fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

..

1 commit
main ... ikiwiki

Author SHA1 Message Date
fi
b54be988cc Setup ikiwiki host 2024-11-21 05:19:26 +01:00
32 changed files with 204 additions and 459 deletions

2
config/hosts/forgejo/forgejo.nix
View file

@ -3,6 +3,7 @@
services.forgejo = {
enable = true;
database.type = "postgres";
mailerPasswordFile = "/secrets/forgejo-mailer-password.secret";
settings = {
DEFAULT = {
@ -59,6 +60,5 @@
HOST = "redis+socket:///run/redis-forgejo/redis.sock";
};
};
secrets.mailer.PASSWD = "/secrets/forgejo-mailer-password.secret";
};
}

22
config/hosts/ikiwiki/ikiwiki.nix
View file

@ -133,4 +133,26 @@ in
"multi-user.target"
];
};
systemd.services.ikiwiki-auth-setup = {
description = "Setup auth subdirectory for ikiwiki.cgi";
script = ''
mkdir -p ${ikiwikiSettings.destdir}/auth
if [ ! -f ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]; then
ln -s ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi
fi
'';
serviceConfig = {
Type = "simple";
User = config.users.users.ikiwiki.name;
Group = config.users.users.ikiwiki.group;
Requires = [ "ikiwiki-settings-setup.service" ];
};
wantedBy = [
"multi-user.target"
];
};
}

6
config/hosts/jellyseerr/configuration.nix
View file

@ -10,7 +10,6 @@
firewall = {
allowedTCPPorts = [ 80 443 ];
};
nameservers = [ "193.138.218.74" ];
extraHosts =
''
10.202.46.101 jellyfin.grzb.de
@ -19,10 +18,5 @@
'';
};
services.resolved = {
enable = true;
fallbackDns = [ ];
};
system.stateVersion = "23.11";
}

11
config/hosts/jellyseerr/jellyseerr.nix
View file

@ -1,15 +1,6 @@
{ pkgs, ... }:
let
jellyseerrOverlay = final: prev: {
jellyseerr = prev.jellyseerr.overrideAttrs (finalAttr: previousAttr: {
dontCheckForBrokenSymlinks = true;
});
};
pkgs-overlay = pkgs.extend jellyseerrOverlay;
in
{ ... }:
{
services.jellyseerr = {
enable = true;
package = pkgs-overlay.jellyseerr;
};
}

8
config/hosts/keycloak/keycloak.nix
View file

@ -3,10 +3,10 @@
services.keycloak = {
enable = true;
settings = {
hostname = "https://id.nekover.se";
hostname-admin = "https://keycloak-admin.nekover.se";
proxy-headers = "xforwarded";
http-enabled = true;
hostname = "id.nekover.se";
hostname-admin = "keycloak-admin.nekover.se";
hostname-strict-backchannel = true;
proxy = "edge";
http-host = "127.0.0.1";
http-port = 8080;
};

14
config/hosts/keycloak/nginx.nix
View file

@ -41,13 +41,6 @@
proxy_buffer_size 128k;
proxy_buffers 8 128k;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
@ -103,13 +96,6 @@
proxy_buffer_size 128k;
proxy_buffers 8 128k;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that

36
config/hosts/mail-1/configuration.nix
View file

@ -15,20 +15,28 @@
];
routes = [
{
Gateway = "10.202.41.1";
Destination = "10.201.0.0/16";
routeConfig = {
Gateway = "10.202.41.1";
Destination = "10.201.0.0/16";
};
}
{
Gateway = "10.202.41.1";
Destination = "10.202.0.0/16";
routeConfig = {
Gateway = "10.202.41.1";
Destination = "10.202.0.0/16";
};
}
{
Gateway = "10.202.41.1";
Destination = "172.21.87.0/24";
routeConfig = {
Gateway = "10.202.41.1";
Destination = "172.21.87.0/24";
};
}
{
Gateway = "10.202.41.1";
Destination = "212.53.203.19/32";
routeConfig = {
Gateway = "10.202.41.1";
Destination = "212.53.203.19/32";
};
}
];
linkConfig.RequiredForOnline = "routable";
@ -54,11 +62,13 @@
PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
};
wireguardPeers = [{
PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
Endpoint = "212.53.203.19:51822";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
wireguardPeerConfig = {
PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
Endpoint = "212.53.203.19:51822";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
};
}];
};
};

36
config/hosts/mail-2/configuration.nix
View file

@ -15,20 +15,28 @@
];
routes = [
{
Gateway = "10.201.41.1";
Destination = "10.201.0.0/16";
routeConfig = {
Gateway = "10.201.41.1";
Destination = "10.201.0.0/16";
};
}
{
Gateway = "10.201.41.1";
Destination = "10.202.0.0/16";
routeConfig = {
Gateway = "10.201.41.1";
Destination = "10.202.0.0/16";
};
}
{
Gateway = "10.201.41.1";
Destination = "172.21.87.0/24";
routeConfig = {
Gateway = "10.201.41.1";
Destination = "172.21.87.0/24";
};
}
{
Gateway = "10.201.41.1";
Destination = "217.160.117.160/32";
routeConfig = {
Gateway = "10.201.41.1";
Destination = "217.160.117.160/32";
};
}
];
linkConfig.RequiredForOnline = "routable";
@ -54,11 +62,13 @@
PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret";
};
wireguardPeers = [{
PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
Endpoint = "217.160.117.160:51820";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
wireguardPeerConfig = {
PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
Endpoint = "217.160.117.160:51820";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
};
}];
};
};

24
config/hosts/mastodon/mastodon.nix
View file

@ -2,13 +2,8 @@
let
tangerineUI = pkgs.fetchgit {
url = "https://github.com/nileane/TangerineUI-for-Mastodon.git";
rev = "v2.3";
hash = "sha256-Yl5UOjcp0Q3WpiLgfjQFVVEQs4WlVUSBCS7kuO+39wQ=";
};
mastodonModern = pkgs.fetchgit {
url = "https://git.gay/freeplay/Mastodon-Modern.git";
rev = "5dc82786107bfb4dc4786571160d63a59cc609d6";
hash = "sha256-0qr+PN1eTR2iqicJEEUskm0DchpZhocEVwoHfwOvHMw=";
rev = "v2.2";
hash = "sha256-KyXDnpZh1DrY59jvdU42UicgBVvEGtvAGeU1mNxJauQ=";
};
mastodonNekoversePatches = pkgs.fetchgit {
url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git";
@ -16,28 +11,22 @@ let
};
mastodonNekoverseOverlay = final: prev: {
mastodon = (prev.mastodon.override rec {
version = "4.3.9";
version = "4.3.1";
srcOverride = final.applyPatches {
src = pkgs.stdenv.mkDerivation {
name = "mastodonWithThemes";
src = pkgs.fetchgit {
url = "https://github.com/mastodon/mastodon.git";
rev = "v${version}";
sha256 = "sha256-A2WxVwaarT866s97uwfStBVtv7T5czF7ymRswtZ2K4M=";
sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4=";
};
# mastodon ships with broken symlinks, disable the check for that for now
dontCheckForBrokenSymlinks = true;
installPhase = ''
cp -r ./ $out/
cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/
echo "@import 'mastodon/variables';
@import 'application';" >> $out/app/javascript/styles/modern-dark.scss
cat ${mastodonModern}/modern.css >> $out/app/javascript/styles/modern-dark.scss
echo "tangerineui: styles/tangerineui.scss
tangerineui-purple: styles/tangerineui-purple.scss
tangerineui-cherry: styles/tangerineui-cherry.scss
tangerineui-lagoon: styles/tangerineui-lagoon.scss
modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml
tangerineui-lagoon: styles/tangerineui-lagoon.scss" >> $out/config/themes.yml
'';
};
patches = [
@ -49,8 +38,7 @@ let
"${mastodonNekoversePatches}/patches/006_increase_toot_character_limit.patch"
];
};
yarnHash = "sha256-IC4d/skIHEzJPuKlq4rMAqV+ydqquA6toq4WWCfuDxo=";
yarnMissingHashes = null;
yarnHash = "sha256-e5c04M6XplAgaVyldU5HmYMYtY3MAWs+a8Z/BGSyGBg=";
});
};
pkgs-overlay = pkgs.extend mastodonNekoverseOverlay;

2
config/hosts/matrix/default.nix
View file

@ -2,10 +2,8 @@
{
imports = [
./configuration.nix
./element-call.nix
./hardware-configuration.nix
./postgresql.nix
./matrix-authentication-service.nix
./matrix-synapse.nix
./nginx.nix
];

15
config/hosts/matrix/element-call.nix
View file

@ -1,15 +0,0 @@
{ ... }:
{
services.livekit = {
enable = true;
settings.rtc.use_external_ip = true;
openFirewall = true;
keyFile = "/secrets/matrix-livekit-secret-key.secret";
};
services.lk-jwt-service = {
enable = true;
port = 8082;
livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu";
keyFile = "/secrets/matrix-livekit-secret-key.secret";
};
}

97
config/hosts/matrix/matrix-authentication-service.nix
View file

@ -1,97 +0,0 @@
{ pkgs, ... }:
let
masSettings = {
http = {
listeners = [
{
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{
name = "assets";
path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
}
];
binds = [{
host = "localhost";
port = 8080;
}];
proxy_protocol = false;
}
{
name = "internal";
resources = [{
name = "health";
}];
binds = [{
host = "localhost";
port = 8081;
}];
proxy_protocol = false;
}
];
trusted_proxies = [
"192.168.0.0/16"
"172.16.0.0/12"
"10.0.0.0/10"
"127.0.0.1/8"
"fd00::/8"
"::1/128"
];
public_base = "https://mas.nekover.se";
};
database = {
uri = "postgresql://mas_user:mas@localhost/mas";
max_connections = 10;
min_connections = 0;
connect_timeout = 30;
idle_timeout = 600;
max_lifetime = 1800;
};
passwords = {
enabled = true;
schemes = [
{
version = 1;
algorithm = "bcrypt";
}
{
version = 2;
algorithm = "argon2id";
}
];
minimum_complexity = 8;
};
};
masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
in
{
environment.systemPackages = with pkgs; [
matrix-authentication-service
syn2mas
];
systemd.services.matrix-authentication-service = {
description = "Matrix Authentication Service";
after = [ "network-online.target" "postgresql.service" ];
requires = [ "postgresql.service" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret";
WorkingDirectory = "${pkgs.matrix-authentication-service}";
User = "matrix-synapse";
Group = "matrix-synapse";
};
wantedBy = [
"multi-user.target"
];
};
}

24
config/hosts/matrix/matrix-synapse.nix
View file

@ -46,35 +46,13 @@
];
turn_user_lifetime = 86400000;
turn_allow_guests = true;
experimental_features = {
# MSC3266: Room summary API. Used for knocking over federation
msc3266_enabled = true;
# MSC4222 needed for syncv2 state_after. This allow clients to
# correctly track the state of the room.
msc4222_enabled = true;
};
# The maximum allowed duration by which sent events can be delayed, as
# per MSC4140.
max_event_delay_duration = "24h";
rc_message = {
# This needs to match at least e2ee key sharing frequency plus a bit of headroom
# Note key sharing events are bursty
per_second = 0.5;
burst_count = 30;
};
rc_delayed_event_mgmt = {
# This needs to match at least the heart-beat frequency plus a bit of headroom
# Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
per_second = 1;
burst_count = 20;
};
};
extras = [ "oidc" ];
extraConfigFiles = [
"/secrets/matrix-registration-shared-secret.secret"
"/secrets/matrix-turn-shared-secret.secret"
"/secrets/matrix-email-smtp-pass.secret"
"/secrets/matrix-homeserver-mas-config.secret"
"/secrets/matrix-keycloak-client-secret.secret"
];
};
}

110
config/hosts/matrix/nginx.nix
View file

@ -2,88 +2,40 @@
{
services.nginx = {
enable = true;
virtualHosts = {
"matrix.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
];
locations = {
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
proxyPass = "http://localhost:8009";
priority = 998;
};
"~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
proxyPass = "http://localhost:8080";
priority = 999;
};
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://localhost:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
virtualHosts."matrix.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
];
locations = {
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
proxyPass = "http://127.0.0.1:8009";
priority = 999;
};
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
"mas.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
];
locations."/" = {
proxyPass = "http://localhost:8080";
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
"matrix-rtc.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
];
locations."^~ /livekit/jwt/" = {
proxyPass = "http://localhost:8082/";
};
locations."^~ /livekit/sfu/" = {
proxyPass = "http://localhost:7880/";
proxyWebsockets = true;
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
}

5
config/hosts/matrix/postgresql.nix
View file

@ -8,11 +8,6 @@
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas';
CREATE DATABASE "mas" WITH OWNER "mas_user"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
}

20
config/hosts/matrix/secrets.nix
View file

@ -33,29 +33,13 @@
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-homeserver-mas-config.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ];
"matrix-keycloak-client-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-mas-secret-config.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-livekit-secret-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/livekit-secret-key" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

19
config/hosts/metrics/nginx.nix
View file

@ -22,25 +22,6 @@
proxyWebsockets = true;
};
};
"alertmanager.grzb.de"= {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/" = {
proxyPass = "http://${config.services.prometheus.alertmanager.listenAddress}:${builtins.toString config.services.prometheus.alertmanager.port}";
proxyWebsockets = true;
};
};
};
};
}

1
config/hosts/metrics/prometheus.nix
View file

@ -2,7 +2,6 @@
{
services.prometheus = {
enable = true;
retentionTime = "90d";
scrapeConfigs = [
{
job_name = "node";

2
config/hosts/nextcloud/nextcloud.nix
View file

@ -2,7 +2,7 @@
{
services.nextcloud = {
enable = true;
package = pkgs.nextcloud31;
package = pkgs.nextcloud29;
hostName = "cloud.nekover.se";
https = true;
config = {

2
config/hosts/torrent/configuration.nix
View file

@ -25,5 +25,5 @@
};
};
system.stateVersion = "24.11";
system.stateVersion = "23.11";
}

6
config/hosts/torrent/jackett.nix
View file

@ -1,8 +1,8 @@
{ nixpkgs-master, ... }:
{ nixpkgs-unstable, ... }:
{
services.jackett = {
enable = true;
# use package from master to work around faulty test in older jackett version
package = nixpkgs-master.legacyPackages."x86_64-linux".jackett;
# use package from unstable to work around faulty test in older jackett version
package = nixpkgs-unstable.legacyPackages."x86_64-linux".jackett;
};
}

12
config/hosts/torrent/sonarr.nix
View file

@ -1,17 +1,5 @@
{ ... }:
{
# The sonarr package is dependend on .NET 6 which is marked as insecure.
# It doesn't seem to build with the later .NET versions.
# In the meantime allow the installation of these insecure packages since sonarr is only reachable locally.
nixpkgs.config = {
permittedInsecurePackages = [
"aspnetcore-runtime-wrapped-6.0.36"
"aspnetcore-runtime-6.0.36"
"dotnet-sdk-wrapped-6.0.428"
"dotnet-sdk-6.0.428"
];
};
services.sonarr = {
enable = true;
user = "torrent";

2
config/hosts/valkyrie/configuration.nix
View file

@ -96,5 +96,5 @@
services.prometheus.exporters.node.enable = false;
system.stateVersion = "24.11";
system.stateVersion = "23.05";
}

3
config/hosts/valkyrie/containers/uptime-kuma/default.nix
View file

@ -1,6 +1,7 @@
{ ... }:
{ nixpkgs-unstable, ... }:
{
containers.uptime-kuma = {
nixpkgs = nixpkgs-unstable;
autoStart = true;
config = { ... }: {
networking.useHostResolvConf = true;

3
config/hosts/web-public-2/nginx.nix
View file

@ -17,6 +17,7 @@
stream {
map $ssl_preread_server_name $address {
anisync.grzb.de 127.0.0.1:8443;
birdsite.nekover.se 10.202.41.107:8443;
cloud.nekover.se 10.202.41.122:8443;
element.nekover.se 127.0.0.1:8443;
fi.nekover.se 10.202.41.125:8443;
@ -25,9 +26,7 @@
git.nekover.se 10.202.41.106:8443;
hydra.nekover.se 10.202.41.121:8443;
id.nekover.se 10.202.41.124:8443;
mas.nekover.se 10.202.41.112:8443;
matrix.nekover.se 10.202.41.112:8443;
matrix-rtc.nekover.se 10.202.41.112:8443;
mewtube.nekover.se 127.0.0.1:8443;
nekover.se 127.0.0.1:8443;
nix-cache.nekover.se 10.202.41.121:8443;

3
config/hosts/web-public-2/virtualHosts/acme-challenge.nix
View file

@ -1,12 +1,9 @@
{ ... }:
let
acmeDomainMap = {
"alertmanager.grzb.de" = "metrics.vs.grzb.de";
"jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
"mail-1.grzb.de" = "mail-1.vs.grzb.de";
"mas.nekover.se" = "matrix.vs.grzb.de";
"matrix.nekover.se" = "matrix.vs.grzb.de";
"matrix-rtc.nekover.se" = "matrix.vs.grzb.de";
"netbox.grzb.de" = "netbox.vs.grzb.de";
"git.nekover.se" = "forgejo.vs.grzb.de";
"grafana.grzb.de" = "metrics.vs.grzb.de";

4
config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
View file

@ -1,9 +1,9 @@
{ pkgs, ... }:
let
elementWebVersion = "1.11.96";
elementWebVersion = "1.11.77";
element-web = pkgs.fetchzip {
url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
sha256 = "sha256-zm+mpcHF2rLk2ejwzCOpqHe2mnegHm3ZtJ2v7KC4oxU=";
sha256 = "sha256-O5Dt54fBoKalaeevBn7px/06Kiuhf6mvogLk4Bvvnrg=";
};
elementWebSecurityHeaders = ''
# Configuration best practices

2
config/hosts/web-public-2/virtualHosts/nekover.se.nix
View file

@ -16,7 +16,7 @@
'';
};
locations."/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"},\"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix-rtc.nekover.se/livekit/jwt\"}, {\"type\": \"nextgen_new_foci_type\", \"props_for_nextgen_foci\": \"val\"}]}'";
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;

2
config/nixos-generators/default.nix
View file

@ -10,5 +10,5 @@
firewall.enable = true;
};
system.stateVersion = "24.11";
system.stateVersion = "23.05";
}

157
flake.lock generated
View file

@ -19,11 +19,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -32,61 +32,13 @@
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": [
"simple-nixos-mailserver",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"simple-nixos-mailserver",
"nixpkgs"
]
},
"locked": {
"lastModified": 1742649964,
"narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"simple-nixos-mailserver",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1736643958,
"narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
"lastModified": 1731805462,
"narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
"rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734",
"type": "github"
},
"original": {
@ -103,11 +55,11 @@
]
},
"locked": {
"lastModified": 1747663185,
"narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
"lastModified": 1732151224,
"narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
"rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c",
"type": "github"
},
"original": {
@ -118,43 +70,42 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1751582995,
"narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=",
"lastModified": 1731842749,
"narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693",
"rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05-small",
"ref": "nixos-24.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-25_05": {
"nixpkgs-24_05": {
"locked": {
"lastModified": 1747610100,
"narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=",
"lastModified": 1717144377,
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ca49c4304acf0973078db0a9d200fd2bae75676d",
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
"id": "nixpkgs",
"ref": "nixos-24.05",
"type": "indirect"
}
},
"nixpkgs-master": {
"locked": {
"lastModified": 1751655236,
"narHash": "sha256-2QDfhYjPFui9iQNTXBLcbffWVWbYLntm9EM/eFU3kX8=",
"lastModified": 1732154639,
"narHash": "sha256-GeEhJmh0/KEQmoe4Lmsv9VC0SrQn4K9V27KbHJ0Zs/g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e1dca425c33650ae9ea15e577012d49586f29cef",
"rev": "516819d9b5b97ee1f461aecb4caed7aa6b769d5d",
"type": "github"
},
"original": {
@ -166,11 +117,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1751619433,
"narHash": "sha256-5aZFBHQNQzrfCisewtYBDNbiKcHbxPYChiP4dkEcSXQ=",
"lastModified": 1732136765,
"narHash": "sha256-622zKMMp0mw2a+fJJoVQdNmxwRGDkWsDTn5OSPK8DLk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a2867cc3f8acc944cb19fe0b73c840e9fa1ba589",
"rev": "e35b0f3f9787cfe51f406f7dd5a4446a858bfdb2",
"type": "github"
},
"original": {
@ -182,18 +133,17 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1747179050,
"narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
"lastModified": 1717602782,
"narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
"rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
"type": "github"
},
"original": {
"owner": "NixOS",
"id": "nixpkgs",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
"type": "indirect"
}
},
"root": {
@ -209,24 +159,57 @@
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"git-hooks": "git-hooks",
"nixpkgs": "nixpkgs_2",
"nixpkgs-25_05": "nixpkgs-25_05"
"nixpkgs-24_05": "nixpkgs-24_05",
"utils": "utils"
},
"locked": {
"lastModified": 1747965231,
"narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
"lastModified": 1718084203,
"narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "53007af63fade28853408370c4c600a63dd97f41",
"rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-25.05",
"ref": "nixos-24.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

6
flake.nix
View file

@ -1,13 +1,13 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05-small";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nixpkgs-master.url = "github:NixOS/nixpkgs/master";
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
};
outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs:
@ -31,7 +31,7 @@
inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver;
# Provide environment for secret key command
keyCommandEnv = [ "env" "GNUPGHOME=/home/fi/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/fi/pass/infra" ];
keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ];
};
};
} // builtins.mapAttrs (helper.generateColmenaHost) hosts;

7
hosts.nix
View file

@ -39,7 +39,6 @@ in
environment = "proxmox";
};
jellyfin = {
hostNixpkgs = nixpkgs-unstable;
site = "vs";
environment = "proxmox";
};
@ -68,7 +67,6 @@ in
environment = "proxmox";
};
matrix = {
hostNixpkgs = nixpkgs-unstable;
site = "vs";
environment = "proxmox";
};
@ -84,6 +82,10 @@ in
site = "vs";
environment = "proxmox";
};
nitter = {
site = "vs";
environment = "proxmox";
};
coturn = {
site = "vs";
environment = "proxmox";
@ -94,7 +96,6 @@ in
environment = "proxmox";
};
torrent = {
hostNixpkgs = nixpkgs-unstable;
site = "vs";
environment = "proxmox";
};