Setup ikiwiki host

2024-11-21 05:19:26 +01:00
43 changed files with 239 additions and 675 deletions
--- a/config/common/default.nix
+++ b/config/common/default.nix
@ -41,6 +41,7 @@
  security.acme = {
    defaults.email = "acme@grzb.de";
    acceptTerms = true;
    preliminarySelfsigned = true;
  };
  # Print the ed25519 public ssh host key to console when booting
--- a/config/hosts/forgejo/forgejo.nix
+++ b/config/hosts/forgejo/forgejo.nix
@ -1,9 +1,9 @@
-{ pkgs, ... }:
+{ ... }:
 {
  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    database.type = "postgres";
    mailerPasswordFile = "/secrets/forgejo-mailer-password.secret";
    settings = {
      DEFAULT = {
@ -60,6 +60,5 @@
        HOST = "redis+socket:///run/redis-forgejo/redis.sock";
      };
    };
    secrets.mailer.PASSWD = "/secrets/forgejo-mailer-password.secret";
  };
 }
--- a/config/hosts/ikiwiki/ikiwiki.nix
+++ b/config/hosts/ikiwiki/ikiwiki.nix
@ -133,4 +133,26 @@ in
      "multi-user.target"
    ];
  };
  systemd.services.ikiwiki-auth-setup = {
    description = "Setup auth subdirectory for ikiwiki.cgi";
    script = ''
      mkdir -p ${ikiwikiSettings.destdir}/auth
      if [ ! -f ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]; then
        ln -s ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi
      fi
    '';
    serviceConfig = {
      Type = "simple";
      User = config.users.users.ikiwiki.name;
      Group = config.users.users.ikiwiki.group;
      Requires = [ "ikiwiki-settings-setup.service" ];
    };
    wantedBy = [
      "multi-user.target"
    ];
  };
 }
--- a/config/hosts/jellyseerr/configuration.nix
+++ b/config/hosts/jellyseerr/configuration.nix
@ -10,7 +10,6 @@
    firewall = {
      allowedTCPPorts = [ 80 443 ];
    };
    nameservers = [ "193.138.218.74" ];
    extraHosts =
      ''
        10.202.46.101 jellyfin.grzb.de
@ -19,10 +18,5 @@
      '';
  };
  services.resolved = {
    enable = true;
    fallbackDns = [ ];
  };
  system.stateVersion = "23.11";
 }
--- a/config/hosts/jellyseerr/jellyseerr.nix
+++ b/config/hosts/jellyseerr/jellyseerr.nix
@ -1,15 +1,6 @@
-{ pkgs, ... }:
+{ ... }:
 let
  jellyseerrOverlay = final: prev: {
    jellyseerr = prev.jellyseerr.overrideAttrs (finalAttr: previousAttr: {
      dontCheckForBrokenSymlinks = true;
    });
  };
  pkgs-overlay = pkgs.extend jellyseerrOverlay;
 in
 {
  services.jellyseerr = {
    enable = true;
    package = pkgs-overlay.jellyseerr;
  };
 }
--- a/config/hosts/keycloak/keycloak.nix
+++ b/config/hosts/keycloak/keycloak.nix
@ -3,10 +3,10 @@
  services.keycloak = {
    enable = true;
    settings = {
-      hostname = "https://id.nekover.se";
+      hostname = "id.nekover.se";
-      hostname-admin = "https://keycloak-admin.nekover.se";
+      hostname-admin = "keycloak-admin.nekover.se";
-      proxy-headers = "xforwarded";
+      hostname-strict-backchannel = true;
-      http-enabled = true;
+      proxy = "edge";
      http-host = "127.0.0.1";
      http-port = 8080;
    };
--- a/config/hosts/keycloak/nginx.nix
+++ b/config/hosts/keycloak/nginx.nix
@ -41,13 +41,6 @@
          proxy_buffer_size 128k;
          proxy_buffers 8 128k;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Port 443;
          # This is https in any case.
          proxy_set_header X-Forwarded-Proto https;
          # Hide the X-Forwarded header.
          proxy_hide_header X-Forwarded;
          # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
@ -103,13 +96,6 @@
          proxy_buffer_size 128k;
          proxy_buffers 8 128k;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Port 443;
          # This is https in any case.
          proxy_set_header X-Forwarded-Proto https;
          # Hide the X-Forwarded header.
          proxy_hide_header X-Forwarded;
          # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
--- a/config/hosts/mail-1/configuration.nix
+++ b/config/hosts/mail-1/configuration.nix
@ -15,20 +15,28 @@
        ];
        routes = [
          {
-            Gateway = "10.202.41.1";
+            routeConfig = {
-            Destination = "10.201.0.0/16";
+              Gateway = "10.202.41.1";
              Destination = "10.201.0.0/16";
            };
          }
          {
-            Gateway = "10.202.41.1";
+            routeConfig = {
-            Destination = "10.202.0.0/16";
+              Gateway = "10.202.41.1";
              Destination = "10.202.0.0/16";
            };
          }
          {
-            Gateway = "10.202.41.1";
+            routeConfig = {
-            Destination = "172.21.87.0/24";
+              Gateway = "10.202.41.1";
              Destination = "172.21.87.0/24";
            };
          }
          {
-            Gateway = "10.202.41.1";
+            routeConfig = {
-            Destination = "212.53.203.19/32";
+              Gateway = "10.202.41.1";
              Destination = "212.53.203.19/32";
            };
          }
        ];
        linkConfig.RequiredForOnline = "routable";
@ -54,11 +62,13 @@
          PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
        };
        wireguardPeers = [{
-          PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
+          wireguardPeerConfig = {
-          PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
+            PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
-          Endpoint = "212.53.203.19:51822";
+            PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
-          AllowedIPs = [ "0.0.0.0/0" ];
+            Endpoint = "212.53.203.19:51822";
-          PersistentKeepalive = 25;
+            AllowedIPs = [ "0.0.0.0/0" ];
            PersistentKeepalive = 25;
          };
        }];
      };
    };
--- a/config/hosts/mail-1/secrets.nix
+++ b/config/hosts/mail-1/secrets.nix
@ -73,14 +73,6 @@
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-nekomesh-nekover-se.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-social-nekover-se.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
      destDir = "/secrets";
--- a/config/hosts/mail-1/simple-nixos-mailserver.nix
+++ b/config/hosts/mail-1/simple-nixos-mailserver.nix
@ -46,11 +46,6 @@
            sendOnly = true;
            aliases = [ "nyareply@nekover.se" ];
          };
          "nekomesh@nekover.se" = {
            hashedPasswordFile = "/secrets/mail-nekomesh-nekover-se.secret";
            sendOnly = true;
            aliases = [ "nyareply@nekover.se" ];
          };
          "social@nekover.se" = {
            hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
            sendOnly = true;
--- a/config/hosts/mail-2/configuration.nix
+++ b/config/hosts/mail-2/configuration.nix
@ -15,20 +15,28 @@
        ];
        routes = [
          {
-            Gateway = "10.201.41.1";
+            routeConfig = {
-            Destination = "10.201.0.0/16";
+              Gateway = "10.201.41.1";
              Destination = "10.201.0.0/16";
            };
          }
          {
-            Gateway = "10.201.41.1";
+            routeConfig = {
-            Destination = "10.202.0.0/16";
+              Gateway = "10.201.41.1";
              Destination = "10.202.0.0/16";
            };
          }
          {
-            Gateway = "10.201.41.1";
+            routeConfig = {
-            Destination = "172.21.87.0/24";
+              Gateway = "10.201.41.1";
              Destination = "172.21.87.0/24";
            };
          }
          {
-            Gateway = "10.201.41.1";
+            routeConfig = {
-            Destination = "217.160.117.160/32";
+              Gateway = "10.201.41.1";
              Destination = "217.160.117.160/32";
            };
          }
        ];
        linkConfig.RequiredForOnline = "routable";
@ -54,11 +62,13 @@
          PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret";
        };
        wireguardPeers = [{
-          PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
+          wireguardPeerConfig = {
-          PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
+            PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
-          Endpoint = "217.160.117.160:51820";
+            PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
-          AllowedIPs = [ "0.0.0.0/0" ];
+            Endpoint = "217.160.117.160:51820";
-          PersistentKeepalive = 25;
+            AllowedIPs = [ "0.0.0.0/0" ];
            PersistentKeepalive = 25;
          };
        }];
      };
    };
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@ -2,42 +2,31 @@
 let
  tangerineUI = pkgs.fetchgit {
    url = "https://github.com/nileane/TangerineUI-for-Mastodon.git";
-    rev = "v2.4.4";
+    rev = "v2.2";
-    hash = "sha256-58xiS2yzv4z24IULJQWpkqV1Op6e+U6SFd1XjpAB6Go=";
+    hash = "sha256-KyXDnpZh1DrY59jvdU42UicgBVvEGtvAGeU1mNxJauQ=";
  };
  mastodonModern = pkgs.fetchgit {
    url = "https://git.gay/freeplay/Mastodon-Modern.git";
    rev = "9f8db85eda2a65aa020ab6b81d100a121d39d4c4";
    hash = "sha256-W6zwjAjBGARiRPM0hWCnq63nIT2Or0SOQq82bpNtqAk=";
  };
  mastodonNekoversePatches = pkgs.fetchgit {
    url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git";
-    hash = "sha256-NtdJWMi8/siduX2iFD+GAsK9J+Y6T/tZ/fXqb/QH284=";
+    hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU=";
  };
  mastodonNekoverseOverlay = final: prev: {
    mastodon = (prev.mastodon.override rec {
-      version = "4.4.8";
+      version = "4.3.1";
      srcOverride = final.applyPatches {
        src = pkgs.stdenv.mkDerivation {
          name = "mastodonWithThemes";
          src = pkgs.fetchgit {
            url = "https://github.com/mastodon/mastodon.git";
            rev = "v${version}";
-            sha256 = "sha256-EE0A9EH+8ND9Whig2dhM27EONjJfdVtd9g+Mo0/2iHo=";
+            sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4=";
          };
          # mastodon ships with broken symlinks, disable the check for that for now
          dontCheckForBrokenSymlinks = true;
          installPhase = ''
            cp -r ./ $out/
            cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/
            echo "@import 'mastodon/variables';
            @import 'application';" >> $out/app/javascript/styles/modern-dark.scss
            cat ${mastodonModern}/modern.css >> $out/app/javascript/styles/modern-dark.scss
            echo "tangerineui: styles/tangerineui.scss
            tangerineui-purple: styles/tangerineui-purple.scss
            tangerineui-cherry: styles/tangerineui-cherry.scss
-            tangerineui-lagoon: styles/tangerineui-lagoon.scss
+            tangerineui-lagoon: styles/tangerineui-lagoon.scss" >> $out/config/themes.yml
            modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml
          '';
        };
        patches = [
@ -49,8 +38,7 @@ let
          "${mastodonNekoversePatches}/patches/006_increase_toot_character_limit.patch"
        ];
      };
-      yarnHash = prev.mastodon.src.yarnHash;
+      yarnHash = "sha256-e5c04M6XplAgaVyldU5HmYMYtY3MAWs+a8Z/BGSyGBg=";
      yarnMissingHashes = prev.mastodon.src.yarnMissingHashes;
    });
  };
  pkgs-overlay = pkgs.extend mastodonNekoverseOverlay;
@ -62,6 +50,7 @@ in
    package = pkgs-overlay.mastodon;
    localDomain = "social.nekover.se";
    secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret";
    otpSecretFile = "/secrets/mastodon-otp-secret.secret";
    vapidPublicKeyFile = "${vapidPublicKey}";
    vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret";
    smtp = {
@ -90,8 +79,6 @@ in
      OIDC_REDIRECT_URI = "https://social.nekover.se/auth/auth/openid_connect/callback";
      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
      OIDC_END_SESSION_ENDPOINT = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/logout";
      FETCH_REPLIES_ENABLED = "true";
      AUTHORIZED_FETCH = "true";
    };
    extraEnvFiles = [
      "/secrets/mastodon-keycloak-client-secret.secret"
--- a/config/hosts/mastodon/secrets.nix
+++ b/config/hosts/mastodon/secrets.nix
@ -9,6 +9,14 @@
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mastodon-otp-secret.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/otp-secret" ];
      destDir = "/secrets";
      user = "mastodon";
      group = "mastodon";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mastodon-vapid-private-key.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ];
      destDir = "/secrets";
--- a/config/hosts/matrix/configuration.nix
+++ b/config/hosts/matrix/configuration.nix
@ -9,7 +9,7 @@
    hostName = "matrix";
    firewall = {
      enable = true;
-      allowedTCPPorts = [ 80 8443 8448 9000 ];
+      allowedTCPPorts = [ 80 8443 8448 ];
    };
  };
--- a/config/hosts/matrix/default.nix
+++ b/config/hosts/matrix/default.nix
@ -2,10 +2,8 @@
 {
  imports = [
    ./configuration.nix
    ./element-call.nix
    ./hardware-configuration.nix
    ./postgresql.nix
    ./matrix-authentication-service.nix
    ./matrix-synapse.nix
    ./nginx.nix
  ];
--- a/config/hosts/matrix/element-call.nix
+++ b/config/hosts/matrix/element-call.nix
@ -1,15 +0,0 @@
 { ... }:
 {
  services.livekit = {
    enable = true;
    settings.rtc.use_external_ip = true;
    openFirewall = true;
    keyFile = "/secrets/matrix-livekit-secret-key.secret";
  };
  services.lk-jwt-service = {
    enable = true;
    port = 8082;
    livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu";
    keyFile = "/secrets/matrix-livekit-secret-key.secret";
  };
 }
--- a/config/hosts/matrix/matrix-authentication-service.nix
+++ b/config/hosts/matrix/matrix-authentication-service.nix
@ -1,95 +0,0 @@
 { pkgs, ... }:
 let
  masSettings = {
    http = {
      listeners = [
        {
          name = "web";
          resources = [
            { name = "discovery"; }
            { name = "human"; }
            { name = "oauth"; }
            { name = "compat"; }
            { name = "graphql"; }
            { 
              name = "assets";
              path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
            }
          ];
          binds = [{
            host = "localhost";
            port = 8080;
          }];
          proxy_protocol = false;
        }
        {
          name = "internal";
          resources = [{
            name = "health";
          }];
          binds = [{
            host = "localhost";
            port = 8081;
          }];
          proxy_protocol = false;
        }
      ];
      trusted_proxies = [
        "192.168.0.0/16"
        "172.16.0.0/12"
        "10.0.0.0/10"
        "127.0.0.1/8"
        "fd00::/8"
        "::1/128"
      ];
      public_base = "https://mas.nekover.se";
    };
    database = {
      uri = "postgresql://mas_user:mas@localhost/mas";
      max_connections = 10;
      min_connections = 0;
      connect_timeout = 30;
      idle_timeout = 600;
      max_lifetime = 1800;
    };
    passwords = {
      enabled = true;
      schemes = [
        {
          version = 1;
          algorithm = "bcrypt";
        }
        {
          version = 2;
          algorithm = "argon2id";
        }
      ]; 
      minimum_complexity = 8;
    };
  };
  masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
 in
 {
  environment.systemPackages = with pkgs; [
    matrix-authentication-service
  ];
  systemd.services.matrix-authentication-service = {
    description = "Matrix Authentication Service";
    after = [ "network-online.target" "postgresql.service" ];
    requires = [ "postgresql.service" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret";
      WorkingDirectory = "${pkgs.matrix-authentication-service}";
      User = "matrix-synapse";
      Group = "matrix-synapse";
    };
    wantedBy = [
      "multi-user.target"
    ];
  };
 }
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@ -3,40 +3,26 @@
  services.matrix-synapse = {
    enable = true;
    settings = {
-      listeners = [
+      listeners = [{
-        {
+        port = 8008;
-          port = 8008;
+        bind_addresses = [
-          bind_addresses = [
+          "::1"
-            "::1"
+          "127.0.0.1"
-            "127.0.0.1"
+        ];
-          ];
+        type = "http";
-          type = "http";
+        tls = false;
-          tls = false;
+        x_forwarded = true;
-          x_forwarded = true;
+        resources = [
-          resources = [
+          {
-            {
+            compress = true;
-              compress = true;
+            names = [ "client" ];
-              names = [ "client" ];
+          }
-            }
+          {
            {
              compress = false;
              names = [ "federation" ];
            }
          ];
        }
        {
          port = 9000;
          type = "http";
          tls = false;
          bind_addresses = [
            "0.0.0.0"
          ];
          resources = [{
            names = [ "metrics" ];
            compress = false;
-          }];
+            names = [ "federation" ];
-        }
+          }
-      ];
+        ];
      }];
      server_name = "nekover.se";
      public_baseurl = "https://matrix.nekover.se";
      database = {
@ -54,42 +40,19 @@
      signing_key_path = "/secrets/matrix-homeserver-signing-key.secret";
      admin_contact = "mailto:admin@nekover.se";
      web_client_location = "https://element.nekover.se";
      enable_metrics = true;
      turn_uris = [
        "turns:turn.nekover.se?transport=udp"
        "turns:turn.nekover.se?transport=tcp"
      ];
      turn_user_lifetime = 86400000;
      turn_allow_guests = true;
      experimental_features = {
        # MSC3266: Room summary API. Used for knocking over federation
        msc3266_enabled = true;
        # MSC4222 needed for syncv2 state_after. This allow clients to
        # correctly track the state of the room.
        msc4222_enabled = true;
      };
      # The maximum allowed duration by which sent events can be delayed, as
      # per MSC4140.
      max_event_delay_duration = "24h";
      rc_message = {
        # This needs to match at least e2ee key sharing frequency plus a bit of headroom
        # Note key sharing events are bursty
        per_second = 0.5;
        burst_count = 30;
      };
      rc_delayed_event_mgmt = {
        # This needs to match at least the heart-beat frequency plus a bit of headroom
        # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
        per_second = 1;
        burst_count = 20;
      };
    };
    extras = [ "oidc" ];
    extraConfigFiles = [
      "/secrets/matrix-registration-shared-secret.secret"
      "/secrets/matrix-turn-shared-secret.secret"
      "/secrets/matrix-email-smtp-pass.secret"
-      "/secrets/matrix-homeserver-mas-config.secret"
+      "/secrets/matrix-keycloak-client-secret.secret"
    ];
  };
 }
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@ -2,88 +2,40 @@
 {
  services.nginx = {
    enable = true;
-    virtualHosts = {
+    virtualHosts."matrix.nekover.se" = {
-      "matrix.nekover.se" = {
+      forceSSL = true;
-        forceSSL = true;
+      enableACME = true;
-        enableACME = true;
+      listen = [
-        listen = [
+        {
-          {
+          addr = "0.0.0.0";
-            addr = "0.0.0.0";
+          port = 80;
-            port = 80;
+        }
-          }
+        {
-          {
+          addr = "0.0.0.0";
-            addr = "0.0.0.0";
+          port = 8448;
-            port = 8448;
+          ssl = true;
-            ssl = true;
+        }
-          }
+      ];
-        ];
+      locations = {
-        locations = {
+        "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
-          "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+          proxyPass = "http://127.0.0.1:8009";
-            proxyPass = "http://localhost:8009";
+          priority = 999;
-            priority = 998;
+        };
-          };
+        "~ ^(/_matrix|/_synapse/client)" = {
-          "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
+          proxyPass = "http://127.0.0.1:8008";
-            proxyPass = "http://localhost:8080";
+          extraConfig = ''
-            priority = 999;
+            # Nginx by default only allows file uploads up to 1M in size
-          };
+            # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
-          "~ ^(/_matrix|/_synapse/client)" = {
+            client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
-            proxyPass = "http://localhost:8008";
+          '';
            extraConfig = ''
              # Nginx by default only allows file uploads up to 1M in size
              # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
              client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
            '';
          };
        };
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
          set_real_ip_from 10.202.41.100;
          real_ip_header proxy_protocol;
        '';
      };
-      "mas.nekover.se" = {
+      extraConfig = ''
-        forceSSL = true;
+        listen 0.0.0.0:8443 http2 ssl proxy_protocol;
        enableACME = true;
        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
        ];
        locations."/" = {
          proxyPass = "http://localhost:8080";
        };
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-          set_real_ip_from 10.202.41.100;
+        set_real_ip_from 10.202.41.100;
-          real_ip_header proxy_protocol;
+        real_ip_header proxy_protocol;
-        '';
+      '';
      };
      "matrix-rtc.nekover.se" = {
        forceSSL = true;
        enableACME = true;
        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
        ];
        locations."^~ /livekit/jwt/" = {
          proxyPass = "http://localhost:8082/";
        };
        locations."^~ /livekit/sfu/" = {
          proxyPass = "http://localhost:7880/";
          proxyWebsockets = true;
        };
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
          set_real_ip_from 10.202.41.100;
          real_ip_header proxy_protocol;
        '';
      };
    };
  };
 }
--- a/config/hosts/matrix/postgresql.nix
+++ b/config/hosts/matrix/postgresql.nix
@ -8,11 +8,6 @@
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
      CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas';
      CREATE DATABASE "mas" WITH OWNER "mas_user"
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
    '';
  };
 }
--- a/config/hosts/matrix/secrets.nix
+++ b/config/hosts/matrix/secrets.nix
@ -33,29 +33,13 @@
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-    "matrix-homeserver-mas-config.secret" = {
+    "matrix-keycloak-client-secret.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ];
      destDir = "/secrets";
      user = "matrix-synapse";
      group = "matrix-synapse";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "matrix-mas-secret-config.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ];
      destDir = "/secrets";
      user = "matrix-synapse";
      group = "matrix-synapse";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "matrix-livekit-secret-key.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "matrix/livekit-secret-key" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
  };
 }
--- a/config/hosts/metrics-nekomesh/configuration.nix
+++ b/config/hosts/metrics-nekomesh/configuration.nix
@ -1,17 +0,0 @@
 { ... }:
 {
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };
  networking = {
    hostName = "metrics-nekomesh";
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 8443 9091 ];
    };
  };
  system.stateVersion = "25.11";
 }
--- a/config/hosts/metrics-nekomesh/default.nix
+++ b/config/hosts/metrics-nekomesh/default.nix
@ -1,9 +0,0 @@
 { ... }:
 {
  imports = [
    ./configuration.nix
    ./grafana.nix
    ./prometheus.nix
    ./nginx.nix
  ];
 }
--- a/config/hosts/metrics-nekomesh/grafana.nix
+++ b/config/hosts/metrics-nekomesh/grafana.nix
@ -1,54 +0,0 @@
 { config, ... }:
 {
  services.grafana = {
    enable = true;
    settings = {
      server = {
        domain = "mesh.nekover.se";
        root_url = "https://${config.services.grafana.settings.server.domain}";
      };
      security = {
        cookie_secure = true;
        cookie_samesite = "strict";
        admin_user = "admin";
        admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}";
        admin_email = "fi@nekover.se";
      };
      smtp = {
        enabled = true;
        host = "mail.grzb.de:465";
        user = "nekomesh@grzb.de";
        password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}";
        from_address = "nyareply@nekover.se";
        from_name = "Nekomesh";
        startTLS_policy = "NoStartTLS";
      };
      "auth.generic_oauth" = {
        enabled = true;
        name = "Nekoverse ID";
        allow_sign_up = true;
        client_id = "nekomesh";
        client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}";
        scopes = "openid email profile offline_access roles";
        email_attribute_path = "email";
        login_attribute_path = "preferred_username";
        name_attribute_path = "preferred_username";
        auth_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/auth";
        token_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/token";
        api_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/userinfo";
        use_refresh_token = true;
        allow_assign_grafana_admin = true;
        role_attribute_strict = true;
        role_attribute_path = "contains(resource_access.nekomesh.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.nekomesh.roles[*], 'admin') && 'Admin' || contains(resource_access.nekomesh.roles[*], 'editor') && 'Editor' || 'Viewer'";
      };
    };
    provision.datasources.settings.datasources = [
      {
        name = "Prometheus";
        type = "prometheus";
        url = "http://localhost:${builtins.toString config.services.prometheus.port}";
        isDefault = true;
      }
    ];
  };
 }
--- a/config/hosts/metrics-nekomesh/nginx.nix
+++ b/config/hosts/metrics-nekomesh/nginx.nix
@ -1,32 +0,0 @@
 { config, ... }:
 {
  services.nginx = {
    enable = true;
    virtualHosts = {
      ${config.services.grafana.settings.server.domain} = {
        forceSSL = true;
        enableACME = true;
        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
          {
            addr = "0.0.0.0";
            port = 8443;
            ssl = true;
            extraParameters = [ "proxy_protocol" ];
          }
        ];
        locations."/" = {
          proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}";
          proxyWebsockets = true;
        };
        extraConfig = ''
          set_real_ip_from 10.202.41.100;
          real_ip_header proxy_protocol;
        '';
      };
    };
  };
 }
--- a/config/hosts/metrics-nekomesh/prometheus.nix
+++ b/config/hosts/metrics-nekomesh/prometheus.nix
@ -1,20 +0,0 @@
 { ... }:
 {
  services.prometheus = {
    enable = true;
    retentionTime = "2y";
    scrapeConfigs = [
      {
        job_name = "meshcore_repeater_telemetry";
        scrape_interval = "15m";
        static_configs = [{
          targets = [ "localhost:9091" ];
        }];
      }
    ];
    pushgateway = {
      enable = true;
      web.external-url = "metrics-nekomesh.vs.grzb.de:9091";
    };
  };
 }
--- a/config/hosts/metrics-nekomesh/secrets.nix
+++ b/config/hosts/metrics-nekomesh/secrets.nix
@ -1,29 +0,0 @@
 { keyCommandEnv, ... }:
 {
  deployment.keys = {
    "metrics-nekomesh-grafana-admin-password.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/admin-password" ];
      destDir = "/secrets";
      user = "grafana";
      group = "grafana";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "metrics-nekomesh-grafana-keycloak-client-secret.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ];
      destDir = "/secrets";
      user = "grafana";
      group = "grafana";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-nekomesh-nekover-se.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
      destDir = "/secrets";
      user = "grafana";
      group = "grafana";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
  };
 }
--- a/config/hosts/metrics/prometheus.nix
+++ b/config/hosts/metrics/prometheus.nix
@ -1,16 +1,7 @@
-{ hosts, pkgs, ... }:
+{ hosts, ... }:
 let
  # https://github.com/element-hq/synapse/tree/master/contrib/prometheus/
  synapseRules = pkgs.fetchurl {
    url = "https://raw.githubusercontent.com/element-hq/synapse/refs/heads/master/contrib/prometheus/synapse-v2.rules";
    hash = "sha256-WldlBdCMzul49OlFhJMsrx4MYFakHTa36Y9HnV22EwI=";
  };
 in
 {
  services.prometheus = {
    enable = true;
    retentionTime = "90d";
    ruleFiles = [ synapseRules ];
    scrapeConfigs = [
      {
        job_name = "node";
@ -23,14 +14,6 @@ in
          };
        }) (builtins.attrNames hosts);
      }
      {
        job_name = "synapse";
        scrape_interval = "15s";
        metrics_path = "/_synapse/metrics";
        static_configs = [{
          targets = [ "matrix.vs.grzb.de:9000" ];
        }];
      }
    ];
  };
 }
--- a/config/hosts/nextcloud/nextcloud.nix
+++ b/config/hosts/nextcloud/nextcloud.nix
@ -2,7 +2,7 @@
 {
  services.nextcloud = {
    enable = true;
-    package = pkgs.nextcloud32;
+    package = pkgs.nextcloud29;
    hostName = "cloud.nekover.se";
    https = true;
    config = {
--- a/config/hosts/torrent/configuration.nix
+++ b/config/hosts/torrent/configuration.nix
@ -25,5 +25,5 @@
    };
  };
-  system.stateVersion = "24.11";
+  system.stateVersion = "23.11";
 }
--- a/config/hosts/torrent/jackett.nix
+++ b/config/hosts/torrent/jackett.nix
@ -1,8 +1,8 @@
-{ nixpkgs-master, ... }:
+{ nixpkgs-unstable, ... }:
 {
  services.jackett = {
    enable = true;
-    # use package from master to work around faulty test in older jackett version
+    # use package from unstable to work around faulty test in older jackett version
-    package = nixpkgs-master.legacyPackages."x86_64-linux".jackett;
+    package = nixpkgs-unstable.legacyPackages."x86_64-linux".jackett;
  };
 }
--- a/config/hosts/torrent/sonarr.nix
+++ b/config/hosts/torrent/sonarr.nix
@ -1,17 +1,5 @@
 { ... }:
 {
  # The sonarr package is dependend on .NET 6 which is marked as insecure.
  # It doesn't seem to build with the later .NET versions.
  # In the meantime allow the installation of these insecure packages since sonarr is only reachable locally.
  nixpkgs.config = {
    permittedInsecurePackages = [
      "aspnetcore-runtime-wrapped-6.0.36"
      "aspnetcore-runtime-6.0.36"
      "dotnet-sdk-wrapped-6.0.428"
      "dotnet-sdk-6.0.428"
    ];
  };
  services.sonarr = {
    enable = true;
    user = "torrent";
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@ -96,5 +96,5 @@
  services.prometheus.exporters.node.enable = false;
-  system.stateVersion = "24.11";
+  system.stateVersion = "23.05";
 }
--- a/config/hosts/valkyrie/containers/uptime-kuma/default.nix
+++ b/config/hosts/valkyrie/containers/uptime-kuma/default.nix
@ -1,6 +1,7 @@
-{ ... }:
+{ nixpkgs-unstable, ... }:
 {
  containers.uptime-kuma = {
    nixpkgs = nixpkgs-unstable;
    autoStart = true;
    config = { ... }: {
      networking.useHostResolvConf = true;
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@ -17,6 +17,7 @@
      stream {
        map $ssl_preread_server_name $address {
          anisync.grzb.de 127.0.0.1:8443;
          birdsite.nekover.se 10.202.41.107:8443;
          cloud.nekover.se 10.202.41.122:8443;
          element.nekover.se 127.0.0.1:8443;
          fi.nekover.se 10.202.41.125:8443;
@ -25,12 +26,9 @@
          git.nekover.se 10.202.41.106:8443;
          hydra.nekover.se 10.202.41.121:8443;
          id.nekover.se 10.202.41.124:8443;
          mas.nekover.se 10.202.41.112:8443;
          matrix.nekover.se 10.202.41.112:8443;
          matrix-rtc.nekover.se 10.202.41.112:8443;
          mewtube.nekover.se 127.0.0.1:8443;
          nekover.se 127.0.0.1:8443;
          mesh.nekover.se 10.202.41.126:8443;
          nix-cache.nekover.se 10.202.41.121:8443;
          searx.nekover.se 10.202.41.105:8443;
          social.nekover.se 10.202.41.104:8443;
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@ -1,13 +1,9 @@
 { ... }:
 let
  acmeDomainMap = {
    "alertmanager.grzb.de" = "metrics.vs.grzb.de";
    "jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
    "mail-1.grzb.de" = "mail-1.vs.grzb.de";
    "mas.nekover.se" = "matrix.vs.grzb.de";
    "matrix.nekover.se" = "matrix.vs.grzb.de";
    "matrix-rtc.nekover.se" = "matrix.vs.grzb.de";
    "mesh.nekover.se" = "metrics-nekomesh.vs.grzb.de";
    "netbox.grzb.de" = "netbox.vs.grzb.de";
    "git.nekover.se" = "forgejo.vs.grzb.de";
    "grafana.grzb.de" = "metrics.vs.grzb.de";
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@ -1,9 +1,9 @@
 { pkgs, ... }:
 let
-  elementWebVersion = "1.12.2";
+  elementWebVersion = "1.11.77";
  element-web = pkgs.fetchzip {
    url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-EZtySIQHgb+Boq97LhzFYKTEO///6YMH3O2DrAy+7Fs=";
+    sha256 = "sha256-O5Dt54fBoKalaeevBn7px/06Kiuhf6mvogLk4Bvvnrg=";
  };
  elementWebSecurityHeaders = ''
  	# Configuration best practices
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@ -16,7 +16,7 @@
      '';
    };
    locations."/.well-known/matrix/client" = {
-      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"},\"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix-rtc.nekover.se/livekit/jwt\"}, {\"type\": \"nextgen_new_foci_type\", \"props_for_nextgen_foci\": \"val\"}]}'";
+      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'";
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
--- a/config/nixos-generators/default.nix
+++ b/config/nixos-generators/default.nix
@ -10,5 +10,5 @@
    firewall.enable = true;
  };
-  system.stateVersion = "24.11";
+  system.stateVersion = "23.05";
 }
--- a/config/users/fi/default.nix
+++ b/config/users/fi/default.nix
@ -7,7 +7,6 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE95OjEez/yE+GIaeIoz3OwkXboLboPY4ss9nkt4FLyW fi@kiara"
    ];
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -19,11 +19,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1747046372,
+        "lastModified": 1696426674,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
@ -32,61 +32,13 @@
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": [
          "simple-nixos-mailserver",
          "flake-compat"
        ],
        "gitignore": "gitignore",
        "nixpkgs": [
          "simple-nixos-mailserver",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1742649964,
        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "simple-nixos-mailserver",
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1736643958,
+        "lastModified": 1731805462,
-        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
+        "narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
+        "rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734",
        "type": "github"
      },
      "original": {
@ -103,11 +55,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1751903740,
+        "lastModified": 1732151224,
-        "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
+        "narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "032decf9db65efed428afd2fa39d80f7089085eb",
+        "rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c",
        "type": "github"
      },
      "original": {
@ -118,43 +70,42 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1762098551,
+        "lastModified": 1731842749,
-        "narHash": "sha256-SchwrZR0pUgTCY10IxC4Lf40u3gLmbAdVeGNyomVxaE=",
+        "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0257fc3c4a1ba60fb2a9d19c2915e7315bad41db",
+        "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-25.05-small",
+        "ref": "nixos-24.05-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixpkgs-25_05": {
+    "nixpkgs-24_05": {
      "locked": {
-        "lastModified": 1747610100,
+        "lastModified": 1717144377,
-        "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=",
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "id": "nixpkgs",
-        "ref": "nixos-25.05",
+        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
+        "type": "indirect"
        "type": "github"
      }
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1762113106,
+        "lastModified": 1732154639,
-        "narHash": "sha256-iiv03ogrvPXanFWJIBM2/wQn/3mKAYNpN/1bxWELhUE=",
+        "narHash": "sha256-GeEhJmh0/KEQmoe4Lmsv9VC0SrQn4K9V27KbHJ0Zs/g=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "134fe04e1dad764124c515007533cdd3c9a01aaf",
+        "rev": "516819d9b5b97ee1f461aecb4caed7aa6b769d5d",
        "type": "github"
      },
      "original": {
@ -166,11 +117,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1762080734,
+        "lastModified": 1732136765,
-        "narHash": "sha256-fFunzA7ITlPHRr7dECaFGTBucNiWYEVDNPBw/9gFmII=",
+        "narHash": "sha256-622zKMMp0mw2a+fJJoVQdNmxwRGDkWsDTn5OSPK8DLk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "bc7f6fa86de9b208edf4ea7bbf40bcd8cc7d70a5",
+        "rev": "e35b0f3f9787cfe51f406f7dd5a4446a858bfdb2",
        "type": "github"
      },
      "original": {
@ -182,18 +133,17 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1747179050,
+        "lastModified": 1717602782,
-        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
+        "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
+        "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "id": "nixpkgs",
        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
+        "type": "indirect"
        "type": "github"
      }
    },
    "root": {
@ -209,24 +159,57 @@
      "inputs": {
        "blobs": "blobs",
        "flake-compat": "flake-compat",
        "git-hooks": "git-hooks",
        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-25_05": "nixpkgs-25_05"
+        "nixpkgs-24_05": "nixpkgs-24_05",
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1755110674,
+        "lastModified": 1718084203,
-        "narHash": "sha256-PigqTAGkdBYXVFWsJnqcirrLeFqRFN4PFigLA8FzxeI=",
+        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "f5936247dbdb8501221978562ab0b302dd75456c",
+        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
-        "ref": "nixos-25.05",
+        "ref": "nixos-24.05",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1709126324,
        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -1,13 +1,13 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
    nixpkgs-master.url = "github:NixOS/nixpkgs/master";
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
  };
  outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs:
@ -31,7 +31,7 @@
          inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver;
          # Provide environment for secret key command
-          keyCommandEnv = [ "env" "GNUPGHOME=/home/fi/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/fi/pass/infra" ];
+          keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ];
        };
      };
    } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
--- a/hosts.nix
+++ b/hosts.nix
@ -1,4 +1,4 @@
-{ nixpkgs, nixpkgs-unstable, nixpkgs-master, ... }:
+{ nixpkgs, nixpkgs-unstable, ... }:
 let
  # Set of environment specific modules
  environments = {
@ -39,7 +39,6 @@ in
      environment = "proxmox";
    };
    jellyfin = {
      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
      environment = "proxmox";
    };
@ -68,7 +67,6 @@ in
      environment = "proxmox";
    };
    matrix = {
      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
      environment = "proxmox";
    };
@ -76,8 +74,7 @@ in
      site = "vs";
      environment = "proxmox";
    };
-    metrics-nekomesh = {
+    netbox = {
      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
      environment = "proxmox";
    };
@ -85,6 +82,10 @@ in
      site = "vs";
      environment = "proxmox";
    };
    nitter = {
      site = "vs";
      environment = "proxmox";
    };
    coturn = {
      site = "vs";
      environment = "proxmox";
@ -95,7 +96,6 @@ in
      environment = "proxmox";
    };
    torrent = {
      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
      environment = "proxmox";
    };