diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix index c60c00f..2b2aea8 100644 --- a/config/hosts/forgejo/forgejo.nix +++ b/config/hosts/forgejo/forgejo.nix @@ -4,6 +4,7 @@ enable = true; package = pkgs.forgejo; database.type = "postgres"; + lfs.enable = true; settings = { DEFAULT = { @@ -17,6 +18,7 @@ ROOT_URL = "https://git.nekover.se/"; # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself. # Doesn't need to be set. + OFFLINE_MODE = true; }; admin = { DISABLE_REGULAR_ORG_CREATION = false; @@ -34,11 +36,10 @@ DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_KEEP_EMAIL_PRIVATE = true; ENABLE_BASIC_AUTHENTICATION = false; - }; - repo = { - DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; + ENABLE_NOTIFY_MAIL = true; }; repository = { + DEFAULT_REPO_UNITS = "repo.code"; ENABLE_PUSH_CREATE_USER = true; ENABLE_PUSH_CREATE_ORG = true; }; diff --git a/config/hosts/forgejo/nginx.nix b/config/hosts/forgejo/nginx.nix index 6df90b1..3602209 100644 --- a/config/hosts/forgejo/nginx.nix +++ b/config/hosts/forgejo/nginx.nix @@ -29,7 +29,8 @@ }; extraConfig = '' - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix index 5a15fe1..9aadd25 100644 --- a/config/hosts/hydra/nginx.nix +++ b/config/hosts/hydra/nginx.nix @@ -16,7 +16,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; @@ -33,7 +34,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; 
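Review bot: The comment `# IPv6 from valkyrie` added in config/hosts/forgejo/nginx.nix sits next to the IPv4 address `10.203.10.3`, so it reads as if the address itself were IPv6. The same two lines are repeated in the hydra, ikiwiki, keycloak, mastodon, matrix, metrics-nekomesh, nextcloud and searx vhosts. Presumably valkyrie relays IPv6 clients over this address, in which case wording such as `# valkyrie (stream proxy for IPv6 clients)` would be clearer. Each `set_real_ip_from` entry lets that host assert any client address through the PROXY header, so defining the trusted list once in a shared Nix binding would keep the copies from drifting.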
diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix index 4bbcf0a..9f6462e 100644 --- a/config/hosts/ikiwiki/nginx.nix +++ b/config/hosts/ikiwiki/nginx.nix @@ -39,7 +39,8 @@ in }; }; extraConfig = '' - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix index c82597d..e9b46cd 100644 --- a/config/hosts/keycloak/nginx.nix +++ b/config/hosts/keycloak/nginx.nix @@ -27,7 +27,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; add_header Strict-Transport-Security "max-age=63072000" always; diff --git a/config/hosts/mastodon/containers/fedifetcher/default.nix b/config/hosts/mastodon/containers/fedifetcher/default.nix deleted file mode 100644 index 3f2617e..0000000 --- a/config/hosts/mastodon/containers/fedifetcher/default.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ nixpkgs-unstable, ... }: -{ - containers.fedifetcher = { - nixpkgs = nixpkgs-unstable; - autoStart = true; - - bindMounts = { - "/secrets" = { - hostPath = "/secrets-fedifetcher"; - isReadOnly = true; - }; - }; - - config = { ... }: { - imports = [ - ./fedifetcher.nix - ]; - - networking.useHostResolvConf = true; - system.stateVersion = "24.05"; - }; - }; -} diff --git a/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix deleted file mode 100644 index 7194c25..0000000 --- a/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix +++ /dev/null 
@@ -1,42 +0,0 @@
-{ pkgs, lib, ... }:
-{
- # config copied from https://github.com/arachnist/nibylandia/blob/main/nixos/zorigami/default.nix
- systemd.services.fedifetcher = {
- path = [ pkgs.fedifetcher ];
- description = "fetch fedi posts";
- script = ''
- fedifetcher
- '';
- environment = lib.mapAttrs' (n: v:
- (lib.nameValuePair ("ff_" + builtins.replaceStrings [ "-" ] [ "_" ] n)
- (builtins.toString v))) {
- server = "social.nekover.se";
- state-dir = "/var/lib/fedifetcher";
- lock-file = "/run/fedifetcher/fedifetcher.lock";
- from-lists = 1;
- from-notifications = 1;
- max-bookmarks = 80;
- max-favourites = 40;
- max-follow-requests = 80;
- max-followers = 80;
- max-followings = 80;
- remember-hosts-for-days = 30;
- remember-users-for-hours = 168;
- reply-interval-in-hours = 2;
- };
- serviceConfig = {
- DynamicUser = true;
- User = "fedifetcher";
- RuntimeDirectory = "fedifetcher";
- RuntimeDirectoryPreserve = true;
- StateDirectory = "fedifetcher";
- UMask = "0077";
- EnvironmentFile = [ "/secrets/mastodon-fedifetcher-access-token.secret" ];
- };
- };
-
- systemd.timers.fedifetcher = {
- wantedBy = [ "multi-user.target" ];
- timerConfig = { OnCalendar = "*:0/5"; };
- };
-}
diff --git a/config/hosts/mastodon/default.nix b/config/hosts/mastodon/default.nix
index dc52ff4..5651eb8 100644
--- a/config/hosts/mastodon/default.nix
+++ b/config/hosts/mastodon/default.nix
@@ -5,6 +5,5 @@
 ./mastodon.nix
 ./opensearch.nix
 ./nginx.nix
- ./containers/fedifetcher
 ];
 }
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index aa4fea4..dcb2498 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -2,8 +2,8 @@ let tangerineUI = pkgs.fetchgit { url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; - rev = "v2.5.2"; - hash = "sha256-RJPP3QynE42cr9Km8twyZrHiZnhMdNcYOOJ7nW0mx1c="; + rev = "v2.5.3"; + hash = "sha256-fs/pwIwXZvSNVmlSG304CMT/hSW/RtrzraMsrhg/TbE="; }; mastodonModern = pkgs.fetchgit { url = "https://git.gay/freeplay/Mastodon-Modern.git"; @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.5.2"; + version = "4.5.8"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-LePly+CcM+Dv6ipX9jIWWKhy2PiF1j8vgc9CXn2o+DQ="; + sha256 = "sha256-03PdAB9KOvMgQJPx+7ik13QE18fjdLIab7zEXaPc4nk="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix index 72aec08..02a0d0a 100644 --- a/config/hosts/mastodon/nginx.nix +++ b/config/hosts/mastodon/nginx.nix @@ -57,7 +57,8 @@ }; extraConfig = '' - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index 986a64b..88413c7 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix @@ -57,13 +57,5 @@ permissions = "0640"; uploadAt = "pre-activation"; }; - "mastodon-fedifetcher-access-token.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mastodon/fedifetcher-access-token" ]; - destDir = "/secrets-fedifetcher"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; }; } 
diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix index 53674ad..e13bdd9 100644 --- a/config/hosts/matrix/matrix-authentication-service.nix +++ b/config/hosts/matrix/matrix-authentication-service.nix @@ -33,6 +33,17 @@ let }]; proxy_protocol = false; } + { + name = "admin"; + resources = [{ + name = "adminapi"; + }]; + binds = [{ + host = "localhost"; + port = 8083; + }]; + proxy_protocol = false; + } ]; trusted_proxies = [ "192.168.0.0/16" @@ -63,8 +74,7 @@ let version = 2; algorithm = "argon2id"; } - ]; - minimum_complexity = 8; + ]; }; }; masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings); diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index ce3ab3d..c9548b2 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -34,11 +34,25 @@ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; ''; }; + "~ ^/_synapse/admin" = { + # Only proxy to the local host on IPv4, because localhost doesn't seem to work + # even if matrix-synapse is listening on ::1 as well. + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + # Restrict access to admin API. + allow 172.21.87.0/24; # management VPN + deny all; + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; + ''; + }; }; extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; 
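Review bot: Removing `minimum_complexity` in the second hunk of matrix-authentication-service.nix leaves the password-strength floor to the service default, so the policy is no longer visible in this file. As far as I know the service scores passwords from 0 to 4 with a default of 3, which would make the old value of 8 out of range. If that is the reason for the removal, stating the intended level explicitly, e.g. `minimum_complexity = 3;`, keeps the policy reviewable. The enclosing attribute set starts outside the hunk.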
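Review bot: The new `~ ^/_synapse/admin` location in config/hosts/matrix/nginx.nix decides access with `allow 172.21.87.0/24; deny all;`, and that check runs against the address the realip module restores from the PROXY header. The restriction is therefore only as strong as the two hosts listed under `set_real_ip_from`, since a trusted proxy can present any client address. The `~ ^/api/admin` location added for the MAS vhost in the next hunk has the same dependency. A comment at the rule, e.g. `# checked against the PROXY-protocol client address; depends on set_real_ip_from below`, would make that explicit. It is also worth confirming that management-VPN clients actually arrive with a 172.21.87.0/24 source on this path, which the diff does not show.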
@@ -51,13 +65,24 @@ port = 80; } ]; - locations."/" = { - proxyPass = "http://localhost:8080"; + locations = { + "/" = { + proxyPass = "http://localhost:8080"; + }; + "~ ^/api/admin" = { + proxyPass = "http://localhost:8083"; + extraConfig = '' + # Restrict access to admin API. + allow 172.21.87.0/24; # management VPN + deny all; + ''; + }; }; extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; @@ -80,7 +105,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix index 7697748..8c4255d 100644 --- a/config/hosts/metrics-nekomesh/grafana.nix +++ b/config/hosts/metrics-nekomesh/grafana.nix @@ -13,6 +13,7 @@ admin_user = "admin"; admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}"; admin_email = "fi@nekover.se"; + secret_key = "$__file{/secrets/metrics-nekomesh-grafana-secret-key.secret}"; }; smtp = { enabled = true; diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix index e2fc483..a754cb6 100644 --- a/config/hosts/metrics-nekomesh/nginx.nix +++ b/config/hosts/metrics-nekomesh/nginx.nix @@ -23,7 +23,8 @@ proxyWebsockets = true; }; extraConfig = '' - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/metrics-nekomesh/secrets.nix b/config/hosts/metrics-nekomesh/secrets.nix index ef6bcec..8014354 100644 --- a/config/hosts/metrics-nekomesh/secrets.nix 
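Review bot: Setting `secret_key` in config/hosts/metrics-nekomesh/grafana.nix on an instance that is already running changes the key Grafana uses to protect stored secrets such as data source credentials, so values written under the previous key will presumably no longer decrypt. The hunk shows no migration step. A comment next to the line, e.g. `# changing this requires re-entering or re-encrypting stored data source secrets`, would warn the next maintainer. Loading the value through `$__file{...}` matches how `admin_password` is handled in the context lines above it.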
+++ b/config/hosts/metrics-nekomesh/secrets.nix
@@ -17,6 +17,14 @@
 permissions = "0640";
 uploadAt = "pre-activation";
 };
+ "metrics-nekomesh-grafana-secret-key.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/secret-key" ];
+ destDir = "/secrets";
+ user = "grafana";
+ group = "grafana";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
 "mail-nekomesh-nekover-se.secret" = {
 keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
 destDir = "/secrets";
diff --git a/config/hosts/navidrome/configuration.nix b/config/hosts/navidrome/configuration.nix deleted file mode 100644
index 581a631..0000000
--- a/config/hosts/navidrome/configuration.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ ... }:
-{
- boot.loader.grub = {
- enable = true;
- device = "/dev/vda";
- };
-
- networking = {
- hostName = "navidrome";
- firewall = {
- enable = true;
- allowedTCPPorts = [ 80 443 ];
- };
- };
-
- fileSystems = {
- "/mnt/music" = {
- device = "//10.202.40.5/music-ro";
- fsType = "cifs";
- options = [
- "username=navidrome"
- "credentials=/secrets/navidrome-samba-credentials.secret"
- "iocharset=utf8"
- "vers=3.1.1"
- "uid=navidrome"
- "gid=navidrome"
- "_netdev"
- ];
- };
- };
-
- system.stateVersion = "23.05";
-}
diff --git a/config/hosts/navidrome/default.nix b/config/hosts/navidrome/default.nix deleted file mode 100644
index 00d4a90..0000000
--- a/config/hosts/navidrome/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }: {
- imports = [
- ./configuration.nix
- ./navidrome.nix
- ./nginx.nix
- ];
-}
diff --git a/config/hosts/navidrome/navidrome.nix b/config/hosts/navidrome/navidrome.nix deleted file mode 100644
index 74e3a1d..0000000
--- a/config/hosts/navidrome/navidrome.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ ... }: {
- services.navidrome = {
- enable = true;
- settings = {
- Address = "unix:/run/navidrome/navidrome.socket";
- MusicFolder = "/mnt/music";
- };
- };
-}
diff --git a/config/hosts/navidrome/nginx.nix b/config/hosts/navidrome/nginx.nix deleted file mode 100644
index eef60dd..0000000
--- a/config/hosts/navidrome/nginx.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ ... }: {
- services.nginx = {
- enable = true;
- user = "navidrome";
- virtualHosts."navidrome.grzb.de" = {
- forceSSL = true;
- enableACME = true;
- listen = [
- {
- addr = "0.0.0.0";
- port = 80;
- }
- {
- addr = "0.0.0.0";
- port = 443;
- ssl = true;
- }
- ];
- locations."/" = {
- proxyPass = "http://unix:/run/navidrome/navidrome.socket";
- };
- };
- };
-}
diff --git a/config/hosts/navidrome/secrets.nix b/config/hosts/navidrome/secrets.nix deleted file mode 100644
index a11e957..0000000
--- a/config/hosts/navidrome/secrets.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys = {
- "navidrome-samba-credentials.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ];
- destDir = "/secrets";
- user = "root";
- group = "root";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- };
-}
diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix deleted file mode 100644
index 5bf8422..0000000
--- a/config/hosts/netbox/configuration.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ ... }:
-{
- boot.loader.grub = {
- enable = true;
- device = "/dev/vda";
- };
-
- networking = {
- hostName = "netbox";
- firewall = {
- enable = true;
- allowedTCPPorts = [ 80 443 ];
- };
- };
-
- system.stateVersion = "23.05";
-}
diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix deleted file mode 100644
index 5dd147b..0000000
--- a/config/hosts/netbox/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ ... }:
-{
- imports = [
- ./configuration.nix
- ./netbox.nix
- ./nginx.nix
- ];
-}
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix deleted file mode 100644
index b9ba2ad..0000000
--- a/config/hosts/netbox/netbox.nix
+++ /dev/null
@@ -1,8 +0,0 @@ -{ pkgs, ... }: -{ - services.netbox = { - enable = true; - package = pkgs.netbox; - secretKeyFile = "/secrets/netbox-secret-key.secret"; - }; -} diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix deleted file mode 100644 index a2d1782..0000000 --- a/config/hosts/netbox/nginx.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ config, ... }: -{ - services.nginx = { - enable = true; - clientMaxBodySize = "25m"; - user = "netbox"; - virtualHosts."netbox.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - ]; - locations."/static/" = { - alias = "${config.services.netbox.dataDir}/static/"; - }; - locations."/" = { - proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; - }; - }; - }; -} diff --git a/config/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix deleted file mode 100644 index 216aca4..0000000 --- a/config/hosts/netbox/secrets.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys."netbox-secret-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ]; - destDir = "/secrets"; - user = "netbox"; - group = "netbox"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; -} diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index 88b842a..f27c9a6 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -44,7 +44,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/nitter/configuration.nix b/config/hosts/nitter/configuration.nix deleted file mode 100644 index bc54db7..0000000 
--- a/config/hosts/nitter/configuration.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ ... }:
-{
- boot.loader.grub = {
- enable = true;
- device = "/dev/vda";
- };
-
- networking = {
- hostName = "nitter";
- firewall = {
- enable = true;
- allowedTCPPorts = [ 8443 ];
- };
- };
-
- system.stateVersion = "23.05";
-}
diff --git a/config/hosts/nitter/default.nix b/config/hosts/nitter/default.nix deleted file mode 100644
index 6aae884..0000000
--- a/config/hosts/nitter/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ ... }:
-{
- imports = [
- ./configuration.nix
- ./nginx.nix
- ./nitter.nix
- ];
-}
diff --git a/config/hosts/nitter/nginx.nix b/config/hosts/nitter/nginx.nix deleted file mode 100644
index 862405c..0000000
--- a/config/hosts/nitter/nginx.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ config, ... }:
-{
- services.nginx = {
- enable = true;
- virtualHosts."birdsite.nekover.se" = {
- forceSSL = true;
- enableACME = true;
- locations."/robots.txt" = {
- return = "200 \"User-agent: *\\nDisallow: /\\n\"";
- };
- locations."/" = {
- proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}";
- proxyWebsockets = true;
- };
- extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
- set_real_ip_from 10.202.41.100;
- real_ip_header proxy_protocol;
- '';
- };
- };
-}
diff --git a/config/hosts/nitter/nitter.nix b/config/hosts/nitter/nitter.nix deleted file mode 100644
index 94165c4..0000000
--- a/config/hosts/nitter/nitter.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ ... }:
-{
- services.nitter = {
- enable = true;
-
- server = {
- title = "Birdsite";
- https = true;
- address = "127.0.0.1";
- port = 8080;
- hostname = "birdsite.nekover.se";
- };
-
- preferences = {
- theme = "Mastodon";
- replaceTwitter = "birdsite.nekover.se";
- infiniteScroll = true;
- hlsPlayback = true;
- };
- };
-}
diff --git a/config/hosts/paperless/configuration.nix b/config/hosts/paperless/configuration.nix deleted file mode 100644
index 494f08c..0000000
--- a/config/hosts/paperless/configuration.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ ... }:
-{
- boot.loader.grub = {
- enable = true;
- device = "/dev/vda";
- };
-
- networking = {
- hostName = "paperless";
- firewall = {
- enable = true;
- allowedTCPPorts = [ 80 443 ];
- };
- };
-
- system.stateVersion = "23.05";
-}
diff --git a/config/hosts/paperless/default.nix b/config/hosts/paperless/default.nix deleted file mode 100644
index e6ebeed..0000000
--- a/config/hosts/paperless/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ ... }:
-{
- imports = [
- ./configuration.nix
- ./hardware-configuration.nix
- ./nginx.nix
- ./paperless.nix
- ];
-}
diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix deleted file mode 100644
index 17b9b66..0000000
--- a/config/hosts/paperless/hardware-configuration.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ ... }:
-{
- fileSystems = {
- "/mnt/data" = {
- device = "/dev/disk/by-label/data";
- fsType = "ext4";
- autoFormat = true;
- autoResize = true;
- };
- "/mnt/paperless-consume" = {
- device = "//10.201.40.10/paperless-consume";
- fsType = "cifs";
- options = [
- "username=paperless"
- "credentials=/secrets/paperless-samba-credentials.secret"
- "iocharset=utf8"
- "vers=3.1.1"
- "uid=paperless"
- "gid=paperless"
- "_netdev"
- ];
- };
- "/var/lib/paperless" = {
- depends = [ "/mnt/data" ];
- device = "/mnt/data/paperless";
- fsType = "none";
- options = [ "bind" ];
- };
- };
-}
diff --git a/config/hosts/paperless/nginx.nix b/config/hosts/paperless/nginx.nix deleted file mode 100644
index e4a2131..0000000
--- a/config/hosts/paperless/nginx.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{ config, ... }:
-{
- services.nginx = {
- enable = true;
- virtualHosts."paperless.grzb.de" = {
- forceSSL = true;
- enableACME = true;
- listen = [
- {
- addr = "0.0.0.0";
- port = 80;
- }
- {
- addr = "0.0.0.0";
- port = 443;
- ssl = true;
- }
- ];
- locations."/" = {
- proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}";
- proxyWebsockets = true;
- extraConfig = ''
- add_header Referrer-Policy "strict-origin-when-cross-origin";
- '';
- };
- extraConfig = ''
- client_max_body_size 100M;
- '';
- };
- };
-}
diff --git a/config/hosts/paperless/paperless.nix b/config/hosts/paperless/paperless.nix deleted file mode 100644
index 1def83d..0000000
--- a/config/hosts/paperless/paperless.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ ... }:
-{
- services.paperless = {
- enable = true;
- consumptionDir = "/mnt/paperless-consume";
- passwordFile = "/secrets/paperless-admin-password.secret";
- };
-}
diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix deleted file mode 100644
index 6726881..0000000
--- a/config/hosts/paperless/secrets.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys = {
- "paperless-admin-password.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ];
- destDir = "/secrets";
- user = "paperless";
- group = "paperless";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "paperless-samba-credentials.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ];
- destDir = "/secrets";
- user = "root";
- group = "root";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- };
-}
diff --git a/config/hosts/searx/nginx.nix b/config/hosts/searx/nginx.nix
index a84c171..9283018 100644
--- a/config/hosts/searx/nginx.nix
+++ b/config/hosts/searx/nginx.nix
@@ -21,7 +21,8 @@
 proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}";
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix
index fae78f0..dae48ad 100644
--- a/config/hosts/valkyrie/nginx.nix
+++ b/config/hosts/valkyrie/nginx.nix
@@ -33,5 +33,31 @@
 };
 };
 };
+
+ streamConfig = ''
+ map $ssl_preread_server_name $address {
+ cloud.nekover.se 10.202.41.122:8443;
+ element.nekover.se 10.202.41.100:8443;
+ element-admin.nekover.se 10.202.41.100:8443;
+ fi.nekover.se 10.202.41.125:8443;
+ git.nekover.se 10.202.41.106:8443;
+ hydra.nekover.se 10.202.41.121:8443;
+ id.nekover.se 10.202.41.124:8443;
+ mas.nekover.se 10.202.41.112:8443;
+ matrix.nekover.se 10.202.41.112:8443;
+ matrix-rtc.nekover.se 10.202.41.112:8443;
+ mesh.nekover.se 10.202.41.126:8443;
+ nekover.se 10.202.41.100:8443;
+ nix-cache.nekover.se 10.202.41.121:8443;
+ searx.nekover.se 10.202.41.105:8443;
+ social.nekover.se 10.202.41.104:8443;
+ }
+ server {
+ listen [::]:443;
+ proxy_pass $address;
+ ssl_preread on;
+ proxy_protocol on;
+ }
+ '';
 };
 }
diff --git a/config/hosts/web-public-1/configuration.nix b/config/hosts/web-public-1/configuration.nix deleted file mode 100644
index 7f3b8fa..0000000
--- a/config/hosts/web-public-1/configuration.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ ... }:
-{
- boot.loader.grub = {
- enable = true;
- device = "/dev/vda";
- };
-
- networking = {
- hostName = "web-public-1";
- firewall = {
- enable = true;
- allowedTCPPorts = [ 80 443 ];
- };
- };
-
- system.stateVersion = "23.05";
-}
diff --git a/config/hosts/web-public-1/default.nix b/config/hosts/web-public-1/default.nix deleted file mode 100644
index 3db73ca..0000000
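Review bot: The `map $ssl_preread_server_name $address` added to config/hosts/valkyrie/nginx.nix has no `default` entry, so a connection with a missing or unlisted SNI leaves `$address` empty and `proxy_pass` can only fail at connect time. If dropping such connections is intended, a comment in the map such as `# no default: unknown SNI is not forwarded` would record that. The host table also duplicates the one in config/hosts/web-public-2/nginx.nix, with different targets for the names web-public-2 serves itself, so the two lists can drift apart. Generating both maps from one Nix attribute set would keep the routing consistent.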
--- a/config/hosts/web-public-1/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-{
- imports = [
- ./configuration.nix
- ./nginx.nix
- ];
-}
diff --git a/config/hosts/web-public-1/nginx.nix b/config/hosts/web-public-1/nginx.nix deleted file mode 100644
index 0453a73..0000000
--- a/config/hosts/web-public-1/nginx.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ... }:
-{
- imports = [
- ./virtualHosts
- ];
-
- services.nginx = {
- enable = true;
- };
-}
diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix deleted file mode 100644
index c9b7e61..0000000
--- a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ ... }:
-let
- acmeDomainMap = {
- "paperless.grzb.de" = "paperless.wg.grzb.de";
- "navidrome.grzb.de" = "navidrome.wg.grzb.de";
- };
-in
-{
- services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: {
- listen = [{
- addr = "0.0.0.0";
- port = 80;
- }];
- locations."^~ /.well-known/acme-challenge/" = {
- proxyPass = "http://${target}:80";
- };
- }) acmeDomainMap);
-}
diff --git a/config/hosts/web-public-1/virtualHosts/default.nix b/config/hosts/web-public-1/virtualHosts/default.nix deleted file mode 100644
index e191a9c..0000000
--- a/config/hosts/web-public-1/virtualHosts/default.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ ... }:
-{
- imports = [
- ./acme-challenge.nix
- ];
-
- services.nginx.virtualHosts."_" = {
- listen = [{
- addr = "0.0.0.0";
- port = 80;
- }];
- locations."/" = {
- return = "301 https://$host$request_uri";
- };
- };
-}
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 608d6a7..1e51d61 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -16,19 +16,16 @@ stream { map $ssl_preread_server_name $address { - anisync.grzb.de 127.0.0.1:8443; cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; + element-admin.nekover.se 127.0.0.1:8443; fi.nekover.se 10.202.41.125:8443; - gameserver.grzb.de 127.0.0.1:8443; - git.grzb.de 127.0.0.1:8443; git.nekover.se 10.202.41.106:8443; hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; mas.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443; matrix-rtc.nekover.se 10.202.41.112:8443; - mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; mesh.nekover.se 10.202.41.126:8443; nix-cache.nekover.se 10.202.41.121:8443; @@ -37,7 +34,6 @@ } server { listen 0.0.0.0:443; - listen [::]:443; proxy_pass $address; ssl_preread on; proxy_protocol on; diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix deleted file mode 100644 index 9a3950a..0000000 --- a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ ... }: -{ - services.nginx.virtualHosts."anisync.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [{ - addr = "localhost"; - port = 8443; - ssl = true; - extraParameters = ["proxy_protocol"]; - }]; - locations."/" = { - proxyPass = "http://anisync.vs.grzb.de:8080"; - proxyWebsockets = true; - }; - extraConfig = '' - add_header X-Content-Type-Options nosniff; - - set_real_ip_from 127.0.0.1; - real_ip_header proxy_protocol; - ''; - }; -} diff --git a/config/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix index 53294f7..fc2b409 100644 --- a/config/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix 
@@ -2,11 +2,8 @@ { imports = [ ./acme-challenge.nix - ./anisync.grzb.de.nix ./element.nekover.se.nix - ./gameserver.grzb.de.nix - ./git.grzb.de.nix - ./mewtube.nekover.se.nix + ./element-admin.nekover.se.nix ./nekover.se.nix ]; diff --git a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix new file mode 100644 index 0000000..d6af438 --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix 
@@ -0,0 +1,96 @@
+{ config, pkgs, ... }:
+
+let
+ elementAdminVersion = "0.1.10";
+ elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: {
+ pname = "element-admin";
+ version = elementAdminVersion;
+
+ src = pkgs.fetchzip {
+ url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip";
+ sha256 = "sha256-dh7tmzAaTfKB9FuOVhLHpOIsTZK1qMvNq16HeObHOqI=";
+ };
+
+ nativeBuildInputs = [
+ pkgs.nodejs
+ pkgs.pnpm.configHook
+ ];
+
+ pnpmDeps = pkgs.pnpm.fetchDeps {
+ inherit (finalAttrs) pname version src;
+ fetcherVersion = 2;
+ hash = "sha256-S/MdfUv6q+PaAKWYHxVY80BcpL81dOfpPVhNxEPQVE4=";
+ };
+
+ buildPhase = ''
+ pnpm build
+ '';
+
+ installPhase = ''
+ cp -a dist $out
+ '';
+ });
+in
+{
+ services.nginx.virtualHosts."element-admin.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = ["proxy_protocol"];
+ }];
+
+ root = elementAdmin;
+
+ locations."/assets" = {
+ extraConfig = ''
+ expires 1y;
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ # Security headers.
+ add_header X-Frame-Options "DENY" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
+ add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
+ '';
+ };
+
+ locations."/" = {
+ index = "/index.html";
+ tryFiles = "$uri $uri/ /";
+ extraConfig = ''
+ # Security headers.
+ add_header X-Frame-Options "DENY" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
+ add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
+ '';
+ };
+
+ extraConfig = ''
+ # Security headers.
+ add_header X-Frame-Options "DENY" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
+ add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
+
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+}
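Review bot: The Content-Security-Policy set for element-admin.nekover.se allows `script-src 'self' 'unsafe-inline'` and `connect-src *`, which gives up most of the script-injection protection a CSP offers on a console that handles admin credentials. If the built bundle needs no inline scripts, `script-src 'self'` is the tighter setting, and `frame-ancestors 'none'` would state the framing ban in the policy itself. The six-header block is also pasted three times (server level, `/assets`, `/`), which is needed because an `add_header` inside a location replaces the inherited ones. Binding it once in the `let` and interpolating it, as element.nekover.se.nix does with `elementWebSecurityHeaders`, would stop the copies from diverging.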
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 7576beb..6e61d6c 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.12.2"; + elementWebVersion = "1.12.10"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-EZtySIQHgb+Boq97LhzFYKTEO///6YMH3O2DrAy+7Fs="; + sha256 = "sha256-YpxfV4BCXh2fffQvVsZGOfK82TpGzg6uOx7iUPqiXVE="; }; elementWebSecurityHeaders = '' # Configuration best practices @@ -28,7 +28,7 @@ in ]; }; listen = [{ - addr = "localhost"; + addr = "0.0.0.0"; port = 8443; ssl = true; extraParameters = ["proxy_protocol"]; @@ -60,7 +60,8 @@ in # redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; - set_real_ip_from 127.0.0.1; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix deleted file mode 100644 index c746f3d..0000000 --- a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix +++ /dev/null 
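Review bot: Replacing `set_real_ip_from 127.0.0.1;` in the last hunk of element.nekover.se.nix looks like it stops client addresses from being restored for IPv4 traffic, because the stream map in config/hosts/web-public-2/nginx.nix still sends `element.nekover.se` to `127.0.0.1:8443` and those connections arrive from loopback, not from `10.202.41.100`. Unless a `proxy_bind` outside this diff changes the source address, `$remote_addr` would then be 127.0.0.1 in logs and in any address-based rule. Keeping `set_real_ip_from 127.0.0.1;` next to the two new entries covers both paths; nekover.se.nix and the new element-admin.nekover.se.nix follow the same pattern. The second hunk's change to `addr = "0.0.0.0";` also makes port 8443 reachable on every interface, so the host firewall, which is not visible here, has to limit it to valkyrie.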
@@ -1,28 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."gameserver.grzb.de" = {
- forceSSL = true;
- enableACME = true;
- listen = [{
- addr = "localhost";
- port = 8443;
- ssl = true;
- extraParameters = ["proxy_protocol"];
- }];
- locations."/" = {
- proxyPass = "http://pterodactyl.vs.grzb.de";
- extraConfig = ''
- proxy_redirect off;
- proxy_buffering off;
- proxy_request_buffering off;
- '';
- };
- extraConfig = ''
- client_max_body_size 1024m;
- add_header X-Content-Type-Options nosniff;
-
- set_real_ip_from 127.0.0.1;
- real_ip_header proxy_protocol;
- '';
- };
-}
diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
deleted file mode 100644
index ac9eefb..0000000
--- a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."git.grzb.de" = {
- forceSSL = true;
- enableACME = true;
- listen = [{
- addr = "localhost";
- port = 8443;
- ssl = true;
- extraParameters = ["proxy_protocol"];
- }];
- locations."/" = {
- proxyPass = "http://gitlab.vs.grzb.de:80";
- extraConfig = ''
- gzip off;
- proxy_read_timeout 300;
- proxy_connect_timeout 300;
- proxy_redirect off;
- '';
- };
- extraConfig = ''
- client_max_body_size 1024m;
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
-
- set_real_ip_from 127.0.0.1;
- real_ip_header proxy_protocol;
- '';
- };
-}
diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
deleted file mode 100644
index 1ab842a..0000000
--- a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."mewtube.nekover.se" = {
- forceSSL = true;
- enableACME = true;
- listen = [{
- addr = "localhost";
- port = 8443;
- ssl = true;
- extraParameters = ["proxy_protocol"];
- }];
- locations."/" = {
- proxyPass = "http://cloudtube.vs.grzb.de:10412";
- };
- extraConfig = ''
- set_real_ip_from 127.0.0.1;
- real_ip_header proxy_protocol;
- '';
- };
-}
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index 40ee30d..233a49c 100644
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@@ -23,7 +23,8 @@
 '';
 };
 extraConfig = ''
- set_real_ip_from 127.0.0.1;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/users/colmena-deploy/default.nix b/config/users/colmena-deploy/default.nix
index cc4029b..2ebb9a8 100644
--- a/config/users/colmena-deploy/default.nix
+++ b/config/users/colmena-deploy/default.nix
@@ -8,6 +8,7 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew"
 ];
 };
 }
diff --git a/config/users/fi/default.nix b/config/users/fi/default.nix
index 6aed7cf..54881d6 100644
--- a/config/users/fi/default.nix
+++ b/config/users/fi/default.nix
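Review bot: The added `fi@stardew` key goes into the key list of `config/users/colmena-deploy/default.nix` here, and the same line is added to `config/users/fi/default.nix` and `config/users/yuri/default.nix` in the next two hunks. One workstation key therefore authenticates as the deploy user and as both personal accounts. If accepting fi's keys for yuri is intended, a comment in the yuri file such as `# fi's keys are accepted here on purpose (shared admin access)` would record that; otherwise the line should be dropped from `config/users/yuri/default.nix`. Defining each person's keys once and referencing them from the three files would make revoking a lost key a single edit. The start of the key list is outside the hunk.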
@@ -8,6 +8,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE95OjEez/yE+GIaeIoz3OwkXboLboPY4ss9nkt4FLyW fi@kiara" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew" ]; }; } diff --git a/config/users/yuri/default.nix b/config/users/yuri/default.nix index 4b2b8ac..f4ca1c7 100644 --- a/config/users/yuri/default.nix +++ b/config/users/yuri/default.nix @@ -7,6 +7,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew" ]; }; } diff --git a/flake.lock b/flake.lock index 1ba87cf..895cec4 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1761588595, - "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", "owner": "edolstra", "repo": "flake-compat", - "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", "type": "github" }, "original": { @@ -45,11 +45,11 @@ ] }, "locked": { - "lastModified": 1763319842, - "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=", + "lastModified": 1772893680, + "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761", + "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9", "type": "github" }, "original": { 
@@ -103,11 +103,11 @@ ] }, "locked": { - "lastModified": 1764234087, - "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", + "lastModified": 1769813415, + "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", + "rev": "8946737ff703382fda7623b9fab071d037e897d5", "type": "github" }, "original": { @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1765178948, - "narHash": "sha256-Kb3mIrj4xLg2LeMvok0tpiGPis1VnrNJO0l4kW+0xmc=", + "lastModified": 1775189162, + "narHash": "sha256-fjEpcsJ0KDZ363xd+3OhOGq3AC1juI23Xas548ZPZEk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f376a52d0dc796aec60b5606a2676240ff1565b9", + "rev": "0aecba5a03727e1ac2d66378907d9a6e9c8266d0", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1765227377, - "narHash": "sha256-OeTF3YNuXZxN4TxluVEdCG32e5/0pYDb5exWe0RrQBY=", + "lastModified": 1775248990, + "narHash": "sha256-H/G80K7f3ZrPP8PAmSCG/pJh59zMscPA6UaiWdKgTdg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a0ea537a4fc4c49fb1e226317829c8b32ed95d0e", + "rev": "942d1c86a6642bff0c4a440d30a7669a7a18a903", "type": "github" }, "original": { @@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1765183668, - "narHash": "sha256-TBA7CE44IHYfvOPBWcyLncpVrrKEiXWPdOrF8CD6W84=", + "lastModified": 1775231746, + "narHash": "sha256-EFaDQ0rnuSjKfC/DUKHS4toV4rEBuWhSgyX2Yy0kp00=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fc2de1563f89f0843eba27f14576d261df0e3b80", + "rev": "0eac666efaa8a9afea2821f9efc7921b4ef39b4e", "type": "github" }, "original": { 
@@ -166,11 +166,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1764020296, - "narHash": "sha256-6zddwDs2n+n01l+1TG6PlyokDdXzu/oBmEejcH5L5+A=", + "lastModified": 1773831496, + "narHash": "sha256-JW2/QPyCVzmouqEp1H9kNa8JXd7xEhlam9sy3TYfhDY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a320ce8e6e2cc6b4397eef214d202a50a4583829", + "rev": "826430a188181a750ffa5948daff334039c5d741", "type": "github" }, "original": { @@ -197,11 +197,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1764185122, - "narHash": "sha256-+HUOwSIFLoyett2cvRjuFIbhobpHallfP9J2cia1apo=", + "lastModified": 1773912645, + "narHash": "sha256-QHzRqq6gh+t3F/QU9DkP7X63dDDcuIQmaDz12p7ANTg=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "a14fe3b293ec2720e5b7fc72ad136d22967e12ba", + "rev": "25e6dbb8fca3b6e779c5a46fd03bd760b2165bb5", "type": "gitlab" }, "original": {