
142 changed files with 1479 additions and 1280 deletions


@ -1,96 +0,0 @@
keys:
- &admin_age_fi age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- &host_age_coturn age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l
- &host_age_forgejo age1d5y8dx3e8pksvxr8fv8f02v0y7qg7kuwpxpmxksp7xlvrcpfju5sdz6guk
- &host_age_ikiwiki age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
- &host_age_jellyfin age10huhyn3va02zjysyanf8fd6lpfvjv3k3u6qymanz9jtcmfp3kqfskth7yt
- &host_age_keycloak age15kluaw2krucmc0j98zfk0s5tkwqer0ax6jva458zukzrgnqjqc9q7s88yd
- &host_age_lifeline age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua
- &host_age_mail-1 age1hny8kwx0uymselgas25q558ruxxdv7lgtu9d5rnd6x9w3nysk4zqumzzrp
- &host_age_mastodon age1r60mmmeulm33h0trc0y870dml5hzhglyjv4wecyjy2858pg8u47s793r30
- &host_age_matrix age1g60l5mu08xrwfw7uptwcwde8kp9dacs4ltqv2ndjskpy8z5sqakqssxxq5
- &host_age_metrics age1lrtengtdc0nzpagr8fkp5mwqda66jqr0s2h3wsxcdscmalp8n3js3r0e3n
- &host_age_metrics-nekomesh age1rh7zgp445t39c7tmh84r30e9edju8gmtn84u7rjwhmyntzkugucq5x0xse
- &host_age_nextcloud age1lvlmct30jtg7p4qpf8evtjlld6g74q2ckh803hd3ynr7cz7zlceq84flwu
- &host_age_searx age17h3js5v8s5vezcankky6kqxcrvtfxanmvhp3axmnqs4y9s2lr9yqvc6zrn
- &host_age_torrent age1m37wtvp7fpavaygn2jc6kq2gtuvgvf0jgwwhd3p5862djv5segqs97mg7c
- &host_age_valkyrie age1guqc5pnajp2whkla6vws4yqnpe5hq4z89w6te3n5yql5pugzfqlqczjlee
creation_rules:
- path_regex: config/hosts/coturn/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_coturn
- path_regex: config/hosts/forgejo/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_forgejo
- path_regex: config/hosts/ikiwiki/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_ikiwiki
- path_regex: config/hosts/jellyfin/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_jellyfin
- path_regex: config/hosts/keycloak/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_keycloak
- path_regex: config/hosts/lifeline/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_lifeline
- path_regex: config/hosts/mail-1/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_mail-1
- path_regex: config/hosts/mastodon/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_mastodon
- path_regex: config/hosts/matrix/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_matrix
- path_regex: config/hosts/metrics/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_metrics
- path_regex: config/hosts/metrics-nekomesh/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_metrics-nekomesh
- path_regex: config/hosts/nextcloud/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_nextcloud
- path_regex: config/hosts/searx/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_searx
- path_regex: config/hosts/torrent/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_torrent
- path_regex: config/hosts/valkyrie/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_valkyrie
stores:
yaml:
indent: 2


@ -35,7 +35,6 @@
parted
tmux
nano
ssh-to-age
tcpdump
];


@ -5,7 +5,7 @@
min-port = 49200;
max-port = 49500;
use-auth-secret = true;
static-auth-secret-file = "/run/secrets/static-auth-secret";
static-auth-secret-file = "/secrets/static-auth-secret.secret";
realm = "turn.nekover.se";
cert = "${config.security.acme.certs."turn.nekover.se".directory}/fullchain.pem";
pkey = "${config.security.acme.certs."turn.nekover.se".directory}/key.pem";
@ -42,11 +42,4 @@
total-quota=1200
'';
};
sops.secrets."static-auth-secret" = {
mode = "0440";
owner = "turnserver";
group = "turnserver";
restartUnits = [ "coturn.service" ];
};
}
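Review bot: Nothing restarts coturn.service when the shared secret changes now that `restartUnits = [ "coturn.service" ]` is gone — colmena only uploads the key, and if the system closure is otherwise unchanged the activation is a no-op, so a rotated `static-auth-secret` is picked up only at the next manual restart. The unit also has no ordering relation to the key file on a fresh boot; as far as I can tell colmena generates a `<key name>-key.service` that can be used for that, e.g. `systemd.services.coturn = { after = [ "static-auth-secret.secret-key.service" ]; wants = [ "static-auth-secret.secret-key.service" ]; };`. A comment on the `static-auth-secret-file` line saying the file comes from keys.nix and is refreshed only on rotate-and-restart would save the next reader a search. The surrounding `services.coturn` block starts before this hunk.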


@ -4,6 +4,5 @@
./configuration.nix
./acme.nix
./coturn.nix
./sops.nix
];
}


@ -0,0 +1,11 @@
{ keyCommandEnv,... }:
{
deployment.keys."static-auth-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ];
destDir = "/secrets";
user = "turnserver";
group = "turnserver";
permissions = "0640";
uploadAt = "pre-activation";
};
}
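Review bot: The secret is owned by the service user (`user = "turnserver"` with `permissions = "0640"`), so the TURN daemon can overwrite its own authentication secret; the sops declaration this replaces used mode 0440, i.e. read-only even for the owner. Keeping root as owner and granting read access through the group preserves that property: `user = "root"; group = "turnserver"; permissions = "0640";`. Note also that `/secrets` is a persistent directory, unlike the ramfs sops-nix mounted under `/run/secrets`, so the plaintext secret now survives on disk across reboots — acceptable if the root filesystem is encrypted, but worth a comment either way.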


@ -1,25 +0,0 @@
static-auth-secret: ENC[AES256_GCM,data:af5cjUSeiCEtYki85h+XoJW5FKY4X18i6zOBZnH64Ju/LwA/yUemA8co17TG5cQnc/sw1pz6LySL2DOq/Gj42g==,iv:Yne84/VLN0jCSulA5OQ0UKbQWkqWBmHYogDuAngAp48=,tag:wJ/4yGnbypjTo/akV3P9ZA==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMXRScDR1NzhzZGRXYUZQ
ZGpRYUlOUWZTVHQvdUlrSG5SRWM2ME9sdUVZCldCZkZ0SXdqUjBVNlRnckg3N0dS
S0s2NkRnQys2SGJKSTdiUWlnbTg1dkEKLS0tIGthb0FESjAyMjlEbnV4S0lPOHda
S1ZBOWdTSmNRQXMvUGJnd05sK1Q2Qk0KHseEBDVLeSWHdgrYyITRuJyp3orrjwwS
04ORMniHR7ymHzRPvm3oX/jkFD0iJEmk8clgm/Gcn2AQ7xXeJO7Vnw==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmemxWRnFLMFVEcVZCb3BT
MStWU21kcnF5enpleWt3dFdaMHo3RzJGaENNClU2M2tmdE0zd2pXWUJHQkV5Mkhi
a0lIbHJmWDN6UXhVeTZId3RhcEd5TWcKLS0tIFRlSUNQN0pGYmtiOGxJS0pJY0tQ
YjFzS205QklRZWdPbklIRzVzbFFPT2sKCXra+DUchbomy9pe2HJAbhAF1mstgUcv
NalettWmuLXe2B0WjC9fAy2AAJS6kysEbUh960suzSPLTqTce0MGfA==
-----END AGE ENCRYPTED FILE-----
recipient: age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l
lastmodified: "2026-05-16T23:13:15Z"
mac: ENC[AES256_GCM,data:PxX20JAaYhj3DE1KjakVmVucL7jjZU0vh5vnSNmKLgqedJiV2ZqEXpF4s1WPgYTY723aLiWDLw/8kTF/VmvMs8zOdGSkIhojWIWFE6I2yq1MjlawXuUhGpe6C1XGQ+w0KTqzyJLxyIsUSH24GqPHmLRMStE7bYdr0a4lRBHEyqE=,iv:6tXoqhG1XqDAz4SZSIxFCi01Be76/dV4vFPwv3lkcps=,tag:ytLoh7gJ+Iuqv5AwhDElrw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -5,6 +5,5 @@
./forgejo.nix
./redis.nix
./nginx.nix
./sops.nix
];
}


@ -4,7 +4,6 @@
enable = true;
package = pkgs.forgejo;
database.type = "postgres";
lfs.enable = true;
settings = {
DEFAULT = {
@ -18,7 +17,6 @@
ROOT_URL = "https://git.nekover.se/";
# LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
# Doesn't need to be set.
OFFLINE_MODE = true;
};
admin = {
DISABLE_REGULAR_ORG_CREATION = false;
@ -36,10 +34,11 @@
DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false;
ENABLE_NOTIFY_MAIL = true;
};
repo = {
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
};
repository = {
DEFAULT_REPO_UNITS = "repo.code";
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
};
@ -61,13 +60,6 @@
HOST = "redis+socket:///run/redis-forgejo/redis.sock";
};
};
secrets.mailer.PASSWD = "/run/secrets/forgejo-mailer-password";
};
sops.secrets."forgejo-mailer-password" = {
mode = "0440";
owner = "forgejo";
group = "forgejo";
restartUnits = [ "forgejo.service" ];
secrets.mailer.PASSWD = "/secrets/forgejo-mailer-password.secret";
};
}
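Review bot: Dropping `OFFLINE_MODE = true` changes more than the secrets path this commit is about — unless the Forgejo release in use already defaults it to true, the instance will start loading Gravatar avatars and CDN assets from third parties, which leaks users' e-mail hashes and page views to those services. I would keep an explicit `OFFLINE_MODE = true;` under `server` regardless of the upstream default so the privacy posture does not depend on it. Likewise, removing `lfs.enable = true` makes any LFS objects already pushed unserveable, and the corrected `repository` section (the old `repo` key is not a section Forgejo reads, so those settings were inert until now) makes push-to-create effective for every authenticated user; both look intentional but deserve a line in the commit message. The `services.forgejo` block begins before this hunk.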


@ -29,8 +29,7 @@
};
extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
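Review bot: The rewritten `set_real_ip_from 10.202.41.100;` drops the comment that identified the peer (web-public-2), and the valkyrie entry is removed without a note on where IPv6 traffic now enters — if valkyrie still fronts IPv6, its connections will be logged and rate-limited as 10.203.10.3 instead of the real client. Keep the identification inline, `set_real_ip_from 10.202.41.100; # PROXY protocol from web-public-2`, so the next reader knows which host is being trusted to assert client addresses.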


@ -0,0 +1,13 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"forgejo-mailer-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
destDir = "/secrets";
user = "forgejo";
group = "forgejo";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}
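Review bot: `pass mail/forgejo-nekover-se` is also the source for `mail-forgejo-nekover-se.secret` on mail-1, where it is consumed as a `hashedPasswordFile`; here the same entry becomes `secrets.mailer.PASSWD`, which Forgejo sends to the SMTP server as the plaintext password. The sops files being removed kept these as two distinct secrets. Unless the password-store entry holds a value both consumers accept, one of the two is now wrong — either split it into a plaintext entry for Forgejo and a hashed entry for the mailserver, or add a comment on the `keyCommand` line explaining why one entry works for both.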


@ -1,25 +0,0 @@
forgejo-mailer-password: ENC[AES256_GCM,data:bFUrFyE/reeTtKZCrb1T1CG8Ng9QbDwZo9AdxU67i8uNmKcn93k3dqY70tSqBTAc9hpsXyW3UTKnPpk+ffb0mw==,iv:p16td5KV0rTmrrtX8FMojotEa+2oiFmVizkc6mt9QyI=,tag:czg/IlNLkx75m2iSddUkUw==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNjVaNlFWeG9vMW4vM2R3
bWQyVk9jN1VkUUczbTBzUmdpZ2NyWlV4aVFjCmZwa0lDcXUzVDM4d1Mwa1B4Qm9q
WjVKMXJBRVNtc0JzcmE0Y20zdCtzM3cKLS0tIEJWanpwZHdPMGJiL0lkME9yVGQ1
a3ZvRGV3VENIbmlubG16MWF3SkdyQ00KZj5vuzVyCqbLH5gnQjhRpOfHtIB3RVZC
m+VdnnAFIfShrxwfOekVavffaHmG3PWS7RUKoeZNSdtz1ScuwfazPw==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYOEdadnQvSW1mcE9hSmFL
aFlqdHpTejNZRXJCbTh4WjQyQXVobitaa2hFCjV1RU9UOGlqaXhIckNLMmYwb0s2
eHY2VVpiQThzQUNuS1FLbFd3V2NGZk0KLS0tIGdOK3VEOUlNcldBQ1haRHhVS0cw
N3ZoNWlVK2trVkJLQlhnaHFueFdqVEkK800paYmP1opnW7o2V8f2zzWNR5tOVYGs
fl+SA7hE7uTpRrrGfuZq0jQgWOaeAbJ3+PzRuSrVlrXdWIyipcZM2Q==
-----END AGE ENCRYPTED FILE-----
recipient: age1d5y8dx3e8pksvxr8fv8f02v0y7qg7kuwpxpmxksp7xlvrcpfju5sdz6guk
lastmodified: "2026-05-17T00:50:59Z"
mac: ENC[AES256_GCM,data:I3a9s9i6sFVTRQIAj94YZNyxQsDIWIvRhy9M/e6iMYpvoQyxFvMD3xAE0NQ1uX1QgMoi+6njTc8AmTXFJvSfoiqtVfHQH+HkLPMR27DZUY6kgZGMvUVswioSKfaF8fZxGEyWRPAuTDlynfOsGpr4Tqt5U8NBiYL1FDD6CPALaiY=,iv:RUbSPPTR6cTWwzvbnQRA/f9AjjjOpQUiEBrWvxqCpTQ=,tag:GcGsBgxWU/AXm06FkUI1LA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -0,0 +1,51 @@
{ ... }:
{
boot = {
loader.grub = {
enable = true;
device = "/dev/vda";
};
binfmt.emulatedSystems = [
"armv6l-linux"
"armv7l-linux"
"aarch64-linux"
];
};
networking = {
hostName = "hydra";
firewall = {
enable = true;
allowedTCPPorts = [ 8443 ];
};
};
users.users.builder = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/plZfxF/RtB+pJsUYx9HUgRcB56EoO0uj+j3AGzZta root@cherry"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeIiHkHA5c6/jZx+BB28c5wchdzlFI7R1gbvNmPyoOg root@kiara"
];
};
nix = {
settings = {
trusted-users = [ "builder" ];
allowed-uris = "http:// https://";
};
buildMachines = [
{
hostName = "localhost";
systems = [
"x86_64-linux"
"armv6l-linux"
"armv7l-linux"
"aarch64-linux"
];
}
];
};
system.stateVersion = "23.05";
}
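Review bot: `trusted-users = [ "builder" ]` makes the `builder` account — reachable with the root SSH keys of cherry and kiara — effectively root on this host, since a trusted Nix user can import unsigned store paths and override sandbox and substituter settings, so compromise of either client box is compromise of hydra and of everything it signs. If the remote side only needs to build and copy derivations, drop it from `trusted-users` and rely on the default `allowed-users`; if it must stay, record why in a comment next to the setting. Separately, `allowed-uris = "http:// https://"` lets restricted evaluation fetch from any plaintext HTTP URL; removing `http://` costs nothing for fixed-output fetches that carry a hash and avoids unauthenticated fetches during evaluation. The firewall opens only 8443 while nginx.nix binds 0.0.0.0:80 for ACME, so if HTTP-01 challenges are expected to reach this host directly that port needs a rule as well.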


@ -0,0 +1,9 @@
{ ... }:
{
imports = [
./configuration.nix
./hydra.nix
./nix-serve.nix
./nginx.nix
];
}


@ -0,0 +1,14 @@
{ ... }:
{
services.hydra = {
enable = true;
hydraURL = "https://hydra.nekover.se";
listenHost = "localhost";
port = 3001;
useSubstitutes = true;
notificationSender = "hydra@robot.grzb.de";
extraConfig = "
binary_cache_public_uri = https://nix-cache.nekover.se
";
};
}
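Review bot: `extraConfig` is written as a double-quoted string containing a literal newline, which leaves the source indentation in the generated hydra.conf and invites escaping mistakes; the rest of this tree uses indented strings for multi-line snippets. Prefer `extraConfig = ''` / `binary_cache_public_uri = https://nix-cache.nekover.se` / `'';`. A one-line comment that this URI must match the nix-cache vhost in nginx.nix would also help, since the two are only linked by convention.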


@ -0,0 +1,42 @@
{ ... }:
{
services.nginx = {
enable = true;
virtualHosts = {
"hydra.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."/" = {
proxyPass = "http://localhost:3001";
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
"nix-cache.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [ {
addr = "0.0.0.0";
port = 80;
}];
locations."/" = {
proxyPass = "http://localhost:5005";
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
};
}
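Review bot: Neither vhost sends `Strict-Transport-Security`, while the keycloak vhost touched in this same commit adds `add_header Strict-Transport-Security "max-age=63072000" always;` to its extraConfig — the Hydra UI handles logins and deserves the same header. Both locations proxy with a bare `proxyPass`, so without `recommendedProxySettings = true` Hydra receives no `Host`/`X-Forwarded-Proto`/`X-Forwarded-For`; as far as I can tell Hydra builds absolute links from `hydraURL` so this may be fine, but login redirects behind the proxy are worth confirming. The identical `listen`/`set_real_ip_from`/`real_ip_header` stanza is repeated verbatim; hoisting it into a `let` binding shared by both vhosts keeps the trusted-proxy list in one place.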


@ -0,0 +1,9 @@
{ ... }:
{
services.nix-serve = {
enable = true;
port = 5005;
bindAddress = "localhost";
secretKeyFile = "/secrets/signing-key.secret";
};
}


@ -0,0 +1,11 @@
{ keyCommandEnv, ... }:
{
deployment.keys."signing-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "hydra/signing-key" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
}
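Review bot: The cache signing key is uploaded as `root:root` with `0640`, and whether nix-serve can read it depends on how the module on this channel passes `secretKeyFile` — if it hands the path to a service running as the `nix-serve` user the file is unreadable and signing silently stops, whereas a `LoadCredential`-based module reads it as root and works. Verify on the deployed host that narinfos actually carry a `Sig:` line and, if they do not, set `group = "nix-serve";`. This key is the trust root for every machine substituting from nix-cache.nekover.se, so a comment saying where the public half is pinned and that rotation implies re-signing the cache belongs here too.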


@ -4,6 +4,5 @@
./configuration.nix
./ikiwiki.nix
./nginx.nix
./sops.nix
];
}


@ -26,7 +26,7 @@ in
tryFiles = "$uri $uri/ =404";
};
"~ .cgi" = {
basicAuthFile = "/run/secrets/auth_file";
basicAuthFile = "/secrets/ikiwiki-auth-file.secret";
extraConfig = ''
gzip off;
fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address};
@ -39,17 +39,9 @@ in
};
};
extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
sops.secrets."auth_file" = {
mode = "0440";
owner = "nginx";
group = "nginx";
restartUnits = [ "nginx.service" ];
};
}


@ -0,0 +1,11 @@
{ keyCommandEnv, ... }:
{
deployment.keys."ikiwiki-auth-file.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ];
destDir = "/secrets";
user = "nginx";
group = "nginx";
permissions = "0640";
uploadAt = "pre-activation";
};
}


@ -1,25 +0,0 @@
auth_file: ENC[AES256_GCM,data:5/uT1sIOI95LNA9YFWh3I9J2PCZmz/J38YxVsKVWFHfJdZUOQpSW6ekjX7StP/svtv6Tp0AonnvcKfRcyPYn,iv:NKdWae+EihasTMV24Hk+dKJG8032mWu+RWItWs0b6RE=,tag:WBM6pXlKaDXOMnBWGBLJWg==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNDZLcEFGRHczMHg3S0w3
eTNvNGI5TXBWTTc1eXAzZStlSmZTQ3NkdTA4CmlYVEF1NWhldVZuZmwzTUU0NG5j
UFhvU3Q3Q1BvVHhrODJWc296UUo0TmMKLS0tIFFlUGRYVDNNYm40cXhlZ004eFk5
b3BnLzBjZFpjVDN2clZaTGlWV29NVUEKsdK4V5Og+bK26Gl6HTkOBtFrHfr1RFYu
zWNGQ3skkvATO/ypa0zFf3+qnupCTTO5emwscoRK8ZZFVgSswdnbIA==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOUJXWW95OXlEZFFwbHlp
RzJJMDFJU2pUTjltZ1JaWjE5c0xPY0hvNUdZCk5uWk9kdlRWNTNVUUVmT3VVeE9j
ajNNeVlZcEw4WFdqZ2QwTXl2MlhVZ2cKLS0tIFVVUXJtWkhtREFsdXp5ODZkOTA1
b1h3THFYSU1yblM0WmdxTUVtZG1OYVUK5tmcOX+jOdbSD1YCPqcAeoGF8ny61lWY
xwguejMeVZ/pCjO/qf3tb+MUlInPMXva59FelGd3nz6cbVqbeWtxSQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
lastmodified: "2026-05-16T22:13:21Z"
mac: ENC[AES256_GCM,data:McAN1DueAhDBAY8kloB5l8M0pLIeswtnCxBtMYFyzBaY2Z43gNetBwdpzs5sL4nEmAZGPJ9AjXJVSmjb1tOn3BF8X5n6/9F7DzvHT7ukpIjumGC0KeB0QfaIGgKJyo7koISIVlGFZAwgcf1fQwaKZsYzfOGelj7UNrzFCjArK+Y=,iv:oZUmzcEr08jROw24J2fXQ4EjEJH3vzYysdy51vEtUNM=,tag:QJjNb/YvuZrZtQD9QE1Z3g==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -5,6 +5,5 @@
./hardware-configuration.nix
./jellyfin.nix
./nginx.nix
./sops.nix
];
}


@ -5,7 +5,7 @@
fsType = "cifs";
options = [
"username=jellyfin"
"credentials=/run/secrets/samba-credentials"
"credentials=/secrets/samba-credentials.secret"
"iocharset=utf8"
"vers=3.1.1"
"uid=jellyfin"
@ -13,10 +13,4 @@
"_netdev"
];
};
sops.secrets."samba-credentials" = {
mode = "0440";
owner = "root";
group = "root";
};
}
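Review bot: The CIFS credentials now come from `/secrets/samba-credentials.secret`, but nothing in the visible mount options enables transport encryption — `vers=3.1.1` only selects the dialect, and without `seal` the share contents cross the network in the clear. If the option lines between the two hunks do not already include it, add `"seal"` next to `"vers=3.1.1"`, assuming the server supports SMB3 encryption. The `fileSystems` entry this belongs to starts before the hunk.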


@ -0,0 +1,11 @@
{ keyCommandEnv, ... }:
{
deployment.keys."samba-credentials.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
}


@ -1,25 +0,0 @@
samba-credentials: ENC[AES256_GCM,data:9txZMLLwlyAMzI3Naag3tUD1zSXLAf/zoJFoJZYTChhmkPpuhuuaIANFcYmH2sUYSsvZLXlbBuLXRryjTix0zK9ZfkZW8/R1vg==,iv:cF3S9S2+Vk+VAb8gyFyxZ12fqmohHSD3GG0fTILrxRM=,tag:m4BqpUlKmUoPbXTEjFmjaA==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb3dQYWM4SHVraHFPZEx6
aGpDcTEyVjZ6Y0h6YzM4aVliRXpqZFpLcnprCmNEOHFrby9IdEE1MTZIYWxrS3BS
ZHZTSmYxUW9pek5XblIyZ2FDVlV0TEkKLS0tIEN6NnErRXI3ejc3cVBiSVR6NlpC
a2tnWWxDaXgwQ3hmc0dreTNIRnl0cTAKCSaj/epLw16tVDX4OMCzutxlnARL8MDf
pUVDonkZ7sB7d1+mnyG+gMQuFDhiDcV9WS2h3M83xoSKoHnCkca9Ew==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbUdFMlZvVXlzc3FPSmE4
Rk1jeUpDVUJMeUlJZDlYeHhwK2l6UkJNRVFVCjNUVS9ZMjI2ME9qTFM0Umc3dXZC
Z0todzhYSXZ5Yk5odUdOZGg3VnE3QW8KLS0tIGd1emhUMFVHT3JiZ1JhY0FWOU1i
cW9PWk9oRHZGeFlSdlVLSlJ6TVg4WnMKikUhDJNyuKdiazCUcKBo834NO3U6ZfjB
GbDn3wUKb465CDYw7GPcvZtM2mNufsoInZh+Oq/07Hi+seAXfX2y7A==
-----END AGE ENCRYPTED FILE-----
recipient: age10huhyn3va02zjysyanf8fd6lpfvjv3k3u6qymanz9jtcmfp3kqfskth7yt
lastmodified: "2026-05-17T00:58:22Z"
mac: ENC[AES256_GCM,data:0WF8JU4d+5nHHB5iBmqdS6TkZem2AHrYNx6zDm4yoIKip7ZVTfCPCyhZ4c3QseEBn1G2IXsTMEtIk6RVI2JigSJPLjyXOTJOeWjVtPD5+1I+mrU7z+YWN+sK5i4F1hQX7/E4JbTDh/h+NbqZ6I9pBq7Nm12QUtZdp/7R5qChXs4=,iv:DBdSDx/X8fh7SXiC073AtDMPDB9idKItzEz2fl7xe+g=,tag:0O1pZp6+Y2Uf2DlijwZLeg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -4,6 +4,5 @@
./configuration.nix
./keycloak.nix
./nginx.nix
./sops.nix
];
}


@ -10,13 +10,6 @@
http-host = "127.0.0.1";
http-port = 8080;
};
database.passwordFile = "/run/secrets/keycloak-database-password";
};
sops.secrets."keycloak-database-password" = {
mode = "0440";
owner = "root";
group = "systemd-network";
restartUnits = [ "keycloak.service" ];
database.passwordFile = "/secrets/keycloak-database-password.secret";
};
}


@ -27,8 +27,7 @@
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
add_header Strict-Transport-Security "max-age=63072000" always;


@ -0,0 +1,13 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"keycloak-database-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "keycloak/database-password" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}
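Review bot: The database password is readable by group `systemd-network`, which has nothing to do with Keycloak — every process running as the networkd user can read it. The sops definition this replaces used the same group, so it is probably a deliberate workaround (for instance for a `DynamicUser` service that cannot own a static group), but the reason is recorded nowhere; add a comment on the `group` line explaining it, or, if Keycloak reads the file as root at startup, tighten to `group = "root";`. The same root:systemd-network pattern appears for the mail-1 WireGuard keys where networkd really is the consumer, which makes the keycloak case easy to mistake for a copy-paste slip.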


@ -1,25 +0,0 @@
keycloak-database-password: ENC[AES256_GCM,data:2Jk0wskmlpdpaZj05MX4YRRDR75eAkk5eDNNOTSA9+dN8OGkUWdI0CX9ZdQFUB31GiRaLZQ4I9gwnIc2sIxzuA==,iv:4fq+safzIGC21NFTaHsIfgZwuKelQyxttEeW7Pp09v8=,tag:c7LO34hJqi1yEwQ+cQc0Dg==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArR0Y2ZVg4S1FDYmRlS0xL
VWlJVzNvdHVXanBMN043QjcxVjd5bFk5d21JCnVzYVcwT2tnQS9jblhVQUFaNWZD
L0owQ1hhUFdhNVAzaVJNbWhQaEdXZlUKLS0tIFZFOFpKUklKNVJFRS9ZY1JaeS9D
RnF5YjRmbXRaY3h1MU5PWEZETGh0N2cKIwZg6mMY8c3VpE9hAk9bcFXLyzl7J/4M
BIh7C+yZbD7bL92TEP3gTpW+EsGiJl2LCq7NVVuDkboYuJ6kAqLppg==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGS25mcEErQ1pUMTV6U1h4
WXduajlyTFFncXdhZ09BdXg4amV4V0xMalFNCm85dk1ldUlHTytXRDJLcjIyN2M2
ZmVFVG1YcWhnTmwySmFRUDhEMkVyb1EKLS0tIHVDVkc3QytPU3pQTWxMSG1TRFdI
LzVUdGUrZmVTa1RqRHNWaFFhY09ySEUKFrN7X2ir3gwL/S91mychdjXi2oBPEPr9
aizXtIk0JX6SzrP/Oy0mYROeEEEUfPVBBypEUlBjlyeSyathmEoVLQ==
-----END AGE ENCRYPTED FILE-----
recipient: age15kluaw2krucmc0j98zfk0s5tkwqer0ax6jva458zukzrgnqjqc9q7s88yd
lastmodified: "2026-05-17T01:07:49Z"
mac: ENC[AES256_GCM,data:fAOsq2jrl8dTvQSn+Cp0sxuU5AuOdnm97LBIyPY71KbxMAY0vn/RDvhszvskMIE25JWGuZROnFoYmrkUqSp/pxG9gvcPQ6keW9WMr09YFli4u1tvADl6Ag+OkcgDe2UP1aPRkW6i7sGpq7Wfv/3G8HNMLgywhyiAA2XICymbDBI=,iv:ChOk26gheG2ErLVqt/rrMw1MxuOmEA595fay6pGUCcc=,tag:8wGA4YZa+ZyNDIBz/d1DUg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -26,7 +26,7 @@
{
name = "mail-2";
publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM=";
presharedKeyFile = "/run/secrets/wireguard-lifeline-mail-2-lifeline-psk";
presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret";
allowedIPs = [ "172.18.50.2/32" ];
}
];
@ -38,7 +38,7 @@
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens6 -j MASQUERADE
'';
privateKeyFile = "/run/secrets/wireguard-lifeline-wg0-privatekey";
privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret";
};
};
nat = {
@ -62,19 +62,5 @@
services.prometheus.exporters.node.enable = false;
sops.secrets."wireguard-lifeline-mail-2-lifeline-psk" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
sops.secrets."wireguard-lifeline-wg0-privatekey" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
system.stateVersion = "23.05";
}


@ -3,6 +3,5 @@
imports = [
./configuration.nix
./hardware-configuration.nix
./sops.nix
];
}


@ -0,0 +1,21 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-lifeline-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-lifeline-mail-2-lifeline-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -1,26 +0,0 @@
wireguard-lifeline-wg0-privatekey: ENC[AES256_GCM,data:yUIu+AC24/84w0GQPko64E89ZjzMoaa0Z8J2IFY8wDmCw+z1Als0h42XB5U=,iv:2pmy0FyeyvHbRRYnog9mth7hWfMt4mNe8/dSK3eYd2E=,tag:/gRbYT8EnbDRiFN0Ohu4ng==,type:str]
wireguard-lifeline-mail-2-lifeline-psk: ENC[AES256_GCM,data:IvgVTsgFfONCm3OJ8iKtwRUY6uTEZfpyGubm/iysOySebPuDg+/AGNUu5ZQ=,iv:HZpAqLLt/cDQo51+koS3nZ1mkN0ZmqCY7gedx6PHthM=,tag:klM8lxBmZvXn3XUD/duGMA==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLcGo4RTJsQnZWWXBadjAz
YW5VcFBwWUxUR2N2d092WmN6LzdkaStaVVNJCkdWLzF4ZU4rY3pPLzc1YUZUb2hM
bHNiRkhabG1ON2YzemdCMjQwOW5hdG8KLS0tIER4RGdZNkN4U0dTekx6MURpY0oz
ZURQbEF0c2VXNFFRVEI5YjUydzNQVTQK6Q3yE+P41Ukay2h2RVXHcCbE19piBwHa
Gdxok7ObnjTBpFxWuz4Sqvozb4R9dbkTPtSp72Yjv78QBinLmWGJ/A==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlemExaHpsTFBEYjJURjNp
WmluaHcwaUtyNmRINEJ6NXlFVWplZm9YeEJvCktMM2N0dWFxYUFKM25EdVo0RmNG
MDYzcFFnOG95SXdrU3VzWmdqQ3U0L2cKLS0tIGhHUmNNS0w0bzhhdHgzL1hYQjRr
SEczcDdWMnh3aThXK3JrLzkrTEZ0TkUKexB+HBUOWSsel9sNgUHnj5NJdj8zZX/C
XB4W6fwzMxPHHknk1y/4z/F8oNnUzXmh3QfT/15glDmmCpyM3PGWVw==
-----END AGE ENCRYPTED FILE-----
recipient: age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua
lastmodified: "2026-05-17T01:24:39Z"
mac: ENC[AES256_GCM,data:JyTfrwkD8GxbzzuK1CsBRr8+Hxheu1gvB2KP3jGJkvLktzzNLYH7qq7JJu2oP6X18MMa+dlMuY9lHosoWy+wA34kgrtBVqtCfTnOx3jafwfLdNVBVTORN8h7so1N0KKwuSJnFL6BqMWhiQiPVOENGThqlIqKDwSiP3hyfFLDBuM=,iv:0IkM76X2Ly3hil7XneURzQk4wVUJy/bs/9zX3r9cTVo=,tag:vC7HDnB6WCTTy5MSh4tDDg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -51,11 +51,11 @@
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = "/run/secrets/wireguard-mail-1-wg0-privatekey";
PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
};
wireguardPeers = [{
PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
PresharedKeyFile = "/run/secrets/wireguard-valkyrie-mail-1-mail-1-psk";
PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
Endpoint = "212.53.203.19:51822";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
@ -77,18 +77,5 @@
wireguard-tools
];
sops.secrets."wireguard-valkyrie-mail-1-mail-1-psk" = {
mode = "0440";
owner = "systemd-network";
group = "systemd-network";
restartUnits = [ "systemd-networkd.service" ];
};
sops.secrets."wireguard-mail-1-wg0-privatekey" = {
mode = "0440";
owner = "systemd-network";
group = "systemd-network";
restartUnits = [ "systemd-networkd.service" ];
};
system.stateVersion = "23.05";
}


@ -3,6 +3,5 @@
imports = [
./configuration.nix
./simple-nixos-mailserver.nix
./sops.nix
];
}


@ -0,0 +1,109 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-valkyrie-mail-1-mail-1-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-mail-1-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fiona-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-yuri-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-mio-vs-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fubuki-wg-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-cloud-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-status-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-matrix-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/matrix-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-nekomesh-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-social-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-id-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/id-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-forgejo-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}
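Review bot: Thirteen near-identical attribute sets differ only in the key name and the `pass` path, which makes it easy for one entry to drift (the two WireGuard keys already differ from the rest in `group`). Generating them from a small helper plus a list of account names keeps the ownership and `uploadAt` policy in one place; this assumes `lib` is available as a module argument, as it is for NixOS modules. Note also that `mail/forgejo-nekover-se` is consumed here as a `hashedPasswordFile` and on the forgejo host as the plaintext mailer password — the refactor does not change that, but it is worth reconciling.
```nix
{ keyCommandEnv, lib, ... }:
let
  # One /secrets entry pulled from the password store; `group` selects the consumer.
  mkKey = group: passPath: {
    keyCommand = keyCommandEnv ++ [ "pass" passPath ];
    destDir = "/secrets";
    user = "root";
    inherit group;
    permissions = "0640";
    uploadAt = "pre-activation";
  };
  # Account names as referenced by simple-nixos-mailserver.nix
  # (hashedPasswordFile = /secrets/mail-<name>.secret, pass entry mail/<name>).
  mailAccounts = [
    "fiona-grzb-de" "yuri-nekover-se" "mio-vs-grzb-de" "fubuki-wg-grzb-de"
    "cloud-nekover-se" "status-nekover-se" "matrix-nekover-se" "nekomesh-nekover-se"
    "social-nekover-se" "id-nekover-se" "forgejo-nekover-se"
  ];
in
{
  deployment.keys = {
    "wireguard-valkyrie-mail-1-mail-1-psk.secret" = mkKey "systemd-network" "wireguard/valkyrie-mail-1/psk";
    "wireguard-mail-1-wg0-privatekey.secret" = mkKey "systemd-network" "wireguard/mail-1-wg0-privatekey";
  } // lib.listToAttrs (map (name: lib.nameValuePair "mail-${name}.secret" (mkKey "root" "mail/${name}")) mailAccounts);
}
```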


@ -1,37 +0,0 @@
wireguard-valkyrie-mail-1-mail-1-psk: ENC[AES256_GCM,data:qlmzG+qatZCGFqD2Yf9Nlc7tUUMr5JGIvwFcaBqmgwSFoRjVpObjpTn9h6Q=,iv:8kukGi7FyKY7Un5bfmD+xOrt57Zr4uGEho3GGFyy8KY=,tag:0SqD/4OCYC1gRcsDAK8oBw==,type:str]
wireguard-mail-1-wg0-privatekey: ENC[AES256_GCM,data:oI3NZ3QBaGsWPx8ajLtP2MUdVTpWlnmOF1j3aex+0rI5fixwtNwJvUZD3mA=,iv:ecO78C4upN99mm9ZosIxXR0RsZJRsL97FFvh6ktpczA=,tag:obxoVfxh49XznQykp1ROuA==,type:str]
mail-fiona-grzb-de: ENC[AES256_GCM,data:igpnhygXhe1kIMc+Dvj0LB+PFrJOJu53ZS5svt+B2qpXAk5kD9zQIRoU5TdHLyOdIOSSb2XBPkKgbShv,iv:MPgHxNvZGZ/NtflrxpazgryT+T1Qy/5z0klZ/BQ/mGA=,tag:8huvfd1eLJTQrKdDxFDsDw==,type:str]
mail-yuri-nekover-se: ENC[AES256_GCM,data:XsFmWttVmDnI9+q/7ZN0bDlRiYue1XPonQTfWMkkHfZ7mk1ZXlDjC3oYR3V3a3yEQrS4Jz0fAc/N4lnR,iv:RPqs8Q3QSGSJ0zSClKyIo5JmW5UEE6xYjEnqvmFE5C8=,tag:DZaDfFc+3RG9L0oIpj9f3Q==,type:str]
mail-mio-vs-grzb-de: ENC[AES256_GCM,data:R+eq1w3a6NLD20sMBejlnQ9asEGOxGBgPqQ+oLTwfryYu0b0by3rF0a7StCtSzsFMkzpAWw+En4Zreuw,iv:r7VLjix8sRSXbnpRS+9XzXI0qjklOXuQU77kU2LF7zA=,tag:BhqSLiMvnGHagq9Jg5852A==,type:str]
mail-fubuki-wg-grzb-de: ENC[AES256_GCM,data:pFPmrMtF33P3ANpnWB+qcTfEfAMJ0w4/fE/zAsVYKjEO1nhZtWSMQfyorYSq5GdbXuitIYdjx/IBCj0r,iv:FZtnyp90pB9R0nYaHsudnE7IyDi26UE+vxIpzZm0Q4s=,tag:XJcIP9LyYwbzw21QLpHfCA==,type:str]
mail-cloud-nekover-se: ENC[AES256_GCM,data:lY7ufbNOS+GPHAi1fJGhZNT0dMv1B7k+6BzGTb1IxWvvHmFv7u6NKGBmyQQD57Qvt2EwdtnGDJ2XugCD,iv:NZLdBFNHSkSj9pau0vWQzwznOjkFvhZcGalcfWoKI9w=,tag:8dn5ULJzaTYtnT3CBfpp8g==,type:str]
mail-status-nekover-se: ENC[AES256_GCM,data:blaHK5q8mJKQMo/UYf2NG2x7IsIkZD5cxaVv56Z7PFrn+pua821j8pwNGXCnmuGJFhDj16PkvfOuRXU7,iv:+Q2J73Af27qjta5xYtuF/mrwL45fyTV+K5GDpnA11Lo=,tag:OKhLFQfgKTAvg5wvID5RGA==,type:str]
mail-matrix-nekover-se: ENC[AES256_GCM,data:9Fs5Un2DI2ZHm1zLkbAsQ3tsuff9LjvuJkysxVWc1pdQuQsMHCNTHfioBMqJ1dH1E8ilkqCqljEmHh9+,iv:F73WEWyq7o06n0zkuu2cNYWUdmpX7YX4BGcR4Hgep2Y=,tag:+7BPbiCNM0QdBTBx6RKkHQ==,type:str]
mail-nekomesh-nekover-se: ENC[AES256_GCM,data:k25S+W3t4gn8HuUs4xge5iLjxtayB82y9PNs3lxxg3En7W4CbiSt1ccoiP4h9v9iN5rMHqiF8wg2ONlBJwQ6qA==,iv:LqjOUza0cioak0qeuBBkmRl3Kg8z05kqTeZCrgEX9qY=,tag:NkqrRxJp0c+h/C0+jfiQqg==,type:str]
mail-social-nekover-se: ENC[AES256_GCM,data:b+7hmL8yiqABkf5NFUQVTSBmj1EjImzB58Q0xpDkxSU9DVkhhURTzoi+HdgFgOOzDtkegzprokXA+I+j,iv:LtOn8+dx5Nhes4t5qpqWsnaOfD07IBZEaCXKIniJlJc=,tag:ipLZNPRN7YCkvVJYKonXmQ==,type:str]
mail-id-nekover-se: ENC[AES256_GCM,data:5odIPSrJEVoT95hch48lu4pmb0PVnjtTUOo3eohfbX1I8CNpwIuhz4Mjk5lam5q3toIKtXMhtA73RAup,iv:bvpCkS4Tz0/oorStgip0XXnsxkBMAoFJrTFAzrjPLYU=,tag:KOVNkURmuwb+8VRxfTxEDQ==,type:str]
mail-forgejo-nekover-se: ENC[AES256_GCM,data:PLZFl5aokzJorTCKD8/qJs0N1BlDLPl1tW23roMMCRkn9tAupaNwZASp1pKrPJBVBCAH4Ijj84WDIhsHdQzNhg==,iv:CExDJ2uwe0juL0f+SCyTGOfUHuEwPTHduHUkh8WAQMo=,tag:pf0QArVKBNh1F4TMxsJyRA==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1ppWG1iZzJaaTJxMi9I
MTNvWUFWU1JRakpWbGxYQU9zdk5rVWMzZHdzCktRL1NEN01EY0lvVVJuQ3V2eTBZ
OFVnN1FiVTJndHZZeDBNQmloNndLY1EKLS0tIE5Lc0NqYzI4U29zamJaK2FiL1BZ
UTc2MkpZRmpVVVpvVSsxUkdpdVMzYW8KnCIMs31S6/SSx+vUAOYfjO21pGl/AMQa
iunevrTybuTFB2F/xePkdeIVvXLTLcj0XiAIw+qzAl/GvIWp7DDnTw==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZVdRK214bVQyNVRWMXVI
dmNOWk9VMXRUWnpZaXRJQVIydmRTeDJrUzMwCi95VWVGU2t3U0dqTHVWbTVjakh6
a2luYVZVdlFpVDRKeWpUZnpTY1J0eEkKLS0tIEtqTjBMY3UxU09jN2RuSzNGU3hX
UndxdWMyTVkzTUYzU3h6VjlyMjl6emsKNs+ED4FRI/+wrD3TUsQYyzuFvVEyrnBD
dsyjzSv8WubSloRUHkV7hwfHxgVzg37A5nlQo/qSdJC6TtfWmoXpsg==
-----END AGE ENCRYPTED FILE-----
recipient: age1hny8kwx0uymselgas25q558ruxxdv7lgtu9d5rnd6x9w3nysk4zqumzzrp
lastmodified: "2026-05-24T00:23:52Z"
mac: ENC[AES256_GCM,data:QH4MalhMoA5CyNmGPksMRzn6LOfxxRSBlufJ6ejcDx+l6owNT3xqKAYE9EfIUMh8z7Sw+btHhn8q02K2FnWlYD2FUY187cCcoykGRU+juJEDZH6yQ5PCqrBKXDB0wv8IBI/xTeFS7mUOzlvZfHtnLKULNZBfojN9f9jDoZCUhYo=,iv:S0AU8Ox62kk3nwL31QzYT0CGDaYNYbG/ONaQhiUbGD4=,tag:qKUkkxNouKaDb/1ptXSobg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -15,55 +15,55 @@
domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
loginAccounts = {
"fiona@grzb.de" = {
hashedPasswordFile = "/run/secrets/mail-fiona-grzb-de";
hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
aliases = [ "@grzb.de" ];
catchAll = [ "grzb.de" ];
};
"yuri@nekover.se" = {
hashedPasswordFile = "/run/secrets/mail-yuri-nekover-se";
hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
aliases = [ "@nekover.se" ];
catchAll = [ "nekover.se" ];
};
"mio@vs.grzb.de" = {
hashedPasswordFile = "/run/secrets/mail-mio-vs-grzb-de";
hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
sendOnly = true;
aliases = [ "root@vs.grzb.de" ];
};
"fubuki@wg.grzb.de" = {
hashedPasswordFile = "/run/secrets/mail-fubuki-wg-grzb-de";
hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
sendOnly = true;
aliases = [ "root@wg.grzb.de" ];
};
"cloud@nekover.se" = {
hashedPasswordFile = "/run/secrets/mail-cloud-nekover-se";
hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
sendOnly = true;
};
"status@nekover.se" = {
hashedPasswordFile = "/run/secrets/mail-status-nekover-se";
hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
sendOnly = true;
};
"matrix@nekover.se" = {
hashedPasswordFile = "/run/secrets/mail-matrix-nekover-se";
hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"nekomesh@nekover.se" = {
hashedPasswordFile = "/run/secrets/mail-nekomesh-nekover-se";
hashedPasswordFile = "/secrets/mail-nekomesh-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"social@nekover.se" = {
hashedPasswordFile = "/run/secrets/mail-social-nekover-se";
hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"id@nekover.se" = {
hashedPasswordFile = "/run/secrets/mail-id-nekover-se";
hashedPasswordFile = "/secrets/mail-id-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"forgejo@nekover.se" = {
hashedPasswordFile = "/run/secrets/mail-forgejo-nekover-se";
hashedPasswordFile = "/secrets/mail-forgejo-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
@ -79,71 +79,4 @@
proxy_interfaces = "212.53.203.19";
};
};
sops.secrets."mail-fiona-grzb-de" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-yuri-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-mio-vs-grzb-de" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-fubuki-wg-grzb-de" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-cloud-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-status-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-matrix-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-nekomesh-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-social-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-id-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-forgejo-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
}


@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -0,0 +1,9 @@
{ ... }:
{
security.acme.certs = {
"mail-2.grzb.de" = {
listenHTTP = ":80";
reloadServices = [ "postfix.service" ];
};
};
}


@ -0,0 +1,81 @@
{ pkgs, ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
systemd.network = {
enable = true;
networks = {
"enp6s18" = {
matchConfig.Name = "enp6s18";
address = [
"10.201.41.100/24"
];
routes = [
{
Gateway = "10.201.41.1";
Destination = "10.201.0.0/16";
}
{
Gateway = "10.201.41.1";
Destination = "10.202.0.0/16";
}
{
Gateway = "10.201.41.1";
Destination = "172.21.87.0/24";
}
{
Gateway = "10.201.41.1";
Destination = "217.160.117.160/32";
}
];
linkConfig.RequiredForOnline = "routable";
};
"wg0" = {
matchConfig.Name = "wg0";
address = [
"172.18.50.2/24"
];
DHCP = "no";
gateway = [
"172.18.50.1"
];
};
};
netdevs = {
"wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret";
};
wireguardPeers = [{
PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
Endpoint = "217.160.117.160:51820";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
}];
};
};
};
networking = {
hostName = "mail-2";
useDHCP = false;
firewall = {
enable = true;
allowedTCPPorts = [ 25 80 ];
};
};
environment.systemPackages = with pkgs; [
wireguard-tools
];
system.stateVersion = "23.05";
}
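Review bot: The `217.160.117.160/32` route via the LAN gateway carries no comment, yet it appears to exist only so the wg0 peer `Endpoint` (the same address) stays reachable once wg0 with `AllowedIPs = [ "0.0.0.0/0" ]` becomes the default route; a later cleanup could drop it and silently break the tunnel. A line such as `# keep the WireGuard endpoint reachable via the LAN so the wg0 default route cannot loop` above that route entry would document the dependency. The endpoint address is also hard-coded twice (route and `Endpoint`), so a single `let` binding would keep the two from drifting apart.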


@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./configuration.nix
./postfix.nix
./acme.nix
];
}


@ -0,0 +1,37 @@
{ config, ... }:
{
# Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
services.postfix = {
enable = true;
hostname = "mail-2.grzb.de";
relayDomains = [
"grzb.de"
"nekover.se"
];
sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem";
sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem";
extraConfig = ''
message_size_limit = 20971520
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
proxy_interfaces = 217.160.117.160
relay_recipient_maps =
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
'';
};
}
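Review bot: `relay_recipient_maps =` is left empty, so this backup MX accepts mail for any address under the two `relayDomains` and will generate backscatter bounces for non-existent recipients once the primary rejects them; the backup-MX README linked in the header comment recommends populating it with the primary's valid recipients. The protocol lists still allow `TLSv1.1` on both the opportunistic and the mandatory settings, which is deprecated and can be dropped, e.g. `smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3`. In the four exclude lists `PSD` does not name an OpenSSL cipher-string token and is silently ignored; if `PSK` was intended it should be corrected in all four lines.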


@ -0,0 +1,21 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-mail-2-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-2-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-lifeline-mail-2-mail-2-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}
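Review bot: None of the `deployment.keys` entries carry a restart hook, whereas the `sops.secrets` blocks removed elsewhere in this compare had `restartUnits`, so a rotated key uploaded at `pre-activation` is not picked up by its consumer until that service restarts for another reason; here that is systemd-networkd for the wg0 private key and PSK, and the same applies to the mastodon, matrix, metrics-nekomesh, metrics and navidrome keys.nix files. If the deploy tool (presumably colmena, given `keyCommand`/`uploadAt`) offers no equivalent, a comment at the top of each keys.nix stating that rotation requires a manual restart of the consuming unit would at least document the gap.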


@ -0,0 +1,23 @@
{ nixpkgs-unstable, ... }:
{
containers.fedifetcher = {
nixpkgs = nixpkgs-unstable;
autoStart = true;
bindMounts = {
"/secrets" = {
hostPath = "/secrets-fedifetcher";
isReadOnly = true;
};
};
config = { ... }: {
imports = [
./fedifetcher.nix
];
networking.useHostResolvConf = true;
system.stateVersion = "24.05";
};
};
}


@ -0,0 +1,42 @@
{ pkgs, lib, ... }:
{
# config copied from https://github.com/arachnist/nibylandia/blob/main/nixos/zorigami/default.nix
systemd.services.fedifetcher = {
path = [ pkgs.fedifetcher ];
description = "fetch fedi posts";
script = ''
fedifetcher
'';
environment = lib.mapAttrs' (n: v:
(lib.nameValuePair ("ff_" + builtins.replaceStrings [ "-" ] [ "_" ] n)
(builtins.toString v))) {
server = "social.nekover.se";
state-dir = "/var/lib/fedifetcher";
lock-file = "/run/fedifetcher/fedifetcher.lock";
from-lists = 1;
from-notifications = 1;
max-bookmarks = 80;
max-favourites = 40;
max-follow-requests = 80;
max-followers = 80;
max-followings = 80;
remember-hosts-for-days = 30;
remember-users-for-hours = 168;
reply-interval-in-hours = 2;
};
serviceConfig = {
DynamicUser = true;
User = "fedifetcher";
RuntimeDirectory = "fedifetcher";
RuntimeDirectoryPreserve = true;
StateDirectory = "fedifetcher";
UMask = "0077";
EnvironmentFile = [ "/secrets/mastodon-fedifetcher-access-token.secret" ];
};
};
systemd.timers.fedifetcher = {
wantedBy = [ "multi-user.target" ];
timerConfig = { OnCalendar = "*:0/5"; };
};
}


@ -5,6 +5,6 @@
./mastodon.nix
./opensearch.nix
./nginx.nix
./sops.nix
./containers/fedifetcher
];
}


@ -1,9 +1,9 @@
{ pkgs, nixpkgs-unstable, nixpkgs-master, ... }:
{ pkgs, ... }:
let
tangerineUI = pkgs.fetchgit {
url = "https://github.com/nileane/TangerineUI-for-Mastodon.git";
rev = "v2.5.3";
hash = "sha256-fs/pwIwXZvSNVmlSG304CMT/hSW/RtrzraMsrhg/TbE=";
rev = "v2.5.2";
hash = "sha256-RJPP3QynE42cr9Km8twyZrHiZnhMdNcYOOJ7nW0mx1c=";
};
mastodonModern = pkgs.fetchgit {
url = "https://git.gay/freeplay/Mastodon-Modern.git";
@ -16,14 +16,14 @@ let
};
mastodonNekoverseOverlay = final: prev: {
mastodon = (prev.mastodon.override rec {
version = "4.5.10";
version = "4.5.2";
srcOverride = final.applyPatches {
src = pkgs.stdenv.mkDerivation {
name = "mastodonWithThemes";
src = pkgs.fetchgit {
url = "https://github.com/mastodon/mastodon.git";
rev = "v${version}";
sha256 = "sha256-aW5WMmhfV+q/ddebSuEuCL5Mdwav+qocMPBnbvXFBk4=";
sha256 = "sha256-LePly+CcM+Dv6ipX9jIWWKhy2PiF1j8vgc9CXn2o+DQ=";
};
# mastodon ships with broken symlinks, disable the check for that for now
dontCheckForBrokenSymlinks = true;
@ -40,7 +40,7 @@ let
modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml
'';
};
patches = prev.mastodon.src.patches ++ [
patches = [
"${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch"
"${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch"
"${mastodonNekoversePatches}/patches/003_make_toot_cute.patch"
@ -53,7 +53,7 @@ let
yarnMissingHashes = prev.mastodon.src.yarnMissingHashes;
});
};
pkgs-overlay = nixpkgs-master.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay;
pkgs-overlay = pkgs.extend mastodonNekoverseOverlay;
vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU=";
in
{
@ -61,21 +61,21 @@ in
enable = true;
package = pkgs-overlay.mastodon;
localDomain = "social.nekover.se";
secretKeyBaseFile = "/run/secrets/mastodon-secret-key-base";
secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret";
vapidPublicKeyFile = "${vapidPublicKey}";
vapidPrivateKeyFile = "/run/secrets/mastodon-vapid-private-key";
vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret";
smtp = {
authenticate = true;
host = "mail-1.grzb.de";
port = 465;
user = "social@nekover.se";
passwordFile = "/run/secrets/mastodon-email-smtp-pass";
passwordFile = "/secrets/mastodon-email-smtp-pass.secret";
fromAddress = "Nekoverse <nyareply@nekover.se>";
};
streamingProcesses = 3;
activeRecordEncryptionPrimaryKeyFile = "/run/secrets/mastodon-active-record-encryption-primary-key";
activeRecordEncryptionKeyDerivationSaltFile = "/run/secrets/mastodon-active-record-encryption-key-derivation-salt";
activeRecordEncryptionDeterministicKeyFile = "/run/secrets/mastodon-active-record-encryption-deterministic-key";
activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret";
activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret";
activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret";
extraConfig = {
SMTP_TLS = "true";
ES_PRESET = "single_node_cluster";
@ -94,52 +94,8 @@ in
AUTHORIZED_FETCH = "true";
};
extraEnvFiles = [
"/run/secrets/mastodon-keycloak-client-secret"
"/secrets/mastodon-keycloak-client-secret.secret"
];
elasticsearch.host = "127.0.0.1";
};
sops.secrets."mastodon-secret-key-base" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-vapid-private-key" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-email-smtp-pass" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-active-record-encryption-primary-key" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-active-record-encryption-key-derivation-salt" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-active-record-encryption-deterministic-key" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-keycloak-client-secret" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
}
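Review bot: If the second-printed line of each changed pair is the new side, as the sops removals across this compare suggest, this side pins `version = "4.5.2"` and TangerineUI `v2.5.2` while the other side carries `4.5.10` and `v2.5.3`, so merging in this direction would roll Mastodon back to an older release with its pinned source hash. `patches = [` also drops the `prev.mastodon.src.patches ++` prefix, so the patches nixpkgs applies to the Mastodon source are no longer included; if that is intentional, a comment such as `# intentionally not applying nixpkgs' mastodon patches` should say so. Switching the overlay base from `nixpkgs-master` to `pkgs` is consistent with the removed `nixpkgs-master` input in the argument set.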


@ -57,8 +57,7 @@
};
extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
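Review bot: The new side keeps only `set_real_ip_from 10.202.41.100;` and drops the `10.203.10.3` entry together with both explanatory comments, so if the valkyrie host still forwards IPv6 traffic over PROXY protocol, nginx will no longer substitute the client address for those connections and every IPv6 request will appear as `10.203.10.3` to logging and any address-based restrictions. If the IPv6 path was removed on purpose, keeping the remaining comment (`set_real_ip_from 10.202.41.100; # IPv4 from web-public-2`) preserves the reason that address is trusted. The same change appears in the matrix and metrics-nekomesh nginx.nix sections.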


@ -0,0 +1,69 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"mastodon-secret-key-base.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-vapid-private-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-email-smtp-pass.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-keycloak-client-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/keycloak-client-secret" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-active-record-encryption-primary-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-primary-key" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-active-record-encryption-key-derivation-salt.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-key-derivation-salt" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-active-record-encryption-deterministic-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-deterministic-key" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-fedifetcher-access-token.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/fedifetcher-access-token" ];
destDir = "/secrets-fedifetcher";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -1,31 +0,0 @@
mastodon-secret-key-base: ENC[AES256_GCM,data:GP8mtL5hkDqNjbiqONXJNDX+e9RuOejnAxX0fk1gvVR+Xkb99/wNPun1p85AVOv1rn8n0H4X8aZwPK/P2lljyGWs4RSwYaLOMMoowSu+QwDYzK2+uf2lsiM5esOAr/rfuX1BZIEnrJPYAIZYtTIBTyrMN9zTtPvyBaPn4cL0sKQ=,iv:jxy37Sa3ywLhVSYhgiC1spky6psxZzso74es5CnBObw=,tag:+nW6SxoYJgcSU2r6d2J00g==,type:str]
mastodon-vapid-private-key: ENC[AES256_GCM,data:mE29UuQGzQ/LPrvop0zODM3tI/DOXsCPemh/5Y7VribAUq25Fftoo3tWEbk=,iv:qJTJL4g9AOcPJIP9IWnSso6ECs3sSiubW9SNUaYIcXE=,tag:OnhsJeWYLDFMlmVsLf4syw==,type:str]
mastodon-email-smtp-pass: ENC[AES256_GCM,data:8UcjUSZMuUPZvc1hM79XGjor0LuKcGg8qLr/oFggcTMtQ9+ff2QHGaZFiHRcNFibdp0IexO2PDy0yMF5qivxJA==,iv:fd3vv21PnC2M/Ptdwy2j6vn+juWrEnZKtTtzhS71igI=,tag:8nmdu2TD0TTmCfA+kIkb4Q==,type:str]
mastodon-keycloak-client-secret: ENC[AES256_GCM,data:jLDVhGhUUI5o2UjHolahncXXiqHHyFT/SavQTaUTlaSje3l2khvAIzmEn8TfC6FrF8BMjzI=,iv:Hq5XrtpnFYnIxrIb8rX5PDL7z7bLuOrtTTubm7HsE88=,tag:ayNJWs3UROd/sBQ5rnuv6w==,type:str]
mastodon-active-record-encryption-primary-key: ENC[AES256_GCM,data:H45LQ1gXCaepRe1ftap5ruWwC7ThI8m/EBtKdqP8QHQ=,iv:wAYQW7INq36GscjdaldCCS0RpjYuemtveoNdeqS1wz0=,tag:hjlXqo9WmE57fENQZaRCXA==,type:str]
mastodon-active-record-encryption-key-derivation-salt: ENC[AES256_GCM,data:DeeXCelirIcDyTDdPeKoaAeD2jzWGLU3p28e5JX8m9E=,iv:yQcddWeesrMWgIAj/MnBwPUwikk2VHAbNDFs0r5Fp0Q=,tag:H6boQ5IEGEhx5Ha15eEUhw==,type:str]
mastodon-active-record-encryption-deterministic-key: ENC[AES256_GCM,data:yrakH+MxQ8/SmAtLOvGcyIAjfbVdb8NgqYqpm+ALKA0=,iv:ZbagvnAPTLBmzxAdXZ0Ecat0jTpeRWiudpk3U+1hEXE=,tag:pnF87Gg4nTRC1YVK1bbGCw==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTDB3d1FFWjY2LzhZUmVP
S1BicjRhc2ZzWWMvb2xjT1lzVVY3Z2hqYW53CndNaGJ6NXkyamg0a1BIdzlVL214
dk5SbDFDdVNGNnp1citjZkQ3UTNHcUUKLS0tIGwvOHl4RUErRjR3Nm1paGVmZEhX
a1N2SlZlY05aN2hEcXlGdnA0ZndlUjgK01enGoJvkN5YMbm38wcRYaM1ogzybJIL
OTig1Fg2CopEmaE/Y6bpuMFIyCFXZDhJQ3LaI+0kydzPGB2nZyWZ2g==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbnFPOEJVWXAxTEpiNUgw
SDliL3hZeWpaK3JMN0hyV09jUTBSV2pYN2gwCmd2STBsYzhNYlpWRzhCUWZhZ1Rw
Yzdta25vN0NKeTFXWXRiUWZsTGVaY28KLS0tIC8yUERNWHNqTTFQazQzRkYvNk9K
TjlQaVRFdXJ6WVRIVnczYmlFc2t6S2MK5wnjZnhL+GK1eXnANSDe5zcsZdb5N715
odb/rjaIvUKaSUkmJfQK954pCBsiJXnURt5FKLnOGHtlQmt0kyg8dQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1r60mmmeulm33h0trc0y870dml5hzhglyjv4wecyjy2858pg8u47s793r30
lastmodified: "2026-05-17T01:44:58Z"
mac: ENC[AES256_GCM,data:DV91qRrbXxS+yvknPuLjRWYdsJdWtODy9q2onrSpWv6P7YR1siNFNpDyioMLKLRby80kY1R1zSofiaepVmP/nWtqtSDsq/plNWIZi7FR7X0TG0hNc3S6GJ0UatXVxOGp6LxvO2doVIMUs3LKd4+16FFMQYEQJ35VbuYFVhWw5SU=,iv:zVmZ7Ho28I9y7IvCULWehzJB64FSLLaspa/Rj+EJpX0=,tag:HRBTVgvm8pZvUgFBqjCEoQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -8,6 +8,5 @@
./matrix-authentication-service.nix
./matrix-synapse.nix
./nginx.nix
./sops.nix
];
}


@ -4,22 +4,12 @@
enable = true;
settings.rtc.use_external_ip = true;
openFirewall = true;
keyFile = "/run/secrets/matrix-livekit-secret-key";
keyFile = "/secrets/matrix-livekit-secret-key.secret";
};
services.lk-jwt-service = {
enable = true;
port = 8082;
livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu";
keyFile = "/run/secrets/matrix-livekit-secret-key";
};
systemd.services.lk-jwt-service.environment = {
LIVEKIT_FULL_ACCESS_HOMESERVERS = "nekover.se";
};
sops.secrets."matrix-livekit-secret-key" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "livekit.service" "lk-jwt-service.service" ];
keyFile = "/secrets/matrix-livekit-secret-key.secret";
};
}
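Review bot: The new side drops `systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "nekover.se"` without replacing it, and the `services.lk-jwt-service` block shows no other homeserver restriction; depending on the deployed lk-jwt-service version's default, that either lets any homeserver obtain full-access LiveKit tokens from this SFU or denies them to `nekover.se`, so it should be confirmed against the version in use. Both `keyFile` options also point at the same root-owned `0640` file from keys.nix, which only works if the two services run as root or the modules load the file via systemd credentials; a comment next to the key entry naming who reads it would make that visible.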


@ -11,7 +11,7 @@ let
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{
{
name = "assets";
path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
}
@ -33,17 +33,6 @@ let
}];
proxy_protocol = false;
}
{
name = "admin";
resources = [{
name = "adminapi";
}];
binds = [{
host = "localhost";
port = 8083;
}];
proxy_protocol = false;
}
];
trusted_proxies = [
"192.168.0.0/16"
@ -74,7 +63,8 @@ let
version = 2;
algorithm = "argon2id";
}
];
];
minimum_complexity = 8;
};
};
masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
@ -92,7 +82,7 @@ in
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/run/secrets/matrix-mas-secret-config";
ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret";
WorkingDirectory = "${pkgs.matrix-authentication-service}";
User = "matrix-synapse";
Group = "matrix-synapse";
@ -102,11 +92,4 @@ in
"multi-user.target"
];
};
sops.secrets."matrix-mas-secret-config" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-authentication-service.service" ];
};
}


@ -51,7 +51,7 @@
notif_from = "Nekoverse Matrix Server <nyareply@nekover.se>";
};
max_upload_size = "500M";
signing_key_path = "/run/secrets/matrix-homeserver-signing-key";
signing_key_path = "/secrets/matrix-homeserver-signing-key.secret";
admin_contact = "mailto:admin@nekover.se";
web_client_location = "https://element.nekover.se";
enable_metrics = true;
@ -86,41 +86,10 @@
};
extras = [ "oidc" ];
extraConfigFiles = [
"/run/secrets/matrix-registration-shared-secret"
"/run/secrets/matrix-turn-shared-secret"
"/run/secrets/matrix-email-smtp-pass"
"/run/secrets/matrix-homeserver-mas-config"
"/secrets/matrix-registration-shared-secret.secret"
"/secrets/matrix-turn-shared-secret.secret"
"/secrets/matrix-email-smtp-pass.secret"
"/secrets/matrix-homeserver-mas-config.secret"
];
};
sops.secrets."matrix-homeserver-signing-key" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
};
sops.secrets."matrix-registration-shared-secret" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
};
sops.secrets."matrix-turn-shared-secret" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
};
sops.secrets."matrix-email-smtp-pass" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
};
sops.secrets."matrix-homeserver-mas-config" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
};
}


@ -11,17 +11,10 @@
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
proxyProtocol = true;
}
];
locations = {
@ -41,23 +34,11 @@
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
"~ ^/_synapse/admin" = {
# Only proxy to the local host on IPv4, because localhost doesn't seem to work
# even if matrix-synapse is listening on ::1 as well.
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Restrict access to admin API.
allow 172.21.87.0/24; # management VPN
deny all;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
};
extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
@ -69,29 +50,14 @@
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations = {
"/" = {
proxyPass = "http://localhost:8080";
};
"~ ^/api/admin" = {
proxyPass = "http://localhost:8083";
extraConfig = ''
# Restrict access to admin API.
allow 172.21.87.0/24; # management VPN
deny all;
'';
};
locations."/" = {
proxyPass = "http://localhost:8080";
};
extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
@ -103,12 +69,6 @@
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."^~ /livekit/jwt/" = {
proxyPass = "http://localhost:8082/";
@ -118,8 +78,9 @@
proxyWebsockets = true;
};
extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
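Review bot: Removing the `~ ^/_synapse/admin` location also removes its `allow 172.21.87.0/24; deny all;` restriction, and since Synapse serves the admin API on the same listener as the client API, those paths now fall through to whichever catch-all location precedes this hunk and are reachable from the public proxy, guarded only by admin access tokens; if that is not intended, the location should be restored with the allow/deny block. The listeners are now written as `listen 0.0.0.0:8443 http2 ssl proxy_protocol;` inside `extraConfig`, which bypasses the module's `listen` option, and the `http2` listen parameter is deprecated in nginx 1.25.1+ in favour of `http2 on;`. The separate `8448` listener of the synapse vhost is gone as well, so federation must be reaching it by another route; a comment stating which would help. Dropping the `~ ^/api/admin` location is consistent with the admin listener removal in matrix-authentication-service.nix.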


@ -0,0 +1,61 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"matrix-registration-shared-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/registration-shared-secret" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-turn-shared-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/turn-shared-secret" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-email-smtp-pass.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/email-smtp-pass" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-homeserver-signing-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-signing-key" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-homeserver-mas-config.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-mas-secret-config.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-livekit-secret-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/livekit-secret-key" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}



@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -6,6 +6,5 @@
./neo4j.nix
./prometheus.nix
./nginx.nix
./sops.nix
];
}


@ -11,15 +11,14 @@
cookie_secure = true;
cookie_samesite = "strict";
admin_user = "admin";
admin_password = "$__file{/run/secrets/metrics-nekomesh-grafana-admin-password}";
admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}";
admin_email = "fi@nekover.se";
secret_key = "$__file{/run/secrets/metrics-nekomesh-grafana-secret-key}";
};
smtp = {
enabled = true;
host = "mail.grzb.de:465";
user = "nekomesh@grzb.de";
password = "$__file{/run/secrets/mail-nekomesh-nekover-se}";
password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}";
from_address = "nyareply@nekover.se";
from_name = "Nekomesh";
startTLS_policy = "NoStartTLS";
@ -29,7 +28,7 @@
name = "Nekoverse ID";
allow_sign_up = true;
client_id = "nekomesh";
client_secret = "$__file{/run/secrets/metrics-nekomesh-grafana-keycloak-client-secret}";
client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}";
scopes = "openid email profile offline_access roles";
email_attribute_path = "email";
login_attribute_path = "preferred_username";
@ -52,29 +51,4 @@
}
];
};
sops.secrets."metrics-nekomesh-grafana-admin-password" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
sops.secrets."metrics-nekomesh-grafana-keycloak-client-secret" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
sops.secrets."metrics-nekomesh-grafana-secret-key" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
sops.secrets."mail-nekomesh-nekover-se" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
}
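Review bot: The `secret_key = "$__file{/run/secrets/metrics-nekomesh-grafana-secret-key}"` line has no counterpart on the new side and the keys.nix for this host ships no `metrics-nekomesh-grafana-secret-key`, so the new configuration falls back to Grafana's shipped default `secret_key`, which is public and is used to encrypt stored data-source secrets; the hunk header's 15→14 line count supports that the line was dropped rather than moved. A `metrics-nekomesh-grafana-secret-key.secret` entry should be added to keys.nix and referenced here as `secret_key = "$__file{/secrets/metrics-nekomesh-grafana-secret-key.secret}";`.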


@ -23,8 +23,7 @@
proxyWebsockets = true;
};
extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};


@ -0,0 +1,29 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"metrics-nekomesh-grafana-admin-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/admin-password" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
"metrics-nekomesh-grafana-keycloak-client-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-nekomesh-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -1,28 +0,0 @@
metrics-nekomesh-grafana-admin-password: ENC[AES256_GCM,data:7Ji5Bb+/ekFtptG6JQBViocqozol7vdTRxAgYuRpicO3v7UFswLBkFd/+asaCKkYTrYjDFcOOSjSMr2Yp+9IhQ==,iv:VjpntKn3PdIX56DjHlkhYmx05MZtvTinGcO0vz4BFkQ=,tag:Lcat3LbXJyWcEOq6pmTx9w==,type:str]
metrics-nekomesh-grafana-keycloak-client-secret: ENC[AES256_GCM,data:6SHmMy0gbT6rYC9i60TzCcP0q4eSzC3Srse9O3La1Ag=,iv:H6wEzy6MgX2Ft+D3rWzyWwnh8ZmNmMlcEQLuKrkSwoU=,tag:M7pGHOKq0fglHGyj5jFoYg==,type:str]
metrics-nekomesh-grafana-secret-key: ENC[AES256_GCM,data:5+aUdzNAy0nDuGW8g2e7LdT9woo=,iv:rSn+XTJA46Eq4FcKUQaph/WPLXC4vxnRulpSjls1QZg=,tag:aXSgUUzxe8tQV+oqXnidPA==,type:str]
mail-nekomesh-nekover-se: ENC[AES256_GCM,data:vuyDjtvCT0D8aYftcGiA59i7mriqLNoqeHy0+LQ3awUt4d//p81LpPNdb/EQMuUnCp2QZgdsy4rU5ktDa1Ewfg==,iv:+pqVQfWxSQF4fTJ0gMuAf4EjyvsUVFUxpRa2BHpvZ3Q=,tag:UlHzONbcfeCJuJjamKV39w==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOVFIckQ3R2FsYXl4NkRW
RGdSRmNaMURIUkYrSGtnWmdxVGJMOUFta0JJCnN1blNoaG9PUVJNN1RJcUhnYlFq
WTlhcGx3cUUwbkREMVVleDZNazJ2dm8KLS0tIFl5NGhFeHZKaENmQjRwZ0hiS3Jl
TTRMVloxK25uUVVMcE56M1RMKzlDb2cKuNKexzjC9eefQHCjVAY4rS7wqTSqs0uO
PvSvxs4tY5d2nUJuORGn25MU9Y65UFTvTzuxgqg9Z37NTEjVfvnrYA==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTzErWVY1V3ZrMHBYTjRm
M1IwTG9DZmhBTFpGSkwyTVJJYndsRnRSOTJrClhFWi9TbGhRWkQ1VjhLaE4wd3Bi
WlpSUUcxU3A4dmZUYmNJYnlyQnMwK00KLS0tIDZqdU1DcXc3YmpDMThRMzQwQWk4
TnFKNS9xcXdKZXo0cThpbjd2NEQ3NTgK4XTrXdaHVveeXwsEuGx5+Y2bu/F6jooo
auWtrm7z3rxzCxePxNs6LCYr/ppoE7J8nEFKnFmT0vyUGryhzlbo9A==
-----END AGE ENCRYPTED FILE-----
recipient: age1rh7zgp445t39c7tmh84r30e9edju8gmtn84u7rjwhmyntzkugucq5x0xse
lastmodified: "2026-05-23T22:38:11Z"
mac: ENC[AES256_GCM,data:VWo7UFRey2w/2x/wn/XfFW9gCpogO9Igxt/xEBngHBTkSJh0p6HhbZlmA3iv3QmYKui74cHSfQUOq2IOc96CLsfWKUWhMQVw5z/be7OEoY3cIG8V1WRTixQB5a0284jPXcGHPreLdMdAQW5nvJJRwx6Pysm7+rTzdxi8VGmOKyE=,iv:l4KBomWzPfOw1UiVpMwWg68OdYc85FtrRcVygfbEoeU=,tag:EeboepV+hDkA9QNmi/Ao+w==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -5,6 +5,5 @@
./grafana.nix
./prometheus.nix
./nginx.nix
./sops.nix
];
}


@ -11,14 +11,14 @@
cookie_secure = true;
cookie_samesite = "strict";
admin_user = "yuri";
admin_password = "$__file{/run/secrets/metrics-grafana-admin-password}";
admin_password = "$__file{/secrets/metrics-grafana-admin-password.secret}";
admin_email = "yuri@nekover.se";
};
smtp = {
enabled = true;
host = "mail.grzb.de:465";
user = "grafana";
password = "$__file{/run/secrets/metrics-grafana-smtp-password}";
password = "$__file{/secrets/metrics-grafana-smtp-password.secret}";
from_address = "grafana@robot.grzb.de";
from_name = "Grafana";
startTLS_policy = "NoStartTLS";
@ -33,17 +33,4 @@
}
];
};
sops.secrets."metrics-grafana-admin-password" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
sops.secrets."metrics-grafana-smtp-password" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
}


@ -0,0 +1,21 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"metrics-grafana-admin-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
"metrics-grafana-smtp-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -1,26 +0,0 @@
metrics-grafana-admin-password: ENC[AES256_GCM,data:vk5KwDxDvTtI/vycl+2XItCFadUQL7rDHZ+0e3WAXynkHq/gmP0Q4VBBjQQNnFwxumF/dIj+CxEqEDdCL6HpSqEOZm/SJCfBARSCxyNCXoYiI/0+NTlUdfhscrDVleLJcMNrBxmxKt3cnDotPWS8rwF5oA1A79OW6+eZm1RC8hA=,iv:JtV0/vZIIzIF+WtD9KRPmyfLI4sMSe7ff5KHG7PEXjY=,tag:A1RgqOOd6M2m1ueXWPxw2w==,type:str]
metrics-grafana-smtp-password: ENC[AES256_GCM,data:ledR3mYQaQndiXgWJSZCqwrar1d5LvnwfdAb0EYI40M=,iv:T6yV0KKz5MK8pLWQoO0xi/ZAdhpFgNvER17X5ZfCCe0=,tag:16lt0z4Gn4Gcc54ssF0W5w==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVWd2NHNWTElaTk42R1Qx
bmZxYnhoT3NqQ0I5ZWVsS0N4eHdWMDhRU0hFCmhlQ1hrZ3R5REt2ODV0dTA4VWl0
R0dtNWIydzhCUmVMYk85d0ZETk8wQkEKLS0tIElFbXRhYWprVER4ZGZocTNzcGNv
RHN2MWJVTXFEZnhKeXNQdUlnQ0ZiYmMKXicuiR0ZlDNb4EX49y3NmAOk7onTcDEV
Ohe+Enl0dM+dMfCdcojIkdTln74KZ+h6yxVr5jDU3EnDZVZpczY5wQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bkFiY0x1TUFGYnExWnYz
QldDOW1oaWVEUDMvbUN2TmwxZVZEOVpZbW5JCjlnYklSSjV1OExObDl1QUhoZFls
V3cyVVBkYWwyT0lpTlVnb1kxTG9IM0UKLS0tIENGak1HaFZYT2ZCL0hleUVVUDZu
MTI5ZkhUK0RZdGhSYVFZMDNHaS9QaFEKyptwQi4pYw0zZ2F9LvwX4F18UUdjqVrz
aB4hZkakAI94qVz3JvIVlslWzsDtIKoBTobl3dBNFId7M8TQwwZUvg==
-----END AGE ENCRYPTED FILE-----
recipient: age1lrtengtdc0nzpagr8fkp5mwqda66jqr0s2h3wsxcdscmalp8n3js3r0e3n
lastmodified: "2026-05-23T22:14:10Z"
mac: ENC[AES256_GCM,data:w1pNlY6g/PxQcpY/0Jt02TL5oZ0gwB5fYIzd99PgJTU0X76tmvlAF1i58SubnyR6TWiO0Q4TYJcqgeKHHvWYkYtQZzV4MGc0UwY1+Ipw3q38fRTHqVNbiaCorYbWBMXUnewE4eXictnFfq+vIfFeWktoGws/NTrZEIQ4lY+NSiE=,iv:vP7vujgXGRSr/adBJu1SATryPbqF3Obcg885EZahMTg=,tag:HuRqc8wS1+geWmJMdRWNSA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -0,0 +1,33 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "navidrome";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
fileSystems = {
"/mnt/music" = {
device = "//10.202.40.5/music-ro";
fsType = "cifs";
options = [
"username=navidrome"
"credentials=/secrets/navidrome-samba-credentials.secret"
"iocharset=utf8"
"vers=3.1.1"
"uid=navidrome"
"gid=navidrome"
"_netdev"
];
};
};
system.stateVersion = "23.05";
}


@ -0,0 +1,7 @@
{ ... }: {
imports = [
./configuration.nix
./navidrome.nix
./nginx.nix
];
}


@ -0,0 +1,9 @@
{ ... }: {
services.navidrome = {
enable = true;
settings = {
Address = "unix:/run/navidrome/navidrome.socket";
MusicFolder = "/mnt/music";
};
};
}


@ -0,0 +1,24 @@
{ ... }: {
services.nginx = {
enable = true;
user = "navidrome";
virtualHosts."navidrome.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/" = {
proxyPass = "http://unix:/run/navidrome/navidrome.socket";
};
};
};
}
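Review bot: `user = "navidrome";` in this nginx block runs the nginx workers under the application's own account, so a compromised nginx has the same access to the music library and navidrome's state as navidrome itself, and the two services are no longer separable in file ownership or audit. The netbox nginx.nix in this diff does the same with `user = "netbox";`. Keeping nginx's default user and granting socket access through a group, e.g. `users.users.nginx.extraGroups = [ "navidrome" ];`, preserves the boundary — provided the socket under /run/navidrome is created group-accessible, which I cannot confirm from the diff.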


@ -0,0 +1,13 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"navidrome-samba-credentials.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}
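Review bot: `destDir = "/secrets";` writes the decrypted key onto the target's filesystem, so unless /secrets is mounted as tmpfs the credential is now stored in plaintext at rest; the sops-nix setup this diff removes (see the deleted sops.nix and secrets.yaml files) decrypted into /run/secrets, which is memory-backed, and colmena's default destDir is likewise /run/keys. The netbox and nextcloud secrets.nix files in this diff share the same choice. If the keys must persist across reboot because the cifs mount needs them before colmena can re-upload, a comment next to `destDir` stating that trade-off, e.g. `# persisted on disk on purpose: the cifs mount needs it at boot`, would make it explicit; otherwise mounting /secrets as tmpfs or using the default /run/keys avoids the at-rest exposure.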


@ -0,0 +1,17 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "netbox";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
system.stateVersion = "23.05";
}


@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./configuration.nix
./netbox.nix
./nginx.nix
];
}


@ -0,0 +1,8 @@
{ pkgs, ... }:
{
services.netbox = {
enable = true;
package = pkgs.netbox;
secretKeyFile = "/secrets/netbox-secret-key.secret";
};
}
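Review bot: The `services.netbox` block sets no `settings`, so the module's default ALLOWED_HOSTS applies; if that default is the permissive `[ "*" ]` I believe the NixOS module ships, Django's Host-header validation is effectively disabled for the proxied app. Pinning it to the vhost from nginx.nix, `settings.ALLOWED_HOSTS = [ "netbox.grzb.de" ];`, keeps that check meaningful. `secretKeyFile` matches the path deployed by the netbox secrets.nix in this diff.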


@ -0,0 +1,29 @@
{ config, ... }:
{
services.nginx = {
enable = true;
clientMaxBodySize = "25m";
user = "netbox";
virtualHosts."netbox.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/static/" = {
alias = "${config.services.netbox.dataDir}/static/";
};
locations."/" = {
proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
};
};
};
}
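Review bot: `proxyPass` under `locations."/"` is used without `recommendedProxySettings = true` or an explicit `proxy_set_header` block, so requests reach netbox with the upstream address as Host and without X-Forwarded-Proto or X-Real-IP. NetBox's reverse-proxy guidance relies on those headers; as far as I can infer, without them Django's CSRF origin check may reject form posts behind `forceSSL`, and the application will attribute every request to the proxy's address. Adding `services.nginx.recommendedProxySettings = true;` is the smallest fix.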


@ -0,0 +1,11 @@
{ keyCommandEnv, ... }:
{
deployment.keys."netbox-secret-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ];
destDir = "/secrets";
user = "netbox";
group = "netbox";
permissions = "0640";
uploadAt = "pre-activation";
};
}


@ -4,6 +4,5 @@
./configuration.nix
./hardware-configuration.nix
./nextcloud.nix
./sops.nix
];
}


@ -7,7 +7,7 @@
https = true;
config = {
dbtype = "pgsql";
adminpassFile = "/run/secrets/nextcloud-adminpass";
adminpassFile = "/secrets/nextcloud-adminpass.secret";
};
database.createLocally = true;
configureRedis = true;
@ -30,7 +30,7 @@
default_phone_region = "DE";
};
# Only contains mail_smtppassword
secretFile = "/run/secrets/nextcloud-secretfile";
secretFile = "/secrets/nextcloud-secretfile.secret";
phpOptions = {
# The amount of memory for interned strings in Mbytes
"opcache.interned_strings_buffer" = "64";
@ -44,21 +44,9 @@
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
sops.secrets."nextcloud-adminpass" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
};
sops.secrets."nextcloud-secretfile" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
};
}
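Review bot: The rewritten `set_real_ip_from` lines drop `10.203.10.3` (the commented IPv6 path via valkyrie) and keep only `10.202.41.100`. If valkyrie still forwards IPv6 clients with PROXY protocol, nginx no longer trusts its header and all such visitors appear to Nextcloud's brute-force protection, logging and IP-based rules as valkyrie's address, so they are throttled or exempted as one. If that path was retired this is fine, but the surviving line lost its `# IPv4 from web-public-2` comment, and a note such as `# IPv6 now also terminates on web-public-2` would stop the next reader from re-adding the old entry. The enclosing virtualHost starts before this hunk.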


@ -0,0 +1,21 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"nextcloud-adminpass.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ];
destDir = "/secrets";
user = "nextcloud";
group = "nextcloud";
permissions = "0640";
uploadAt = "pre-activation";
};
"nextcloud-secretfile.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ];
destDir = "/secrets";
user = "nextcloud";
group = "nextcloud";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}
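Review bot: `permissions = "0640";` on both keys is wider than the `mode = "0440";` the removed `sops.secrets` declarations in nextcloud.nix used, and combined with `user = "nextcloud"` the service can now overwrite its own admin-password and SMTP-password files. Nothing in the diff needs write access, so `permissions = "0440";` (or `user = "root"; group = "nextcloud";` with 0440) restores the previous read-only posture. The netbox secrets.nix in this diff uses the same 0640/service-owner pattern.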


@ -1,26 +0,0 @@
nextcloud-adminpass: ENC[AES256_GCM,data:9hjeHUMNBg3fCN80mGCXarXEMOySEdyfnFIL8ivGb2Vi8LKbzZ2fHZZUzMO5/7XYRpNKWtBz1yzn2fj/ZeLiMw==,iv:38bucE+hmU/hZXw67fc34s1uZefXpWdY5vaTpvDfpUI=,tag:vKI6DrBYekjVU8Va/7BT8A==,type:str]
nextcloud-secretfile: ENC[AES256_GCM,data:PaX7jAFBNweVwyG9nNU/TTHlGrQvPfgc92uCS1s1UwrHH8KlbKGed6NpTPvulwgMQ5cjwUMy5OuOt15kGRS03LQNcWJ+mlu2TQ2Hjsza+SV/ahtxzs/NiA==,iv:An3LZG9gnnna8TuNYlXDGxyter/Sj5DbIjZyGedqteU=,tag:2VbInjBoiv+w3nhh6AAQng==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bDNNZnh5UTFtei84YXdC
SFJONFdHNE1WZ1FvSFZoSW4rMkh3ZC9tbWljClA0RWlRTFA1K2pSMTAyY0I0d01a
cHlUK3ZTd0lydm82VnpBbUdCQmFRYWcKLS0tIEhicldwUFc0cEt2aFVKeVhSeEtS
eFNBbUY1UXZMSEVzL3YyZDUrWVlxd0EKy5TnMyh7WxWK9lO7MKLINRbwMQuFlN4l
E01+FXAUiVSHO4aJW4CsqeegTAAux3FUWB1tL2myZskOFkJPws3boQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAra3A4ZDQzZEZCRGErVFBK
bUFqS0ZSTjJFYm00cnVuei85MldCU25MV0VrCnMwVTJndWNQbUUwWmJnMUR3MjJp
VXUwV1RaZElaN2l1S3JxQVVoOXhweEkKLS0tIFFndXpaRlRKdzRvUUxUZVN1cXVr
TTFFYmx5OVU4Q3BWaFpWNFlPdGJZSzQKMLLZzESV0JdlNbMGpdDaorJnDKaSuax0
YQT/+G702pjqOjg8kRbHH8BZ3pK/3wApJBUW5iilAAxIzIm1zU/0Hw==
-----END AGE ENCRYPTED FILE-----
recipient: age1lvlmct30jtg7p4qpf8evtjlld6g74q2ckh803hd3ynr7cz7zlceq84flwu
lastmodified: "2026-05-23T23:09:29Z"
mac: ENC[AES256_GCM,data:dPYCQ7hfToQptTlbeA22MQ7EEtn9NyYvdshG9d24h2kLkPKpq/i0bcmG3o6xfyDsofTPZOOzRjCVUlxRukWuhHODPpyOronoDv3hrJNtj1YHsMzeMEK1xK1hpNtJeYkWx12SBZw4zZ7Vw3tLxc5Ay95LD7ZWCsCTqawbMufMjwc=,iv:3LeWH8eU0vTtnJRr0ZqUHHNdifzb++i6Y3CB6J/2wdA=,tag:40tOjuZZ+0Ww2wOwIXkcUQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -1,6 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -0,0 +1,17 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "nitter";
firewall = {
enable = true;
allowedTCPPorts = [ 8443 ];
};
};
system.stateVersion = "23.05";
}
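Review bot: `allowedTCPPorts = [ 8443 ];` opens the PROXY-protocol listener from nginx.nix to every source, while `set_real_ip_from` in that file trusts only 10.202.41.100. A client connecting directly can still reach the vhost (nginx simply will not honour its PROXY header for `$remote_addr`) and thereby bypass any filtering the front proxy applies. If the firewall backend is iptables, `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp --dport 8443 -s 10.202.41.100 -j nixos-fw-accept";` together with dropping 8443 from `allowedTCPPorts` limits access to the proxy; whether other hosts legitimately need direct access I cannot tell from the diff.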


@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./configuration.nix
./nginx.nix
./nitter.nix
];
}


@ -0,0 +1,23 @@
{ config, ... }:
{
services.nginx = {
enable = true;
virtualHosts."birdsite.nekover.se" = {
forceSSL = true;
enableACME = true;
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: /\\n\"";
};
locations."/" = {
proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}";
proxyWebsockets = true;
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
}


@ -0,0 +1,21 @@
{ ... }:
{
services.nitter = {
enable = true;
server = {
title = "Birdsite";
https = true;
address = "127.0.0.1";
port = 8080;
hostname = "birdsite.nekover.se";
};
preferences = {
theme = "Mastodon";
replaceTwitter = "birdsite.nekover.se";
infiniteScroll = true;
hlsPlayback = true;
};
};
}


@ -0,0 +1,17 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "paperless";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
system.stateVersion = "23.05";
}


@ -0,0 +1,9 @@
{ ... }:
{
imports = [
./configuration.nix
./hardware-configuration.nix
./nginx.nix
./paperless.nix
];
}


@ -0,0 +1,30 @@
{ ... }:
{
fileSystems = {
"/mnt/data" = {
device = "/dev/disk/by-label/data";
fsType = "ext4";
autoFormat = true;
autoResize = true;
};
"/mnt/paperless-consume" = {
device = "//10.201.40.10/paperless-consume";
fsType = "cifs";
options = [
"username=paperless"
"credentials=/secrets/paperless-samba-credentials.secret"
"iocharset=utf8"
"vers=3.1.1"
"uid=paperless"
"gid=paperless"
"_netdev"
];
};
"/var/lib/paperless" = {
depends = [ "/mnt/data" ];
device = "/mnt/data/paperless";
fsType = "none";
options = [ "bind" ];
};
};
}
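Review bot: `autoFormat = true;` on `/mnt/data`, the disk that backs `/var/lib/paperless` through the bind mount below it, means that if the device ever comes up without a recognisable filesystem signature (wrong disk attached, damaged superblock) NixOS will run mkfs on it and the paperless archive is lost without an error. If this is a one-time bootstrap convenience, consider removing it after first boot or marking it `# bootstrap only: remove once the data disk is formatted`. I also cannot tell from here whether the by-label device node exists before the first format, so the initial formatting may need to happen by hand regardless.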
