Setup ikiwiki host

2024-11-21 05:19:26 +01:00
14 changed files with 107 additions and 83 deletions
--- a/config/hosts/forgejo/forgejo.nix
+++ b/config/hosts/forgejo/forgejo.nix
@ -3,6 +3,7 @@
  services.forgejo = {
    enable = true;
    database.type = "postgres";
+    mailerPasswordFile = "/secrets/forgejo-mailer-password.secret";

    settings = {
      DEFAULT = {
@ -59,6 +60,5 @@
        HOST = "redis+socket:///run/redis-forgejo/redis.sock";
      };
    };
-    secrets.mailer.PASSWD = "/secrets/forgejo-mailer-password.secret";
  };
 }
--- a/config/hosts/ikiwiki/ikiwiki.nix
+++ b/config/hosts/ikiwiki/ikiwiki.nix
@ -133,4 +133,26 @@ in
      "multi-user.target"
    ];
  };
+
+  systemd.services.ikiwiki-auth-setup = {
+    description = "Setup auth subdirectory for ikiwiki.cgi";
+
+    script = ''
+      mkdir -p ${ikiwikiSettings.destdir}/auth
+      if [ ! -f ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]; then
+        ln -s ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi
+      fi
+    '';
+
+    serviceConfig = {
+      Type = "simple";
+      User = config.users.users.ikiwiki.name;
+      Group = config.users.users.ikiwiki.group;
+      Requires = [ "ikiwiki-settings-setup.service" ];
+    };
+
+    wantedBy = [
+      "multi-user.target"
+    ];
+  };
 }
--- a/config/hosts/keycloak/keycloak.nix
+++ b/config/hosts/keycloak/keycloak.nix
@ -3,10 +3,10 @@
  services.keycloak = {
    enable = true;
    settings = {
-      hostname = "https://id.nekover.se";
-      hostname-admin = "https://keycloak-admin.nekover.se";
-      proxy-headers = "forwarded";
-      http-enabled = true;
+      hostname = "id.nekover.se";
+      hostname-admin = "keycloak-admin.nekover.se";
+      hostname-strict-backchannel = true;
+      proxy = "edge";
      http-host = "127.0.0.1";
      http-port = 8080;
    };
--- a/config/hosts/mail-1/configuration.nix
+++ b/config/hosts/mail-1/configuration.nix
@ -15,20 +15,28 @@
        ];
        routes = [
          {
-            Gateway = "10.202.41.1";
-            Destination = "10.201.0.0/16";
+            routeConfig = {
+              Gateway = "10.202.41.1";
+              Destination = "10.201.0.0/16";
+            };
          }
          {
-            Gateway = "10.202.41.1";
-            Destination = "10.202.0.0/16";
+            routeConfig = {
+              Gateway = "10.202.41.1";
+              Destination = "10.202.0.0/16";
+            };
          }
          {
-            Gateway = "10.202.41.1";
-            Destination = "172.21.87.0/24";
+            routeConfig = {
+              Gateway = "10.202.41.1";
+              Destination = "172.21.87.0/24";
+            };
          }
          {
-            Gateway = "10.202.41.1";
-            Destination = "212.53.203.19/32";
+            routeConfig = {
+              Gateway = "10.202.41.1";
+              Destination = "212.53.203.19/32";
+            };
          }
        ];
        linkConfig.RequiredForOnline = "routable";
@ -54,11 +62,13 @@
          PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
        };
        wireguardPeers = [{
-          PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
-          PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
-          Endpoint = "212.53.203.19:51822";
-          AllowedIPs = [ "0.0.0.0/0" ];
-          PersistentKeepalive = 25;
+          wireguardPeerConfig = {
+            PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
+            PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
+            Endpoint = "212.53.203.19:51822";
+            AllowedIPs = [ "0.0.0.0/0" ];
+            PersistentKeepalive = 25;
+          };
        }];
      };
    };
--- a/config/hosts/mail-2/configuration.nix
+++ b/config/hosts/mail-2/configuration.nix
@ -15,20 +15,28 @@
        ];
        routes = [
          {
-            Gateway = "10.201.41.1";
-            Destination = "10.201.0.0/16";
+            routeConfig = {
+              Gateway = "10.201.41.1";
+              Destination = "10.201.0.0/16";
+            };
          }
          {
-            Gateway = "10.201.41.1";
-            Destination = "10.202.0.0/16";
+            routeConfig = {
+              Gateway = "10.201.41.1";
+              Destination = "10.202.0.0/16";
+            };
          }
          {
-            Gateway = "10.201.41.1";
-            Destination = "172.21.87.0/24";
+            routeConfig = {
+              Gateway = "10.201.41.1";
+              Destination = "172.21.87.0/24";
+            };
          }
          {
-            Gateway = "10.201.41.1";
-            Destination = "217.160.117.160/32";
+            routeConfig = {
+              Gateway = "10.201.41.1";
+              Destination = "217.160.117.160/32";
+            };
          }
        ];
        linkConfig.RequiredForOnline = "routable";
@ -54,11 +62,13 @@
          PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret";
        };
        wireguardPeers = [{
-          PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
-          PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
-          Endpoint = "217.160.117.160:51820";
-          AllowedIPs = [ "0.0.0.0/0" ];
-          PersistentKeepalive = 25;
+          wireguardPeerConfig = {
+            PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
+            PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
+            Endpoint = "217.160.117.160:51820";
+            AllowedIPs = [ "0.0.0.0/0" ];
+            PersistentKeepalive = 25;
+          };
        }];
      };
    };
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@ -5,37 +5,28 @@ let
    rev = "v2.2";
    hash = "sha256-KyXDnpZh1DrY59jvdU42UicgBVvEGtvAGeU1mNxJauQ=";
  };
-  mastodonModern = pkgs.fetchgit {
-    url = "https://git.gay/freeplay/Mastodon-Modern.git";
-    rev = "e9e53496789234d5782b5b3d97ed66a130b1678a";
-    hash = "sha256-lUq57Gbr1UCMVGoO4xTT3wYPNwohdepxSPCX+WP6AS8=";
-  };
  mastodonNekoversePatches = pkgs.fetchgit {
    url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git";
    hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU=";
  };
  mastodonNekoverseOverlay = final: prev: {
    mastodon = (prev.mastodon.override rec {
-      version = "4.3.2";
+      version = "4.3.1";
      srcOverride = final.applyPatches {
        src = pkgs.stdenv.mkDerivation {
          name = "mastodonWithThemes";
          src = pkgs.fetchgit {
            url = "https://github.com/mastodon/mastodon.git";
            rev = "v${version}";
-            sha256 = "sha256-A1sSUBtlztKFsZ3TY/c9CXFV8LhttRW2JmSU0QSVOIg=";
+            sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4=";
          };
          installPhase = ''
            cp -r ./ $out/
            cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/
-            echo "@import 'mastodon/variables';
-            @import 'application';" >> $out/app/javascript/styles/modern-dark.scss
-            cat ${mastodonModern}/modern.css >> $out/app/javascript/styles/modern-dark.scss
            echo "tangerineui: styles/tangerineui.scss
            tangerineui-purple: styles/tangerineui-purple.scss
            tangerineui-cherry: styles/tangerineui-cherry.scss
-            tangerineui-lagoon: styles/tangerineui-lagoon.scss
-            modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml
+            tangerineui-lagoon: styles/tangerineui-lagoon.scss" >> $out/config/themes.yml
          '';
        };
        patches = [
--- a/config/hosts/nextcloud/nextcloud.nix
+++ b/config/hosts/nextcloud/nextcloud.nix
@ -2,7 +2,7 @@
 {
  services.nextcloud = {
    enable = true;
-    package = pkgs.nextcloud30;
+    package = pkgs.nextcloud29;
    hostName = "cloud.nekover.se";
    https = true;
    config = {
--- a/config/hosts/torrent/configuration.nix
+++ b/config/hosts/torrent/configuration.nix
@ -25,5 +25,5 @@
    };
  };

-  system.stateVersion = "24.11";
+  system.stateVersion = "23.11";
 }
--- a/config/hosts/torrent/jackett.nix
+++ b/config/hosts/torrent/jackett.nix
@ -1,8 +1,8 @@
-{ nixpkgs-master, ... }:
+{ nixpkgs-unstable, ... }:
 {
  services.jackett = {
    enable = true;
-    # use package from master to work around faulty test in older jackett version
-    package = nixpkgs-master.legacyPackages."x86_64-linux".jackett;
+    # use package from unstable to work around faulty test in older jackett version
+    package = nixpkgs-unstable.legacyPackages."x86_64-linux".jackett;
  };
 }
--- a/config/hosts/torrent/sonarr.nix
+++ b/config/hosts/torrent/sonarr.nix
@ -1,17 +1,5 @@
 { ... }:
 {
-  # The sonarr package is dependend on .NET 6 which is marked as insecure.
-  # It doesn't seem to build with the later .NET versions.
-  # In the meantime allow the installation of these insecure packages since sonarr is only reachable locally.
-  nixpkgs.config = {
-    permittedInsecurePackages = [
-      "aspnetcore-runtime-wrapped-6.0.36"
-      "aspnetcore-runtime-6.0.36"
-      "dotnet-sdk-wrapped-6.0.428"
-      "dotnet-sdk-6.0.428"
-    ];
-  };
-
  services.sonarr = {
    enable = true;
    user = "torrent";
--- a/config/nixos-generators/default.nix
+++ b/config/nixos-generators/default.nix
@ -10,5 +10,5 @@
    firewall.enable = true;
  };

-  system.stateVersion = "24.11";
+  system.stateVersion = "23.05";
 }
--- a/flake.lock
+++ b/flake.lock
@ -34,11 +34,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1734829460,
-        "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=",
+        "lastModified": 1731805462,
+        "narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c",
+        "rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734",
        "type": "github"
      },
      "original": {
@ -55,11 +55,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1734915500,
-        "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=",
+        "lastModified": 1732151224,
+        "narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4",
+        "rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c",
        "type": "github"
      },
      "original": {
@ -70,16 +70,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1736167739,
-        "narHash": "sha256-vL6dGj+0w+l1cK4duEokolgmx4Hu3O1TPjpD6Dfd7oY=",
+        "lastModified": 1731842749,
+        "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "bd27be8c9381a66288504d5266db495de571d7bf",
+        "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.11-small",
+        "ref": "nixos-24.05-small",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -101,11 +101,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1736204625,
-        "narHash": "sha256-y1OxajWQrxP7naHYPoUCrf4AAhEqOGwpNbj+qBXSn5s=",
+        "lastModified": 1732154639,
+        "narHash": "sha256-GeEhJmh0/KEQmoe4Lmsv9VC0SrQn4K9V27KbHJ0Zs/g=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6199c32fe66a688ce7c3483de2b05b358ab7a0a6",
+        "rev": "516819d9b5b97ee1f461aecb4caed7aa6b769d5d",
        "type": "github"
      },
      "original": {
@ -117,11 +117,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1736165148,
-        "narHash": "sha256-AdKOlljgcTLOrJb3HFpaaoHWJhFrkVeT9HbRm0JvcwE=",
+        "lastModified": 1732136765,
+        "narHash": "sha256-622zKMMp0mw2a+fJJoVQdNmxwRGDkWsDTn5OSPK8DLk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9f46f57b78d2ef865cd8c58eff8d430bb62a471a",
+        "rev": "e35b0f3f9787cfe51f406f7dd5a4446a858bfdb2",
        "type": "github"
      },
      "original": {
@ -164,11 +164,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1734885828,
-        "narHash": "sha256-G0fB1YBlkalu8lLGRB07K8CpUWNVd+unfrjNomSL7SM=",
+        "lastModified": 1718084203,
+        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "636b82f4175e3f6b1e80d2189bb0469e2ae01a55",
+        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
        "type": "gitlab"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,6 +1,6 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
    nixpkgs-master.url = "github:NixOS/nixpkgs/master";
    nixos-generators = {
@ -31,7 +31,7 @@
          inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver;

          # Provide environment for secret key command
-          keyCommandEnv = [ "env" "GNUPGHOME=/home/fi/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/fi/pass/infra" ];
+          keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ];
        };
      };
    } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
--- a/hosts.nix
+++ b/hosts.nix
@ -82,6 +82,10 @@ in
      site = "vs";
      environment = "proxmox";
    };
+    nitter = {
+      site = "vs";
+      environment = "proxmox";
+    };
    coturn = {
      site = "vs";
      environment = "proxmox";
@ -92,7 +96,6 @@ in
      environment = "proxmox";
    };
    torrent = {
-      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
      environment = "proxmox";
    };