-12-03) → 'github:NixOS/nixpkgs/71bb3aaf2222f5ac691edb7de046d74c6cfe466b' (2023-12-03) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/1b99d72c8b7468def0c633635c469bf828db33a0' (2023-11-24) → 'github:NixOS/nixpkgs/d08f6384a5d8e5cf28ab243752cd83eed2a5d700' (2023-12-04) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 6dffdd8..19028cb 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1696058303, - "narHash": "sha256-eNqKWpF5zG0SrgbbtljFOrRgFgRzCc4++TMFADBMLnc=", + "lastModified": 1701689616, + "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "150f38bd1e09e20987feacb1b0d5991357532fb5", + "rev": "246219bc21b943c6f6812bb7744218ba0df08600", "type": "github" }, "original": { 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1701592216, - "narHash": "sha256-OVEAu1YBi3i8eB2f5uxR0Yws/uXgj2yHj/I963e6jxU=", + "lastModified": 1701641412, + "narHash": "sha256-8tIujWeoxRnkTjaQK4uzBxvhm0MxHilAi2VjlenQoBg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f8a9aa9ca646691f9e192a62624b1548367b5dd9", + "rev": "71bb3aaf2222f5ac691edb7de046d74c6cfe466b", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1700867874, - "narHash": "sha256-0Dk63BLiG9rmfBf8LxFpz8KgpUkepehVzhhVDgfxWSo=", + "lastModified": 1701653742, + "narHash": "sha256-9bLa7tsNtFSsXZDC+XVHyT6auJxUY+gObkvnEgSV7TM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1b99d72c8b7468def0c633635c469bf828db33a0", + "rev": "d08f6384a5d8e5cf28ab243752cd83eed2a5d700", "type": "github" }, "original": { From 87ef024d566fb36ae140e8bd03b2b35e9dd66ff9 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 299/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/71bb3aaf2222f5ac691edb7de046d74c6cfe466b' (2023-12-03) → 'github:NixOS/nixpkgs/eb48fb87884618b6808a945c9b0561f376996466' (2023-12-11) • Updated input 'nixpkgs-23-05': 'github:NixOS/nixpkgs/42499b9f6515dbca54cec1cae78165fd4e5eccfe' (2023-12-04) → 'github:NixOS/nixpkgs/f3a9ecde534fa67c6fd5426083304463218875b6' (2023-12-11) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/d08f6384a5d8e5cf28ab243752cd83eed2a5d700' (2023-12-04) → 'github:NixOS/nixpkgs/120a26f8ce32ac2bdc0e49a9fed830b7446416b4' (2023-12-11) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 19028cb..9c780b5 100644 --- a/flake.lock +++ b/flake.lock 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1701641412, - "narHash": "sha256-8tIujWeoxRnkTjaQK4uzBxvhm0MxHilAi2VjlenQoBg=", + "lastModified": 1702283490, + "narHash": "sha256-QB/77RvJSDvmaJ9VBAtSingT3x673q3F9VLfOhn2j9A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "71bb3aaf2222f5ac691edb7de046d74c6cfe466b", + "rev": "eb48fb87884618b6808a945c9b0561f376996466", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-23-05": { "locked": { - "lastModified": 1701699333, - "narHash": "sha256-ePa4oynwTNXuc4bqbi5ZMrO72yGuTPukptuMmgXPM5k=", + "lastModified": 1702278230, + "narHash": "sha256-9kiZPvAw5zQfKu5ozmIRlgpVAfC16xlMADuXNvklPF4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "42499b9f6515dbca54cec1cae78165fd4e5eccfe", + "rev": "f3a9ecde534fa67c6fd5426083304463218875b6", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1701653742, - "narHash": "sha256-9bLa7tsNtFSsXZDC+XVHyT6auJxUY+gObkvnEgSV7TM=", + "lastModified": 1702310776, + "narHash": "sha256-T2KJpsNjAytMsP6+xrhXfAb2KTG6Yt2D4hTTugpsJFo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d08f6384a5d8e5cf28ab243752cd83eed2a5d700", + "rev": "120a26f8ce32ac2bdc0e49a9fed830b7446416b4", "type": "github" }, "original": { From 51ad54469347ee4642e6899a18a73c774e1adf36 Mon Sep 17 00:00:00 2001 
From: fi
Date: Wed, 20 Nov 2024 05:46:40 +0100
Subject: [PATCH 300/386] Setup radarr and sonarr on torrent host
---
 config/hosts/torrent/configuration.nix | 29 +++++++
 config/hosts/torrent/default.nix | 11 +++
 config/hosts/torrent/jackett.nix | 6 ++
 config/hosts/torrent/nginx.nix | 80 +++++++++++++++++++
 .../hosts/torrent/qbittorrent-nox/default.nix | 8 ++
 .../hosts/torrent/qbittorrent-nox/nginx.nix | 51 ++++++++++++
 .../torrent/qbittorrent-nox/services.n ix | 13 +++
 .../hosts/torrent/qbittorrent-nox/users.nix | 9 +++
 config/hosts/torrent/radarr.nix | 8 ++
 config/hosts/torrent/secrets.nix | 13 +++
 config/hosts/torrent/sonarr.nix | 8 ++
 .../virtualHosts/acme-challenge.nix | 6 +-
 hosts.nix | 4 +
 13 files changed, 245 insertions(+), 1 deletion(-)
 create mode 100644 config/hosts/torrent/configuration.nix
 create mode 100644 config/hosts/torrent/default.nix
 create mode 100644 config/hosts/torrent/jackett.nix
 create mode 100644 config/hosts/torrent/nginx.nix
 create mode 100644 config/hosts/torrent/qbittorrent-nox/default.nix
 create mode 100644 config/hosts/torrent/qbittorrent-nox/nginx.nix
 create mode 100644 config/hosts/torrent/qbittorrent-nox/services.nix
 create mode 100644 config/hosts/torrent/qbittorrent-nox/users.nix
 create mode 100644 config/hosts/torrent/radarr.nix
 create mode 100644 config/hosts/torrent/secrets.nix
 create mode 100644 config/hosts/torrent/sonarr.nix
diff --git a/config/hosts/torrent/configuration.nix b/config/hosts/torrent/configuration.nix
new file mode 100644
index 0000000..610fde4
--- /dev/null
+++ b/config/hosts/torrent/configuration.nix
@@ -0,0 +1,29 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "torrent";
+ };
+
+ fileSystems = {
+ "/mnt/media" = {
+ device = "//10.202.100.5/media";
+ fsType = "cifs";
+ options = [
+ "username=torrent"
+ "credentials=/secrets/torrent-samba-credentials.secret"
+ "iocharset=utf8"
+ "vers=3.1.1"
+ "uid=torrent"
+ "gid=torrent"
+ "_netdev"
+ ];
+ };
+ };
+
+ system.stateVersion = "23.11";
+}
diff --git a/config/hosts/torrent/default.nix b/config/hosts/torrent/default.nix
new file mode 100644
index 0000000..dc6a854
--- /dev/null
+++ b/config/hosts/torrent/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./jackett.nix
+ ./qbittorrent-nox
+ ./radarr.nix
+ ./sonarr.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/torrent/jackett.nix b/config/hosts/torrent/jackett.nix
new file mode 100644
index 0000000..1b8707e
--- /dev/null
+++ b/config/hosts/torrent/jackett.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ services.jackett = {
+ enable = true;
+ };
+}
diff --git a/config/hosts/torrent/nginx.nix b/config/hosts/torrent/nginx.nix
new file mode 100644
index 0000000..3366a25
--- /dev/null
+++ b/config/hosts/torrent/nginx.nix
@@ -0,0 +1,80 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts = {
+ "jackett.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:9117";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ "radarr.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:7878";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ "sonarr.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:8989";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/config/hosts/torrent/qbittorrent-nox/default.nix b/config/hosts/torrent/qbittorrent-nox/default.nix
new file mode 100644
index 0000000..0afc08c
--- /dev/null
+++ b/config/hosts/torrent/qbittorrent-nox/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./nginx.nix
+ ./services.nix
+ ./users.nix
+ ];
+}
diff --git a/config/hosts/torrent/qbittorrent-nox/nginx.nix b/config/hosts/torrent/qbittorrent-nox/nginx.nix
new file mode 100644
index 0000000..712c856
--- /dev/null
+++ b/config/hosts/torrent/qbittorrent-nox/nginx.nix
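Review bot: The `jackett.grzb.de`, `radarr.grzb.de` and `sonarr.grzb.de` vhosts publish three administrative UIs on `0.0.0.0` ports 80/443 with no access control at the proxy, and as far as I know all three ship with their own authentication disabled until it is configured, so anyone who can reach this host gets control of indexers and download clients. If these names only resolve inside the wg network that limits the exposure, but the file should say so; otherwise add `basicAuthFile` or an `extraConfig = "allow <wg-subnet>; deny all;"` to each vhost and enable the services' built-in authentication before deploying. The three vhost bodies are also identical apart from the port; a small helper removes the triplication and gives one place to put the access rule.

```nix
{ ... }:
let
  # Loopback-only services, one HTTPS vhost each. Any proxy-level access rule
  # (basicAuthFile / allow+deny) belongs here so all three get it.
  mkProxyHost = port: {
    forceSSL = true;
    enableACME = true;
    listen = [
      { addr = "0.0.0.0"; port = 80; }
      { addr = "0.0.0.0"; port = 443; ssl = true; }
    ];
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
      proxyWebsockets = true;
    };
  };
in
{
  services.nginx = {
    enable = true;
    virtualHosts = {
      "jackett.grzb.de" = mkProxyHost 9117;
      "radarr.grzb.de" = mkProxyHost 7878;
      "sonarr.grzb.de" = mkProxyHost 8989;
    };
  };
  # … unchanged: networking.firewall.allowedTCPPorts …
}
```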
@@ -0,0 +1,51 @@
+# Sources for this configuration:
+# - https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI
+# - https://github.com/qbittorrent/qBittorrent/wiki/Linux-WebUI-HTTPS-with-Let's-Encrypt-certificates-and-NGINX-SSL-reverse-proxy
+
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."torrent.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ extraConfig = ''
+ proxy_http_version 1.1;
+
+ client_max_body_size 100M;
+
+ # From:
+ # https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI
+ #
+ # Since v4.2.2, is possible to configure qBittorrent
+ # to set the "Secure" flag for the session cookie automatically.
+ # However, that option does nothing unless using qBittorrent's built-in HTTPS functionality.
+ # For this use case, where qBittorrent itself is using plain HTTP
+ # (and regardless of whether or not the external website uses HTTPS),
+ # the flag must be set here, in the proxy configuration itself.
+ # Note: If this flag is set while the external website uses only HTTP, this will cause
+ # the login mechanism to not work without any apparent errors in console/network resulting in "auth loops".
+ proxy_cookie_path / "/; Secure";
+ '';
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/config/hosts/torrent/qbittorrent-nox/services.nix b/config/hosts/torrent/qbittorrent-nox/services.nix new file mode 100644
index 0000000..4050e15
--- /dev/null
+++ b/config/hosts/torrent/qbittorrent-nox/services.nix
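Review bot: The `locations."/"` block does not pass the client address to qBittorrent, so every request arrives from 127.0.0.1 and qBittorrent's ban-after-consecutive-failures protection keys on the proxy's address — repeated wrong passwords from one client are either never attributed to it or lock out every user at once. The wiki page this file cites also sets `proxy_set_header X-Forwarded-For $remote_addr;` and `proxy_set_header X-Forwarded-Host $http_host;`; for qBittorrent to honour them its reverse-proxy support has to be enabled with the proxy's address listed as trusted, so confirm the deployed version exposes that setting before relying on it. A one-line comment that `Host` is deliberately left at nginx's default (`$proxy_host`, here 127.0.0.1:8080) because that is what qBittorrent's host-header validation accepts would stop the next reader from "fixing" it — unless `recommendedProxySettings` is enabled elsewhere, in which case `Host` is already `$host` and the validation whitelist needs to match.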
@@ -0,0 +1,13 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/issues/236736#issuecomment-1704670598
+# - https://nixos.org/manual/nixos/stable/#sect-nixos-systemd-nixos
+
+{ pkgs, ... }:
+{
+ systemd.packages = [ pkgs.qbittorrent-nox ];
+
+ systemd.services."qbittorrent-nox@torrent" = {
+ overrideStrategy = "asDropin";
+ wantedBy = [ "multi-user.target" ];
+ };
+}
diff --git a/config/hosts/torrent/qbittorrent-nox/users.nix b/config/hosts/torrent/qbittorrent-nox/users.nix new file mode 100644
index 0000000..6e184c9
--- /dev/null
+++ b/config/hosts/torrent/qbittorrent-nox/users.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ users.users.torrent = {
+ isNormalUser = true;
+ group = "torrent";
+ };
+
+ users.groups.torrent = {};
+}
diff --git a/config/hosts/torrent/radarr.nix b/config/hosts/torrent/radarr.nix new file mode 100644
index 0000000..2a28c46
--- /dev/null
+++ b/config/hosts/torrent/radarr.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ services.radarr = {
+ enable = true;
+ user = "torrent";
+ group = "torrent";
+ };
+}
diff --git a/config/hosts/torrent/secrets.nix b/config/hosts/torrent/secrets.nix new file mode 100644
index 0000000..289778a
--- /dev/null
+++ b/config/hosts/torrent/secrets.nix
@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "torrent-samba-credentials.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "torrent/samba-credentials" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/torrent/sonarr.nix b/config/hosts/torrent/sonarr.nix new file mode 100644
index 0000000..fb0186a
--- /dev/null
+++ b/config/hosts/torrent/sonarr.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ services.sonarr = {
+ enable = true;
+ user = "torrent";
+ group = "torrent";
+ };
+}
diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
index eaf7188..4cc28af 100644
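Review bot: `users.users.torrent` in `users.nix` is a single account that, per `radarr.nix` and `sonarr.nix` in this commit (`user = "torrent"; group = "torrent";`) and the `qbittorrent-nox@torrent` instance, runs three network-facing services, so the configuration, API keys and state of all three are readable by whichever one is compromised first. If the shared identity exists only so they can write the same files under `/mnt/media`, a shared group (the mount already uses `gid=torrent`) with one user per service keeps the media access and drops the rest. `isNormalUser = true` also gives the account a home directory and a login shell; if the cited nixpkgs issue is the reason a normal user is required for the qbittorrent-nox template unit, record it next to the declaration, e.g. `# normal user: qbittorrent-nox@ stores its config under the instance's home (see nixpkgs#236736)`.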
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -3,11 +3,15 @@ let acmeDomainMap = { "jellyfin.grzb.de" = "jellyfin.vs.grzb.de"; "mail-1.grzb.de" = "mail-1.vs.grzb.de"; - "social.nekover.se" = "mastodon.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; + "jackett.grzb.de" = "torrent.vs.grzb.de"; + "radarr.grzb.de" = "torrent.vs.grzb.de"; "searx.nekover.se" = "searx.vs.grzb.de"; + "social.nekover.se" = "mastodon.vs.grzb.de"; + "sonarr.grzb.de" = "torrent.vs.grzb.de"; + "torrent.grzb.de" = "torrent.vs.grzb.de"; "turn.nekover.se" = "coturn.vs.grzb.de"; }; in diff --git a/hosts.nix b/hosts.nix index f5ee33c..98e423a 100644 --- a/hosts.nix +++ b/hosts.nix @@ -101,6 +101,10 @@ in site = "vs"; environment = "proxmox"; }; + torrent = { + site = "vs"; + environment = "proxmox"; + }; tor-relay = { site = "vs"; environment = "proxmox"; From 825baee765a5ff009feb31c21fbb35cd4c28acf5 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 301/386] update mastodon to 4.2.3 and enable disable image processing patch --- config/hosts/mastodon/mastodon.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index f2d7304..94b890a 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -6,16 +6,16 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.2"; + version = "4.2.3"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-D3qIrxj6mHtepMAYHq6USOM+ukMF7J/y20/y+CUh5RU="; + sha256 = "sha256-e8O4kxsrHf+wEtl4S57xIL1VEvhUSjyCbmz4r9p8Zhw="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" - #"${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" + "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch" "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch" "${mastodonNekoversePatches}/patches/006_increase_display_name_character_limit.patch" From c99c426191214ce185ddd65956ddb7bb976e23b0 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 302/386] update element-web to 1.11.51 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index c67ca9c..5f38313 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.50"; + elementWebVersion = "1.11.51"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-NdETOxGqY6xae8oQcz9NoXbDuLc0F/YaW0Ql5dxUEks="; + sha256 = "sha256-axHYI83PIF8rpFCULQKqGB2kPIlz88yg2Xoah93ox/A="; }; elementWebSecurityHeaders = '' # Configuration best practices 
From 076e1c138b3b1462dab80231944291f387051305 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 303/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/eb48fb87884618b6808a945c9b0561f376996466' (2023-12-11) → 'github:NixOS/nixpkgs/dff64d4ba6e9dc3f0a4ef8737f372a528d5bc8d1' (2023-12-15) • Updated input 'nixpkgs-23-05': 'github:NixOS/nixpkgs/f3a9ecde534fa67c6fd5426083304463218875b6' (2023-12-11) → 'github:NixOS/nixpkgs/9f617c1533ee1222531c66aa4b80295f89cb7bec' (2023-12-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/120a26f8ce32ac2bdc0e49a9fed830b7446416b4' (2023-12-11) → 'github:NixOS/nixpkgs/02357adddd0889782362d999628de9d309d202dc' (2023-12-15) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 9c780b5..fa2e7d6 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1702283490, - "narHash": "sha256-QB/77RvJSDvmaJ9VBAtSingT3x673q3F9VLfOhn2j9A=", + "lastModified": 1702601832, + "narHash": "sha256-z+GyetKtwj7ZVZrRcI73N8Xy1B3JGAqDyPniBFRpIgo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "eb48fb87884618b6808a945c9b0561f376996466", + "rev": "dff64d4ba6e9dc3f0a4ef8737f372a528d5bc8d1", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-23-05": { "locked": { - "lastModified": 1702278230, - "narHash": "sha256-9kiZPvAw5zQfKu5ozmIRlgpVAfC16xlMADuXNvklPF4=", + "lastModified": 1702635902, + "narHash": "sha256-p2G/kv6/0LTR6B9saAlCwuFkPgeAkuZTGtsyp0waU3M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f3a9ecde534fa67c6fd5426083304463218875b6", + "rev": "9f617c1533ee1222531c66aa4b80295f89cb7bec", "type": "github" }, "original": { 
@@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1702310776, - "narHash": "sha256-T2KJpsNjAytMsP6+xrhXfAb2KTG6Yt2D4hTTugpsJFo=", + "lastModified": 1702635820, + "narHash": "sha256-rClms9NTmSL/WIN5VmEccVhUExMkjCrRNswxU9QGNNo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "120a26f8ce32ac2bdc0e49a9fed830b7446416b4", + "rev": "02357adddd0889782362d999628de9d309d202dc", "type": "github" }, "original": { From e25e9cfbf4601dc0e25d134127f4ac046f585c93 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 304/386] remove jackett host --- config/hosts/jackett/configuration.nix | 14 -------------- config/hosts/jackett/default.nix | 7 ------- config/hosts/jackett/jackett.nix | 6 ------ hosts.nix | 4 ---- 4 files changed, 31 deletions(-) delete mode 100644 config/hosts/jackett/configuration.nix delete mode 100644 config/hosts/jackett/default.nix delete mode 100644 config/hosts/jackett/jackett.nix diff --git a/config/hosts/jackett/configuration.nix b/config/hosts/jackett/configuration.nix deleted file mode 100644 index bd9bde9..0000000 --- a/config/hosts/jackett/configuration.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "jackett"; - firewall.enable = false; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/jackett/default.nix b/config/hosts/jackett/default.nix deleted file mode 100644 index 98e612a..0000000 --- a/config/hosts/jackett/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./jackett.nix - ]; -} diff --git a/config/hosts/jackett/jackett.nix b/config/hosts/jackett/jackett.nix deleted file mode 100644 index 1b8707e..0000000 --- a/config/hosts/jackett/jackett.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - services.jackett = { - enable = true; - }; -} diff --git a/hosts.nix b/hosts.nix index 98e423a..e1b5201 100644 --- a/hosts.nix +++ b/hosts.nix 
@@ -37,10 +37,6 @@ in site = "vs"; environment = "proxmox"; }; - jackett = { - site = "vs"; - environment = "proxmox"; - }; jellyfin = { hostNixpkgs = nixpkgs-unstable; site = "vs"; From 4a45ba7c4c6011975d3708b538543f15959e36d4 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 305/386] name public keys for wireguard-nat-nftables script --- config/hosts/valkyrie/services.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix index 602c80c..5af708c 100644 --- a/config/hosts/valkyrie/services.nix +++ b/config/hosts/valkyrie/services.nix @@ -6,9 +6,12 @@ let interface_address = "172.16.4.180"; wg_interface = "wg0"; pubkey_port_mapping = { + # okayu "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=" = [ 51827 51829 ]; + # korone "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=" = [ 51828 51830 ]; - "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=" = [ 51821 51824 ]; + # june + "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=" = [ 51821 ]; }; }); in From e7bfc5275224e094f0b15b322f9ebea0506b931a Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 306/386] correct confusing comment in wireguard-nat-nftables script --- pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py index c49b4b7..d4c914e 100644 --- a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py +++ b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py 
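Review bot: The rewritten `june` entry also drops `51824` (`[ 51821 51824 ]` → `[ 51821 ]`), a behavioural change the commit subject "name public keys" does not mention; the mapping appears to feed the per-port DNAT rules the script builds, so one forwarded UDP port disappears in a commit that reads as comment-only. Either move the removal into its own commit or add a sentence to the message, and record the reason beside the entry, e.g. `# june (51824 retired)`. The enclosing `let` starts outside the hunk.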
@@ -69,7 +69,7 @@ def main(): print("Changed dnat address from {} to {} for UDP port {}".format(ip, port_ip_mapping[port], port)) port_ip_mapping.pop(port) - # loop through all remaining ports and add needed dnat rules + # loop through all ports and add needed dnat rules for port in port_ip_mapping: rc, output, error = nft.cmd("add rule wireguard-nat prerouting iif {} udp dport {} dnat to {}".format(interface, port, port_ip_mapping[port])) if error: From 3166aed2d1aed858ddf5ae514f0ae724c6e8ccdb Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 307/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/dff64d4ba6e9dc3f0a4ef8737f372a528d5bc8d1' (2023-12-15) → 'github:NixOS/nixpkgs/3da785eeaad3d604ee3bccc0a3f07bfd11cb355a' (2024-01-02) • Updated input 'nixpkgs-23-05': 'github:NixOS/nixpkgs/9f617c1533ee1222531c66aa4b80295f89cb7bec' (2023-12-15) → 'github:NixOS/nixpkgs/2c9c58e98243930f8cb70387934daa4bc8b00373' (2023-12-31) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/02357adddd0889782362d999628de9d309d202dc' (2023-12-15) → 'github:NixOS/nixpkgs/e2e36d8af3b7c465311f11913b7dedd209633c84' (2024-01-02) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index fa2e7d6..ebca7d6 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1702601832, - "narHash": "sha256-z+GyetKtwj7ZVZrRcI73N8Xy1B3JGAqDyPniBFRpIgo=", + "lastModified": 1704172037, + "narHash": "sha256-+IkG0mfxwmaqCd3cGM5zZ2g7wZnPG8mwOQHXCsKhc5s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dff64d4ba6e9dc3f0a4ef8737f372a528d5bc8d1", + "rev": "3da785eeaad3d604ee3bccc0a3f07bfd11cb355a", "type": "github" }, "original": { 
@@ -101,11 +101,11 @@ }, "nixpkgs-23-05": { "locked": { - "lastModified": 1702635902, - "narHash": "sha256-p2G/kv6/0LTR6B9saAlCwuFkPgeAkuZTGtsyp0waU3M=", + "lastModified": 1704018918, + "narHash": "sha256-erjg/HrpC9liEfm7oLqb8GXCqsxaFwIIPqCsknW5aFY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9f617c1533ee1222531c66aa4b80295f89cb7bec", + "rev": "2c9c58e98243930f8cb70387934daa4bc8b00373", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1702635820, - "narHash": "sha256-rClms9NTmSL/WIN5VmEccVhUExMkjCrRNswxU9QGNNo=", + "lastModified": 1704177376, + "narHash": "sha256-6AV8TWX/juwV8delRDtlbUzi1X8irrtCfrtcYByVhCs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "02357adddd0889782362d999628de9d309d202dc", + "rev": "e2e36d8af3b7c465311f11913b7dedd209633c84", "type": "github" }, "original": { From 206eba5b69fdf134878f54c7ebba54ebfc4b7a6f Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 308/386] Update element-web to 1.11.52 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 5f38313..b3cadb2 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.51"; + elementWebVersion = "1.11.52"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-axHYI83PIF8rpFCULQKqGB2kPIlz88yg2Xoah93ox/A="; + sha256 = ""; }; elementWebSecurityHeaders = '' # Configuration best practices From a43107afcaf36b270c65cad80b67aa3c7319431e Mon Sep 17 00:00:00 2001 
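Review bot: `sha256 = "";` leaves the `fetchzip` of the element-web 1.11.52 tarball without an integrity hash, so this revision cannot be built as committed and, more to the point, nothing pins what `element.nekover.se` serves to a known artifact until the hash is filled in; a later commit in this series supplies `sha256-asgx8g9x…` for 1.11.53, but 1.11.52 never gets one. Commit the hash together with the version bump (`nix-prefetch-url --unpack <url>`, or the value from the mismatch error) so every revision in the history is reproducible and verifiable.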
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 309/386] Add jellyseerr host --- config/hosts/jellyseerr/configuration.nix | 22 ++++++++++++++++ config/hosts/jellyseerr/default.nix | 8 ++++++ config/hosts/jellyseerr/jellyseerr.nix | 6 +++++ config/hosts/jellyseerr/nginx.nix | 26 +++++++++++++++++++ .../virtualHosts/acme-challenge.nix | 1 + hosts.nix | 4 +++ 6 files changed, 67 insertions(+) create mode 100644 config/hosts/jellyseerr/configuration.nix create mode 100644 config/hosts/jellyseerr/default.nix create mode 100644 config/hosts/jellyseerr/jellyseerr.nix create mode 100644 config/hosts/jellyseerr/nginx.nix diff --git a/config/hosts/jellyseerr/configuration.nix b/config/hosts/jellyseerr/configuration.nix new file mode 100644 index 0000000..05b8f3f --- /dev/null +++ b/config/hosts/jellyseerr/configuration.nix @@ -0,0 +1,22 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "jellyseerr"; + firewall = { + allowedTCPPorts = [ 80 443 ]; + }; + extraHosts = + '' + 10.202.46.101 jellyfin.grzb.de + 10.202.100.102 radarr.grzb.de + 10.202.100.102 sonarr.grzb.de + ''; + }; + + system.stateVersion = "23.11"; +} diff --git a/config/hosts/jellyseerr/default.nix b/config/hosts/jellyseerr/default.nix new file mode 100644 index 0000000..4a92a1b --- /dev/null +++ b/config/hosts/jellyseerr/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./jellyseerr.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/jellyseerr/jellyseerr.nix b/config/hosts/jellyseerr/jellyseerr.nix new file mode 100644 index 0000000..bd473b0 --- /dev/null +++ b/config/hosts/jellyseerr/jellyseerr.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + services.jellyseerr = { + enable = true; + }; +} diff --git a/config/hosts/jellyseerr/nginx.nix b/config/hosts/jellyseerr/nginx.nix new file mode 100644 index 0000000..139b870 --- /dev/null +++ b/config/hosts/jellyseerr/nginx.nix 
@@ -0,0 +1,26 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + + virtualHosts."jellyseerr.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + + locations."/" = { + proxyPass = "http://localhost:${builtins.toString config.services.jellyseerr.port}"; + }; + }; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 4cc28af..9350a30 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -7,6 +7,7 @@ let "netbox.grzb.de" = "netbox.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; "jackett.grzb.de" = "torrent.vs.grzb.de"; + "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de"; "radarr.grzb.de" = "torrent.vs.grzb.de"; "searx.nekover.se" = "searx.vs.grzb.de"; "social.nekover.se" = "mastodon.vs.grzb.de"; diff --git a/hosts.nix b/hosts.nix index e1b5201..90e1143 100644 --- a/hosts.nix +++ b/hosts.nix @@ -42,6 +42,10 @@ in site = "vs"; environment = "proxmox"; }; + jellyseerr = { + site = "vs"; + environment = "proxmox"; + }; lifeline = { site = "io"; }; From 5e422ab161e2464e7218f0e268bf70159dc402f2 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 310/386] Update element-web to 1.11.53 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index b3cadb2..12a2abb 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
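Review bot: `proxyPass = "http://localhost:${…}"` differs from every other vhost in this series, which target `127.0.0.1`; nginx resolves `localhost` at start-up to all addresses in `/etc/hosts`, so if `::1` is among them and jellyseerr listens on IPv4 only, a share of requests hits a closed socket and shows up as intermittent 502s. `proxyPass = "http://127.0.0.1:${builtins.toString config.services.jellyseerr.port}";` keeps the intent and the house style. Deriving the port from `config.services.jellyseerr.port` instead of a literal is the nicer pattern and could be applied to the torrent host's nginx.nix as well.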
@@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.52"; + elementWebVersion = "1.11.53"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = ""; + sha256 = "sha256-asgx8g9xswBxdQCVnwaeQ2ycqNlfQzBiKc3Uk9GEWCM="; }; elementWebSecurityHeaders = '' # Configuration best practices From 82b79a0200a7e3f30cac58a22a91e3c9600ce02c Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 311/386] Add builder user to hydra for remote building --- config/hosts/hydra/configuration.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix index 53a26b0..eff89d1 100644 --- a/config/hosts/hydra/configuration.nix +++ b/config/hosts/hydra/configuration.nix @@ -21,8 +21,18 @@ }; }; + users.users.builder = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeIiHkHA5c6/jZx+BB28c5wchdzlFI7R1gbvNmPyoOg root@kiara" + ]; + }; + nix = { - settings.allowed-uris = "http:// https://"; + settings = { + trusted-users = [ "builder" ]; + allowed-uris = "http:// https://"; + }; buildMachines = [ { hostName = "localhost"; From 047dd92eac6ef8687ea124d3d60cd8b603117e77 Mon Sep 17 00:00:00 2001 
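Review bot: Adding `builder` to `nix.settings.trusted-users` gives the holder of the `root@kiara` key root-equivalent power over this host's Nix daemon (unsigned store paths, sandbox and substituter overrides), so the key should be limited to what remote building needs. In `openssh.authorizedKeys.keys`, prefix it with `command="nix-store --serve --write",restrict ` (or `nix-daemon --stdio` if the client uses `ssh-ng://`) so the key can only speak the store protocol and cannot open a shell or forward ports, and add a comment naming the client machine and why the trust is required, e.g. `# kiara pushes unsigned build inputs; trusted-users is needed to accept them`. `isNormalUser = true` also gives `builder` a home directory and login shell, which the forced command makes tolerable but is worth stating.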
From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 312/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/3da785eeaad3d604ee3bccc0a3f07bfd11cb355a' (2024-01-02) → 'github:NixOS/nixpkgs/76fc2dd7efd18cb4251db2f35ab6655ee746e961' (2024-01-12) • Updated input 'nixpkgs-23-05': 'github:NixOS/nixpkgs/2c9c58e98243930f8cb70387934daa4bc8b00373' (2023-12-31) → 'github:NixOS/nixpkgs/a1982c92d8980a0114372973cbdfe0a307f1bdea' (2024-01-12) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/e2e36d8af3b7c465311f11913b7dedd209633c84' (2024-01-02) → 'github:NixOS/nixpkgs/a3ada00f8a297a06617b2882a0943c26c8f3f424' (2024-01-13) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index ebca7d6..8f5a50e 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1704172037, - "narHash": "sha256-+IkG0mfxwmaqCd3cGM5zZ2g7wZnPG8mwOQHXCsKhc5s=", + "lastModified": 1705044370, + "narHash": "sha256-QmzSiphBSOCvhzMNUzhtZT/HpK4VyXqWEYRRPNtIfMQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3da785eeaad3d604ee3bccc0a3f07bfd11cb355a", + "rev": "76fc2dd7efd18cb4251db2f35ab6655ee746e961", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-23-05": { "locked": { - "lastModified": 1704018918, - "narHash": "sha256-erjg/HrpC9liEfm7oLqb8GXCqsxaFwIIPqCsknW5aFY=", + "lastModified": 1705033721, + "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2c9c58e98243930f8cb70387934daa4bc8b00373", + "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea", "type": "github" }, "original": { 
@@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1704177376, - "narHash": "sha256-6AV8TWX/juwV8delRDtlbUzi1X8irrtCfrtcYByVhCs=", + "lastModified": 1705157111, + "narHash": "sha256-zMphhlAFOlFgnZLNTsqIqUHfAhw2hCh7uO0Hy0H87Rk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e2e36d8af3b7c465311f11913b7dedd209633c84", + "rev": "a3ada00f8a297a06617b2882a0943c26c8f3f424", "type": "github" }, "original": { From 4dd8b13ba64da34fdca63f2fff637a3893f52e04 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 313/386] Change jellyfin host to stable nixpkgs --- hosts.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts.nix b/hosts.nix index 90e1143..72e0f2b 100644 --- a/hosts.nix +++ b/hosts.nix @@ -38,7 +38,6 @@ in environment = "proxmox"; }; jellyfin = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; From 881c72cb7568f3ad927718b39924c4f61072dc90 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 314/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/76fc2dd7efd18cb4251db2f35ab6655ee746e961' (2024-01-12) → 'github:NixOS/nixpkgs/d71f20967da064275ce084dd823cbd2bd31d5cba' (2024-01-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/a3ada00f8a297a06617b2882a0943c26c8f3f424' (2024-01-13) → 'github:NixOS/nixpkgs/715fac4e39626ca0d24481f3d1fdd54dbeeaced8' (2024-01-15) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 8f5a50e..9b8fd01 100644 --- a/flake.lock +++ b/flake.lock 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705044370, - "narHash": "sha256-QmzSiphBSOCvhzMNUzhtZT/HpK4VyXqWEYRRPNtIfMQ=", + "lastModified": 1705277981, + "narHash": "sha256-N5oh7sam7MTXCLajzgcIlM8lQK0c50/4ndU5x5aoMG8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "76fc2dd7efd18cb4251db2f35ab6655ee746e961", + "rev": "d71f20967da064275ce084dd823cbd2bd31d5cba", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705157111, - "narHash": "sha256-zMphhlAFOlFgnZLNTsqIqUHfAhw2hCh7uO0Hy0H87Rk=", + "lastModified": 1705293701, + "narHash": "sha256-yJs738MxB+RsxGETqESof15lRJ5za6s3NmhjbXt8Kt4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a3ada00f8a297a06617b2882a0943c26c8f3f424", + "rev": "715fac4e39626ca0d24481f3d1fdd54dbeeaced8", "type": "github" }, "original": { From cbe2df1a25e0357f02c3eb6e6c156d0af882e811 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:40 +0100 Subject: [PATCH 315/386] Add keycloak host --- config/hosts/keycloak/configuration.nix | 16 +++ config/hosts/keycloak/default.nix | 8 ++ config/hosts/keycloak/keycloak.nix | 15 +++ config/hosts/keycloak/nginx.nix | 109 ++++++++++++++++++ config/hosts/keycloak/secrets.nix | 13 +++ config/hosts/mail-1/secrets.nix | 8 ++ .../hosts/mail-1/simple-nixos-mailserver.nix | 5 + config/hosts/web-public-2/nginx.nix | 1 + .../virtualHosts/acme-challenge.nix | 1 + hosts.nix | 4 + 10 files changed, 180 insertions(+) create mode 100644 config/hosts/keycloak/configuration.nix create mode 100644 config/hosts/keycloak/default.nix create mode 100644 config/hosts/keycloak/keycloak.nix create mode 100644 config/hosts/keycloak/nginx.nix create mode 100644 config/hosts/keycloak/secrets.nix diff --git a/config/hosts/keycloak/configuration.nix b/config/hosts/keycloak/configuration.nix new file mode 100644 index 0000000..2a80a98 --- /dev/null +++ b/config/hosts/keycloak/configuration.nix 
@@ -0,0 +1,16 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "keycloak";
+ firewall = {
+ allowedTCPPorts = [ 80 443 8443 ];
+ };
+ };
+
+ system.stateVersion = "23.11";
+}
diff --git a/config/hosts/keycloak/default.nix b/config/hosts/keycloak/default.nix new file mode 100644
index 0000000..6289ce6
--- /dev/null
+++ b/config/hosts/keycloak/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./keycloak.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix new file mode 100644
index 0000000..79e9a96
--- /dev/null
+++ b/config/hosts/keycloak/keycloak.nix
@@ -0,0 +1,15 @@
+{ ... }:
+{
+ services.keycloak = {
+ enable = true;
+ settings = {
+ hostname = "id.nekover.se";
+ hostname-admin = "keycloak-admin.nekover.se";
+ hostname-strict-backchannel = true;
+ proxy = "edge";
+ http-host = "127.0.0.1";
+ http-port = 8080;
+ };
+ database.passwordFile = "/secrets/keycloak-database-password.secret";
+ };
+}
diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix new file mode 100644
index 0000000..0c83ea0
--- /dev/null
+++ b/config/hosts/keycloak/nginx.nix
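Review bot: `allowedTCPPorts = [ 80 443 8443 ];` opens the PROXY-protocol listener on 8443 (`listen 0.0.0.0:8443 http2 ssl proxy_protocol;` in this commit's `nginx.nix`) to every peer that can reach the host, although only `10.202.41.100` is meant to talk to it. `set_real_ip_from` only decides whose PROXY header is believed for `$remote_addr`; it does not stop other peers from connecting to that port and sending one, so the port is better restricted at the firewall to the edge proxy's address — with the iptables-based NixOS firewall, an `extraCommands` rule such as `iptables -A nixos-fw -p tcp -s 10.202.41.100 --dport 8443 -j nixos-fw-accept` — and dropped from `allowedTCPPorts`. A comment on the list saying which port belongs to the edge proxy path and which to ACME/redirect traffic would make the intent auditable.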
@@ -0,0 +1,109 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "id.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ # Redirect a user opening any not set location on id.nekover.se to the account management page.
+ "^~ /" = {
+ return = "307 https://id.nekover.se/realms/nekoverse/account/";
+ };
+ "/js/" = {
+ proxyPass = "http://127.0.0.1:8080/js/";
+ };
+ "/realms/" = {
+ proxyPass = "http://127.0.0.1:8080/realms/";
+ };
+ "/resources/" = {
+ proxyPass = "http://127.0.0.1:8080/resources/";
+ };
+ "/robots.txt" = {
+ proxyPass = "http://127.0.0.1:8080/robots.txt";
+ };
+ };
+ extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
+ # The error seemed to occur after logging in and out and in. Maybe related
+ # to Keycloak logout settings, but probably not.
+ # See:
+ # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
+ # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
+ proxy_buffer_size 128k;
+ proxy_buffers 8 128k;
+
+ # Hide the X-Forwarded header.
+ proxy_hide_header X-Forwarded;
+ # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+ # is transparent).
+ # Also provide "_hidden" for by, since it's not relevant.
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+ '';
+ };
+ "keycloak-admin.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+ locations = {
+ # Redirect a user opening any not set location on id.nekover.se to the account management page.
+ "^~ /" = {
+ return = "307 https://keycloak-admin.nekover.se/admin/master/console/";
+ };
+ "/js/" = {
+ proxyPass = "http://127.0.0.1:8080/js/";
+ };
+ "/realms/" = {
+ proxyPass = "http://127.0.0.1:8080/realms/";
+ };
+ "/resources/" = {
+ proxyPass = "http://127.0.0.1:8080/resources/";
+ };
+ "/robots.txt" = {
+ proxyPass = "http://127.0.0.1:8080/robots.txt";
+ };
+ "/admin/" = {
+ proxyPass = "http://127.0.0.1:8080/admin/";
+ };
+ };
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
+ # The error seemed to occur after logging in and out and in. Maybe related
+ # to Keycloak logout settings, but probably not.
+ # See:
+ # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
+ # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
+ proxy_buffer_size 128k;
+ proxy_buffers 8 128k;
+
+ # Hide the X-Forwarded header.
+ proxy_hide_header X-Forwarded;
+ # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+ # is transparent).
+ # Also provide "_hidden" for by, since it's not relevant.
+ proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+ '';
+ };
+ };
+ };
+}
diff --git a/config/hosts/keycloak/secrets.nix b/config/hosts/keycloak/secrets.nix new file mode 100644
index 0000000..984e9ad
--- /dev/null
+++ b/config/hosts/keycloak/secrets.nix
@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "keycloak-database-password.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "keycloak/database-password" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/mail-1/secrets.nix b/config/hosts/mail-1/secrets.nix
index 3352cee..abf9863 100644
--- a/config/hosts/mail-1/secrets.nix
+++ b/config/hosts/mail-1/secrets.nix
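Review bot: Both vhosts rely on `proxy_hide_header X-Forwarded;` under the comment "Hide the X-Forwarded header", but `proxy_hide_header` only filters headers in the upstream's response; nginx passes client request headers through to Keycloak unchanged (it redefines only `Host` and `Connection`), so a client-supplied `X-Forwarded-For`, `X-Forwarded-Proto` or `X-Forwarded-Host` reaches Keycloak, which with `proxy = "edge"` is configured to believe such headers from its proxy. Overwrite them explicitly next to the `Forwarded` line — `proxy_set_header X-Forwarded-For $remote_addr;`, `proxy_set_header X-Forwarded-Proto https;`, `proxy_set_header X-Forwarded-Host $host;` — so the client address Keycloak records for brute-force detection and in its event log is the one nginx saw; whether the deployed Keycloak also parses the RFC 7239 `Forwarded` header is worth confirming before relying on it alone. The comment above `"^~ /"` in the `keycloak-admin.nekover.se` vhost still says "on id.nekover.se to the account management page" while the redirect goes to the admin console; `# Redirect any unmatched location on keycloak-admin.nekover.se to the admin console.` The `extraConfig` body is duplicated between the two vhosts and could be a shared `let` binding so the two cannot drift.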
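Review bot: `group = "systemd-network"` with `permissions = "0640"` makes the Keycloak database password readable by the systemd-networkd group, which has nothing to do with Keycloak; it looks copied from a key that networkd does need, since the other `deployment.keys` entries in this series use `group = "root"`. If the NixOS keycloak module reads `database.passwordFile` as root at start-up, `group = "root"` is sufficient; otherwise the `keycloak` service user or group is the one to grant, never an unrelated system group. A comment stating which process reads the file would prevent the next copy-paste, e.g. `# read by the keycloak service at start-up; grant no other group`.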
@@ -81,5 +81,13 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "mail-id-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/id-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 81fa130..61066e9 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix @@ -51,6 +51,11 @@ sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; + "id@nekover.se" = { + hashedPasswordFile = "/secrets/mail-id-nekover-se.secret"; + sendOnly = true; + aliases = [ "nyareply@nekover.se" ]; + }; }; certificateScheme = "acme-nginx"; }; diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 907cdb8..dead4b7 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -23,6 +23,7 @@ gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; hydra.nekover.se 10.202.41.121:8443; + id.nekover.se 10.202.41.124:8443; matrix.nekover.se 10.202.41.112:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 9350a30..d910998 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -8,6 +8,7 @@ let "grafana.grzb.de" = "metrics.vs.grzb.de"; "jackett.grzb.de" = "torrent.vs.grzb.de"; "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de"; + "keycloak-admin.nekover.se" = "keycloak.vs.grzb.de"; "radarr.grzb.de" = "torrent.vs.grzb.de"; "searx.nekover.se" = "searx.vs.grzb.de"; "social.nekover.se" = "mastodon.vs.grzb.de"; diff --git a/hosts.nix b/hosts.nix index 72e0f2b..4dde06c 100644 --- a/hosts.nix +++ b/hosts.nix 
@@ -45,6 +45,10 @@ in site = "vs"; environment = "proxmox"; }; + keycloak = { + site = "vs"; + environment = "proxmox"; + }; lifeline = { site = "io"; }; From 42f7be1f6f31a098bfb207877db695128869ce70 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 316/386] Add unifi-controller host --- .../hosts/unifi-controller/configuration.nix | 23 +++++++++++++++++++ config/hosts/unifi-controller/default.nix | 7 ++++++ config/hosts/unifi-controller/unifi.nix | 12 ++++++++++ hosts.nix | 4 ++++ 4 files changed, 46 insertions(+) create mode 100644 config/hosts/unifi-controller/configuration.nix create mode 100644 config/hosts/unifi-controller/default.nix create mode 100644 config/hosts/unifi-controller/unifi.nix diff --git a/config/hosts/unifi-controller/configuration.nix b/config/hosts/unifi-controller/configuration.nix new file mode 100644 index 0000000..565cdf7 --- /dev/null +++ b/config/hosts/unifi-controller/configuration.nix @@ -0,0 +1,23 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "unifi-controller"; + firewall = { + allowedTCPPorts = [ 53 8080 8443 8880 8843 6789 27117 ]; + allowedUDPPorts = [ 53 3478 5514 10001 1900 123 ]; + allowedUDPPortRanges = [ + { + from = 5656; + to = 5699; + } + ]; + }; + }; + + system.stateVersion = "23.11"; +} diff --git a/config/hosts/unifi-controller/default.nix b/config/hosts/unifi-controller/default.nix new file mode 100644 index 0000000..f66e094 --- /dev/null +++ b/config/hosts/unifi-controller/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./unifi.nix + ]; +} diff --git a/config/hosts/unifi-controller/unifi.nix b/config/hosts/unifi-controller/unifi.nix new file mode 100644 index 0000000..75a7094 --- /dev/null +++ b/config/hosts/unifi-controller/unifi.nix 
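Review bot: The firewall list in `configuration.nix` opens more than the controller needs: `27117` is the controller's local MongoDB port (Ubiquiti documents it as loopback-only), and `53` (TCP and UDP) and `123` are DNS/NTP ports the controller does not serve, so unless this VM is also meant to be a DNS/NTP server they should be dropped. A tightened version is `allowedTCPPorts = [ 8080 8443 8880 8843 6789 ];` and `allowedUDPPorts = [ 3478 5514 10001 1900 ];` with the `5656`–`5699` range kept. If the `services.unifi` module in use offers `openFirewall`, it opens the documented port set and would replace the hand-maintained list. Either way `8443` exposes the admin UI to the whole `wg` site, which a short comment should state is intended.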
@@ -0,0 +1,12 @@ +{ pkgs, lib, ... }: +{ + services.unifi = { + enable = true; + unifiPackage = pkgs.unifi; + }; + + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ + "unifi-controller" + "mongodb" + ]; +} diff --git a/hosts.nix b/hosts.nix index 4dde06c..aee856e 100644 --- a/hosts.nix +++ b/hosts.nix @@ -112,6 +112,10 @@ in site = "vs"; environment = "proxmox"; }; + unifi-controller = { + site = "wg"; + environment = "proxmox"; + }; valkyrie = { hostNixpkgs = nixpkgs-23-05; site = "af"; From c9d6ec720effd3f0b2bb63ae909afafde0f63468 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 317/386] Add user_oidc app to nextcloud --- config/hosts/nextcloud/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index 22f456e..369b2df 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -14,7 +14,7 @@ configureRedis = true; extraAppsEnable = true; extraApps = with config.services.nextcloud.package.packages.apps; { - inherit bookmarks contacts calendar tasks twofactor_webauthn; + inherit bookmarks contacts calendar tasks twofactor_webauthn user_oidc; }; maxUploadSize = "16G"; extraOptions = { From 1d53ff7a32d3ce6cb43925ca7b1f2795176ddb6a Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 318/386] Enable SSO with keycloak for mastodon --- config/hosts/mastodon/mastodon.nix | 14 ++++++++++++++ config/hosts/mastodon/secrets.nix | 8 ++++++++ 2 files changed, 22 insertions(+) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 94b890a..79c0da0 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -50,7 +50,21 @@ in extraConfig = { SMTP_TLS = "true"; ES_PRESET = "single_node_cluster"; + OIDC_CLIENT_ID = "mastodon"; + OIDC_ENABLED = "true"; + OMNIAUTH_ONLY = "false"; + OIDC_DISPLAY_NAME = "Login with Nekoverse ID"; + OIDC_ISSUER = "https://id.nekover.se/realms/nekoverse"; + OIDC_DISCOVERY = "true"; + OIDC_SCOPE = "openid,profile,email"; + OIDC_UID_FIELD = "preferred_username"; + OIDC_REDIRECT_URI = "https://social.nekover.se/auth/auth/openid_connect/callback"; + OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"; + OIDC_END_SESSION_ENDPOINT = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/logout"; }; + extraEnvFiles = [ + "/secrets/mastodon-keycloak-client-secret.secret" + ]; elasticsearch.host = "127.0.0.1"; }; } diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index 42f7489..f1f9457 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix @@ -33,5 +33,13 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "mastodon-keycloak-client-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/keycloak-client-secret" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } From eb98a735b3410418fa93642674070ff7b7010d5d Mon Sep 17 00:00:00 2001 
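Review bot: `OIDC_UID_FIELD = "preferred_username"` keys Mastodon identities on a mutable, reusable Keycloak attribute, so a renamed or re-registered username in the `nekoverse` realm would be mapped onto the old Mastodon account; use the stable subject instead, `OIDC_UID_FIELD = "sub";`, unless the realm forbids username changes and reuse. `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"` additionally lets an IdP account be linked to an existing local account by e-mail, which is only safe if the realm enforces verified e-mails; a comment such as `# Keycloak is the only IdP and the nekoverse realm requires verified e-mails, so e-mail-based account linking is trusted.` should record that assumption. The `extraEnvFiles` entry has to contain `OIDC_CLIENT_SECRET=...` in dotenv form, which the file name does not convey and deserves a comment next to it. The enclosing `services.mastodon` set starts outside the hunk.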
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 319/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/246219bc21b943c6f6812bb7744218ba0df08600' (2023-12-04) → 'github:nix-community/nixos-generators/521fb4cdd8a2e1a00d1adf0fea7135d1faf04234' (2024-01-16) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/d71f20967da064275ce084dd823cbd2bd31d5cba' (2024-01-15) → 'github:NixOS/nixpkgs/8ae7c0e4333357288dc0ce3b6ae2c1685bf11fe0' (2024-01-18) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/715fac4e39626ca0d24481f3d1fdd54dbeeaced8' (2024-01-15) → 'github:NixOS/nixpkgs/7f10f172110477ea263d63b6c793ebd8637eed63' (2024-01-18) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 9b8fd01..3ac7c91 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1701689616, - "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=", + "lastModified": 1705400161, + "narHash": "sha256-0MFaNIwwpVWB1N9m7cfHAM2pSVtYESQ7tlHxnDTOhM4=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "246219bc21b943c6f6812bb7744218ba0df08600", + "rev": "521fb4cdd8a2e1a00d1adf0fea7135d1faf04234", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705277981, - "narHash": "sha256-N5oh7sam7MTXCLajzgcIlM8lQK0c50/4ndU5x5aoMG8=", + "lastModified": 1705596992, + "narHash": "sha256-35rXLgkJS050C8O8hj/zdoJq2zaglyBklGWWuyJ2YsU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d71f20967da064275ce084dd823cbd2bd31d5cba", + "rev": "8ae7c0e4333357288dc0ce3b6ae2c1685bf11fe0", "type": "github" }, "original": { 
@@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705293701, - "narHash": "sha256-yJs738MxB+RsxGETqESof15lRJ5za6s3NmhjbXt8Kt4=", + "lastModified": 1705604756, + "narHash": "sha256-/yf1XDVcuGbUOE1bZkFJlQc91QcPJbu6PFLN4fHjdNQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "715fac4e39626ca0d24481f3d1fdd54dbeeaced8", + "rev": "7f10f172110477ea263d63b6c793ebd8637eed63", "type": "github" }, "original": { From f3292dcb86cd36cc1619e4f21f75ee8bc652b424 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 320/386] Enable Keycloak SSO for matrix --- config/hosts/matrix/matrix-synapse.nix | 2 ++ config/hosts/matrix/secrets.nix | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 1a4fb12..6527503 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -54,10 +54,12 @@ }; environmentFile = "/secrets/matrix-SYNCV3_SECRET.secret"; }; + extras = [ "oidc" ]; extraConfigFiles = [ "/secrets/matrix-registration-shared-secret.secret" "/secrets/matrix-turn-shared-secret.secret" "/secrets/matrix-email-smtp-pass.secret" + "/secrets/matrix-keycloak-client-secret.secret" ]; }; } diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index dac6301..68e4771 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix @@ -41,5 +41,13 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "matrix-keycloak-client-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } From 89271781d885a5cd576b6bddc5371b7d3920fc11 Mon Sep 17 00:00:00 2001 
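Review bot: `/secrets/matrix-keycloak-client-secret.secret` is added to `extraConfigFiles`, which Synapse merges as full YAML, so the file produced from `pass matrix/keycloak-client-secret` must hold the whole `oidc_providers:` block (issuer, client id, scopes, user mapping) rather than a bare secret, which is not what the name suggests; add `# Full oidc_providers YAML fragment, not only the client secret.` above the entry or rename the key. If the Synapse in use supports `client_secret_path`, the provider block can live in `settings` and the secret file can contain only the secret, keeping the non-secret OIDC settings in the repo where they can be reviewed. The enclosing `services.matrix-synapse` set starts outside the hunk.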
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 321/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8ae7c0e4333357288dc0ce3b6ae2c1685bf11fe0' (2024-01-18) → 'github:NixOS/nixpkgs/c5b6c179f7b7adce1ee234df23e5cb9f1a78f87b' (2024-01-20) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/7f10f172110477ea263d63b6c793ebd8637eed63' (2024-01-18) → 'github:NixOS/nixpkgs/7da66b359bcffc532b67035b54b49c25b0c0480c' (2024-01-21) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 3ac7c91..38a4303 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705596992, - "narHash": "sha256-35rXLgkJS050C8O8hj/zdoJq2zaglyBklGWWuyJ2YsU=", + "lastModified": 1705781397, + "narHash": "sha256-pOlDs1paCIAhr84QjFG72iv4iBsr0pIQyItxRHJhevE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8ae7c0e4333357288dc0ce3b6ae2c1685bf11fe0", + "rev": "c5b6c179f7b7adce1ee234df23e5cb9f1a78f87b", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705604756, - "narHash": "sha256-/yf1XDVcuGbUOE1bZkFJlQc91QcPJbu6PFLN4fHjdNQ=", + "lastModified": 1705847418, + "narHash": "sha256-I0EzjhMl5D/PI54DYhL/9iXmFmNb75M7PJ8/yrU5Z1A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7f10f172110477ea263d63b6c793ebd8637eed63", + "rev": "7da66b359bcffc532b67035b54b49c25b0c0480c", "type": "github" }, "original": { From d496986ec833c8bfc0dee7b2deb65050a7a1066c Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 322/386] Update Nextcloud to nextcloud28 --- config/hosts/nextcloud/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index 369b2df..839d15d 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -2,7 +2,7 @@ { services.nextcloud = { enable = true; - package = pkgs.nextcloud27; + package = pkgs.nextcloud28; hostName = "cloud.nekover.se"; https = true; config = { From 3b6e9351727f8144279d0ab2a421ea4bedddf7e9 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 323/386] Update mail servers to NixOS 23.11 --- flake.lock | 24 ++++++++++++++++++++---- flake.nix | 2 +- hosts.nix | 2 -- 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 38a4303..818a43f 100644 --- a/flake.lock +++ b/flake.lock @@ -130,6 +130,21 @@ "type": "indirect" } }, + "nixpkgs-23_11": { + "locked": { + "lastModified": 1705774713, + "narHash": "sha256-j6ADaDH9XiumUzkTPlFyCBcoWYhO83lfgiSqEJF2zcs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1b64fc1287991a9cce717a01c1973ef86cb1af0b", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.11", + "type": "indirect" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1705847418, @@ -177,19 +192,20 @@ "nixpkgs": "nixpkgs_2", "nixpkgs-22_11": "nixpkgs-22_11", "nixpkgs-23_05": "nixpkgs-23_05", + "nixpkgs-23_11": "nixpkgs-23_11", "utils": "utils" }, "locked": { - "lastModified": 1687462267, - "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=", + "lastModified": 1703023684, + "narHash": "sha256-XQU4OaacV0F2tf9cNAvIMqlC0HBIrAtvb0MLjIHt+7M=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "24128c3052090311688b09a400aa408ba61c6ee5", + "rev": "4bfb8eb058f098302c97b909df2d019926e11220", "type": "gitlab" }, "original": { "owner": "simple-nixos-mailserver", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixos-mailserver", "type": "gitlab" } 
diff --git a/flake.nix b/flake.nix index 337bdfa..585b96e 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,7 @@ url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; - simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; }; outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: diff --git a/hosts.nix b/hosts.nix index aee856e..dd86f1c 100644 --- a/hosts.nix +++ b/hosts.nix @@ -53,12 +53,10 @@ in site = "io"; }; mail-1 = { - hostNixpkgs = nixpkgs-23-05; site = "vs"; environment = "proxmox"; }; mail-2 = { - hostNixpkgs = nixpkgs-23-05; site = "wg"; environment = "proxmox"; }; From 2bc1c4371d75af2cc98b74f09cfe0abbd5d62a13 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 324/386] Add forgejo host --- config/hosts/forgejo/configuration.nix | 16 +++++ config/hosts/forgejo/default.nix | 9 +++ config/hosts/forgejo/forgejo.nix | 60 +++++++++++++++++++ config/hosts/forgejo/nginx.nix | 37 ++++++++++++ config/hosts/forgejo/redis.nix | 12 ++++ config/hosts/forgejo/secrets.nix | 13 ++++ config/hosts/mail-1/secrets.nix | 8 +++ .../hosts/mail-1/simple-nixos-mailserver.nix | 5 ++ config/hosts/web-public-2/nginx.nix | 1 + .../virtualHosts/acme-challenge.nix | 1 + hosts.nix | 4 ++ 11 files changed, 166 insertions(+) create mode 100644 config/hosts/forgejo/configuration.nix create mode 100644 config/hosts/forgejo/default.nix create mode 100644 config/hosts/forgejo/forgejo.nix create mode 100644 config/hosts/forgejo/nginx.nix create mode 100644 config/hosts/forgejo/redis.nix create mode 100644 config/hosts/forgejo/secrets.nix diff --git a/config/hosts/forgejo/configuration.nix b/config/hosts/forgejo/configuration.nix new file mode 100644 index 0000000..66a5736 --- /dev/null +++ b/config/hosts/forgejo/configuration.nix 
@@ -0,0 +1,16 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "forgejo";
+ firewall = {
+ allowedTCPPorts = [ 80 8443 ];
+ };
+ };
+
+ system.stateVersion = "23.11";
+}
diff --git a/config/hosts/forgejo/default.nix b/config/hosts/forgejo/default.nix
new file mode 100644
index 0000000..d71bcad
--- /dev/null
+++ b/config/hosts/forgejo/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./forgejo.nix
+ ./redis.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix
new file mode 100644
index 0000000..d9f4a36
--- /dev/null
+++ b/config/hosts/forgejo/forgejo.nix
@@ -0,0 +1,60 @@
+{ ... }:
+{
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ mailerPasswordFile = "/secrets/forgejo-mailer-password.secret";
+
+ settings = {
+ DEFAULT = {
+ APP_NAME = "Nekoverse Git";
+ };
+ server = {
+ DOMAIN = "git.nekover.se";
+ PROTOCOL = "http";
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 3000;
+ ROOT_URL = "https://git.nekover.se/";
+ # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
+ # Doesn't need to be set.
+ };
+ admin = {
+ DISABLE_REGULAR_ORG_CREATION = false;
+ };
+ session = {
+ COOKIE_SECURE = true;
+ };
+ "ui.meta" = {
+ AUTHOR = "Nekoverse Git";
+ DESCRIPTION = "Git instance of the Nekoverse.";
+ KEYWORDS = "git,forge,forgejo,nekoverse";
+ };
+ service = {
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ DEFAULT_USER_VISIBILITY = "limited";
+ DEFAULT_KEEP_EMAIL_PRIVATE = true;
+ ENABLE_BASIC_AUTHENTICATION = false;
+ };
+ repo = {
+ DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
+ };
+ actions = {
+ ENABLED = true;
+ ARTIFACT_RETENTION_DAYS = 30;
+ };
+ mailer = {
+ ENABLED = true;
+ FROM = "nyareply@nekover.se";
+ PROTOCOL = "smtps";
+ SMTP_ADDR = "mail-1.grzb.de";
+ SMTP_PORT = 465;
+ USER = "forgejo@nekover.se";
+ };
+ cache = {
+ ENABLED = true;
+ ADAPTER = "redis";
+ HOST = "redis+socket:///run/redis-forgejo/redis.sock";
+ };
+ };
+ };
+}
diff --git a/config/hosts/forgejo/nginx.nix b/config/hosts/forgejo/nginx.nix
new file mode 100644
index 0000000..6df90b1
--- /dev/null
+++ b/config/hosts/forgejo/nginx.nix
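Review bot: `ENABLE_BASIC_AUTHENTICATION = false` in `service` disables HTTP basic auth entirely, which in Gitea/Forgejo also covers token-as-password authentication for git over HTTPS and the API, so with this setting pushes and API calls have to use SSH or bearer tokens; if that is intended, say so with a comment such as `# Basic auth (incl. token-as-password) is off: git over HTTPS is not offered, use SSH.`, otherwise confirm against the Forgejo version in use. `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` depends on an OAuth2 authentication source configured outside this file (none is visible here); a comment naming that source would keep the two in sync. `actions.ENABLED = true` only takes effect once runners are registered, and a runner may execute workflow content from pull requests, so the runner's isolation should be documented when it is added.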
@@ -0,0 +1,37 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."git.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "${config.services.forgejo.settings.server.PROTOCOL}://${config.services.forgejo.settings.server.HTTP_ADDR}:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+ };
+
+ # Disallow crawling archives to save disk space.
+ # See: https://forgejo.org/docs/latest/admin/search-engines-indexation/
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
+ };
+
+ extraConfig = ''
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/forgejo/redis.nix b/config/hosts/forgejo/redis.nix
new file mode 100644
index 0000000..f1533bc
--- /dev/null
+++ b/config/hosts/forgejo/redis.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ services.redis.servers.forgejo = {
+ enable = true;
+ user = "forgejo";
+ };
+
+ systemd.services.forgejo = {
+ after = [ "redis-forgejo.service" ];
+ requires = [ "redis-forgejo.service" ];
+ };
+}
diff --git a/config/hosts/forgejo/secrets.nix b/config/hosts/forgejo/secrets.nix
new file mode 100644
index 0000000..5c23295
--- /dev/null
+++ b/config/hosts/forgejo/secrets.nix
@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "forgejo-mailer-password.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
+ destDir = "/secrets";
+ user = "forgejo";
+ group = "forgejo";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/mail-1/secrets.nix b/config/hosts/mail-1/secrets.nix
index abf9863..581461f 100644
--- a/config/hosts/mail-1/secrets.nix
+++ b/config/hosts/mail-1/secrets.nix
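Review bot: The `/` location proxies to Forgejo without forwarding the client address or scheme and without raising `client_max_body_size`, so Forgejo sees every request as coming from `127.0.0.1` (its login throttling and logs lose the real IP that `real_ip_header proxy_protocol` recovers) and nginx's default 1 MiB body limit will reject larger pushes and attachments over HTTPS. Setting `recommendedProxySettings = true;` on `services.nginx` (or `proxy_set_header X-Real-IP $remote_addr;` plus `X-Forwarded-Proto` in the location) and a `client_max_body_size` in `extraConfig` sized to what the instance should accept addresses both. Forgejo trusts these headers from `127.0.0.0/8` by default, which matches this loopback upstream.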
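Review bot: `user = "forgejo"` in `redis.nix` runs the Redis server under the Forgejo service account, so a compromised or misbehaving Redis has the same rights as Forgejo itself, including read access to `/secrets/forgejo-mailer-password.secret` (deployed `forgejo:forgejo 0640`) and the repositories. Keeping the module's dedicated `redis-forgejo` user and granting Forgejo the socket instead — `users.users.forgejo.extraGroups = [ "redis-forgejo" ];`, assuming the module's default group-accessible socket permissions — keeps the two services separated; if the shared user is a deliberate shortcut, a comment should say so.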
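Review bot: `forgejo-mailer-password.secret` is filled from `pass mail/forgejo-nekover-se`, and the mail-1 hunk on the next line feeds the same entry into `hashedPasswordFile` for `forgejo@nekover.se`; Forgejo needs the plaintext SMTP password here while the mailserver expects a password hash, so one `pass` entry cannot satisfy both unless `keyCommandEnv` or the entry's layout does something not visible in this diff. Either use a second entry holding the hash for mail-1, or add a comment above `keyCommand` explaining how the shared entry is consumed on each host.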
@@ -89,5 +89,13 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "mail-forgejo-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 61066e9..a4b426a 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix @@ -56,6 +56,11 @@ sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; + "forgejo@nekover.se" = { + hashedPasswordFile = "/secrets/mail-forgejo-nekover-se.secret"; + sendOnly = true; + aliases = [ "nyareply@nekover.se" ]; + }; }; certificateScheme = "acme-nginx"; }; diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index dead4b7..8debb31 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -22,6 +22,7 @@ element.nekover.se 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; + git.nekover.se 10.202.41.106:8443; hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; matrix.nekover.se 10.202.41.112:8443; diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index d910998..558aa95 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -5,6 +5,7 @@ let "mail-1.grzb.de" = "mail-1.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; + "git.nekover.se" = "forgejo.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; "jackett.grzb.de" = "torrent.vs.grzb.de"; "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de"; diff --git a/hosts.nix b/hosts.nix index dd86f1c..80145ea 100644 --- a/hosts.nix +++ b/hosts.nix 
@@ -45,6 +45,10 @@ in site = "vs"; environment = "proxmox"; }; + forgejo = { + site = "vs"; + environment = "proxmox"; + }; keycloak = { site = "vs"; environment = "proxmox"; From 9def35ce2ef05def9ab2d93cee9fccc8c217c80f Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 325/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/521fb4cdd8a2e1a00d1adf0fea7135d1faf04234' (2024-01-16) → 'github:nix-community/nixos-generators/896f6589db5b25023b812bbb6c1f5d3a499b1132' (2024-01-24) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/c5b6c179f7b7adce1ee234df23e5cb9f1a78f87b' (2024-01-20) → 'github:NixOS/nixpkgs/11d4781721d16e949fbd61f67bc6b09341b7bfc6' (2024-01-26) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/7da66b359bcffc532b67035b54b49c25b0c0480c' (2024-01-21) → 'github:NixOS/nixpkgs/7ac72b3ee2af9bab80d66addd9b237277cc975c5' (2024-01-26) • Updated input 'simple-nixos-mailserver': 'gitlab:simple-nixos-mailserver/nixos-mailserver/4bfb8eb058f098302c97b909df2d019926e11220' (2023-12-19) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/e47f3719f1db3e0961a4358d4cb234a0acaa7baf' (2024-01-25) • Updated input 'simple-nixos-mailserver/nixpkgs': 'github:NixOS/nixpkgs/64e0bf055f9d25928c31fb12924e59ff8ce71e60' (2022-12-11) → 'github:NixOS/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21) • Removed input 'simple-nixos-mailserver/nixpkgs-22_11' • Updated input 'simple-nixos-mailserver/nixpkgs-23_05': 'github:NixOS/nixpkgs/8966c43feba2c701ed624302b6a935f97bcbdf88' (2023-05-22) → 'github:NixOS/nixpkgs/70bdadeb94ffc8806c0570eb5c2695ad29f0e421' (2024-01-03) • Updated input 'simple-nixos-mailserver/nixpkgs-23_11': 'github:NixOS/nixpkgs/1b64fc1287991a9cce717a01c1973ef86cb1af0b' (2024-01-20) → 'github:NixOS/nixpkgs/a77ab169a83a4175169d78684ddd2e54486ac651' (2024-01-24) --- flake.lock | 58 ++++++++++++++++++++---------------------------------- 1 file changed, 21 insertions(+), 37 deletions(-) diff --git a/flake.lock b/flake.lock index 818a43f..29dfa51 100644 --- a/flake.lock +++ b/flake.lock 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1705400161, - "narHash": "sha256-0MFaNIwwpVWB1N9m7cfHAM2pSVtYESQ7tlHxnDTOhM4=", + "lastModified": 1706085261, + "narHash": "sha256-7PgpHRHyShINcqgevPP1fJ6N8kM5ZSOJnk3QZBrOCQ0=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "521fb4cdd8a2e1a00d1adf0fea7135d1faf04234", + "rev": "896f6589db5b25023b812bbb6c1f5d3a499b1132", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705781397, - "narHash": "sha256-pOlDs1paCIAhr84QjFG72iv4iBsr0pIQyItxRHJhevE=", + "lastModified": 1706306662, + "narHash": "sha256-CVeZHdqbJ63Z+2l9FNcje6AfTdG4Y3WbFHuEn0RFUl0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c5b6c179f7b7adce1ee234df23e5cb9f1a78f87b", + "rev": "11d4781721d16e949fbd61f67bc6b09341b7bfc6", "type": "github" }, "original": { @@ -84,21 +84,6 @@ "type": "github" } }, - "nixpkgs-22_11": { - "locked": { - "lastModified": 1669558522, - "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-22.11", - "type": "indirect" - } - }, "nixpkgs-23-05": { "locked": { "lastModified": 1705033721, @@ -117,11 +102,11 @@ }, "nixpkgs-23_05": { "locked": { - "lastModified": 1684782344, - "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "type": "github" }, "original": { 
@@ -132,11 +117,11 @@ }, "nixpkgs-23_11": { "locked": { - "lastModified": 1705774713, - "narHash": "sha256-j6ADaDH9XiumUzkTPlFyCBcoWYhO83lfgiSqEJF2zcs=", + "lastModified": 1706098335, + "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1b64fc1287991a9cce717a01c1973ef86cb1af0b", + "rev": "a77ab169a83a4175169d78684ddd2e54486ac651", "type": "github" }, "original": { @@ -147,11 +132,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705847418, - "narHash": "sha256-I0EzjhMl5D/PI54DYhL/9iXmFmNb75M7PJ8/yrU5Z1A=", + "lastModified": 1706275741, + "narHash": "sha256-53O2JHFdDTWHzTfLkZRAZVAk9ntChFhcTTnAtj6bJKE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7da66b359bcffc532b67035b54b49c25b0c0480c", + "rev": "7ac72b3ee2af9bab80d66addd9b237277cc975c5", "type": "github" }, "original": { @@ -163,11 +148,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1670751203, - "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=", + "lastModified": 1705856552, + "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60", + "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", "type": "github" }, "original": { @@ -190,17 +175,16 @@ "blobs": "blobs", "flake-compat": "flake-compat", "nixpkgs": "nixpkgs_2", - "nixpkgs-22_11": "nixpkgs-22_11", "nixpkgs-23_05": "nixpkgs-23_05", "nixpkgs-23_11": "nixpkgs-23_11", "utils": "utils" }, "locked": { - "lastModified": 1703023684, - "narHash": "sha256-XQU4OaacV0F2tf9cNAvIMqlC0HBIrAtvb0MLjIHt+7M=", + "lastModified": 1706219574, + "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "4bfb8eb058f098302c97b909df2d019926e11220", + "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf", "type": "gitlab" }, "original": { From 649027b9a0bb733019e2ce4e469cf5d17cfb606d Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 326/386] Use jackett packge from unstable to work around faulty test --- config/hosts/torrent/jackett.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/config/hosts/torrent/jackett.nix b/config/hosts/torrent/jackett.nix index 1b8707e..6aa6e5e 100644 --- a/config/hosts/torrent/jackett.nix +++ b/config/hosts/torrent/jackett.nix @@ -1,6 +1,8 @@ -{ ... }: +{ nixpkgs-unstable, ... }: { services.jackett = { enable = true; + # use package from unstable to work around faulty test in older jackett version + package = nixpkgs-unstable.legacyPackages."x86_64-linux".jackett; }; } From 58b47abc8b3f19bc57f1b7114b53557fbdb79746 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 327/386] Update mastodon to 4.2.4 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 79c0da0..4bb680c 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.3"; + version = "4.2.4"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-e8O4kxsrHf+wEtl4S57xIL1VEvhUSjyCbmz4r9p8Zhw="; + sha256 = "sha256-YPGOe9wywRls26PqEbqFeQRg7rcnRBO2NyiNW1fssts="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" From 966b383494168ccfd896cd226a7f09f5099fbf47 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 328/386] Update element-web to 1.11.55 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
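Review bot: `nixpkgs-unstable.legacyPackages."x86_64-linux".jackett` hard-codes the system string; `nixpkgs-unstable.legacyPackages.${pkgs.stdenv.hostPlatform.system}.jackett` (taking `pkgs` in the module arguments) follows the host instead. Pulling one package from a second channel also means its whole dependency closure tracks unstable on an otherwise stable host; if the "faulty test" is only the package's check phase, `pkgs.jackett.overrideAttrs (_: { doCheck = false; })` would keep the stable build, so the comment should name which test fails and why the unstable package was preferred.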
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 12a2abb..4d5e3b9 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.53"; + elementWebVersion = "1.11.55"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-asgx8g9xswBxdQCVnwaeQ2ycqNlfQzBiKc3Uk9GEWCM="; + sha256 = "sha256-lM1P23MTqAgrw3vjNSzDswmn0n8SRY6dBD0aELmoqsQ="; }; elementWebSecurityHeaders = '' # Configuration best practices From 0186301a188c116bc7f090162b9dab3fce1682ce Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 329/386] Update mastodon to 4.2.5 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 4bb680c..7822faa 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.4"; + version = "4.2.5"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-YPGOe9wywRls26PqEbqFeQRg7rcnRBO2NyiNW1fssts="; + sha256 = "sha256-dgC5V/CVE9F1ORTjPWUWc/JVcWCEj/pb4eWpDV0WliY="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" From 4631413424e7d81849af9fe1fbbc66b3317504b2 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 330/386] Enable new Element calls in element-web --- .../virtualHosts/element-web-config/config.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json index 9877940..1da5a3e 100644 --- a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json +++ b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json @@ -27,7 +27,10 @@ "default_country_code": "DE", "show_labs_settings": true, "features": { - "feature_dehydration": true + "feature_dehydration": true, + "feature_video_rooms": true, + "feature_element_call_video_rooms": true, + "feature_group_calls": true }, "default_federate": true, "default_theme": "dark", @@ -47,4 +50,4 @@ "jitsi": { "preferredDomain": "meet.element.io" } -} +} \ No newline at end of file From 7946d94609ecd677f3f83838bca7ccbb471ddea6 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 331/386] Bump element-web to 1.11.58 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 4d5e3b9..876a25e 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
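Review bot: The last line of the `config.json` hunk replaces the closing `}` with one lacking a trailing newline (`\ No newline at end of file`); restore the newline so the file stays POSIX-clean and future diffs do not churn this line. As documented for Element's `config.json`, entries in `features` force a flag on or off for every user rather than offering it as a labs opt-in, so `feature_video_rooms`, `feature_element_call_video_rooms` and `feature_group_calls` are now enabled for everyone on this deployment; since strict JSON allows no comments, the commit message is the place to state that this is intended.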
@@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.55"; + elementWebVersion = "1.11.58"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-lM1P23MTqAgrw3vjNSzDswmn0n8SRY6dBD0aELmoqsQ="; + sha256 = "sha256-986R9DIGD0twoVXAVHyeO33uLz4CZsajgv5Gn2vd2gE="; }; elementWebSecurityHeaders = '' # Configuration best practices From d491e6adbc23b37f9830ed60079749ebdb636e2a Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 332/386] Bump mastodon to 4.2.8 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 7822faa..7c055e6 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.5"; + version = "4.2.8"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-dgC5V/CVE9F1ORTjPWUWc/JVcWCEj/pb4eWpDV0WliY="; + sha256 = "sha256-7/E7iHqJxmYSorXYti7h8EbP7wcOAaD04ToLeU2I/nY="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" From b1cb6c95009affa2f6f86182d8770749c450c0bd Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 333/386] Add nixpkgs master channel --- flake.lock | 43 ++++++++++++++++++++++++++++++------------- flake.nix | 7 ++++--- 2 files changed, 34 insertions(+), 16 deletions(-) diff --git a/flake.lock b/flake.lock index 29dfa51..05eff3a 100644 --- a/flake.lock +++ b/flake.lock 
@@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1693701915, - "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=", + "lastModified": 1708821942, + "narHash": "sha256-jd+E1SD59qty65pwqad2mftzkT6vW5nNFWVuvayh4Zw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25", + "rev": "479831ed8b3c9c7b80533999f880c7d0bf6a491b", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1706085261, - "narHash": "sha256-7PgpHRHyShINcqgevPP1fJ6N8kM5ZSOJnk3QZBrOCQ0=", + "lastModified": 1708940320, + "narHash": "sha256-QOWRJlqT5FRESiaO42/QV/GbSRNKSa4XUDs3cNQsoWI=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "896f6589db5b25023b812bbb6c1f5d3a499b1132", + "rev": "5b7772406956f95e8a0e1f27218b1e7cf6e9164a", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706306662, - "narHash": "sha256-CVeZHdqbJ63Z+2l9FNcje6AfTdG4Y3WbFHuEn0RFUl0=", + "lastModified": 1708905176, + "narHash": "sha256-pphkt8iO8CV/TugI7bsPOvFzi5mRSifkEQiwqYBK28s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "11d4781721d16e949fbd61f67bc6b09341b7bfc6", + "rev": "227a4c47bef2390a7925693c51489e84169b1957", "type": "github" }, "original": { 
@@ -130,13 +130,29 @@ "type": "indirect" } }, - "nixpkgs-unstable": { + "nixpkgs-master": { "locked": { - "lastModified": 1706275741, - "narHash": "sha256-53O2JHFdDTWHzTfLkZRAZVAk9ntChFhcTTnAtj6bJKE=", + "lastModified": 1708963602, + "narHash": "sha256-ODloNfAj9CUN44L1VEvjh5nwV6pseDUZ3/lI6IgYUeo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7ac72b3ee2af9bab80d66addd9b237277cc975c5", + "rev": "cd2ec848a90ffdbe716c8829e6c4f75406c5b1a3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1708954320, + "narHash": "sha256-n3LXNMlz7ORCjfIrIUo19a844Fec2+yg7k6NspdVCxs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "94cda73bf2fd675de987db7c3ac81e861b892266", "type": "github" }, "original": { @@ -166,6 +182,7 @@ "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nixpkgs-23-05": "nixpkgs-23-05", + "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } diff --git a/flake.nix b/flake.nix index 585b96e..c789cbb 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,7 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + nixpkgs-master.url = "github:NixOS/nixpkgs/master"; nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05-small"; nixos-generators = { url = "github:nix-community/nixos-generators"; @@ -10,7 +11,7 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; 
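Review bot: `nixpkgs-master.url = "github:NixOS/nixpkgs/master";` tracks the untested tip of nixpkgs rather than a Hydra-verified channel, so each `nix flake update` pulls whatever commit master is at, and the next hunks hand that input to every host through `specialArgs` (`inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver;`). If the goal is one newer package, pinning a specific rev (as the lock already records) or using `nixos-unstable-small` keeps the blast radius smaller. A comment on the input line would tell the next reader what it is for: `# master: untested tip of nixpkgs; use only for packages not yet in nixos-unstable`.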
@@ -28,7 +29,7 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit nixpkgs-unstable hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; # Provide environment for secret key command keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; @@ -38,7 +39,7 @@ hydraJobs = { nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { - inherit nixpkgs-unstable hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; }) hosts; }; From 4aca353a4a3b10e9ee5336ee334d0206680f38e3 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 334/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/5b7772406956f95e8a0e1f27218b1e7cf6e9164a' (2024-02-26) → 'github:nix-community/nixos-generators/10e801a76fa611f8ce7937e2c9b7677888a54fa0' (2024-03-07) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/479831ed8b3c9c7b80533999f880c7d0bf6a491b' (2024-02-25) → 'github:nix-community/nixpkgs.lib/7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c' (2024-03-03) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/227a4c47bef2390a7925693c51489e84169b1957' (2024-02-25) → 'github:NixOS/nixpkgs/03e303468a0b89792bc40c2f3a7cd8a322b66fad' (2024-03-06) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/cd2ec848a90ffdbe716c8829e6c4f75406c5b1a3' (2024-02-26) → 'github:NixOS/nixpkgs/c8cd65298e567e1e604431e4544361e365410f8c' (2024-03-07) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/94cda73bf2fd675de987db7c3ac81e861b892266' (2024-02-26) → 'github:NixOS/nixpkgs/413506a7ca983170cc8c7bc47f0845a2e6e03e95' (2024-03-07) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 05eff3a..ad3ce5b 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1708821942, - "narHash": "sha256-jd+E1SD59qty65pwqad2mftzkT6vW5nNFWVuvayh4Zw=", + "lastModified": 1709426687, + "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "479831ed8b3c9c7b80533999f880c7d0bf6a491b", + "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1708940320, - "narHash": "sha256-QOWRJlqT5FRESiaO42/QV/GbSRNKSa4XUDs3cNQsoWI=", + "lastModified": 1709821158, + "narHash": "sha256-76L6tymnmFY3zDPBi0Mi5G6HcISHKw7xHuYYmzKrTK4=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "5b7772406956f95e8a0e1f27218b1e7cf6e9164a", + "rev": "10e801a76fa611f8ce7937e2c9b7677888a54fa0", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1708905176, - "narHash": "sha256-pphkt8iO8CV/TugI7bsPOvFzi5mRSifkEQiwqYBK28s=", + "lastModified": 1709763014, + "narHash": "sha256-CopSGZnFg+7n7WwBZ/iqIQhLJo0Xc59OWQo9zN9gmwo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "227a4c47bef2390a7925693c51489e84169b1957", + "rev": "03e303468a0b89792bc40c2f3a7cd8a322b66fad", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1708963602, - "narHash": "sha256-ODloNfAj9CUN44L1VEvjh5nwV6pseDUZ3/lI6IgYUeo=", + "lastModified": 1709855257, + "narHash": "sha256-1G57sSUmJ6Pi6WLlOEC3x43mEMECKU4NDkRfNdaHUs0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cd2ec848a90ffdbe716c8829e6c4f75406c5b1a3", + "rev": "c8cd65298e567e1e604431e4544361e365410f8c", "type": "github" }, "original": { @@ -148,11 +148,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1708954320, - "narHash": "sha256-n3LXNMlz7ORCjfIrIUo19a844Fec2+yg7k6NspdVCxs=", + "lastModified": 1709812245, + "narHash": "sha256-i/RysAZgUYsu8618g3yKG65J3CRUIOUPqo+TckMR6iE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "94cda73bf2fd675de987db7c3ac81e861b892266", + "rev": "413506a7ca983170cc8c7bc47f0845a2e6e03e95", "type": "github" }, "original": { From d0468529f059e1545e9ccdf351d0c28546199a54 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 335/386] Patch mastodon for longer profile descriptions --- config/hosts/mastodon/mastodon.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 7c055e6..f36e682 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -2,7 +2,7 @@ let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; - hash = "sha256-2ZTwgcApKrXnO6isJFZk2oLaFB8hm1OAlPxftxXL25g="; + hash = "sha256-Fcbuj5BGkQd3X/gViqqB+NRIvjUlUED32tNEJrzYh5o="; }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { @@ -18,9 +18,8 @@ let "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch" "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch" - "${mastodonNekoversePatches}/patches/006_increase_display_name_character_limit.patch" + "${mastodonNekoversePatches}/patches/006_increase_profile_limits.patch" "${mastodonNekoversePatches}/patches/007_increase_toot_character_limit.patch" - "${mastodonNekoversePatches}/patches/008_increase_profile_metadata_limit.patch" ]; }; yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; From 52680c0659cc0591e97934ccd6b3d34aa44758ed Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 336/386] Bump element-web to 1.11.59 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 876a25e..2c102a3 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
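Review bot: `mastodonNekoversePatches = pkgs.fetchgit { url = …; hash = …; };` still carries no `rev`, so the fetch targets the patch repository's default branch and only the output hash decides whether the build passes; the next push to that branch turns into a hash-mismatch build failure, and the hash alone does not tell a reader which commit of the patch set is in use. Add `rev = "<commit id of the patch repo>";` next to `hash` so the source is pinned both by commit and by content. The patch-list change itself (006 renamed, 008 dropped) is fine provided the new 006 patch really subsumes 008, which cannot be verified from this diff.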
@@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.58"; + elementWebVersion = "1.11.59"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-986R9DIGD0twoVXAVHyeO33uLz4CZsajgv5Gn2vd2gE="; + sha256 = "sha256-iVTd5zWUJh9wkbKMh+5hq0ucQaLLY29w1xCLxDIdQ18="; }; elementWebSecurityHeaders = '' # Configuration best practices From 80015d2ca2a49ed4807c0d5826d0692f56dc4995 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 337/386] bump flake.lock --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index ad3ce5b..8886adc 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1709426687, - "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=", + "lastModified": 1712450863, + "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c", + "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1709821158, - "narHash": "sha256-76L6tymnmFY3zDPBi0Mi5G6HcISHKw7xHuYYmzKrTK4=", + "lastModified": 1712537332, + "narHash": "sha256-yYlxv1sg/TNl6hghjAe0ct+/p5PwXiT1mpuaExjhR88=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "10e801a76fa611f8ce7937e2c9b7677888a54fa0", + "rev": "d942db8df8ee860556a38754f15b8d03bf7e6933", "type": "github" }, "original": { 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709763014, - "narHash": "sha256-CopSGZnFg+7n7WwBZ/iqIQhLJo0Xc59OWQo9zN9gmwo=", + "lastModified": 1713180868, + "narHash": "sha256-5CSnPSCEWeUmrFiLuYIQIPQzPrpCB8x3VhE+oXLRO3k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "03e303468a0b89792bc40c2f3a7cd8a322b66fad", + "rev": "140546acf30a8212a03a88ded8506413fa3b5d21", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1709855257, - "narHash": "sha256-1G57sSUmJ6Pi6WLlOEC3x43mEMECKU4NDkRfNdaHUs0=", + "lastModified": 1713201277, + "narHash": "sha256-xHxbvpjepaDEc3DxJNMCWOFyBqW7yIANbUU+yWSL9+c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c8cd65298e567e1e604431e4544361e365410f8c", + "rev": "fc69edccf533e2731ab8850c59482907e0d4fc28", "type": "github" }, "original": { @@ -148,11 +148,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1709812245, - "narHash": "sha256-i/RysAZgUYsu8618g3yKG65J3CRUIOUPqo+TckMR6iE=", + "lastModified": 1713156337, + "narHash": "sha256-oPG4CUVQGc/8q0k4nS8YK44o2q14cqQSo9OijH1E+Vs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "413506a7ca983170cc8c7bc47f0845a2e6e03e95", + "rev": "b941d525061a6e4f43882318225799c901f1ad40", "type": "github" }, "original": { From 66d2b591a6ea6fb6fa570aed9d17ae4929c7a890 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 338/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/d942db8df8ee860556a38754f15b8d03bf7e6933' (2024-04-08) → 'github:nix-community/nixos-generators/722b512eb7e6915882f39fff0e4c9dd44f42b77e' (2024-04-22) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/140546acf30a8212a03a88ded8506413fa3b5d21' (2024-04-15) → 'github:NixOS/nixpkgs/1552982a8e5848fe2fec7d669d54ee86aa743101' (2024-05-05) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/fc69edccf533e2731ab8850c59482907e0d4fc28' (2024-04-15) → 'github:NixOS/nixpkgs/f1edf105d0bde9776d5060b5f8dcc16aea86cb44' (2024-05-05) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/b941d525061a6e4f43882318225799c901f1ad40' (2024-04-15) → 'github:NixOS/nixpkgs/9f5a6d72fa3985e4cd8fca3926d14ae8b54bcf75' (2024-05-05) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 8886adc..184a7b1 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1712537332, - "narHash": "sha256-yYlxv1sg/TNl6hghjAe0ct+/p5PwXiT1mpuaExjhR88=", + "lastModified": 1713783234, + "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "d942db8df8ee860556a38754f15b8d03bf7e6933", + "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e", "type": "github" }, "original": { 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1713180868, - "narHash": "sha256-5CSnPSCEWeUmrFiLuYIQIPQzPrpCB8x3VhE+oXLRO3k=", + "lastModified": 1714902782, + "narHash": "sha256-TdQNxaviQZlGU1VakHpDq3qqhP+0HhieieYRGZN46Ec=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "140546acf30a8212a03a88ded8506413fa3b5d21", + "rev": "1552982a8e5848fe2fec7d669d54ee86aa743101", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1713201277, - "narHash": "sha256-xHxbvpjepaDEc3DxJNMCWOFyBqW7yIANbUU+yWSL9+c=", + "lastModified": 1714938357, + "narHash": "sha256-CZmX0Dm7HhEBNMoeRDQIS6Ltd+kVtRVMPIt5iW9urQQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fc69edccf533e2731ab8850c59482907e0d4fc28", + "rev": "f1edf105d0bde9776d5060b5f8dcc16aea86cb44", "type": "github" }, "original": { @@ -148,11 +148,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1713156337, - "narHash": "sha256-oPG4CUVQGc/8q0k4nS8YK44o2q14cqQSo9OijH1E+Vs=", + "lastModified": 1714923658, + "narHash": "sha256-f54abULm+mOb74m4iDMbXpEsIClOu56q5u6ijbiuIbs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b941d525061a6e4f43882318225799c901f1ad40", + "rev": "9f5a6d72fa3985e4cd8fca3926d14ae8b54bcf75", "type": "github" }, "original": { From 8ecb3c1c49112162a07039b719ddc27c50cf56eb Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 339/386] Remove unifi-controller --- .../hosts/unifi-controller/configuration.nix | 23 ------------------- config/hosts/unifi-controller/default.nix | 7 ------ config/hosts/unifi-controller/unifi.nix | 12 ---------- hosts.nix | 4 ---- 4 files changed, 46 deletions(-) delete mode 100644 config/hosts/unifi-controller/configuration.nix delete mode 100644 config/hosts/unifi-controller/default.nix delete mode 100644 config/hosts/unifi-controller/unifi.nix 
diff --git a/config/hosts/unifi-controller/configuration.nix b/config/hosts/unifi-controller/configuration.nix deleted file mode 100644 index 565cdf7..0000000 --- a/config/hosts/unifi-controller/configuration.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "unifi-controller"; - firewall = { - allowedTCPPorts = [ 53 8080 8443 8880 8843 6789 27117 ]; - allowedUDPPorts = [ 53 3478 5514 10001 1900 123 ]; - allowedUDPPortRanges = [ - { - from = 5656; - to = 5699; - } - ]; - }; - }; - - system.stateVersion = "23.11"; -} diff --git a/config/hosts/unifi-controller/default.nix b/config/hosts/unifi-controller/default.nix deleted file mode 100644 index f66e094..0000000 --- a/config/hosts/unifi-controller/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./unifi.nix - ]; -} diff --git a/config/hosts/unifi-controller/unifi.nix b/config/hosts/unifi-controller/unifi.nix deleted file mode 100644 index 75a7094..0000000 --- a/config/hosts/unifi-controller/unifi.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, lib, ... }: -{ - services.unifi = { - enable = true; - unifiPackage = pkgs.unifi; - }; - - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ - "unifi-controller" - "mongodb" - ]; -} diff --git a/hosts.nix b/hosts.nix index 80145ea..4bebbbc 100644 --- a/hosts.nix +++ b/hosts.nix @@ -114,10 +114,6 @@ in site = "vs"; environment = "proxmox"; }; - unifi-controller = { - site = "wg"; - environment = "proxmox"; - }; valkyrie = { hostNixpkgs = nixpkgs-23-05; site = "af"; From 108c7a0ab5afb0ddbc80dfba7edb7c80b6f4613d Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 340/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/722b512eb7e6915882f39fff0e4c9dd44f42b77e' (2024-04-22) → 'github:nix-community/nixos-generators/d14b286322c7f4f897ca4b1726ce38cb68596c94' (2024-05-20) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/1552982a8e5848fe2fec7d669d54ee86aa743101' (2024-05-05) → 'github:NixOS/nixpkgs/8ed72179617b1b4dbd15134371daf4e9c4c039ee' (2024-05-26) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/f1edf105d0bde9776d5060b5f8dcc16aea86cb44' (2024-05-05) → 'github:NixOS/nixpkgs/61f95814d35e9faf61aa1dd81bd7acdf9a5514b9' (2024-05-26) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/9f5a6d72fa3985e4cd8fca3926d14ae8b54bcf75' (2024-05-05) → 'github:NixOS/nixpkgs/8debaa1f45995e3a621c1f55c09bf68e214f5878' (2024-05-26) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 184a7b1..52edb0e 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1713783234, - "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=", + "lastModified": 1716210724, + "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e", + "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94", "type": "github" }, "original": { 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1714902782, - "narHash": "sha256-TdQNxaviQZlGU1VakHpDq3qqhP+0HhieieYRGZN46Ec=", + "lastModified": 1716702362, + "narHash": "sha256-1iExBg0gqYHqSEwALu4LYPOKlJMbUUbsfhsGZf2mi0M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1552982a8e5848fe2fec7d669d54ee86aa743101", + "rev": "8ed72179617b1b4dbd15134371daf4e9c4c039ee", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1714938357, - "narHash": "sha256-CZmX0Dm7HhEBNMoeRDQIS6Ltd+kVtRVMPIt5iW9urQQ=", + "lastModified": 1716726580, + "narHash": "sha256-qfzXu2ar19X9GUg//K2IrMbwHbmaZPVktSmtLtMSe7s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f1edf105d0bde9776d5060b5f8dcc16aea86cb44", + "rev": "61f95814d35e9faf61aa1dd81bd7acdf9a5514b9", "type": "github" }, "original": { @@ -148,11 +148,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1714923658, - "narHash": "sha256-f54abULm+mOb74m4iDMbXpEsIClOu56q5u6ijbiuIbs=", + "lastModified": 1716704148, + "narHash": "sha256-XsWxhtvSUsft43XbSkpSroSyUyXj4focTG2CFCx1wqE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9f5a6d72fa3985e4cd8fca3926d14ae8b54bcf75", + "rev": "8debaa1f45995e3a621c1f55c09bf68e214f5878", "type": "github" }, "original": { From 218f4bed0702c663c53e596fbe45d5fb96e0e1b9 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 341/386] Get keycloak 23.0.7 from master --- config/hosts/keycloak/keycloak.nix | 3 ++- flake.lock | 17 +++++++++++++++++ flake.nix | 7 ++++--- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix index 79e9a96..0937e24 100644 --- a/config/hosts/keycloak/keycloak.nix +++ b/config/hosts/keycloak/keycloak.nix 
@@ -1,7 +1,8 @@ -{ ... }: +{ nixpkgs-master-keycloak-23_0_7, ... }: { services.keycloak = { enable = true; + package = nixpkgs-master-keycloak-23_0_7.legacyPackages."x86_64-linux".keycloak; settings = { hostname = "id.nekover.se"; hostname-admin = "keycloak-admin.nekover.se"; diff --git a/flake.lock b/flake.lock index 52edb0e..0535751 100644 --- a/flake.lock +++ b/flake.lock @@ -146,6 +146,22 @@ "type": "github" } }, + "nixpkgs-master-keycloak-23_0_7": { + "locked": { + "lastModified": 1708610845, + "narHash": "sha256-2ta+qGOkQJOeDx00bzxmjP0XO38xkJjZDDA+hq/04SM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "edc6a7a312c4f914f9bded421efa6f0b1b715693", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "edc6a7a312c4f914f9bded421efa6f0b1b715693", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1716704148, @@ -183,6 +199,7 @@ "nixpkgs": "nixpkgs", "nixpkgs-23-05": "nixpkgs-23-05", "nixpkgs-master": "nixpkgs-master", + "nixpkgs-master-keycloak-23_0_7": "nixpkgs-master-keycloak-23_0_7", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } diff --git a/flake.nix b/flake.nix index c789cbb..9abb06c 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; + nixpkgs-master-keycloak-23_0_7.url = "github:NixOS/nixpkgs/edc6a7a312c4f914f9bded421efa6f0b1b715693"; nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05-small"; nixos-generators = { url = "github:nix-community/nixos-generators"; 
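Review bot: `package = nixpkgs-master-keycloak-23_0_7.legacyPackages."x86_64-linux".keycloak;` hard-codes the platform; taking `pkgs` in the module arguments, `{ pkgs, nixpkgs-master-keycloak-23_0_7, ... }:`, and writing `package = nixpkgs-master-keycloak-23_0_7.legacyPackages.${pkgs.stdenv.hostPlatform.system}.keycloak;` keeps the module portable. More importantly, this input is a frozen nixpkgs commit (`edc6a7a3…`, lastModified 1708610845 in the lock hunk), so Keycloak and everything it links against stop receiving security updates when the regular inputs are bumped; mark that with a comment such as `# Frozen at nixpkgs edc6a7a3 for keycloak 23.0.7 — receives no security updates; remove once the main channel ships >= 23.0.7` and track the pin so it does not outlive its reason. The `services.keycloak` block continues outside the hunk.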
@@ -11,7 +12,7 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-master-keycloak-23_0_7, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; @@ -29,7 +30,7 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master nixpkgs-master-keycloak-23_0_7 hosts simple-nixos-mailserver; # Provide environment for secret key command keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; @@ -39,7 +40,7 @@ hydraJobs = { nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { - inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master nixpkgs-master-keycloak-23_0_7 hosts simple-nixos-mailserver; }) hosts; }; From fb4da7873835fc3f856b3bef9d26d02b2cfd88f3 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 342/386] Bump element-web to 1.11.67 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 2c102a3..3316006 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
@@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.59"; + elementWebVersion = "1.11.67"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-iVTd5zWUJh9wkbKMh+5hq0ucQaLLY29w1xCLxDIdQ18="; + sha256 = "sha256-Mleha39aEwa+qbJCVW1RmGDHb/noX9+Zo2IvjaLxhtE="; }; elementWebSecurityHeaders = '' # Configuration best practices From f8db84293aca5cc3a5aedae4369784e51a8465c6 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 343/386] Bump mastodon to v4.2.9 --- config/hosts/mastodon/mastodon.nix | 4 ++-- flake.lock | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index f36e682..cb13ab5 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.8"; + version = "4.2.9"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-7/E7iHqJxmYSorXYti7h8EbP7wcOAaD04ToLeU2I/nY="; + sha256 = "sha256-VjR4lXlb1p8mmpOGxPqbmCCEaB7SP90ccPSMfGFx6IQ="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" diff --git a/flake.lock b/flake.lock index 0535751..791aca5 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1716702362, - "narHash": "sha256-1iExBg0gqYHqSEwALu4LYPOKlJMbUUbsfhsGZf2mi0M=", + "lastModified": 1717106496, + "narHash": "sha256-CXCHENGIy/SNEHBTLH2Pz/J9XvcTPnk73QROAEHtGM0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8ed72179617b1b4dbd15134371daf4e9c4c039ee", + "rev": "2ac5652e83ddfca412a4b338714cb9afb27357d0", "type": "github" }, "original": { 
@@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1716726580, - "narHash": "sha256-qfzXu2ar19X9GUg//K2IrMbwHbmaZPVktSmtLtMSe7s=", + "lastModified": 1717165608, + "narHash": "sha256-mm/4TxdqIzONGiXuJQQEIfoFdB72aW7SQUqiLJ6pEjE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "61f95814d35e9faf61aa1dd81bd7acdf9a5514b9", + "rev": "1ee0e2dcfecd93168f757deff4ed33d7d574484c", "type": "github" }, "original": { @@ -164,11 +164,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1716704148, - "narHash": "sha256-XsWxhtvSUsft43XbSkpSroSyUyXj4focTG2CFCx1wqE=", + "lastModified": 1717112898, + "narHash": "sha256-7R2ZvOnvd9h8fDd65p0JnB7wXfUvreox3xFdYWd1BnY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8debaa1f45995e3a621c1f55c09bf68e214f5878", + "rev": "6132b0f6e344ce2fe34fc051b72fb46e34f668e0", "type": "github" }, "original": { From 169d239cdea4d4c13ba07ae2c941c8682963f1a7 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 344/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/4be04c4f5d112f662df788262113b488d21352ec' (2024-06-25) → 'github:NixOS/nixpkgs/8cce9d0ae31e51a5505650daa046fb22960766ed' (2024-06-25) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 791aca5..1995d10 100644 --- a/flake.lock +++ b/flake.lock @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1716210724, - "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=", + "lastModified": 1718025593, + "narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94", + "rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3", "type": "github" }, "original": { 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1717106496, - "narHash": "sha256-CXCHENGIy/SNEHBTLH2Pz/J9XvcTPnk73QROAEHtGM0=", + "lastModified": 1719160247, + "narHash": "sha256-mWvCCJFG7RFMFXyQHdxDX56RKYdzXmQ25sy69uRQ8BI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2ac5652e83ddfca412a4b338714cb9afb27357d0", + "rev": "74b529ef56db2bc5ac41b40dca2e57e222964e3a", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1717165608, - "narHash": "sha256-mm/4TxdqIzONGiXuJQQEIfoFdB72aW7SQUqiLJ6pEjE=", + "lastModified": 1719348949, + "narHash": "sha256-uohZYX9g9MuEZlzME38gJyMpNK/bIixzuLkQn3CG5yg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1ee0e2dcfecd93168f757deff4ed33d7d574484c", + "rev": "8cce9d0ae31e51a5505650daa046fb22960766ed", "type": "github" }, "original": { @@ -164,11 +164,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1717112898, - "narHash": "sha256-7R2ZvOnvd9h8fDd65p0JnB7wXfUvreox3xFdYWd1BnY=", + "lastModified": 1719327525, + "narHash": "sha256-fPWiFM4aYbK9zGTt3KJ9CwX//iyElRiNHWNj2hk3i0E=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6132b0f6e344ce2fe34fc051b72fb46e34f668e0", + "rev": "191a3fd9786d09c8d82e89ed68c4463e7be09b3e", "type": "github" }, "original": { From 33293cf21ed1b0b5b835aa52a4ad2e23149219b0 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 345/386] Bump nix channel versions --- flake.nix | 7 +++---- hosts.nix | 3 +-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/flake.nix b/flake.nix index 9abb06c..1520a61 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,18 +1,17 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; nixpkgs-master-keycloak-23_0_7.url = "github:NixOS/nixpkgs/edc6a7a312c4f914f9bded421efa6f0b1b715693"; - nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05-small"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; - simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-master-keycloak-23_0_7, nixpkgs-23-05, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-master-keycloak-23_0_7, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; diff --git a/hosts.nix b/hosts.nix index 4bebbbc..5de4e6f 100644 --- a/hosts.nix +++ b/hosts.nix @@ -1,4 +1,4 @@ -{ nixpkgs, nixpkgs-unstable, nixpkgs-23-05, ... }: +{ nixpkgs, nixpkgs-unstable, ... }: let # Set of environment specific modules environments = { @@ -115,7 +115,6 @@ in environment = "proxmox"; }; valkyrie = { - hostNixpkgs = nixpkgs-23-05; site = "af"; environment = "openstack"; }; From 714bc199e174bea92178882da78d70facf9cf25e Mon Sep 17 00:00:00 2001 
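Review bot: Dropping `hostNixpkgs = nixpkgs-23-05;` from the `valkyrie` entry in hosts.nix moves that host onto the default `nixpkgs` input, which the flake.nix hunk in the same commit bumps to `nixos-24.05-small`, so valkyrie jumps from 23.05 straight to 24.05 rather than by one release like the other hosts. If it was held back on purpose, the reason and the fact that the hold is now lifted belong next to the entry, e.g. `# was pinned to nixos-23.05 until 2024-11; now follows the default nixpkgs input`, and its stateful services should be checked against the 23.11 and 24.05 release notes before the first deploy. Whether anything in valkyrie's configuration depended on the older channel is not visible from this hunk; the `hosts` attribute set continues outside it.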
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 346/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/35c20ba421dfa5059e20e0ef2343c875372bdcf3' (2024-06-10) → 'github:nix-community/nixos-generators/140dcc2b9a0eb87ba5e9011076a1a7af19179ab1' (2024-07-01) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/3c62b6a12571c9a7f65ab037173ee153d539905f' (2024-04-07) → 'github:nix-community/nixpkgs.lib/1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6' (2024-06-30) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/74b529ef56db2bc5ac41b40dca2e57e222964e3a' (2024-06-23) → 'github:NixOS/nixpkgs/10c832d0548e9e3a6df7eb51e68c2783212a303e' (2024-07-01) • Removed input 'nixpkgs-23-05' • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/8cce9d0ae31e51a5505650daa046fb22960766ed' (2024-06-25) → 'github:NixOS/nixpkgs/79456ded62c3a1f6c25520799d5d822f8a6b0dc7' (2024-07-01) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/191a3fd9786d09c8d82e89ed68c4463e7be09b3e' (2024-06-25) → 'github:NixOS/nixpkgs/7f993cdf26ccef564eabf31fdb40d140821e12bc' (2024-07-01) • Updated input 'simple-nixos-mailserver': 'gitlab:simple-nixos-mailserver/nixos-mailserver/e47f3719f1db3e0961a4358d4cb234a0acaa7baf' (2024-01-25) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/29916981e7b3b5782dc5085ad18490113f8ff63b' (2024-06-11) • Updated input 'simple-nixos-mailserver/flake-compat': 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17) → 'github:edolstra/flake-compat/0f9255e01c2351cc7d116c072cb317785dd33b33' (2023-10-04) • Updated input 'simple-nixos-mailserver/nixpkgs': 'github:NixOS/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21) → 'github:NixOS/nixpkgs/e8057b67ebf307f01bdcc8fba94d94f75039d1f6' (2024-06-05) • Removed input 'simple-nixos-mailserver/nixpkgs-23_05' • 
Removed input 'simple-nixos-mailserver/nixpkgs-23_11' • Added input 'simple-nixos-mailserver/nixpkgs-24_05': 'github:NixOS/nixpkgs/805a384895c696f802a9bf5bf4720f37385df547' (2024-05-31) • Updated input 'simple-nixos-mailserver/utils': 'github:numtide/flake-utils/5021eac20303a61fafe17224c087f5519baed54d' (2020-11-14) → 'github:numtide/flake-utils/d465f4819400de7c8d874d50b982301f28a84605' (2024-02-28) • Added input 'simple-nixos-mailserver/utils/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) --- flake.lock | 123 +++++++++++++++++++++++------------------------------ 1 file changed, 54 insertions(+), 69 deletions(-) diff --git a/flake.lock b/flake.lock index 1995d10..df78fc6 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1712450863, - "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=", + "lastModified": 1719708727, + "narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f", + "rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1718025593, - "narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=", + "lastModified": 1719841141, + "narHash": "sha256-WOyohxFJJdfDvEB7N3eTcX44lNU2rZes1inHsyHL7mM=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3", + "rev": "140dcc2b9a0eb87ba5e9011076a1a7af19179ab1", "type": "github" }, "original": { 
@@ -70,73 +70,42 @@ }, "nixpkgs": { "locked": { - "lastModified": 1719160247, - "narHash": "sha256-mWvCCJFG7RFMFXyQHdxDX56RKYdzXmQ25sy69uRQ8BI=", + "lastModified": 1719825363, + "narHash": "sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "74b529ef56db2bc5ac41b40dca2e57e222964e3a", + "rev": "10c832d0548e9e3a6df7eb51e68c2783212a303e", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.11-small", + "ref": "nixos-24.05-small", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-23-05": { + "nixpkgs-24_05": { "locked": { - "lastModified": 1705033721, - "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=", + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.05-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-23_05": { - "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-23.05", - "type": "indirect" - } - }, - "nixpkgs-23_11": { - "locked": { - "lastModified": 1706098335, - "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a77ab169a83a4175169d78684ddd2e54486ac651", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "type": "indirect" } }, "nixpkgs-master": { "locked": { - "lastModified": 1719348949, - "narHash": "sha256-uohZYX9g9MuEZlzME38gJyMpNK/bIixzuLkQn3CG5yg=", + "lastModified": 1719841698, + "narHash": "sha256-oxCNic7Lw+NKzqYO5r2knhU89PcQb22jUqu/N30Yam4=", "owner": 
"NixOS", "repo": "nixpkgs", - "rev": "8cce9d0ae31e51a5505650daa046fb22960766ed", + "rev": "79456ded62c3a1f6c25520799d5d822f8a6b0dc7", "type": "github" }, "original": { @@ -164,11 +133,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1719327525, - "narHash": "sha256-fPWiFM4aYbK9zGTt3KJ9CwX//iyElRiNHWNj2hk3i0E=", + "lastModified": 1719824438, + "narHash": "sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t+Je1zc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "191a3fd9786d09c8d82e89ed68c4463e7be09b3e", + "rev": "7f993cdf26ccef564eabf31fdb40d140821e12bc", "type": "github" }, "original": { @@ -180,11 +149,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1705856552, - "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "lastModified": 1717602782, + "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6", "type": "github" }, "original": { @@ -197,7 +166,6 @@ "inputs": { "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", - "nixpkgs-23-05": "nixpkgs-23-05", "nixpkgs-master": "nixpkgs-master", "nixpkgs-master-keycloak-23_0_7": "nixpkgs-master-keycloak-23_0_7", "nixpkgs-unstable": "nixpkgs-unstable", 
@@ -209,32 +177,49 @@ "blobs": "blobs", "flake-compat": "flake-compat", "nixpkgs": "nixpkgs_2", - "nixpkgs-23_05": "nixpkgs-23_05", - "nixpkgs-23_11": "nixpkgs-23_11", + "nixpkgs-24_05": "nixpkgs-24_05", "utils": "utils" }, "locked": { - "lastModified": 1706219574, - "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=", + "lastModified": 1718084203, + "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf", + "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b", "type": "gitlab" }, "original": { "owner": "simple-nixos-mailserver", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "repo": "nixos-mailserver", "type": "gitlab" } }, - "utils": { + "systems": { "locked": { - "lastModified": 1605370193, - "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", "owner": "numtide", "repo": "flake-utils", - "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", "type": "github" }, "original": { From 3b6acd6c4342f3f773afb3871e241cf5ecec3807 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 347/386] Update/fix keycloak, matrix, nextcloud, wireguard-nat-nftables --- config/hosts/keycloak/keycloak.nix | 3 +-- config/hosts/matrix/matrix-synapse.nix | 15 ++++++++------- config/hosts/nextcloud/nextcloud.nix | 6 +++--- flake.lock | 17 ----------------- flake.nix | 7 +++---- pkgs/wireguard-nat-nftables/default.nix | 12 +++--------- 6 files changed, 18 insertions(+), 42 deletions(-) diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix index 0937e24..79e9a96 100644 --- a/config/hosts/keycloak/keycloak.nix +++ b/config/hosts/keycloak/keycloak.nix @@ -1,8 +1,7 @@ -{ nixpkgs-master-keycloak-23_0_7, ... }: +{ ... }: { services.keycloak = { enable = true; - package = nixpkgs-master-keycloak-23_0_7.legacyPackages."x86_64-linux".keycloak; settings = { hostname = "id.nekover.se"; hostname-admin = "keycloak-admin.nekover.se"; diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 6527503..e719484 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -47,13 +47,6 @@ turn_user_lifetime = 86400000; turn_allow_guests = true; }; - sliding-sync = { - enable = true; - settings = { - SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl; - }; - environmentFile = "/secrets/matrix-SYNCV3_SECRET.secret"; - }; extras = [ "oidc" ]; extraConfigFiles = [ "/secrets/matrix-registration-shared-secret.secret" @@ -62,4 +55,12 @@ "/secrets/matrix-keycloak-client-secret.secret" ]; }; + + services.matrix-sliding-sync = { + enable = true; + settings = { + SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl; + }; + environmentFile = "/secrets/matrix-SYNCV3_SECRET.secret"; + }; } diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index 839d15d..0b1f3a2 100644 --- a/config/hosts/nextcloud/nextcloud.nix 
+++ b/config/hosts/nextcloud/nextcloud.nix @@ -2,13 +2,12 @@ { services.nextcloud = { enable = true; - package = pkgs.nextcloud28; + package = pkgs.nextcloud29; hostName = "cloud.nekover.se"; https = true; config = { dbtype = "pgsql"; adminpassFile = "/secrets/nextcloud-adminpass.secret"; - defaultPhoneRegion = "DE"; }; database.createLocally = true; configureRedis = true; @@ -17,7 +16,7 @@ inherit bookmarks contacts calendar tasks twofactor_webauthn user_oidc; }; maxUploadSize = "16G"; - extraOptions = { + settings = { mail_smtpmode = "smtp"; mail_sendmailmode = "smtp"; mail_smtpsecure = "ssl"; @@ -28,6 +27,7 @@ mail_smtphost = "mail-1.grzb.de"; mail_smtpport = 465; mail_smtpname = "cloud@nekover.se"; + default_phone_region = "DE"; }; # Only contains mail_smtppassword secretFile = "/secrets/nextcloud-secretfile.secret"; diff --git a/flake.lock b/flake.lock index df78fc6..aa5196f 100644 --- a/flake.lock +++ b/flake.lock @@ -115,22 +115,6 @@ "type": "github" } }, - "nixpkgs-master-keycloak-23_0_7": { - "locked": { - "lastModified": 1708610845, - "narHash": "sha256-2ta+qGOkQJOeDx00bzxmjP0XO38xkJjZDDA+hq/04SM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "edc6a7a312c4f914f9bded421efa6f0b1b715693", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "edc6a7a312c4f914f9bded421efa6f0b1b715693", - "type": "github" - } - }, "nixpkgs-unstable": { "locked": { "lastModified": 1719824438, @@ -167,7 +151,6 @@ "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", - "nixpkgs-master-keycloak-23_0_7": "nixpkgs-master-keycloak-23_0_7", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } diff --git a/flake.nix b/flake.nix index 1520a61..5cf2232 100644 --- a/flake.nix +++ b/flake.nix 
@@ -3,7 +3,6 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; - nixpkgs-master-keycloak-23_0_7.url = "github:NixOS/nixpkgs/edc6a7a312c4f914f9bded421efa6f0b1b715693"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; @@ -11,7 +10,7 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-master-keycloak-23_0_7, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; @@ -29,7 +28,7 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit nixpkgs-unstable nixpkgs-master nixpkgs-master-keycloak-23_0_7 hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; # Provide environment for secret key command keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; @@ -39,7 +38,7 @@ hydraJobs = { nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { - inherit nixpkgs-unstable nixpkgs-master nixpkgs-master-keycloak-23_0_7 hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; }) hosts; }; diff --git a/pkgs/wireguard-nat-nftables/default.nix b/pkgs/wireguard-nat-nftables/default.nix index e687cee..3ce972e 100644 --- a/pkgs/wireguard-nat-nftables/default.nix +++ b/pkgs/wireguard-nat-nftables/default.nix 
@@ -1,17 +1,11 @@ { pkgs, ... }: -let - nftablesWithPythonOverlay = final: prev: { - nftables = (prev.nftables.override { withPython = true; }); - }; - pkgs-overlay = pkgs.extend nftablesWithPythonOverlay; -in -pkgs-overlay.python310Packages.buildPythonApplication { +pkgs.python3Packages.buildPythonApplication { pname = "wireguard-nat-nftables"; version = "0.0.1"; - propagatedBuildInputs = with pkgs-overlay; [ + propagatedBuildInputs = with pkgs; [ wireguard-tools - python310Packages.nftables + python3Packages.nftables ]; src = ./src; From 892503fb7bd7f081f45313ee752b4bbc55ea37f6 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 348/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/140dcc2b9a0eb87ba5e9011076a1a7af19179ab1' (2024-07-01) → 'github:nix-community/nixos-generators/168b220231a70e47cc1f0919048fa5914415fb18' (2024-07-04) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/10c832d0548e9e3a6df7eb51e68c2783212a303e' (2024-07-01) → 'github:NixOS/nixpkgs/8668e0cd7cdcd7c048aa0aedb8051feb44e04130' (2024-07-04) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/79456ded62c3a1f6c25520799d5d822f8a6b0dc7' (2024-07-01) → 'github:NixOS/nixpkgs/0c811d5f56f318bdbc3241ead65ca3b88d6c4a70' (2024-07-04) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/7f993cdf26ccef564eabf31fdb40d140821e12bc' (2024-07-01) → 'github:NixOS/nixpkgs/1af787b0e7fda63e5313fb1a6815019e0c4d6f9b' (2024-07-04) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index aa5196f..66c0caf 100644 --- a/flake.lock +++ b/flake.lock 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1719841141, - "narHash": "sha256-WOyohxFJJdfDvEB7N3eTcX44lNU2rZes1inHsyHL7mM=", + "lastModified": 1720055043, + "narHash": "sha256-SKizewU4UeYrkZWPUjur8EoxscGoNb0pGcrNL4YzAIg=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "140dcc2b9a0eb87ba5e9011076a1a7af19179ab1", + "rev": "168b220231a70e47cc1f0919048fa5914415fb18", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1719825363, - "narHash": "sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw=", + "lastModified": 1720054931, + "narHash": "sha256-scsZLzV/mGMbKdH1vrLmNuXtrQK8xo4vzAs05ZeGO40=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "10c832d0548e9e3a6df7eb51e68c2783212a303e", + "rev": "8668e0cd7cdcd7c048aa0aedb8051feb44e04130", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1719841698, - "narHash": "sha256-oxCNic7Lw+NKzqYO5r2knhU89PcQb22jUqu/N30Yam4=", + "lastModified": 1720105773, + "narHash": "sha256-YO8hXGHrwKe8xV272ztIjpg/nu6tYtMHCjQtmROC9ew=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "79456ded62c3a1f6c25520799d5d822f8a6b0dc7", + "rev": "0c811d5f56f318bdbc3241ead65ca3b88d6c4a70", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1719824438, - "narHash": "sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t+Je1zc=", + "lastModified": 1720067112, + "narHash": "sha256-RqDbuJnwe29ffD8KE810dLxzCyaX5cvXks8TaJZK4H4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7f993cdf26ccef564eabf31fdb40d140821e12bc", + "rev": "1af787b0e7fda63e5313fb1a6815019e0c4d6f9b", "type": "github" }, "original": { From d3e6b23629c913e440af6982dde51c8c0cacd0d3 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 349/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Added input 'nixpkgs-mastodon-4-2-10': 'github:NixOS/nixpkgs/e8f680e000d5c5b4a0ff998e6423951bcf06ba35' (2024-07-04) --- flake.lock | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/flake.lock b/flake.lock index 66c0caf..773cd38 100644 --- a/flake.lock +++ b/flake.lock @@ -115,6 +115,22 @@ "type": "github" } }, + "nixpkgs-mastodon-4-2-10": { + "locked": { + "lastModified": 1720106533, + "narHash": "sha256-m1f/yXrCX3czYSVvBz5jdJ41dcCVsKlSIrnH0i83L6U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e8f680e000d5c5b4a0ff998e6423951bcf06ba35", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e8f680e000d5c5b4a0ff998e6423951bcf06ba35", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1720067112, @@ -151,6 +167,7 @@ "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", + "nixpkgs-mastodon-4-2-10": "nixpkgs-mastodon-4-2-10", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } From 0732369ec943db58e5548b6731bf9b3c3760fa54 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 350/386] Update mastodo to 4.2.10 --- config/hosts/mastodon/mastodon.nix | 8 ++++---- flake.nix | 7 ++++--- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index cb13ab5..a1d82d2 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -1,4 +1,4 @@ -{ pkgs, nixpkgs-unstable, ... }: +{ pkgs, nixpkgs-mastodon-4-2-10, ... }: let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; 
@@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.9"; + version = "4.2.10"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-VjR4lXlb1p8mmpOGxPqbmCCEaB7SP90ccPSMfGFx6IQ="; + sha256 = "sha256-z3veI0CpZk6mBgygqXk8SN/5WWjy5VkKLxC7nOLnyZE="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" @@ -25,7 +25,7 @@ let yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; }); }; - pkgs-overlay = nixpkgs-unstable.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; + pkgs-overlay = nixpkgs-mastodon-4-2-10.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { diff --git a/flake.nix b/flake.nix index 5cf2232..876a711 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; + nixpkgs-mastodon-4-2-10.url = "github:NixOS/nixpkgs/e8f680e000d5c5b4a0ff998e6423951bcf06ba35"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; @@ -10,7 +11,7 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-mastodon-4-2-10, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; 
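Review bot: The new `nixpkgs-mastodon-4-2-10.url = "github:NixOS/nixpkgs/e8f680e000d5c5b4a0ff998e6423951bcf06ba35";` input pins a complete nixpkgs checkout to one commit, so every package in Mastodon's closure on that host (Ruby, Node, system libraries) stops receiving updates at that revision while `nixpkgs-unstable` keeps moving. A one-line comment above it stating purpose and exit condition would make that visible to whoever runs the next update, e.g. `# Temporary: provides mastodon 4.2.10 until it reaches nixos-unstable-small; then drop this input and point mastodon.nix back at nixpkgs-unstable`. The same input is threaded through the `outputs` argument list here and both `inherit` lists in the `@@ -28,7 +29,7 @@` and `@@ -38,7 +39,7 @@` hunks, so removal touches at least four places in flake.nix plus mastodon.nix; the comment should name them.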
@@ -28,7 +29,7 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master nixpkgs-mastodon-4-2-10 hosts simple-nixos-mailserver; # Provide environment for secret key command keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; @@ -38,7 +39,7 @@ hydraJobs = { nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { - inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master nixpkgs-mastodon-4-2-10 hosts simple-nixos-mailserver; }) hosts; }; From a5f239d23438d998d165bcdfd92b7eb0ad59dba5 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 351/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/168b220231a70e47cc1f0919048fa5914415fb18' (2024-07-04) → 'github:nix-community/nixos-generators/75cbb2a5e19c18840d105a72d036c6c92fc46c5d' (2024-07-29) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6' (2024-06-30) → 'github:nix-community/nixpkgs.lib/d15f6f6021693898fcd2c6a9bb13707383da9bbc' (2024-07-28) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8668e0cd7cdcd7c048aa0aedb8051feb44e04130' (2024-07-04) → 'github:NixOS/nixpkgs/15ed5d4537fd46399513bb040bf98415c825281b' (2024-08-02) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/0c811d5f56f318bdbc3241ead65ca3b88d6c4a70' (2024-07-04) → 'github:NixOS/nixpkgs/7f9ed2e65a92f1496daa9ab73539a9d02c2454b3' (2024-08-03) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/1af787b0e7fda63e5313fb1a6815019e0c4d6f9b' (2024-07-04) → 'github:NixOS/nixpkgs/6602aa2586f35fc8c6c46246a1dcac6940ca3f0f' (2024-08-03) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 773cd38..491040e 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1719708727, - "narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=", + "lastModified": 1722128034, + "narHash": "sha256-L8rwzYPsLo/TYtydPJoQyYOfetuiyQYnTWYcyB8UE/s=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6", + "rev": "d15f6f6021693898fcd2c6a9bb13707383da9bbc", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1720055043, - "narHash": "sha256-SKizewU4UeYrkZWPUjur8EoxscGoNb0pGcrNL4YzAIg=", + "lastModified": 1722214420, + "narHash": "sha256-qfHC1p5hcErGcE672/KhBkyWYloekQpqIxtcbcUVYkA=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "168b220231a70e47cc1f0919048fa5914415fb18", + "rev": "75cbb2a5e19c18840d105a72d036c6c92fc46c5d", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1720054931, - "narHash": "sha256-scsZLzV/mGMbKdH1vrLmNuXtrQK8xo4vzAs05ZeGO40=", + "lastModified": 1722621932, + "narHash": "sha256-Uz5xeHsH7+qZVncZwfzGd+CTjxd0mwaP7Q/pbs7OB5c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8668e0cd7cdcd7c048aa0aedb8051feb44e04130", + "rev": "15ed5d4537fd46399513bb040bf98415c825281b", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1720105773, - "narHash": "sha256-YO8hXGHrwKe8xV272ztIjpg/nu6tYtMHCjQtmROC9ew=", + "lastModified": 1722719323, + "narHash": "sha256-1O9VQB7WD1NKBz9maYGJAU0EqoajEYQSiSlrjdKWz8s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0c811d5f56f318bdbc3241ead65ca3b88d6c4a70", + "rev": "7f9ed2e65a92f1496daa9ab73539a9d02c2454b3", "type": "github" }, "original": { @@ -133,11 +133,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1720067112, - "narHash": "sha256-RqDbuJnwe29ffD8KE810dLxzCyaX5cvXks8TaJZK4H4=", + "lastModified": 1722685361, + "narHash": "sha256-6Zn2SVJYffCtenHEHsb2PmzQsX5+cRsforNJZmlK630=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1af787b0e7fda63e5313fb1a6815019e0c4d6f9b", + "rev": "6602aa2586f35fc8c6c46246a1dcac6940ca3f0f", "type": "github" }, "original": { From aea6f7c3da6b90a7274b5cd1412742e6188ba6d5 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 352/386] Update valkyrie IP --- config/hosts/mastodon/mastodon.nix | 4 ++-- config/hosts/valkyrie/services.nix | 2 +- flake.lock | 17 ----------------- flake.nix | 7 +++---- 4 files changed, 6 insertions(+), 24 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index a1d82d2..9abd69d 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -1,4 +1,4 @@ -{ pkgs, nixpkgs-mastodon-4-2-10, ... }: +{ pkgs, nixpkgs-unstable, ... }: let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; @@ -25,7 +25,7 @@ let yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; }); }; - pkgs-overlay = nixpkgs-mastodon-4-2-10.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; + pkgs-overlay = nixpkgs-unstable.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix index 5af708c..dc0fa6d 100644 --- a/config/hosts/valkyrie/services.nix +++ b/config/hosts/valkyrie/services.nix @@ -3,7 +3,7 @@ let wireguard-nat-nftables = import ../../../pkgs/wireguard-nat-nftables pkgs; config = pkgs.writeText "wireguard-nat-nftables-config" (builtins.toJSON { interface = "ens3"; - interface_address = "172.16.4.180"; + interface_address = "172.16.4.239"; wg_interface = "wg0"; pubkey_port_mapping = { # okayu diff --git a/flake.lock b/flake.lock index 491040e..a6fd892 100644 --- a/flake.lock +++ b/flake.lock 
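Review bot: `interface_address = "172.16.4.239";` in config/hosts/valkyrie/services.nix is a hand-maintained copy of the address that `ens3` must actually carry, and this commit shows how it drifts: the host's IP changed and the NAT rule set had to be edited separately to follow. If the address is declared elsewhere in this host's configuration and `config` is available in this module, deriving it from there (for example from `networking.interfaces.ens3`) keeps the two in lock-step; if the address is assigned by the provider instead, a comment such as `# must match the address assigned to ens3; update together with the host's network config` at least flags the coupling. The `let` block this binding sits in begins and ends outside the hunk.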
@@ -115,22 +115,6 @@ "type": "github" } }, - "nixpkgs-mastodon-4-2-10": { - "locked": { - "lastModified": 1720106533, - "narHash": "sha256-m1f/yXrCX3czYSVvBz5jdJ41dcCVsKlSIrnH0i83L6U=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e8f680e000d5c5b4a0ff998e6423951bcf06ba35", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e8f680e000d5c5b4a0ff998e6423951bcf06ba35", - "type": "github" - } - }, "nixpkgs-unstable": { "locked": { "lastModified": 1722685361, @@ -167,7 +151,6 @@ "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", - "nixpkgs-mastodon-4-2-10": "nixpkgs-mastodon-4-2-10", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } diff --git a/flake.nix b/flake.nix index 876a711..5cf2232 100644 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,6 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; - nixpkgs-mastodon-4-2-10.url = "github:NixOS/nixpkgs/e8f680e000d5c5b4a0ff998e6423951bcf06ba35"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; @@ -11,7 +10,7 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixpkgs-mastodon-4-2-10, nixos-generators, simple-nixos-mailserver, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; 
@@ -29,7 +28,7 @@ nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; specialArgs = { - inherit nixpkgs-unstable nixpkgs-master nixpkgs-mastodon-4-2-10 hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; # Provide environment for secret key command keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; @@ -39,7 +38,7 @@ hydraJobs = { nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { - inherit nixpkgs-unstable nixpkgs-master nixpkgs-mastodon-4-2-10 hosts simple-nixos-mailserver; + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; }) hosts; }; From a76d3023983daee7b6bc40f2a13cb211779534ef Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 353/386] Bump element-web to 1.1.72 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 3316006..8fe843c 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.67"; + elementWebVersion = "1.11.72"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-Mleha39aEwa+qbJCVW1RmGDHb/noX9+Zo2IvjaLxhtE="; + sha256 = "sha256-3pa4OVHBWZvHLsnE2JK5+sVpOXBKO5yJSQJNJokdF98="; }; elementWebSecurityHeaders = '' # Configuration best practices From 71742d5dc27aa89ad08aa17490d36734bf043bed Mon Sep 17 00:00:00 2001 
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 354/386] Enable push to create repo on forgejo

---
 config/hosts/forgejo/forgejo.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix
index d9f4a36..45961cf 100644
--- a/config/hosts/forgejo/forgejo.nix
+++ b/config/hosts/forgejo/forgejo.nix
@@ -38,6 +38,10 @@
     repo = {
       DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
     };
+    repository = {
+      ENABLE_PUSH_CREATE_USER = true;
+      ENABLE_PUSH_CREATE_ORG = true;
+    };
     actions = {
       ENABLED = true;
       ARTIFACT_RETENTION_DAYS = 30;
From d3c457b228af9e3ce4580cd1f969d3cb104f284f Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 355/386] Add user fi

---
 config/common/default.nix | 1 +
 config/users/colmena-deploy/default.nix | 1 +
 config/users/fi/default.nix | 12 ++++++++++++
 config/users/yuri/default.nix | 1 +
 4 files changed, 15 insertions(+)
 create mode 100644 config/users/fi/default.nix

diff --git a/config/common/default.nix b/config/common/default.nix
index c57eaba..c8930ec 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -6,6 +6,7 @@
     ./openssh.nix
     ../users/colmena-deploy
     ../users/yuri
+    ../users/fi
   ];
 
   time.timeZone = "Europe/Berlin";
diff --git a/config/users/colmena-deploy/default.nix b/config/users/colmena-deploy/default.nix
index 1766855..cc4029b 100644
--- a/config/users/colmena-deploy/default.nix
+++ b/config/users/colmena-deploy/default.nix
@@ -7,6 +7,7 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPJbR09ZqPnfZkx9JNjCurJDXWa5XtNeNQfkPRU/ZnY colmena-deploy"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
     ];
   };
 }
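Review bot: The added `repository` attribute sits next to the existing `repo` attribute that holds `DEFAULT_REPO_UNITS`, so the generated app.ini now carries two sections for what Forgejo documents as the single `[repository]` section; unless `repo` is an alias I am not aware of, `DEFAULT_REPO_UNITS` has not been taking effect, and folding everything into one `repository = { DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; ENABLE_PUSH_CREATE_USER = true; ENABLE_PUSH_CREATE_ORG = true; };` block fixes both. Since push-to-create lets a plain `git push` materialise new repositories, a one-line comment above the block stating that it applies only to authenticated users pushing into their own namespace or into an org where they may already create repos would save the next reader a trip to the docs. The enclosing `settings` attribute set starts and ends outside the hunk.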
diff --git a/config/users/fi/default.nix b/config/users/fi/default.nix
new file mode 100644
index 0000000..2039f05
--- /dev/null
+++ b/config/users/fi/default.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+  users.users.fi = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
+    ];
+  };
+}
diff --git a/config/users/yuri/default.nix b/config/users/yuri/default.nix
index 546de5e..4b2b8ac 100644
--- a/config/users/yuri/default.nix
+++ b/config/users/yuri/default.nix
@@ -6,6 +6,7 @@
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
     ];
   };
 }
From ddfd4ef92cc9e35adb6c983e1cfce09e966e7d23 Mon Sep 17 00:00:00 2001
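Review bot: The new `users.users.fi` account is authorized with exactly the same three keys as `yuri`, and the sibling hunks in this commit add `fi@cherry` to `yuri` and to `colmena-deploy` as well, so every key can log in as every account and the separate wheel accounts give no attribution or least-privilege benefit. Keep `openssh.authorizedKeys.keys` on `fi` to `fi@cherry` and leave the `yuri@*` keys on `yuri`; the `colmena-deploy` account, which presumably exists only for deployments, should carry only the key it deploys with. If the cross-authorization is deliberate, say so in the file with a comment such as `# both operators administer every host; keys are intentionally shared`, otherwise a reader will take it for a copy-paste mistake.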
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 356/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/75cbb2a5e19c18840d105a72d036c6c92fc46c5d' (2024-07-29) → 'github:nix-community/nixos-generators/214efbd73241d72a8f48b8b9a73bb54895cd51a7' (2024-09-09) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/d15f6f6021693898fcd2c6a9bb13707383da9bbc' (2024-07-28) → 'github:nix-community/nixpkgs.lib/68584f89dd0eb16fea5d80ae127f3f681f6a5df7' (2024-09-08) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/15ed5d4537fd46399513bb040bf98415c825281b' (2024-08-02) → 'github:NixOS/nixpkgs/44a71ff39c182edaf25a7ace5c9454e7cba2c658' (2024-09-10) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/7f9ed2e65a92f1496daa9ab73539a9d02c2454b3' (2024-08-03) → 'github:NixOS/nixpkgs/c711a6c3032741bd1384ac057b43b55989c63e72' (2024-09-10) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/6602aa2586f35fc8c6c46246a1dcac6940ca3f0f' (2024-08-03) → 'github:NixOS/nixpkgs/28e9b6d60ffd048dbbfbce525f8ab5bd726a22c3' (2024-09-10) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index a6fd892..2f0f2cc 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1722128034, - "narHash": "sha256-L8rwzYPsLo/TYtydPJoQyYOfetuiyQYnTWYcyB8UE/s=", + "lastModified": 1725757153, + "narHash": "sha256-c1a6iLmCVPFI9EUVMrBN8xdmFxFXEjcVwiTSVmqajOs=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "d15f6f6021693898fcd2c6a9bb13707383da9bbc", + "rev": "68584f89dd0eb16fea5d80ae127f3f681f6a5df7", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1722214420, - "narHash": "sha256-qfHC1p5hcErGcE672/KhBkyWYloekQpqIxtcbcUVYkA=", + "lastModified": 1725843519, + "narHash": "sha256-Z6DglUwgFDz6fIvQ89wx/uBVWrGvEGECq0Ypyk/eigE=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "75cbb2a5e19c18840d105a72d036c6c92fc46c5d", + "rev": "214efbd73241d72a8f48b8b9a73bb54895cd51a7", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722621932, - "narHash": "sha256-Uz5xeHsH7+qZVncZwfzGd+CTjxd0mwaP7Q/pbs7OB5c=", + "lastModified": 1725930920, + "narHash": "sha256-RVhD9hnlTT2nJzPHlAqrWqCkA7T6CYrP41IoVRkciZM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "15ed5d4537fd46399513bb040bf98415c825281b", + "rev": "44a71ff39c182edaf25a7ace5c9454e7cba2c658", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1722719323, - "narHash": "sha256-1O9VQB7WD1NKBz9maYGJAU0EqoajEYQSiSlrjdKWz8s=", + "lastModified": 1725982370, + "narHash": "sha256-SYyrZjFpB9oX+UZYfxigIzmZhqVk5OT9xhSsu8wP4mA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7f9ed2e65a92f1496daa9ab73539a9d02c2454b3", + "rev": "c711a6c3032741bd1384ac057b43b55989c63e72", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1722685361, - "narHash": "sha256-6Zn2SVJYffCtenHEHsb2PmzQsX5+cRsforNJZmlK630=", + "lastModified": 1725946965, + "narHash": "sha256-tt4Z99aNEuqEERF4H1TZ1t6GH/nU8A869mtgGVZIdfE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6602aa2586f35fc8c6c46246a1dcac6940ca3f0f", + "rev": "28e9b6d60ffd048dbbfbce525f8ab5bd726a22c3", "type": "github" }, "original": { From 270222e714dca94b0a7c28c81564a9dc5b9e8aa8 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 357/386] Update mastodon to 4.2.12 and element-web to 1.11.77 --- config/hosts/mastodon/mastodon.nix | 4 ++-- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 9abd69d..7146635 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.10"; + version = "4.2.12"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-z3veI0CpZk6mBgygqXk8SN/5WWjy5VkKLxC7nOLnyZE="; + sha256 = "sha256-q+j7zHJrIUOumJfk4w5BVu7eTUa1AjI5ho8XoOA2uJU="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 8fe843c..c2d71d6 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.72"; + elementWebVersion = "1.11.77"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-3pa4OVHBWZvHLsnE2JK5+sVpOXBKO5yJSQJNJokdF98="; + sha256 = "sha256-O5Dt54fBoKalaeevBn7px/06Kiuhf6mvogLk4Bvvnrg="; }; elementWebSecurityHeaders = '' # Configuration best practices From 5a7bea1df2b67a6cc5165355a17e589da33bed7b Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 358/386] Set matrix m.authentication well-known entries --- config/hosts/web-public-2/virtualHosts/nekover.se.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 7c95ec5..6d1643a 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -16,7 +16,7 @@ ''; }; locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}}'"; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"m.authentication\": {\"issuer\": \"https://id.nekover.se\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'"; extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; From 79c7a1b0afa8d7bbac31c4058a1109f49721b6ff Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 359/386] Setup oidc for elementx --- config/hosts/web-public-2/virtualHosts/nekover.se.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 6d1643a..08a61ea 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix 
@@ -16,7 +16,7 @@ ''; }; locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"m.authentication\": {\"issuer\": \"https://id.nekover.se\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'"; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'"; extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; From 02f2e5b402486eb1c94a0108a303d768b726a9ae Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 360/386] Update mastodon to 4.2.13 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 7146635..0c511e9 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -6,12 +6,12 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.12"; + version = "4.2.13"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-q+j7zHJrIUOumJfk4w5BVu7eTUa1AjI5ho8XoOA2uJU="; + sha256 = "sha256-+HGu02fjYJ1x6Tk9AdqmFN7JHk3UnlvCdiQ/5yMu69M="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" From e9e581cf09218e57b2600d1d735af8cb6393a280 Mon Sep 17 00:00:00 2001 
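Review bot: The `return` value is a hand-escaped JSON document inside a Nix string inside an nginx single-quoted literal, and this commit (like the `m.authentication` hunk in the preceding one) edits it by counting backslashes; building it with `builtins.toJSON`, as `services.nix` already does for the wireguard config, removes the escaping and makes the next key addition a one-line change. The interpolated output contains only double quotes, so it is safe inside nginx's `'…'` literal. The enclosing `locations` block continues outside the hunk, so the fence shows only the rewritten attribute.
```nix
    locations."/.well-known/matrix/client" = {
      return = "200 '${builtins.toJSON {
        "m.homeserver".base_url = "https://matrix.nekover.se";
        "m.identity_server".base_url = "https://vector.im";
        "org.matrix.msc3575.proxy".url = "https://matrix.nekover.se";
        "org.matrix.msc2965.authentication" = {
          issuer = "https://id.nekover.se/realms/nekoverse";
          account = "https://id.nekover.se/realms/nekoverse/account/";
        };
      }}'";
      # … unchanged: extraConfig with default_type / add_header …
```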
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 361/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/214efbd73241d72a8f48b8b9a73bb54895cd51a7' (2024-09-09) → 'github:nix-community/nixos-generators/9ae128172f823956e54947fe471bc6dfa670ecb4' (2024-10-03) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/68584f89dd0eb16fea5d80ae127f3f681f6a5df7' (2024-09-08) → 'github:nix-community/nixpkgs.lib/bb58a3bf239e03fca9d51062e2fe028a4ea5a3d1' (2024-09-29) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/44a71ff39c182edaf25a7ace5c9454e7cba2c658' (2024-09-10) → 'github:NixOS/nixpkgs/0799dfba72420acad00f6c6b643e42f14589da6f' (2024-10-03) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/c711a6c3032741bd1384ac057b43b55989c63e72' (2024-09-10) → 'github:NixOS/nixpkgs/f8dd10da7e5eb9627059b29f1f2f4a0a0fd8351a' (2024-10-04) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/28e9b6d60ffd048dbbfbce525f8ab5bd726a22c3' (2024-09-10) → 'github:NixOS/nixpkgs/7f8bae4f304f2b6e60466ce1d562f4af258a4c79' (2024-10-04) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 2f0f2cc..9652cd3 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1725757153, - "narHash": "sha256-c1a6iLmCVPFI9EUVMrBN8xdmFxFXEjcVwiTSVmqajOs=", + "lastModified": 1727571693, + "narHash": "sha256-b7sFVeqMtz8xntCL3tBY3O8suTg5PeF53LTL3eCcKyc=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "68584f89dd0eb16fea5d80ae127f3f681f6a5df7", + "rev": "bb58a3bf239e03fca9d51062e2fe028a4ea5a3d1", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1725843519, - "narHash": "sha256-Z6DglUwgFDz6fIvQ89wx/uBVWrGvEGECq0Ypyk/eigE=", + "lastModified": 1727917377, + "narHash": "sha256-eefXdEPUMuhiV6Vy3ASSyApCseE9OoKDgL/G6qenw/4=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "214efbd73241d72a8f48b8b9a73bb54895cd51a7", + "rev": "9ae128172f823956e54947fe471bc6dfa670ecb4", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1725930920, - "narHash": "sha256-RVhD9hnlTT2nJzPHlAqrWqCkA7T6CYrP41IoVRkciZM=", + "lastModified": 1727985947, + "narHash": "sha256-LVnuk1974/hdzbs6CQS75NDwJZwhpRy9JryKX5SLQ0k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "44a71ff39c182edaf25a7ace5c9454e7cba2c658", + "rev": "0799dfba72420acad00f6c6b643e42f14589da6f", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1725982370, - "narHash": "sha256-SYyrZjFpB9oX+UZYfxigIzmZhqVk5OT9xhSsu8wP4mA=", + "lastModified": 1728050621, + "narHash": "sha256-z0bIPB1EkMDwCGg8PubWpleO5zsDrhCKTJhFu8k1DS4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c711a6c3032741bd1384ac057b43b55989c63e72", + "rev": "f8dd10da7e5eb9627059b29f1f2f4a0a0fd8351a", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1725946965, - "narHash": "sha256-tt4Z99aNEuqEERF4H1TZ1t6GH/nU8A869mtgGVZIdfE=", + "lastModified": 1728011170, + "narHash": "sha256-L/U/OCeiQCFG2Gg8IQaj1KB4lwoNXkvyjPYLxy9swy0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "28e9b6d60ffd048dbbfbce525f8ab5bd726a22c3", + "rev": "7f8bae4f304f2b6e60466ce1d562f4af258a4c79", "type": "github" }, "original": { From 73ee01aec0ef5f1ef7827a53b02f37fe5f9e2932 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 362/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/0799dfba72420acad00f6c6b643e42f14589da6f' (2024-10-03) → 'github:NixOS/nixpkgs/7886208f96bdd147662b47aa4432c013034bb02c' (2024-10-05) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/f8dd10da7e5eb9627059b29f1f2f4a0a0fd8351a' (2024-10-04) → 'github:NixOS/nixpkgs/ffec6dc98b42578b2cfea9b71e118228c46367a4' (2024-10-05) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/7f8bae4f304f2b6e60466ce1d562f4af258a4c79' (2024-10-04) → 'github:NixOS/nixpkgs/d5f1752ca905354f763f2fab62e6139310b5ce91' (2024-10-04) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 9652cd3..f175878 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1727985947, - "narHash": "sha256-LVnuk1974/hdzbs6CQS75NDwJZwhpRy9JryKX5SLQ0k=", + "lastModified": 1728121536, + "narHash": "sha256-9Sp+r9kK3l194lFZdF1s7AghothogNI/xTAduJd6zNI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0799dfba72420acad00f6c6b643e42f14589da6f", + "rev": "7886208f96bdd147662b47aa4432c013034bb02c", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1728050621, - "narHash": "sha256-z0bIPB1EkMDwCGg8PubWpleO5zsDrhCKTJhFu8k1DS4=", + "lastModified": 1728140783, + "narHash": "sha256-T5BHSQd388PZEKANzSYFTFFwIZx7EBCnwnLP4oRNqwo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f8dd10da7e5eb9627059b29f1f2f4a0a0fd8351a", + "rev": "ffec6dc98b42578b2cfea9b71e118228c46367a4", "type": "github" }, "original": { 
@@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1728011170, - "narHash": "sha256-L/U/OCeiQCFG2Gg8IQaj1KB4lwoNXkvyjPYLxy9swy0=", + "lastModified": 1728055773, + "narHash": "sha256-Fih2RMPboL+nuY7IEp3ujaCjLXLgFfoDQf+CT/GJdok=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7f8bae4f304f2b6e60466ce1d562f4af258a4c79", + "rev": "d5f1752ca905354f763f2fab62e6139310b5ce91", "type": "github" }, "original": { From 6835686e87ad9eacd8d2c319ec81da7c80ca4fe3 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 363/386] Update mastodon to v4.3.1 --- config/hosts/mastodon/mastodon.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 0c511e9..c4536eb 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -2,24 +2,24 @@ let mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; - hash = "sha256-Fcbuj5BGkQd3X/gViqqB+NRIvjUlUED32tNEJrzYh5o="; + hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU="; }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.2.13"; + version = "4.3.1"; srcOverride = final.applyPatches { src = final.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-+HGu02fjYJ1x6Tk9AdqmFN7JHk3UnlvCdiQ/5yMu69M="; + sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4="; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch" - "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch" - "${mastodonNekoversePatches}/patches/006_increase_profile_limits.patch" - "${mastodonNekoversePatches}/patches/007_increase_toot_character_limit.patch" + "${mastodonNekoversePatches}/patches/004_improve_custom_emoji_support.patch" + "${mastodonNekoversePatches}/patches/005_increase_profile_limits.patch" + "${mastodonNekoversePatches}/patches/006_increase_toot_character_limit.patch" ]; }; yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; From 06f155e6ce2dd2dd0fe53f4f8517ca3bbe2d4c90 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 364/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/9ae128172f823956e54947fe471bc6dfa670ecb4?narHash=sha256-eefXdEPUMuhiV6Vy3ASSyApCseE9OoKDgL/G6qenw/4%3D' (2024-10-03) → 'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565?narHash=sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg%3D' (2024-10-21) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/bb58a3bf239e03fca9d51062e2fe028a4ea5a3d1?narHash=sha256-b7sFVeqMtz8xntCL3tBY3O8suTg5PeF53LTL3eCcKyc%3D' (2024-09-29) → 'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e?narHash=sha256-hUP9oxmnOmNnKcDOf5Y55HQ%2BNnoT0%2BbLWHLQWLLw9Ks%3D' (2024-10-20) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/7886208f96bdd147662b47aa4432c013034bb02c?narHash=sha256-9Sp%2Br9kK3l194lFZdF1s7AghothogNI/xTAduJd6zNI%3D' (2024-10-05) → 'github:NixOS/nixpkgs/dd6d18bf8d291daca03a444973bd4f9aa5c1f681?narHash=sha256-O2/v/ocUL0KsACqEIK5eD5XeX46duRIgKdOu6uCKarw%3D' (2024-10-28) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/ffec6dc98b42578b2cfea9b71e118228c46367a4?narHash=sha256-T5BHSQd388PZEKANzSYFTFFwIZx7EBCnwnLP4oRNqwo%3D' (2024-10-05) → 'github:NixOS/nixpkgs/ec7caabec9679b1a9008e0cbcfa4b14a2b600774?narHash=sha256-WPGVR8NW9ctqwLMtYV23b94ExQulTFoTKqD21WI3fbg%3D' (2024-10-29) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/d5f1752ca905354f763f2fab62e6139310b5ce91?narHash=sha256-Fih2RMPboL%2BnuY7IEp3ujaCjLXLgFfoDQf%2BCT/GJdok%3D' (2024-10-04) → 'github:NixOS/nixpkgs/75e28c029ef2605f9841e0baa335d70065fe7ae2?narHash=sha256-P8wF4ag6Srmpb/gwskYpnIsnspbjZlRvu47iN527ABQ%3D' (2024-10-28) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/flake.lock b/flake.lock index f175878..4534930 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1727571693, - "narHash": "sha256-b7sFVeqMtz8xntCL3tBY3O8suTg5PeF53LTL3eCcKyc=", + "lastModified": 1729386149, + "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "bb58a3bf239e03fca9d51062e2fe028a4ea5a3d1", + "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1727917377, - "narHash": "sha256-eefXdEPUMuhiV6Vy3ASSyApCseE9OoKDgL/G6qenw/4=", + "lastModified": 1729472750, + "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "9ae128172f823956e54947fe471bc6dfa670ecb4", + "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1728121536, - "narHash": "sha256-9Sp+r9kK3l194lFZdF1s7AghothogNI/xTAduJd6zNI=", + "lastModified": 1730142757, + "narHash": "sha256-O2/v/ocUL0KsACqEIK5eD5XeX46duRIgKdOu6uCKarw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7886208f96bdd147662b47aa4432c013034bb02c", + "rev": "dd6d18bf8d291daca03a444973bd4f9aa5c1f681", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1728140783, - "narHash": "sha256-T5BHSQd388PZEKANzSYFTFFwIZx7EBCnwnLP4oRNqwo=", + "lastModified": 1730209337, + "narHash": "sha256-WPGVR8NW9ctqwLMtYV23b94ExQulTFoTKqD21WI3fbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ffec6dc98b42578b2cfea9b71e118228c46367a4", + "rev": "ec7caabec9679b1a9008e0cbcfa4b14a2b600774", "type": "github" }, "original": { 
@@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1728055773, - "narHash": "sha256-Fih2RMPboL+nuY7IEp3ujaCjLXLgFfoDQf+CT/GJdok=", + "lastModified": 1730157240, + "narHash": "sha256-P8wF4ag6Srmpb/gwskYpnIsnspbjZlRvu47iN527ABQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d5f1752ca905354f763f2fab62e6139310b5ce91", + "rev": "75e28c029ef2605f9841e0baa335d70065fe7ae2", "type": "github" }, "original": { From db20161b8030c293e6e1424685595747561d50ae Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 365/386] Update mastodon yarn hash --- config/hosts/mastodon/mastodon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index c4536eb..4bd22c2 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -22,7 +22,7 @@ let "${mastodonNekoversePatches}/patches/006_increase_toot_character_limit.patch" ]; }; - yarnHash = "sha256-qoLesubmSvRsXhKwMEWHHXcpcqRszqcdZgHQqnTpNPE="; + yarnHash = "sha256-e5c04M6XplAgaVyldU5HmYMYtY3MAWs+a8Z/BGSyGBg="; }); }; pkgs-overlay = nixpkgs-unstable.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; From 82fc222a7545ae0fcb9f772064b38ada1f971c6f Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 366/386] Add mastodon active record encryption secrets --- config/hosts/mastodon/mastodon.nix | 3 +++ config/hosts/mastodon/secrets.nix | 24 ++++++++++++++++++++++++ hosts.nix | 1 + 3 files changed, 28 insertions(+) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 4bd22c2..b895735 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -46,6 +46,9 @@ in fromAddress = "Nekoverse "; }; streamingProcesses = 3; + activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret"; + activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret"; + activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret"; extraConfig = { SMTP_TLS = "true"; ES_PRESET = "single_node_cluster"; diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index f1f9457..950498d 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix @@ -41,5 +41,29 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "mastodon-active-record-encryption-primary-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-primary-key" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-active-record-encryption-key-derivation-salt.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-key-derivation-salt" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-active-record-encryption-deterministic-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-deterministic-key" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/hosts.nix b/hosts.nix index 5de4e6f..363f377 100644 --- a/hosts.nix +++ b/hosts.nix @@ -65,6 +65,7 @@ in environment = "proxmox"; }; mastodon = { + hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; From e48cd858d890c79d62b4bdf933b0c75815223559 Mon Sep 17 00:00:00 2001 
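Review bot: The three new secret entries in the `secrets.nix` hunk are verbatim copies of each other differing only in the pass path, and nothing records that the Active Record encryption keys cannot be rotated or regenerated without re-encrypting the data already written with them. A small helper such as `mkMastodonSecret = name: { keyCommand = keyCommandEnv ++ [ "pass" "mastodon/${name}" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; permissions = "0640"; uploadAt = "pre-activation"; };` applied to the three names would shrink the block and keep the permission policy in one place. Above the `activeRecordEncryption*File` lines in `mastodon.nix` I would add `# generated once; losing or changing these keys makes existing encrypted columns unreadable — back up the pass entries`. The enclosing `services.mastodon` attribute set starts and ends outside that hunk.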
From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 367/386] Add Tangerine-UI to mastodon --- config/hosts/mastodon/mastodon.nix | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index b895735..ed168ff 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -1,5 +1,10 @@ -{ pkgs, nixpkgs-unstable, ... }: +{ pkgs, ... }: let + tangerineUI = pkgs.fetchgit { + url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; + rev = "v2.2"; + hash = "sha256-KyXDnpZh1DrY59jvdU42UicgBVvEGtvAGeU1mNxJauQ="; + }; mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU="; @@ -8,10 +13,21 @@ let mastodon = (prev.mastodon.override rec { version = "4.3.1"; srcOverride = final.applyPatches { - src = final.fetchgit { - url = "https://github.com/mastodon/mastodon.git"; - rev = "v${version}"; - sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4="; + src = pkgs.stdenv.mkDerivation { + name = "mastodonWithThemes"; + src = pkgs.fetchgit { + url = "https://github.com/mastodon/mastodon.git"; + rev = "v${version}"; + sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4="; + }; + installPhase = '' + cp -r ./ $out/ + cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/ + echo "tangerineui: styles/tangerineui.scss + tangerineui-purple: styles/tangerineui-purple.scss + tangerineui-cherry: styles/tangerineui-cherry.scss + tangerineui-lagoon: styles/tangerineui-lagoon.scss" >> $out/config/themes.yml + ''; }; patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" 
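Review bot: Inside `mastodonNekoverseOverlay` the new `src` reaches for `pkgs.stdenv.mkDerivation` and `pkgs.fetchgit`, replacing the `final.fetchgit` the hunk removes; overlay code should take these from `final` so that later overlays and the `pkgs.extend` call compose instead of being bypassed. The wrapper derivation also runs the full stdenv phase list over a copied source tree, and the default fixup likely rewrites shebangs under `$out/bin` and strips binaries before `applyPatches` sees the tree, so `dontBuild = true;` and `dontFixup = true;` would document that this is only an assembly step and keep the tree pristine. `name = "mastodonWithThemes"` drops the version that the surrounding `rec` already has; `name = "mastodon-with-themes-${version}";` keeps the store path self-describing. The `mastodon.override` expression starts and ends outside the hunk.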
@@ -25,7 +41,7 @@ let yarnHash = "sha256-e5c04M6XplAgaVyldU5HmYMYtY3MAWs+a8Z/BGSyGBg="; }); }; - pkgs-overlay = nixpkgs-unstable.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; + pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { From a474c73ac08d8351870c5c6cfdd4b5246e795e67 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Nov 2024 05:46:41 +0100 Subject: [PATCH 368/386] Configure fedifetcher for mastodon --- .../containers/fedifetcher/default.nix | 23 ++++++++++ .../containers/fedifetcher/fedifetcher.nix | 42 +++++++++++++++++++ config/hosts/mastodon/default.nix | 1 + config/hosts/mastodon/secrets.nix | 8 ++++ 4 files changed, 74 insertions(+) create mode 100644 config/hosts/mastodon/containers/fedifetcher/default.nix create mode 100644 config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix diff --git a/config/hosts/mastodon/containers/fedifetcher/default.nix b/config/hosts/mastodon/containers/fedifetcher/default.nix new file mode 100644 index 0000000..3f2617e --- /dev/null +++ b/config/hosts/mastodon/containers/fedifetcher/default.nix @@ -0,0 +1,23 @@ +{ nixpkgs-unstable, ... }: +{ + containers.fedifetcher = { + nixpkgs = nixpkgs-unstable; + autoStart = true; + + bindMounts = { + "/secrets" = { + hostPath = "/secrets-fedifetcher"; + isReadOnly = true; + }; + }; + + config = { ... }: { + imports = [ + ./fedifetcher.nix + ]; + + networking.useHostResolvConf = true; + system.stateVersion = "24.05"; + }; + }; +} diff --git a/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix new file mode 100644 index 0000000..7194c25 --- /dev/null +++ b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix 
@@ -0,0 +1,42 @@
+{ pkgs, lib, ... }:
+{
+ # config copied from https://github.com/arachnist/nibylandia/blob/main/nixos/zorigami/default.nix
+ systemd.services.fedifetcher = {
+ path = [ pkgs.fedifetcher ];
+ description = "fetch fedi posts";
+ script = ''
+ fedifetcher
+ '';
+ environment = lib.mapAttrs' (n: v:
+ (lib.nameValuePair ("ff_" + builtins.replaceStrings [ "-" ] [ "_" ] n)
+ (builtins.toString v))) {
+ server = "social.nekover.se";
+ state-dir = "/var/lib/fedifetcher";
+ lock-file = "/run/fedifetcher/fedifetcher.lock";
+ from-lists = 1;
+ from-notifications = 1;
+ max-bookmarks = 80;
+ max-favourites = 40;
+ max-follow-requests = 80;
+ max-followers = 80;
+ max-followings = 80;
+ remember-hosts-for-days = 30;
+ remember-users-for-hours = 168;
+ reply-interval-in-hours = 2;
+ };
+ serviceConfig = {
+ DynamicUser = true;
+ User = "fedifetcher";
+ RuntimeDirectory = "fedifetcher";
+ RuntimeDirectoryPreserve = true;
+ StateDirectory = "fedifetcher";
+ UMask = "0077";
+ EnvironmentFile = [ "/secrets/mastodon-fedifetcher-access-token.secret" ];
+ };
+ };
+
+ systemd.timers.fedifetcher = {
+ wantedBy = [ "multi-user.target" ];
+ timerConfig = { OnCalendar = "*:0/5"; };
+ };
+}
diff --git a/config/hosts/mastodon/default.nix b/config/hosts/mastodon/default.nix
index 5651eb8..dc52ff4 100644
--- a/config/hosts/mastodon/default.nix
+++ b/config/hosts/mastodon/default.nix
@@ -5,5 +5,6 @@
 ./mastodon.nix
 ./opensearch.nix
 ./nginx.nix
+ ./containers/fedifetcher
 ];
 }
diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix
index 950498d..1389353 100644
--- a/config/hosts/mastodon/secrets.nix
+++ b/config/hosts/mastodon/secrets.nix
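Review bot: `serviceConfig` relies on `DynamicUser` alone for confinement; that already implies `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp` and `NoNewPrivileges`, but a fetcher that only needs outbound HTTP plus its own state and runtime directories can also drop capabilities and narrow syscalls, e.g. `CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; SystemCallFilter = [ "@system-service" ];`, which bounds what a compromised or misbehaving fedifetcher can reach. The access token arrives via `EnvironmentFile`, which systemd reads before switching to the dynamic user, so the root-owned 0640 file uploaded in this patch's `secrets.nix` hunk works as is; a comment on that line, `# read by systemd as root before the DynamicUser switch; file may stay root:root`, prevents a well-meant permission "fix" later. `User = "fedifetcher"` together with `DynamicUser = true` only names the transient user, which is fine, and the `# config copied from` provenance note is worth keeping.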
@@ -65,5 +65,13 @@
 permissions = "0640";
 uploadAt = "pre-activation";
 };
+ "mastodon-fedifetcher-access-token.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mastodon/fedifetcher-access-token" ];
+ destDir = "/secrets-fedifetcher";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
 };
 }
From 0ef33f3f082c2d496c433052c045431167a94502 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 369/386] Add gameserver-node-1 host
---
 config/hosts/gameserver-node-1/configuration.nix | 13 +++++++++++++
 config/hosts/gameserver-node-1/default.nix | 6 ++++++
 flake.nix | 3 ++-
 hosts.nix | 7 ++++---
 4 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 config/hosts/gameserver-node-1/configuration.nix
 create mode 100644 config/hosts/gameserver-node-1/default.nix
diff --git a/config/hosts/gameserver-node-1/configuration.nix b/config/hosts/gameserver-node-1/configuration.nix
new file mode 100644
index 0000000..94a60e2
--- /dev/null
+++ b/config/hosts/gameserver-node-1/configuration.nix
@@ -0,0 +1,13 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "gameserver-node-1";
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/gameserver-node-1/default.nix b/config/hosts/gameserver-node-1/default.nix
new file mode 100644
index 0000000..0167962
--- /dev/null
+++ b/config/hosts/gameserver-node-1/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ];
+}
diff --git a/flake.nix b/flake.nix
index 5cf2232..326b07b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,9 +8,10 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
+ pterodactyl.url = "git+https://git.nekover.se/fi/pterodactyl.git";
 };
- outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs:
+ outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, pterodactyl, ... }@inputs:
 let
 hosts = import ./hosts.nix inputs;
 helper = import ./helper.nix inputs;
diff --git a/hosts.nix b/hosts.nix
index 363f377..61073ff 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -26,9 +26,10 @@ let
 }) hosts;
 in
 generateDefaults {
- #fee = {
- # site = "wg";
- #};
+ gameserver-node-1 = {
+ site = "vs";
+ environment = "proxmox";
+ };
 hydra = {
 site = "vs";
 environment = "proxmox";
From 211eb736251e5849e94b95ca61dc37245c6a0e50 Mon Sep 17 00:00:00 2001
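Review bot: The new `pterodactyl` input is a bare `git+https` URL with no `ref` or `rev`, so `nix flake update` follows whatever the remote's default branch points to at that moment; the lock file's `rev`/`narHash` is what actually pins builds, but this input later supplies a NixOS module (`pterodactyl.nixosModules.pterodactyl-wings`) that ends up defining part of the gameserver host's system configuration, so every lock bump of it deserves a look at the upstream diff. Pinning `?ref=` in the URL (or `?rev=` for a self-hosted dependency you control) plus a short comment, `# self-hosted wings module/package; review the rev diff on each lock update`, documents the trust decision. The `hosts.nix` hunk below only swaps the commented-out `fee` entry for `gameserver-node-1`.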
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 370/386] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixpkgs': 'github:NixOS/nixpkgs/dd6d18bf8d291daca03a444973bd4f9aa5c1f681?narHash=sha256-O2/v/ocUL0KsACqEIK5eD5XeX46duRIgKdOu6uCKarw%3D' (2024-10-28) → 'github:NixOS/nixpkgs/c128e44a249d6180740d0a979b6480d5b795c013?narHash=sha256-i85DPrhDuvzgvIWCpJlbfM2UFtNYbapo20MtQXsvay4%3D' (2024-11-06)
• Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/ec7caabec9679b1a9008e0cbcfa4b14a2b600774?narHash=sha256-WPGVR8NW9ctqwLMtYV23b94ExQulTFoTKqD21WI3fbg%3D' (2024-10-29) → 'github:NixOS/nixpkgs/a40c3f1a5a8d3fa81fc4edc9dfa4719f8908b1d8?narHash=sha256-JTpBZcKpiz0/Fm5saVrTdPRsywNlBFz5pSdwMaVKwH8%3D' (2024-11-06)
• Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/75e28c029ef2605f9841e0baa335d70065fe7ae2?narHash=sha256-P8wF4ag6Srmpb/gwskYpnIsnspbjZlRvu47iN527ABQ%3D' (2024-10-28) → 'github:NixOS/nixpkgs/1c07b97d2d4302baca8c61fa2d0d4632427972a7?narHash=sha256-OrCMJZ8qZftRplhoB%2BBksvoPLBOZQpH8mnACgPKNuMc%3D' (2024-11-06)
• Added input 'pterodactyl': 'git+https://git.nekover.se/fi/pterodactyl.git?ref=refs/heads/main&rev=67dbbc01133790a3a1e892cc4cb147413f5238ee' (2024-10-29)
• Added input 'pterodactyl/nixpkgs': 'github:NixOS/nixpkgs/ccc0c2126893dd20963580b6478d1a10a4512185?narHash=sha256-4HQI%2B6LsO3kpWTYuVGIzhJs1cetFcwT7quWCk/6rqeo%3D' (2024-10-18)
---
 .../hosts/gameserver-node-1/configuration.nix | 15 ++++-
 flake.lock | 55 +++++++++++++++----
 flake.nix | 6 +-
 3 files changed, 63 insertions(+), 13 deletions(-)
diff --git a/config/hosts/gameserver-node-1/configuration.nix b/config/hosts/gameserver-node-1/configuration.nix
index 94a60e2..a16800f 100644
--- a/config/hosts/gameserver-node-1/configuration.nix
+++ b/config/hosts/gameserver-node-1/configuration.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ pterodactyl, ... }:
 {
 boot.loader.grub = {
 enable = true;
@@ -9,5 +9,18 @@
 hostName = "gameserver-node-1";
 };
+ environment.systemPackages = [
+ pterodactyl.packages."x86_64-linux".pterodactyl-wings
+ ];
+
+ imports = [
+ pterodactyl.nixosModules.pterodactyl-wings
+ ];
+
+ services.wings = {
+ enable = true;
+ configuration = "";
+ };
+
 system.stateVersion = "24.05";
 }
diff --git a/flake.lock b/flake.lock
index 4534930..d6dfd27 100644
--- a/flake.lock
+++ b/flake.lock
@@ -70,11 +70,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1730142757,
- "narHash": "sha256-O2/v/ocUL0KsACqEIK5eD5XeX46duRIgKdOu6uCKarw=",
+ "lastModified": 1730891215,
+ "narHash": "sha256-i85DPrhDuvzgvIWCpJlbfM2UFtNYbapo20MtQXsvay4=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "dd6d18bf8d291daca03a444973bd4f9aa5c1f681",
+ "rev": "c128e44a249d6180740d0a979b6480d5b795c013",
 "type": "github"
 },
 "original": {
@@ -101,11 +101,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1730209337,
- "narHash": "sha256-WPGVR8NW9ctqwLMtYV23b94ExQulTFoTKqD21WI3fbg=",
+ "lastModified": 1730906268,
+ "narHash": "sha256-JTpBZcKpiz0/Fm5saVrTdPRsywNlBFz5pSdwMaVKwH8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "ec7caabec9679b1a9008e0cbcfa4b14a2b600774",
+ "rev": "a40c3f1a5a8d3fa81fc4edc9dfa4719f8908b1d8",
 "type": "github"
 },
 "original": {
@@ -117,11 +117,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1730157240,
- "narHash": "sha256-P8wF4ag6Srmpb/gwskYpnIsnspbjZlRvu47iN527ABQ=",
+ "lastModified": 1730902633,
+ "narHash": "sha256-OrCMJZ8qZftRplhoB+BksvoPLBOZQpH8mnACgPKNuMc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "75e28c029ef2605f9841e0baa335d70065fe7ae2",
+ "rev": "1c07b97d2d4302baca8c61fa2d0d4632427972a7",
 "type": "github"
 },
 "original": {
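Review bot: `services.wings.configuration = ""` is a placeholder whose meaning is not visible here; if the option holds the wings config.yml contents, whatever is put there lands in the world-readable Nix store, and a wings configuration normally carries the panel's node token and TLS material, so it should reference a file deployed through the `keyCommand` secrets mechanism used elsewhere in this repo rather than an inline string — `# never inline: wings config carries the panel token; point at a keyCommand-deployed file` on that line. `environment.systemPackages` hard-codes `"x86_64-linux"`; `pterodactyl.packages.${pkgs.stdenv.hostPlatform.system}.pterodactyl-wings` (taking `pkgs` in the module arguments) follows the host instead. `imports` placed between ordinary options is legal but is usually kept at the top of the module; the enclosing module body starts outside the hunk.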
@@ -132,6 +132,22 @@
 }
 },
 "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1729265718,
+ "narHash": "sha256-4HQI+6LsO3kpWTYuVGIzhJs1cetFcwT7quWCk/6rqeo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "ccc0c2126893dd20963580b6478d1a10a4512185",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
 "locked": {
 "lastModified": 1717602782,
 "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
@@ -146,12 +162,31 @@
 "type": "indirect"
 }
 },
+ "pterodactyl": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_2"
+ },
+ "locked": {
+ "lastModified": 1730231313,
+ "narHash": "sha256-8UdcF5PIHWB+wV/1lt4AgXz3KYk+VQIeDxC6lxLPWno=",
+ "ref": "refs/heads/main",
+ "rev": "67dbbc01133790a3a1e892cc4cb147413f5238ee",
+ "revCount": 3,
+ "type": "git",
+ "url": "https://git.nekover.se/fi/pterodactyl.git"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://git.nekover.se/fi/pterodactyl.git"
+ }
+ },
 "root": {
 "inputs": {
 "nixos-generators": "nixos-generators",
 "nixpkgs": "nixpkgs",
 "nixpkgs-master": "nixpkgs-master",
 "nixpkgs-unstable": "nixpkgs-unstable",
+ "pterodactyl": "pterodactyl",
 "simple-nixos-mailserver": "simple-nixos-mailserver"
 }
 },
@@ -159,7 +194,7 @@
 "inputs": {
 "blobs": "blobs",
 "flake-compat": "flake-compat",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs_3",
 "nixpkgs-24_05": "nixpkgs-24_05",
 "utils": "utils"
 },
diff --git a/flake.nix b/flake.nix
index 326b07b..3aae2d8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,7 +8,9 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
- pterodactyl.url = "git+https://git.nekover.se/fi/pterodactyl.git";
+ pterodactyl = {
+ url = "git+https://git.nekover.se/fi/pterodactyl.git";
+ };
 };
 outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, pterodactyl, ... }@inputs:
@@ -29,7 +31,7 @@
 nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts;
 specialArgs = {
- inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver;
+ inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver pterodactyl;
 # Provide environment for secret key command
 keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ];
From 7d6aa614d120558d148b147af82be6d686ed79aa Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 371/386]  flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/a40c3f1a5a8d3fa81fc4edc9dfa4719f8908b1d8?narHash=sha256-JTpBZcKpiz0/Fm5saVrTdPRsywNlBFz5pSdwMaVKwH8%3D' (2024-11-06) → 'github:NixOS/nixpkgs/d4d2ec47f6fd0eb521f1d14a34c811e1f514de89?narHash=sha256-MP5UtDIWS4KbtM90Ho33UF1RUjQTGbw/ub8JJZuToMg%3D' (2024-11-06)
• Updated input 'pterodactyl': 'git+https://git.nekover.se/fi/pterodactyl.git?ref=refs/heads/main&rev=67dbbc01133790a3a1e892cc4cb147413f5238ee' (2024-10-29) → 'git+https://git.nekover.se/fi/pterodactyl.git?ref=refs/heads/main&rev=49d7a9adeb44a295f48cd84d8e7c638ef4be703d' (2024-11-06)
---
 flake.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/flake.lock b/flake.lock
index d6dfd27..d0db56d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -101,11 +101,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1730906268,
- "narHash": "sha256-JTpBZcKpiz0/Fm5saVrTdPRsywNlBFz5pSdwMaVKwH8=",
+ "lastModified": 1730913978,
+ "narHash": "sha256-MP5UtDIWS4KbtM90Ho33UF1RUjQTGbw/ub8JJZuToMg=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a40c3f1a5a8d3fa81fc4edc9dfa4719f8908b1d8",
+ "rev": "d4d2ec47f6fd0eb521f1d14a34c811e1f514de89",
 "type": "github"
 },
 "original": {
@@ -167,10 +167,10 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1730231313,
- "narHash": "sha256-8UdcF5PIHWB+wV/1lt4AgXz3KYk+VQIeDxC6lxLPWno=",
+ "lastModified": 1730914419,
+ "narHash": "sha256-S4st1khiOPeCZ0EduaTGKmBUdG97xRku25DUaZ/EIlY=",
 "ref": "refs/heads/main",
- "rev": "67dbbc01133790a3a1e892cc4cb147413f5238ee",
+ "rev": "49d7a9adeb44a295f48cd84d8e7c638ef4be703d",
 "revCount": 3,
 "type": "git",
 "url": "https://git.nekover.se/fi/pterodactyl.git"
From d271c56bcdf24078ab2a25c5d01c1fbf093a16a9 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 372/386] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'pterodactyl': 'git+https://git.nekover.se/fi/pterodactyl.git?ref=refs/heads/main&rev=49d7a9adeb44a295f48cd84d8e7c638ef4be703d' (2024-11-06) → 'git+https://git.nekover.se/fi/pterodactyl.git?ref=refs/heads/main&rev=c155ae111fb75532b6e8ac7dd7de538f23b51a95' (2024-11-06)
---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index d0db56d..5fc24f6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -167,10 +167,10 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1730914419,
- "narHash": "sha256-S4st1khiOPeCZ0EduaTGKmBUdG97xRku25DUaZ/EIlY=",
+ "lastModified": 1730914761,
+ "narHash": "sha256-j2lruhf2JDagLMiwHAxagXXJUbK0pOHpEWIvLRkHU6A=",
 "ref": "refs/heads/main",
- "rev": "49d7a9adeb44a295f48cd84d8e7c638ef4be703d",
+ "rev": "c155ae111fb75532b6e8ac7dd7de538f23b51a95",
 "revCount": 3,
 "type": "git",
 "url": "https://git.nekover.se/fi/pterodactyl.git"
From 9a5303fbb836b07588e0c43eb50c7084e5ebd88e Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 373/386] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/d4d2ec47f6fd0eb521f1d14a34c811e1f514de89?narHash=sha256-MP5UtDIWS4KbtM90Ho33UF1RUjQTGbw/ub8JJZuToMg%3D' (2024-11-06) → 'github:NixOS/nixpkgs/7cf19f381114cfbd5f1347848efcbf34aec73066?narHash=sha256-kOAok3imaFaor4jCFcpM16h/epnhsMp1TbzGfRF2xfk%3D' (2024-11-06)
• Updated input 'pterodactyl': 'git+https://git.nekover.se/fi/pterodactyl.git?ref=refs/heads/main&rev=c155ae111fb75532b6e8ac7dd7de538f23b51a95' (2024-11-06) → 'git+https://git.nekover.se/fi/pterodactyl.git?ref=refs/heads/main&rev=ae698225308107d243f76dc45d1f6fab7ff95120' (2024-11-06)
---
 flake.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/flake.lock b/flake.lock
index 5fc24f6..0f13e21 100644
--- a/flake.lock
+++ b/flake.lock
@@ -101,11 +101,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1730913978,
- "narHash": "sha256-MP5UtDIWS4KbtM90Ho33UF1RUjQTGbw/ub8JJZuToMg=",
+ "lastModified": 1730914863,
+ "narHash": "sha256-kOAok3imaFaor4jCFcpM16h/epnhsMp1TbzGfRF2xfk=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "d4d2ec47f6fd0eb521f1d14a34c811e1f514de89",
+ "rev": "7cf19f381114cfbd5f1347848efcbf34aec73066",
 "type": "github"
 },
 "original": {
@@ -167,10 +167,10 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1730914761,
- "narHash": "sha256-j2lruhf2JDagLMiwHAxagXXJUbK0pOHpEWIvLRkHU6A=",
+ "lastModified": 1730915075,
+ "narHash": "sha256-RM/JJp1d5k1Hb4obydOUkqJpY4xSthBEGPcjh+upF0A=",
 "ref": "refs/heads/main",
- "rev": "c155ae111fb75532b6e8ac7dd7de538f23b51a95",
+ "rev": "ae698225308107d243f76dc45d1f6fab7ff95120",
 "revCount": 3,
 "type": "git",
 "url": "https://git.nekover.se/fi/pterodactyl.git"
From 2ff2752f8a5720acde343d76f240593d48548250 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 374/386] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'pterodactyl': 'git+https://git.nekover.se/fi/pterodactyl.git?ref=refs/heads/main&rev=ae698225308107d243f76dc45d1f6fab7ff95120' (2024-11-06) → 'git+https://git.nekover.se/fi/pterodactyl.git?ref=refs/heads/main&rev=1eff87119f6e48b6b1d1afef468ee4ff1aebe333' (2024-11-06)
---
 config/hosts/gameserver-node-1/configuration.nix | 8 ++++----
 flake.lock | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/config/hosts/gameserver-node-1/configuration.nix b/config/hosts/gameserver-node-1/configuration.nix
index a16800f..fcdeeae 100644
--- a/config/hosts/gameserver-node-1/configuration.nix
+++ b/config/hosts/gameserver-node-1/configuration.nix
@@ -9,16 +9,16 @@
 hostName = "gameserver-node-1";
 };
- environment.systemPackages = [
- pterodactyl.packages."x86_64-linux".pterodactyl-wings
- ];
+ #environment.systemPackages = [
+ # pterodactyl.packages."x86_64-linux".pterodactyl-wings
+ #];
 imports = [
 pterodactyl.nixosModules.pterodactyl-wings
 ];
 services.wings = {
- enable = true;
+ enable = false;
 configuration = "";
 };
diff --git a/flake.lock b/flake.lock
index 0f13e21..0da5a7b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -167,10 +167,10 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1730915075,
- "narHash": "sha256-RM/JJp1d5k1Hb4obydOUkqJpY4xSthBEGPcjh+upF0A=",
+ "lastModified": 1730915158,
+ "narHash": "sha256-qQvhHUbC5yKD6x/G0P2tvHoRf92Nd/QWB76CRnV5oyI=",
 "ref": "refs/heads/main",
- "rev": "ae698225308107d243f76dc45d1f6fab7ff95120",
+ "rev": "1eff87119f6e48b6b1d1afef468ee4ff1aebe333",
 "revCount": 3,
 "type": "git",
 "url": "https://git.nekover.se/fi/pterodactyl.git"
From 8c704c8f8b312d42863d57efd8b172339af5bfb6 Mon Sep 17 00:00:00 2001
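Review bot: Commenting out `environment.systemPackages` and flipping `enable = false` leaves dead code and a still-imported but disabled wings module in the host config, and the commit subject ("flake.lock: Update") does not mention the host change at all. If wings is not ready, either remove the block (git keeps the history) or add `# TODO(wings): disabled until <reason>` on the `enable = false` line so the next reader knows the state is deliberate rather than forgotten. The enclosing module body starts and ends outside the hunk.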
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 375/386] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixpkgs': 'github:NixOS/nixpkgs/c128e44a249d6180740d0a979b6480d5b795c013?narHash=sha256-i85DPrhDuvzgvIWCpJlbfM2UFtNYbapo20MtQXsvay4%3D' (2024-11-06) → 'github:NixOS/nixpkgs/83fb6c028368e465cd19bb127b86f971a5e41ebc?narHash=sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0%3D' (2024-11-07)
• Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/7cf19f381114cfbd5f1347848efcbf34aec73066?narHash=sha256-kOAok3imaFaor4jCFcpM16h/epnhsMp1TbzGfRF2xfk%3D' (2024-11-06) → 'github:NixOS/nixpkgs/f7516232a6bf821825c2bd114abcaec1bcd1e54d?narHash=sha256-u8U89hPPbGu627UNtd3H9/CPifDOrmsNGm2y83C9A0A%3D' (2024-11-07)
• Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/1c07b97d2d4302baca8c61fa2d0d4632427972a7?narHash=sha256-OrCMJZ8qZftRplhoB%2BBksvoPLBOZQpH8mnACgPKNuMc%3D' (2024-11-06) → 'github:NixOS/nixpkgs/3aea494127aae5d08c4c501ea4ba27e6c185b822?narHash=sha256-5R9m921OhgOUNHVIxTS8%2BjZJokkZRsH7UOecxlchqZ8%3D' (2024-11-07)
---
 flake.lock | 18 +++++++++--------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/flake.lock b/flake.lock
index 0da5a7b..3a30919 100644
--- a/flake.lock
+++ b/flake.lock
@@ -70,11 +70,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1730891215,
- "narHash": "sha256-i85DPrhDuvzgvIWCpJlbfM2UFtNYbapo20MtQXsvay4=",
+ "lastModified": 1730963269,
+ "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "c128e44a249d6180740d0a979b6480d5b795c013",
+ "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc",
 "type": "github"
 },
 "original": {
@@ -101,11 +101,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1730914863,
- "narHash": "sha256-kOAok3imaFaor4jCFcpM16h/epnhsMp1TbzGfRF2xfk=",
+ "lastModified": 1731015792,
+ "narHash": "sha256-u8U89hPPbGu627UNtd3H9/CPifDOrmsNGm2y83C9A0A=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "7cf19f381114cfbd5f1347848efcbf34aec73066",
+ "rev": "f7516232a6bf821825c2bd114abcaec1bcd1e54d",
 "type": "github"
 },
 "original": {
@@ -117,11 +117,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1730902633,
- "narHash": "sha256-OrCMJZ8qZftRplhoB+BksvoPLBOZQpH8mnACgPKNuMc=",
+ "lastModified": 1730989260,
+ "narHash": "sha256-5R9m921OhgOUNHVIxTS8+jZJokkZRsH7UOecxlchqZ8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "1c07b97d2d4302baca8c61fa2d0d4632427972a7",
+ "rev": "3aea494127aae5d08c4c501ea4ba27e6c185b822",
 "type": "github"
 },
 "original": {
From 1e34729881eb1b310f93932268c9c8bb61534a34 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 376/386] Set matrix host nixpkgs to unstable
---
 flake.nix | 2 +-
 hosts.nix | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
index 3aae2d8..1b59d82 100644
--- a/flake.nix
+++ b/flake.nix
@@ -34,7 +34,7 @@
 inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver pterodactyl;
 # Provide environment for secret key command
- keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ];
+ keyCommandEnv = [ "env" "GNUPGHOME=$HOME/.passinfra_gnupg" "PASSWORD_STORE_DIR=$HOME/pass/infra" ];
 };
 };
 } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
diff --git a/hosts.nix b/hosts.nix
index 61073ff..f954830 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -71,6 +71,7 @@ in
 environment = "proxmox";
 };
 matrix = {
+ hostNixpkgs = nixpkgs-unstable;
 site = "vs";
 environment = "proxmox";
 };
From eede43b90575d14c41b52af39617f362a07dbb51 Mon Sep 17 00:00:00 2001
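Review bot: `"GNUPGHOME=$HOME/.passinfra_gnupg"` will not be expanded: `keyCommandEnv` is an argv list handed to `env`, and unless the deploy tool runs it through a shell (nothing here says it does) gpg receives the literal string `$HOME`, so secret uploads fail or read an empty keyring; patch 381 later in this series reverts exactly this line, which suggests that is what happened. Keep the absolute path and say why with `# absolute path on purpose: keyCommand is exec'd without a shell, so $HOME is not expanded`, or derive the path from a single flake-level variable if the hard-coded home directory is the concern. The change is also unrelated to the commit subject ("Set matrix host nixpkgs to unstable") and would be easier to find in its own commit.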
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 377/386] Remove matrix sliding sync options as it is now part of matrix-synapse
---
 config/hosts/matrix/matrix-synapse.nix | 10 +---------
 config/hosts/matrix/secrets.nix | 8 --------
 2 files changed, 1 insertion(+), 17 deletions(-)
diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
index e719484..7f339bf 100644
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ ... }:
 {
 services.matrix-synapse = {
 enable = true;
@@ -55,12 +55,4 @@
 "/secrets/matrix-keycloak-client-secret.secret"
 ];
 };
-
- services.matrix-sliding-sync = {
- enable = true;
- settings = {
- SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl;
- };
- environmentFile = "/secrets/matrix-SYNCV3_SECRET.secret";
- };
 }
diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix
index 68e4771..a95309e 100644
--- a/config/hosts/matrix/secrets.nix
+++ b/config/hosts/matrix/secrets.nix
@@ -33,14 +33,6 @@
 permissions = "0640";
 uploadAt = "pre-activation";
 };
- "matrix-SYNCV3_SECRET.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "matrix/SYNCV3_SECRET" ];
- destDir = "/secrets";
- user = "matrix-synapse";
- group = "matrix-synapse";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
 "matrix-keycloak-client-secret.secret" = {
 keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ];
 destDir = "/secrets";
From 0d4e44acddd1041ad379fb9c7826aa6de06112ce Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 378/386] Switch torrent host to nixpkgs unstable since qbittorrent-nox 4.6.4 is insecure
---
 hosts.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts.nix b/hosts.nix
index f954830..2729070 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -110,6 +110,7 @@ in
 environment = "proxmox";
 };
 torrent = {
+ hostNixpkgs = nixpkgs-unstable;
 site = "vs";
 environment = "proxmox";
 };
From 0539908261211879ad3ef3339b1ef3680b3ae9a8 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 379/386] Update paperless host stateVersion to 24.05
---
 config/hosts/paperless/configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/hosts/paperless/configuration.nix b/config/hosts/paperless/configuration.nix
index 494f08c..a48164e 100644
--- a/config/hosts/paperless/configuration.nix
+++ b/config/hosts/paperless/configuration.nix
@@ -13,5 +13,5 @@
 };
 };
- system.stateVersion = "23.05";
+ system.stateVersion = "24.05";
 }
From 20bacd802eaa4b4a35fc949e9679eebdd850975d Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 380/386] Remove paperless from hosts as vm host is not online anymore
---
 hosts.nix | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/hosts.nix b/hosts.nix
index 2729070..820e5cb 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -96,10 +96,6 @@ in
 site = "vs";
 environment = "proxmox";
 };
- paperless = {
- site = "wg";
- environment = "proxmox";
- };
 coturn = {
 site = "vs";
 environment = "proxmox";
From 7125b7e15a162387fafd7cf04e3f667799f9ff8c Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Nov 2024 05:46:41 +0100
Subject: [PATCH 381/386] Format nginx matrix .well-known json
---
 .../web-public-2/virtualHosts/nekover.se.nix | 17 ++++++++++++++++-
 flake.nix | 2 +-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index 08a61ea..19a7766 100644
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@@ -16,7 +16,22 @@
 '';
 };
 locations."/.well-known/matrix/client" = {
- return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'";
+ return = "200 '
+ {
+ \"m.homeserver\": {
+ \"base_url\": \"https://matrix.nekover.se\"
+ },
+ \"m.identity_server\": {
+ \"base_url\": \"https://vector.im\"
+ },
+ \"org.matrix.msc3575.proxy\": {
+ \"url\": \"https://matrix.nekover.se\"
+ },
+ \"org.matrix.msc2965.authentication\": {
+ \"issuer\": \"https://nekover.se/\",
+ \"account\": \"https://matrix-auth.nekover.se/account\"
+ }
+ }'";
 extraConfig = ''
 default_type application/json;
 add_header Access-Control-Allow-Origin *;
diff --git a/flake.nix b/flake.nix
index 1b59d82..3aae2d8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -34,7 +34,7 @@
 inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver pterodactyl;
 # Provide environment for secret key command
- keyCommandEnv = [ "env" "GNUPGHOME=$HOME/.passinfra_gnupg" "PASSWORD_STORE_DIR=$HOME/pass/infra" ];
+ keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ];
 };
 };
 } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
From b51124c2682b51b8d0f319e068621bb130661bbf Mon Sep 17 00:00:00 2001
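Review bot: Under a subject that promises formatting only, the `org.matrix.msc2965.authentication` values change: `issuer` goes from `https://id.nekover.se/realms/nekoverse` to `https://nekover.se/` and `account` to `https://matrix-auth.nekover.se/account`. That redirects where clients are told to authenticate, so it is a functional change (and, if the issuer is wrong, a broken-login change rather than a fail-safe one) that belongs in its own commit with a subject that says so. The reformatted `return` now embeds newlines and indentation inside the nginx single-quoted string, which nginx presumably serves verbatim and which is still valid JSON; a `# served verbatim: must stay valid JSON, no bare ' inside` comment on the `return` line guards the next edit. The bundled `flake.nix` hunk reverting `keyCommandEnv` is likewise unrelated to the subject.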
From: fi
Date: Wed, 20 Nov 2024 05:50:37 +0100
Subject: [PATCH 382/386] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixos-generators': 'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565?narHash=sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg%3D' (2024-10-21) → 'github:nix-community/nixos-generators/15a87ccb45e06d24a9fd5f99a49782efe11b23f0?narHash=sha256-BJtD9NGUWaBe4OZ1JO77w8qBP9yHDJJUjsxkG/milFc%3D' (2024-11-18)
• Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e?narHash=sha256-hUP9oxmnOmNnKcDOf5Y55HQ%2BNnoT0%2BbLWHLQWLLw9Ks%3D' (2024-10-20) → 'github:nix-community/nixpkgs.lib/b9f04e3cf71c23bea21d2768051e6b3068d44734?narHash=sha256-yhEMW4MBi%2BIAyEJyiKbnFvY1uARyMKJpLUhkczI49wk%3D' (2024-11-17)
• Updated input 'nixpkgs': 'github:NixOS/nixpkgs/83fb6c028368e465cd19bb127b86f971a5e41ebc?narHash=sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0%3D' (2024-11-07) → 'github:NixOS/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682?narHash=sha256-aNc8irVBH7sM5cGDvqdOueg8S%2BfGakf0rEMRGfGwWZw%3D' (2024-11-17)
• Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/f7516232a6bf821825c2bd114abcaec1bcd1e54d?narHash=sha256-u8U89hPPbGu627UNtd3H9/CPifDOrmsNGm2y83C9A0A%3D' (2024-11-07) → 'github:NixOS/nixpkgs/5a27cc051d111db0b33537d80cc2f8b8d2e687f2?narHash=sha256-HxcMSQ0SRjKFyf0vTUuoFbmrZSHPMWwppeAGZ%2BLS4vE%3D' (2024-11-20)
• Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/3aea494127aae5d08c4c501ea4ba27e6c185b822?narHash=sha256-5R9m921OhgOUNHVIxTS8%2BjZJokkZRsH7UOecxlchqZ8%3D' (2024-11-07) → 'github:NixOS/nixpkgs/0705964c881cea8896474610188905ba41b59b08?narHash=sha256-qaWPxgLAvtIHTDcm0qJuc%2BWNYjcy4ZKigOyn2ag4ihM%3D' (2024-11-19)
---
 flake.lock | 30 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/flake.lock b/flake.lock
index 3a30919..ac44c20 100644
--- a/flake.lock
+++ b/flake.lock
@@ -34,11 +34,11 @@
 },
 "nixlib": {
 "locked": {
- "lastModified": 1729386149,
- "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+ "lastModified": 1731805462,
+ "narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+ "rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734",
 "type": "github"
 },
 "original": {
@@ -55,11 +55,11 @@
 ]
 },
 "locked": {
- "lastModified": 1729472750,
- "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+ "lastModified": 1731892054,
+ "narHash": "sha256-BJtD9NGUWaBe4OZ1JO77w8qBP9yHDJJUjsxkG/milFc=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+ "rev": "15a87ccb45e06d24a9fd5f99a49782efe11b23f0",
 "type": "github"
 },
 "original": {
@@ -70,11 +70,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1730963269,
- "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=",
+ "lastModified": 1731842749,
+ "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc",
+ "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
 "type": "github"
 },
 "original": {
@@ -101,11 +101,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1731015792,
- "narHash": "sha256-u8U89hPPbGu627UNtd3H9/CPifDOrmsNGm2y83C9A0A=",
+ "lastModified": 1732074992,
+ "narHash": "sha256-HxcMSQ0SRjKFyf0vTUuoFbmrZSHPMWwppeAGZ+LS4vE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "f7516232a6bf821825c2bd114abcaec1bcd1e54d",
+ "rev": "5a27cc051d111db0b33537d80cc2f8b8d2e687f2",
 "type": "github"
 },
 "original": {
@@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1730989260, - "narHash": "sha256-5R9m921OhgOUNHVIxTS8+jZJokkZRsH7UOecxlchqZ8=", + "lastModified": 1732007104, + "narHash": "sha256-qaWPxgLAvtIHTDcm0qJuc+WNYjcy4ZKigOyn2ag4ihM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3aea494127aae5d08c4c501ea4ba27e6c185b822", + "rev": "0705964c881cea8896474610188905ba41b59b08", "type": "github" }, "original": { From 671cdc16af02fca2570c7e754f4fe33c0c1873c4 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 21 Nov 2024 03:02:40 +0100 Subject: [PATCH 383/386] Remove currently unused hosts from hosts.nix --- hosts.nix | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/hosts.nix b/hosts.nix index 363f377..17e93a6 100644 --- a/hosts.nix +++ b/hosts.nix @@ -26,9 +26,6 @@ let }) hosts; in generateDefaults { - #fee = { - # site = "wg"; - #}; hydra = { site = "vs"; environment = "proxmox"; @@ -60,10 +57,6 @@ in site = "vs"; environment = "proxmox"; }; - mail-2 = { - site = "wg"; - environment = "proxmox"; - }; mastodon = { hostNixpkgs = nixpkgs-unstable; site = "vs"; @@ -77,11 +70,6 @@ in site = "vs"; environment = "proxmox"; }; - navidrome = { - hostNixpkgs = nixpkgs-unstable; - site = "wg"; - environment = "proxmox"; - }; netbox = { site = "vs"; environment = "proxmox"; @@ -94,10 +82,6 @@ in site = "vs"; environment = "proxmox"; }; - paperless = { - site = "wg"; - environment = "proxmox"; - }; coturn = { site = "vs"; environment = "proxmox"; @@ -119,10 +103,6 @@ in site = "af"; environment = "openstack"; }; - web-public-1 = { - site = "wg"; - environment = "proxmox"; - }; web-public-2 = { site = "vs"; environment = "proxmox"; From fffcb38240f1cd8ccfc00822e16c0c1aa4f9db44 Mon Sep 17 00:00:00 2001 
From: fi Date: Thu, 21 Nov 2024 03:05:53 +0100 Subject: [PATCH 384/386] Use qbittorrent-nox package from unstable, because stable is marked as insecure --- config/hosts/torrent/qbittorrent-nox/services.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/torrent/qbittorrent-nox/services.nix b/config/hosts/torrent/qbittorrent-nox/services.nix index 4050e15..71d22f8 100644 --- a/config/hosts/torrent/qbittorrent-nox/services.nix +++ b/config/hosts/torrent/qbittorrent-nox/services.nix @@ -2,9 +2,9 @@ # - https://github.com/NixOS/nixpkgs/issues/236736#issuecomment-1704670598 # - https://nixos.org/manual/nixos/stable/#sect-nixos-systemd-nixos -{ pkgs, ... }: +{ nixpkgs-unstable, ... }: { - systemd.packages = [ pkgs.qbittorrent-nox ]; + systemd.packages = [ nixpkgs-unstable.legacyPackages."x86_64-linux".qbittorrent-nox ]; systemd.services."qbittorrent-nox@torrent" = { overrideStrategy = "asDropin"; From cfd86a8e87e7cb4096a8c3e71ce4fb1e9533d322 Mon Sep 17 00:00:00 2001 
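Review bot: The new `systemd.packages` line hard-codes `"x86_64-linux"` as the `legacyPackages` key, so the module picks the wrong package set (or fails to evaluate) if this host config is ever built for another system; select by the host platform instead: `{ pkgs, nixpkgs-unstable, ... }:` and `systemd.packages = [ nixpkgs-unstable.legacyPackages.${pkgs.stdenv.hostPlatform.system}.qbittorrent-nox ];`. The reason for reaching into unstable lives only in the commit subject; add it next to the line so the pin is revisited once stable is fixed, e.g. `# Stable qbittorrent-nox is marked insecure in nixpkgs; pull it from unstable until a fixed version lands in stable.` Note that `legacyPackages` from the unstable flake is evaluated with default nixpkgs config, so any `nixpkgs.config` or overlays the host applies to `pkgs` do not reach this package — presumably acceptable here, but worth confirming. The attribute set opened by `{` continues past the end of the hunk.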
From: fi Date: Thu, 21 Nov 2024 03:23:50 +0100 Subject: [PATCH 385/386] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565?narHash=sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg%3D' (2024-10-21) → 'github:nix-community/nixos-generators/3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c?narHash=sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos%3D' (2024-11-21) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e?narHash=sha256-hUP9oxmnOmNnKcDOf5Y55HQ%2BNnoT0%2BbLWHLQWLLw9Ks%3D' (2024-10-20) → 'github:nix-community/nixpkgs.lib/b9f04e3cf71c23bea21d2768051e6b3068d44734?narHash=sha256-yhEMW4MBi%2BIAyEJyiKbnFvY1uARyMKJpLUhkczI49wk%3D' (2024-11-17) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/83fb6c028368e465cd19bb127b86f971a5e41ebc?narHash=sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0%3D' (2024-11-07) → 'github:NixOS/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682?narHash=sha256-aNc8irVBH7sM5cGDvqdOueg8S%2BfGakf0rEMRGfGwWZw%3D' (2024-11-17) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/b651050919c85b9131fa0d2640115ffd9266daad?narHash=sha256-YsODAqOF2xAHyK4%2BpKiS9nmGu%2BvQW%2B9kc5P7uRCirIM%3D' (2024-11-07) → 'github:NixOS/nixpkgs/516819d9b5b97ee1f461aecb4caed7aa6b769d5d?narHash=sha256-GeEhJmh0/KEQmoe4Lmsv9VC0SrQn4K9V27KbHJ0Zs/g%3D' (2024-11-21) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/0093b93ec307d42f51ced7ce90dda6c37516e98a?narHash=sha256-fhkxOv9RGEoPZNyl7VOpHf0Xoqc%2Bbu0J/uW3BSg7tOs%3D' (2024-11-07) → 'github:NixOS/nixpkgs/e35b0f3f9787cfe51f406f7dd5a4446a858bfdb2?narHash=sha256-622zKMMp0mw2a%2BfJJoVQdNmxwRGDkWsDTn5OSPK8DLk%3D' (2024-11-20) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/flake.lock b/flake.lock index 8912e2b..8e74f17 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1729386149, - "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", + "lastModified": 1731805462, + "narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e", + "rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1729472750, - "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=", + "lastModified": 1732151224, + "narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565", + "rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730963269, - "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=", + "lastModified": 1731842749, + "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc", + "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1730992357, - "narHash": "sha256-YsODAqOF2xAHyK4+pKiS9nmGu+vQW+9kc5P7uRCirIM=", + "lastModified": 1732154639, + "narHash": "sha256-GeEhJmh0/KEQmoe4Lmsv9VC0SrQn4K9V27KbHJ0Zs/g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b651050919c85b9131fa0d2640115ffd9266daad", + "rev": "516819d9b5b97ee1f461aecb4caed7aa6b769d5d", "type": "github" }, "original": { 
@@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1730945957, - "narHash": "sha256-fhkxOv9RGEoPZNyl7VOpHf0Xoqc+bu0J/uW3BSg7tOs=", + "lastModified": 1732136765, + "narHash": "sha256-622zKMMp0mw2a+fJJoVQdNmxwRGDkWsDTn5OSPK8DLk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0093b93ec307d42f51ced7ce90dda6c37516e98a", + "rev": "e35b0f3f9787cfe51f406f7dd5a4446a858bfdb2", "type": "github" }, "original": { From e3d8f98e5c571078c10ada733717bf1968665657 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 21 Nov 2024 03:25:25 +0100 Subject: [PATCH 386/386] Remove matrix sliding sync options as it is now part of matrix-synapse --- config/hosts/matrix/matrix-synapse.nix | 10 +--------- config/hosts/matrix/secrets.nix | 8 -------- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index e719484..7f339bf 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ ... }: { services.matrix-synapse = { enable = true; @@ -55,12 +55,4 @@ "/secrets/matrix-keycloak-client-secret.secret" ]; }; - - services.matrix-sliding-sync = { - enable = true; - settings = { - SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl; - }; - environmentFile = "/secrets/matrix-SYNCV3_SECRET.secret"; - }; } diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index 68e4771..a95309e 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix 
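Review bot: The second matrix-synapse.nix hunk deletes the `services.matrix-sliding-sync` block but adds nothing on the Synapse side, so whether clients still get sliding sync now depends entirely on the Synapse version pinned by the `nixpkgs` input; on releases where native sliding sync was still experimental it had to be switched on via `settings.experimental_features.msc3575_enabled = true;`, so confirm the pinned version serves it by default before deploying. Anything that still advertises the old proxy — a `.well-known/matrix/client` `org.matrix.msc3575.proxy` entry or a reverse-proxy route to the sliding-sync port — is not in this diff and should be checked, otherwise clients keep probing an endpoint that no longer exists. A short comment would keep the next reader from re-adding the proxy: `# Sliding sync is served natively by Synapse; the separate matrix-sliding-sync proxy was removed.` The `services.matrix-synapse` attribute set that closes at `};` in this hunk starts outside it.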
@@ -33,14 +33,6 @@ permissions = "0640"; uploadAt = "pre-activation"; }; - "matrix-SYNCV3_SECRET.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/SYNCV3_SECRET" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; "matrix-keycloak-client-secret.secret" = { keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ]; destDir = "/secrets";
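Review bot: Dropping the `matrix-SYNCV3_SECRET.secret` entry only stops the file from being uploaded; the copy already placed at `/secrets/matrix-SYNCV3_SECRET.secret` (mode 0640, readable by `matrix-synapse`) stays on the host unless the deployment tool prunes files it no longer manages, which nothing in this hunk shows. Remove it explicitly in the same change, e.g. `systemd.tmpfiles.rules = [ "r /secrets/matrix-SYNCV3_SECRET.secret" ];` or a one-off `rm` on the host, and retire the `matrix/SYNCV3_SECRET` entry in `pass` as well, since a shared secret for a service that no longer exists has no reason to remain in the store. The attribute set these entries live in starts outside the hunk.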