From 954f7d4d086cdefbcdc954c74e3e81187b34b842 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 5 Jan 2026 20:21:52 +0100 Subject: [PATCH 01/55] tweak forgejo service configuration a bit making it nicer - Enable Git LFS support, since it's nice to have. - Enable offline mode to avoid relying on CDNs (and to not use Gravatar). - Enable notification mails for repo activity. - Put setting for default repo units into "repository" category as the "repo" category doesn't exist. - Also disable all repo units except code, as they mostly aren't needed for private repos and can be easily enabled on-demand. --- config/hosts/forgejo/forgejo.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix index c60c00f..2b2aea8 100644 --- a/config/hosts/forgejo/forgejo.nix +++ b/config/hosts/forgejo/forgejo.nix @@ -4,6 +4,7 @@ enable = true; package = pkgs.forgejo; database.type = "postgres"; + lfs.enable = true; settings = { DEFAULT = { @@ -17,6 +18,7 @@ ROOT_URL = "https://git.nekover.se/"; # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself. # Doesn't need to be set. + OFFLINE_MODE = true; }; admin = { DISABLE_REGULAR_ORG_CREATION = false; @@ -34,11 +36,10 @@ DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_KEEP_EMAIL_PRIVATE = true; ENABLE_BASIC_AUTHENTICATION = false; - }; - repo = { - DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; + ENABLE_NOTIFY_MAIL = true; }; repository = { + DEFAULT_REPO_UNITS = "repo.code"; ENABLE_PUSH_CREATE_USER = true; ENABLE_PUSH_CREATE_ORG = true; }; From 399f53fc3e9acbbecc77ee9c58c171e4baf9da65 Mon Sep 17 00:00:00 2001 
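Review bot: `lfs.enable = true;` turns on LFS storage with no size bound anywhere in these hunks, and because `ENABLE_PUSH_CREATE_USER`/`ENABLE_PUSH_CREATE_ORG` are already on, any account with push rights can fill the LFS store with arbitrarily large blobs; add a cap next to `OFFLINE_MODE` in the server section, e.g. `LFS_MAX_FILE_SIZE = 104857600; # bytes, 0 = unlimited`, sized to what private repos here actually need. `ENABLE_NOTIFY_MAIL = true;` is correctly placed in the service section but only has an effect when the mailer section is enabled, which is not visible in this patch and is worth confirming. The `settings` attrset continues outside the hunks.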
From: fi Date: Tue, 6 Jan 2026 00:25:12 +0100 Subject: [PATCH 02/55] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/f376a52d0dc796aec60b5606a2676240ff1565b9' (2025-12-08) → 'github:NixOS/nixpkgs/044f759a4f4629f2be41e59b859753a091e3c089' (2026-01-04) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/a0ea537a4fc4c49fb1e226317829c8b32ed95d0e' (2025-12-08) → 'github:NixOS/nixpkgs/4220734816a0091405c33fe4c113be021c8e9c34' (2026-01-05) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/fc2de1563f89f0843eba27f14576d261df0e3b80' (2025-12-08) → 'github:NixOS/nixpkgs/1e46161ce72e20c156dd2225d7517421236c0f22' (2026-01-05) • Updated input 'simple-nixos-mailserver': 'gitlab:simple-nixos-mailserver/nixos-mailserver/a14fe3b293ec2720e5b7fc72ad136d22967e12ba' (2025-11-26) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/23f0a53ca6e58e61e1ea2b86791c69b79c91656d' (2025-12-24) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 1ba87cf..e969f1e 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1765178948, - "narHash": "sha256-Kb3mIrj4xLg2LeMvok0tpiGPis1VnrNJO0l4kW+0xmc=", + "lastModified": 1767563445, + "narHash": "sha256-GIyPDpWOR7a3k3yY9cPz5ymyFGxZmOG4e/FseY6e33A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f376a52d0dc796aec60b5606a2676240ff1565b9", + "rev": "044f759a4f4629f2be41e59b859753a091e3c089", "type": "github" }, "original": { 
@@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1765227377, - "narHash": "sha256-OeTF3YNuXZxN4TxluVEdCG32e5/0pYDb5exWe0RrQBY=", + "lastModified": 1767655107, + "narHash": "sha256-tor/rdUa5baQBwPXnYI+hi7BbISEE7888OUMtNfV2Pk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a0ea537a4fc4c49fb1e226317829c8b32ed95d0e", + "rev": "4220734816a0091405c33fe4c113be021c8e9c34", "type": "github" }, "original": { @@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1765183668, - "narHash": "sha256-TBA7CE44IHYfvOPBWcyLncpVrrKEiXWPdOrF8CD6W84=", + "lastModified": 1767636954, + "narHash": "sha256-YTRtm37AfpZTQj+3LmNpPVAJ9aTmpiPKvHhtF7EFulE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fc2de1563f89f0843eba27f14576d261df0e3b80", + "rev": "1e46161ce72e20c156dd2225d7517421236c0f22", "type": "github" }, "original": { @@ -197,11 +197,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1764185122, - "narHash": "sha256-+HUOwSIFLoyett2cvRjuFIbhobpHallfP9J2cia1apo=", + "lastModified": 1766537863, + "narHash": "sha256-HEt+wbazRgJYeY+lgj65bxhPyVc4x7NEB2bs5NU6DF8=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "a14fe3b293ec2720e5b7fc72ad136d22967e12ba", + "rev": "23f0a53ca6e58e61e1ea2b86791c69b79c91656d", "type": "gitlab" }, "original": { From 770ba36ffcf6aec809acd63903e25fabbd02397e Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 18 Jan 2026 17:19:30 +0100 Subject: [PATCH 03/55] Remove invalid password complexity setting in MAS config Should be a value between 0 and 4. Default is 3. --- config/hosts/matrix/matrix-authentication-service.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix index 53674ad..3e307f7 100644 --- a/config/hosts/matrix/matrix-authentication-service.nix +++ b/config/hosts/matrix/matrix-authentication-service.nix 
@@ -63,8 +63,7 @@ let version = 2; algorithm = "argon2id"; } - ]; - minimum_complexity = 8; + ]; }; }; masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings); From 8fe546c3fe4af3fb6f556eebf3637d980df582fd Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 18 Jan 2026 17:39:39 +0100 Subject: [PATCH 04/55] Enable MAS admin cli --- config/hosts/matrix/matrix-authentication-service.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix index 3e307f7..e13bdd9 100644 --- a/config/hosts/matrix/matrix-authentication-service.nix +++ b/config/hosts/matrix/matrix-authentication-service.nix @@ -33,6 +33,17 @@ let }]; proxy_protocol = false; } + { + name = "admin"; + resources = [{ + name = "adminapi"; + }]; + binds = [{ + host = "localhost"; + port = 8083; + }]; + proxy_protocol = false; + } ]; trusted_proxies = [ "192.168.0.0/16" From 4bfcfe355c47d2719b4820fce5460e50ad96030e Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 18 Jan 2026 17:56:04 +0100 Subject: [PATCH 05/55] Expose matrix admin api on management VPN --- config/hosts/matrix/nginx.nix | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index ce3ab3d..ab35ad3 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix 
@@ -34,6 +34,19 @@ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; ''; }; + "~ ^/_synapse/admin" = { + # Only proxy to the local host on IPv4, because localhost doesn't seem to work + # even if matrix-synapse is listening on ::1 as well. + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + # Restrict access to admin API. + allow 172.21.87.0/24; # management VPN + deny all; + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; + ''; + }; }; extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; @@ -51,8 +64,18 @@ port = 80; } ]; - locations."/" = { - proxyPass = "http://localhost:8080"; + locations = { + "/" = { + proxyPass = "http://localhost:8080"; + }; + "~ ^/api/admin" = { + proxyPass = "http://localhost:8082"; + extraConfig = '' + # Restrict access to admin API. + allow 172.21.87.0/24; # management VPN + deny all; + ''; + }; }; extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; From 98b3e14bd6ba088799f0fe2e68dc9e837d5f1645 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 18 Jan 2026 18:05:04 +0100 Subject: [PATCH 06/55] Host element-admin on web-public-2 --- config/hosts/matrix/nginx.nix | 2 +- config/hosts/web-public-2/nginx.nix | 1 + .../web-public-2/virtualHosts/default.nix | 1 + .../virtualHosts/element-admin.nekover.se.nix | 95 +++++++++++++++++++ 4 files changed, 98 insertions(+), 1 deletion(-) create mode 100644 config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index ab35ad3..f4ddec6 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix 
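Review bot: The `allow 172.21.87.0/24; deny all;` guards on the two new admin locations decide on `$remote_addr`, and this server listens with `listen 0.0.0.0:8443 http2 ssl proxy_protocol;`, so the allowlist is only meaningful if `real_ip_header proxy_protocol;` is set and `set_real_ip_from` names exactly the upstream frontend that speaks PROXY protocol to this host — neither directive is visible in these hunks. Without realip, `$remote_addr` is the frontend's address and the guard fails closed for everyone; with a `set_real_ip_from` broader than the frontend (or any host able to reach :8443 directly), a client can forge a PROXY header claiming a 172.21.87.x source and pass the check. If they are not already in the server's `extraConfig`, add `set_real_ip_from <frontend-address>;` and `real_ip_header proxy_protocol;` there and keep the trusted range as narrow as possible. Both virtualHost definitions continue outside the hunks.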
@@ -69,7 +69,7 @@ proxyPass = "http://localhost:8080"; }; "~ ^/api/admin" = { - proxyPass = "http://localhost:8082"; + proxyPass = "http://localhost:8083"; extraConfig = '' # Restrict access to admin API. allow 172.21.87.0/24; # management VPN diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 608d6a7..066f3d2 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -19,6 +19,7 @@ anisync.grzb.de 127.0.0.1:8443; cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; + element-admin.nekover.se 127.0.0.1:8443; fi.nekover.se 10.202.41.125:8443; gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; diff --git a/config/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix index 53294f7..445a087 100644 --- a/config/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix @@ -4,6 +4,7 @@ ./acme-challenge.nix ./anisync.grzb.de.nix ./element.nekover.se.nix + ./element-admin.nekover.se.nix ./gameserver.grzb.de.nix ./git.grzb.de.nix ./mewtube.nekover.se.nix diff --git a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix new file mode 100644 index 0000000..69c3a9a --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix 
@@ -0,0 +1,95 @@ +{ config, pkgs, ... }: + +let + elementAdminVersion = "0.1.10"; + elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: { + pname = "element-admin"; + version = elementAdminVersion; + + src = pkgs.fetchzip { + url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip"; + sha256 = "sha256-dh7tmzAaTfKB9FuOVhLHpOIsTZK1qMvNq16HeObHOqI="; + }; + + nativeBuildInputs = [ + pkgs.nodejs + pkgs.pnpm.configHook + ]; + + pnpmDeps = pkgs.pnpm.fetchDeps { + inherit (finalAttrs) pname version src; + fetcherVersion = 2; + hash = "sha256-S/MdfUv6q+PaAKWYHxVY80BcpL81dOfpPVhNxEPQVE4="; + }; + + buildPhase = '' + pnpm build + ''; + + installPhase = '' + cp -a dist $out + ''; + }); +in +{ + services.nginx.virtualHosts."element-admin.nekover.se" = { + forceSSL = true; + enableACME = true; + + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + + root = elementAdmin; + + locations."/assets" = { + extraConfig = '' + expires 1y; + add_header Cache-Control "public, max-age=31536000, immutable"; + # Security headers. + add_header X-Frame-Options "DENY" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; + add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; + ''; + }; + + locations."/" = { + index = "/index.html"; + tryFiles = "$uri $uri/ /"; + extraConfig = '' + # Security headers. 
+ add_header X-Frame-Options "DENY" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; + add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; + ''; + }; + + extraConfig = '' + # Security headers. + add_header X-Frame-Options "DENY" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; + add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; + + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 127.0.0.1; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; +} From 6daef62b6047f10e304b9229034ea052428810b9 Mon Sep 17 00:00:00 2001 
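Review bot: The Content-Security-Policy repeated in all three `add_header` sets permits `connect-src *`, so any script that does get into this admin console (and `script-src 'self' 'unsafe-inline'` leaves inline injection uncovered) can ship admin tokens to an arbitrary origin; the console only needs to reach the homeserver and MAS, so restrict it to those, e.g. `connect-src 'self' https://<homeserver-origin> https://<mas-origin>;` — the exact hostnames are not in this hunk. `X-XSS-Protection "1; mode=block"` is the deprecated value; current guidance is `add_header X-XSS-Protection "0" always;` because the legacy auditor itself enabled information leaks. Separately, this vhost is reachable through the public frontend while the admin APIs it drives are limited to 172.21.87.0/24; since `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;` are already configured here, adding `allow 172.21.87.0/24; deny all;` to this server's `extraConfig` would keep the admin console itself off the public internet.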
From: fi Date: Wed, 11 Feb 2026 17:16:34 +0100 Subject: [PATCH 07/55] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/032a1878682fafe829edfcf5fdfad635a2efe748' (2025-11-27) → 'github:nix-community/nixos-generators/8946737ff703382fda7623b9fab071d037e897d5' (2026-01-30) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/044f759a4f4629f2be41e59b859753a091e3c089' (2026-01-04) → 'github:NixOS/nixpkgs/08ebc444a070153227d6f45acf979f4d5f1f97f9' (2026-02-11) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/4220734816a0091405c33fe4c113be021c8e9c34' (2026-01-05) → 'github:NixOS/nixpkgs/8605a9be3795437e3717dab6c542d2d571369e70' (2026-02-11) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/1e46161ce72e20c156dd2225d7517421236c0f22' (2026-01-05) → 'github:NixOS/nixpkgs/d9ca3a4b73f19ea147c9d977d3dde8f612ac648f' (2026-02-11) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index e969f1e..06a3d59 100644 --- a/flake.lock +++ b/flake.lock @@ -103,11 +103,11 @@ ] }, "locked": { - "lastModified": 1764234087, - "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", + "lastModified": 1769813415, + "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", + "rev": "8946737ff703382fda7623b9fab071d037e897d5", "type": "github" }, "original": { 
@@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1767563445, - "narHash": "sha256-GIyPDpWOR7a3k3yY9cPz5ymyFGxZmOG4e/FseY6e33A=", + "lastModified": 1770802195, + "narHash": "sha256-vabHY4acHLmaB7Ak9FKzk2wSEKhAS/yXL7SBySB/S5U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "044f759a4f4629f2be41e59b859753a091e3c089", + "rev": "08ebc444a070153227d6f45acf979f4d5f1f97f9", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1767655107, - "narHash": "sha256-tor/rdUa5baQBwPXnYI+hi7BbISEE7888OUMtNfV2Pk=", + "lastModified": 1770824979, + "narHash": "sha256-OedDmV9we3oOdiz9xjLiQCajwRa8WWcE/rOF3y/VlVc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4220734816a0091405c33fe4c113be021c8e9c34", + "rev": "8605a9be3795437e3717dab6c542d2d571369e70", "type": "github" }, "original": { @@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1767636954, - "narHash": "sha256-YTRtm37AfpZTQj+3LmNpPVAJ9aTmpiPKvHhtF7EFulE=", + "lastModified": 1770818322, + "narHash": "sha256-tttCN+yrhM7svQW6DqtS3JV9POrRJAaS/e0xuUHBTEM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1e46161ce72e20c156dd2225d7517421236c0f22", + "rev": "d9ca3a4b73f19ea147c9d977d3dde8f612ac648f", "type": "github" }, "original": { From 459ac4c3143de7127634c7b91c4eeb363978c37e Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 11 Feb 2026 17:18:55 +0100 Subject: [PATCH 08/55] Update mastodon to 4.5.6 and remove fedi fetcher --- .../containers/fedifetcher/default.nix | 23 ---------- .../containers/fedifetcher/fedifetcher.nix | 42 ------------------- config/hosts/mastodon/default.nix | 1 - config/hosts/mastodon/mastodon.nix | 8 ++-- config/hosts/mastodon/secrets.nix | 8 ---- 5 files changed, 4 insertions(+), 78 deletions(-) delete mode 100644 config/hosts/mastodon/containers/fedifetcher/default.nix delete mode 100644 config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix 
diff --git a/config/hosts/mastodon/containers/fedifetcher/default.nix b/config/hosts/mastodon/containers/fedifetcher/default.nix deleted file mode 100644 index 3f2617e..0000000 --- a/config/hosts/mastodon/containers/fedifetcher/default.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ nixpkgs-unstable, ... }: -{ - containers.fedifetcher = { - nixpkgs = nixpkgs-unstable; - autoStart = true; - - bindMounts = { - "/secrets" = { - hostPath = "/secrets-fedifetcher"; - isReadOnly = true; - }; - }; - - config = { ... }: { - imports = [ - ./fedifetcher.nix - ]; - - networking.useHostResolvConf = true; - system.stateVersion = "24.05"; - }; - }; -} diff --git a/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix deleted file mode 100644 index 7194c25..0000000 --- a/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix +++ /dev/null 
@@ -1,42 +0,0 @@ -{ pkgs, lib, ... }: -{ - # config copied from https://github.com/arachnist/nibylandia/blob/main/nixos/zorigami/default.nix - systemd.services.fedifetcher = { - path = [ pkgs.fedifetcher ]; - description = "fetch fedi posts"; - script = '' - fedifetcher - ''; - environment = lib.mapAttrs' (n: v: - (lib.nameValuePair ("ff_" + builtins.replaceStrings [ "-" ] [ "_" ] n) - (builtins.toString v))) { - server = "social.nekover.se"; - state-dir = "/var/lib/fedifetcher"; - lock-file = "/run/fedifetcher/fedifetcher.lock"; - from-lists = 1; - from-notifications = 1; - max-bookmarks = 80; - max-favourites = 40; - max-follow-requests = 80; - max-followers = 80; - max-followings = 80; - remember-hosts-for-days = 30; - remember-users-for-hours = 168; - reply-interval-in-hours = 2; - }; - serviceConfig = { - DynamicUser = true; - User = "fedifetcher"; - RuntimeDirectory = "fedifetcher"; - RuntimeDirectoryPreserve = true; - StateDirectory = "fedifetcher"; - UMask = "0077"; - EnvironmentFile = [ "/secrets/mastodon-fedifetcher-access-token.secret" ]; - }; - }; - - systemd.timers.fedifetcher = { - wantedBy = [ "multi-user.target" ]; - timerConfig = { OnCalendar = "*:0/5"; }; - }; -} diff --git a/config/hosts/mastodon/default.nix b/config/hosts/mastodon/default.nix index dc52ff4..5651eb8 100644 --- a/config/hosts/mastodon/default.nix +++ b/config/hosts/mastodon/default.nix @@ -5,6 +5,5 @@ ./mastodon.nix ./opensearch.nix ./nginx.nix - ./containers/fedifetcher ]; } diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index aa4fea4..06d516d 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -2,8 +2,8 @@ let tangerineUI = pkgs.fetchgit { url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; - rev = "v2.5.2"; - hash = "sha256-RJPP3QynE42cr9Km8twyZrHiZnhMdNcYOOJ7nW0mx1c="; + rev = "v2.5.3"; + hash = "sha256-fs/pwIwXZvSNVmlSG304CMT/hSW/RtrzraMsrhg/TbE="; }; mastodonModern = pkgs.fetchgit { url = "https://git.gay/freeplay/Mastodon-Modern.git"; @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.5.2"; + version = "4.5.6"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-LePly+CcM+Dv6ipX9jIWWKhy2PiF1j8vgc9CXn2o+DQ="; + sha256 = "sha256-m2LDNyv2jxsp5zPKOfQWvtBG8bD8iuBWBEoz+L0OvNk="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index 986a64b..88413c7 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix @@ -57,13 +57,5 @@ permissions = "0640"; uploadAt = "pre-activation"; }; - "mastodon-fedifetcher-access-token.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mastodon/fedifetcher-access-token" ]; - destDir = "/secrets-fedifetcher"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; }; } From 9862a9d21be5e7539a3ac5d50aac19a8f60b74d3 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 11 Feb 2026 18:01:46 +0100 Subject: [PATCH 09/55] Update element-web to 1.12.10 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 7576beb..74b7820 100644 
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.12.2"; + elementWebVersion = "1.12.10"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-EZtySIQHgb+Boq97LhzFYKTEO///6YMH3O2DrAy+7Fs="; + sha256 = "sha256-YpxfV4BCXh2fffQvVsZGOfK82TpGzg6uOx7iUPqiXVE="; }; elementWebSecurityHeaders = '' # Configuration best practices From 17ddc2f9c9ae8a22dea2b43ec51c60d93d29c9b6 Mon Sep 17 00:00:00 2001 
From: fi Date: Mon, 30 Mar 2026 22:25:39 +0200 Subject: [PATCH 10/55] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/08ebc444a070153227d6f45acf979f4d5f1f97f9' (2026-02-11) → 'github:NixOS/nixpkgs/56ed9a39b84feaee9624111dc86869d19f4c22f3' (2026-03-30) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/8605a9be3795437e3717dab6c542d2d571369e70' (2026-02-11) → 'github:NixOS/nixpkgs/98ce05a593c5d9655ddbd09fd81f7679381b5392' (2026-03-30) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/d9ca3a4b73f19ea147c9d977d3dde8f612ac648f' (2026-02-11) → 'github:NixOS/nixpkgs/318977b8e175faba256cb35e0ca6810c7d87edf2' (2026-03-30) • Updated input 'simple-nixos-mailserver': 'gitlab:simple-nixos-mailserver/nixos-mailserver/23f0a53ca6e58e61e1ea2b86791c69b79c91656d' (2025-12-24) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/25e6dbb8fca3b6e779c5a46fd03bd760b2165bb5' (2026-03-19) • Updated input 'simple-nixos-mailserver/flake-compat': 'github:edolstra/flake-compat/f387cd2afec9419c8ee37694406ca490c3f34ee5' (2025-10-27) → 'github:edolstra/flake-compat/5edf11c44bc78a0d334f6334cdaf7d60d732daab' (2025-12-29) • Updated input 'simple-nixos-mailserver/git-hooks': 'github:cachix/git-hooks.nix/7275fa67fbbb75891c16d9dee7d88e58aea2d761' (2025-11-16) → 'github:cachix/git-hooks.nix/8baab586afc9c9b57645a734c820e4ac0a604af9' (2026-03-07) • Updated input 'simple-nixos-mailserver/nixpkgs': 'github:NixOS/nixpkgs/a320ce8e6e2cc6b4397eef214d202a50a4583829' (2025-11-24) → 'github:NixOS/nixpkgs/826430a188181a750ffa5948daff334039c5d741' (2026-03-18) --- flake.lock | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index 06a3d59..5799be2 100644 --- a/flake.lock +++ b/flake.lock 
@@ -19,11 +19,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1761588595, - "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", "owner": "edolstra", "repo": "flake-compat", - "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", "type": "github" }, "original": { @@ -45,11 +45,11 @@ ] }, "locked": { - "lastModified": 1763319842, - "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=", + "lastModified": 1772893680, + "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761", + "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9", "type": "github" }, "original": { @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1770802195, - "narHash": "sha256-vabHY4acHLmaB7Ak9FKzk2wSEKhAS/yXL7SBySB/S5U=", + "lastModified": 1774874205, + "narHash": "sha256-VE0in9sSq+lG7CnUuTmTDN40x9yro31jbbKf278KfEI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "08ebc444a070153227d6f45acf979f4d5f1f97f9", + "rev": "56ed9a39b84feaee9624111dc86869d19f4c22f3", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1770824979, - "narHash": "sha256-OedDmV9we3oOdiz9xjLiQCajwRa8WWcE/rOF3y/VlVc=", + "lastModified": 1774901935, + "narHash": "sha256-fOCFYA0KrRAFyktwwkDXCSwaBRKu3iGS1ohC0oW7Ge0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8605a9be3795437e3717dab6c542d2d571369e70", + "rev": "98ce05a593c5d9655ddbd09fd81f7679381b5392", "type": "github" }, "original": { 
@@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1770818322, - "narHash": "sha256-tttCN+yrhM7svQW6DqtS3JV9POrRJAaS/e0xuUHBTEM=", + "lastModified": 1774890975, + "narHash": "sha256-pj6ACZ2cgiTPTlJ/QgXmJxREsP41m8bHZ41aNr3nK1g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d9ca3a4b73f19ea147c9d977d3dde8f612ac648f", + "rev": "318977b8e175faba256cb35e0ca6810c7d87edf2", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1764020296, - "narHash": "sha256-6zddwDs2n+n01l+1TG6PlyokDdXzu/oBmEejcH5L5+A=", + "lastModified": 1773831496, + "narHash": "sha256-JW2/QPyCVzmouqEp1H9kNa8JXd7xEhlam9sy3TYfhDY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a320ce8e6e2cc6b4397eef214d202a50a4583829", + "rev": "826430a188181a750ffa5948daff334039c5d741", "type": "github" }, "original": { @@ -197,11 +197,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1766537863, - "narHash": "sha256-HEt+wbazRgJYeY+lgj65bxhPyVc4x7NEB2bs5NU6DF8=", + "lastModified": 1773912645, + "narHash": "sha256-QHzRqq6gh+t3F/QU9DkP7X63dDDcuIQmaDz12p7ANTg=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "23f0a53ca6e58e61e1ea2b86791c69b79c91656d", + "rev": "25e6dbb8fca3b6e779c5a46fd03bd760b2165bb5", "type": "gitlab" }, "original": { From 39be09bb6b3b2142f770ba394f79057afe886b13 Mon Sep 17 00:00:00 2001 
From: fi Date: Fri, 3 Apr 2026 22:51:49 +0200 Subject: [PATCH 11/55] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/56ed9a39b84feaee9624111dc86869d19f4c22f3' (2026-03-30) → 'github:NixOS/nixpkgs/0aecba5a03727e1ac2d66378907d9a6e9c8266d0' (2026-04-03) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/98ce05a593c5d9655ddbd09fd81f7679381b5392' (2026-03-30) → 'github:NixOS/nixpkgs/942d1c86a6642bff0c4a440d30a7669a7a18a903' (2026-04-03) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/318977b8e175faba256cb35e0ca6810c7d87edf2' (2026-03-30) → 'github:NixOS/nixpkgs/0eac666efaa8a9afea2821f9efc7921b4ef39b4e' (2026-04-03) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 5799be2..895cec4 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1774874205, - "narHash": "sha256-VE0in9sSq+lG7CnUuTmTDN40x9yro31jbbKf278KfEI=", + "lastModified": 1775189162, + "narHash": "sha256-fjEpcsJ0KDZ363xd+3OhOGq3AC1juI23Xas548ZPZEk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "56ed9a39b84feaee9624111dc86869d19f4c22f3", + "rev": "0aecba5a03727e1ac2d66378907d9a6e9c8266d0", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1774901935, - "narHash": "sha256-fOCFYA0KrRAFyktwwkDXCSwaBRKu3iGS1ohC0oW7Ge0=", + "lastModified": 1775248990, + "narHash": "sha256-H/G80K7f3ZrPP8PAmSCG/pJh59zMscPA6UaiWdKgTdg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "98ce05a593c5d9655ddbd09fd81f7679381b5392", + "rev": "942d1c86a6642bff0c4a440d30a7669a7a18a903", "type": "github" }, "original": { 
@@ -150,11 +150,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1774890975,
- "narHash": "sha256-pj6ACZ2cgiTPTlJ/QgXmJxREsP41m8bHZ41aNr3nK1g=",
+ "lastModified": 1775231746,
+ "narHash": "sha256-EFaDQ0rnuSjKfC/DUKHS4toV4rEBuWhSgyX2Yy0kp00=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "318977b8e175faba256cb35e0ca6810c7d87edf2",
+ "rev": "0eac666efaa8a9afea2821f9efc7921b4ef39b4e",
 "type": "github"
 },
 "original": {
From 5e2c28fd13670aeb9d8f51db9aaa2a5d3ee3066a Mon Sep 17 00:00:00 2001
From: fi
Date: Fri, 3 Apr 2026 22:55:02 +0200
Subject: [PATCH 12/55] Update mastodon to 4.5.8
---
 config/hosts/mastodon/mastodon.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index 06d516d..dcb2498 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -16,14 +16,14 @@ let
 };
 mastodonNekoverseOverlay = final: prev: {
 mastodon = (prev.mastodon.override rec {
- version = "4.5.6";
+ version = "4.5.8";
 srcOverride = final.applyPatches {
 src = pkgs.stdenv.mkDerivation {
 name = "mastodonWithThemes";
 src = pkgs.fetchgit {
 url = "https://github.com/mastodon/mastodon.git";
 rev = "v${version}";
- sha256 = "sha256-m2LDNyv2jxsp5zPKOfQWvtBG8bD8iuBWBEoz+L0OvNk=";
+ sha256 = "sha256-03PdAB9KOvMgQJPx+7ik13QE18fjdLIab7zEXaPc4nk=";
 };
 # mastodon ships with broken symlinks, disable the check for that for now
 dontCheckForBrokenSymlinks = true;
From 051571d200c9baf235d61ca51704a3cbd4f32a38 Mon Sep 17 00:00:00 2001
From: fi
Date: Sat, 4 Apr 2026 00:02:07 +0200
Subject: [PATCH 13/55] Add default grafana secret key for metrics-nekomesh
---
 config/hosts/metrics-nekomesh/grafana.nix | 1 +
 config/hosts/metrics-nekomesh/secrets.nix | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix
index 7697748..8c4255d 100644
--- a/config/hosts/metrics-nekomesh/grafana.nix
+++ b/config/hosts/metrics-nekomesh/grafana.nix
@@ -13,6 +13,7 @@
 admin_user = "admin";
 admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}";
 admin_email = "fi@nekover.se";
+ secret_key = "$__file{/secrets/metrics-nekomesh-grafana-secret-key.secret}";
 };
 smtp = {
 enabled = true;
diff --git a/config/hosts/metrics-nekomesh/secrets.nix b/config/hosts/metrics-nekomesh/secrets.nix
index ef6bcec..8014354 100644
--- a/config/hosts/metrics-nekomesh/secrets.nix
+++ b/config/hosts/metrics-nekomesh/secrets.nix
@@ -17,6 +17,14 @@
 permissions = "0640";
 uploadAt = "pre-activation";
 };
+ "metrics-nekomesh-grafana-secret-key.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/secret-key" ];
+ destDir = "/secrets";
+ user = "grafana";
+ group = "grafana";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
 "mail-nekomesh-nekover-se.secret" = {
 keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
 destDir = "/secrets";
From d793308ebef77258c7a0f7cc2718a28971d0e9b3 Mon Sep 17 00:00:00 2001
From: fi
Date: Sat, 4 Apr 2026 00:38:54 +0200
Subject: [PATCH 14/55] Add stardew ssh key
---
 config/users/colmena-deploy/default.nix | 1 +
 config/users/fi/default.nix | 1 +
 config/users/yuri/default.nix | 1 +
 3 files changed, 3 insertions(+)
diff --git a/config/users/colmena-deploy/default.nix b/config/users/colmena-deploy/default.nix
index cc4029b..2ebb9a8 100644
--- a/config/users/colmena-deploy/default.nix
+++ b/config/users/colmena-deploy/default.nix
@@ -8,6 +8,7 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew"
 ];
 };
 }
diff --git a/config/users/fi/default.nix b/config/users/fi/default.nix
index 6aed7cf..54881d6 100644
--- a/config/users/fi/default.nix
+++ b/config/users/fi/default.nix
@@ -8,6 +8,7 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE95OjEez/yE+GIaeIoz3OwkXboLboPY4ss9nkt4FLyW fi@kiara"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew"
 ];
 };
 }
diff --git a/config/users/yuri/default.nix b/config/users/yuri/default.nix
index 4b2b8ac..f4ca1c7 100644
--- a/config/users/yuri/default.nix
+++ b/config/users/yuri/default.nix
@@ -7,6 +7,7 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew"
 ];
 };
 }
From 654a8459ebbbbc49eccdc5b4ea4c7ff4b382e16d Mon Sep 17 00:00:00 2001
From: fi
Date: Sun, 5 Apr 2026 18:31:16 +0200
Subject: [PATCH 15/55] Route IPv6 traffic via valkyrie
---
 config/hosts/forgejo/nginx.nix | 3 ++-
 config/hosts/hydra/nginx.nix | 6 +++--
 config/hosts/ikiwiki/nginx.nix | 3 ++-
 config/hosts/keycloak/nginx.nix | 3 ++-
 config/hosts/mastodon/nginx.nix | 3 ++-
 config/hosts/matrix/nginx.nix | 9 ++++---
 config/hosts/metrics-nekomesh/nginx.nix | 3 ++-
 config/hosts/nextcloud/nextcloud.nix | 3 ++-
 config/hosts/searx/nginx.nix | 3 ++-
 config/hosts/valkyrie/nginx.nix | 26 +++++++++++++++++++
 config/hosts/web-public-2/nginx.nix | 1 -
 .../virtualHosts/element-admin.nekover.se.nix | 5 ++--
 .../virtualHosts/element.nekover.se.nix | 5 ++--
 .../web-public-2/virtualHosts/nekover.se.nix | 3 ++-
 14 files changed, 58 insertions(+), 18 deletions(-)
diff --git a/config/hosts/forgejo/nginx.nix b/config/hosts/forgejo/nginx.nix
index 6df90b1..3602209 100644
--- a/config/hosts/forgejo/nginx.nix
+++ b/config/hosts/forgejo/nginx.nix
@@ -29,7 +29,8 @@
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix
index 5a15fe1..9aadd25 100644
--- a/config/hosts/hydra/nginx.nix
+++ b/config/hosts/hydra/nginx.nix
@@ -16,7 +16,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
@@ -33,7 +34,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix
index 4bbcf0a..9f6462e 100644
--- a/config/hosts/ikiwiki/nginx.nix
+++ b/config/hosts/ikiwiki/nginx.nix
@@ -39,7 +39,8 @@ in
 };
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix
index c82597d..e9b46cd 100644
--- a/config/hosts/keycloak/nginx.nix
+++ b/config/hosts/keycloak/nginx.nix
@@ -27,7 +27,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix
index 72aec08..02a0d0a 100644
--- a/config/hosts/mastodon/nginx.nix
+++ b/config/hosts/mastodon/nginx.nix
@@ -57,7 +57,8 @@
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index f4ddec6..c9548b2 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@@ -51,7 +51,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
@@ -80,7 +81,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
@@ -103,7 +105,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix
index e2fc483..a754cb6 100644
--- a/config/hosts/metrics-nekomesh/nginx.nix
+++ b/config/hosts/metrics-nekomesh/nginx.nix
@@ -23,7 +23,8 @@
 proxyWebsockets = true;
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix
index 88b842a..f27c9a6 100644
--- a/config/hosts/nextcloud/nextcloud.nix
+++ b/config/hosts/nextcloud/nextcloud.nix
@@ -44,7 +44,8 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/searx/nginx.nix b/config/hosts/searx/nginx.nix
index a84c171..9283018 100644
--- a/config/hosts/searx/nginx.nix
+++ b/config/hosts/searx/nginx.nix
@@ -21,7 +21,8 @@
 proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}";
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix
index fae78f0..dae48ad 100644
--- a/config/hosts/valkyrie/nginx.nix
+++ b/config/hosts/valkyrie/nginx.nix
@@ -33,5 +33,31 @@
 };
 };
 };
+
+ streamConfig = ''
+ map $ssl_preread_server_name $address {
+ cloud.nekover.se 10.202.41.122:8443;
+ element.nekover.se 10.202.41.100:8443;
+ element-admin.nekover.se 10.202.41.100:8443;
+ fi.nekover.se 10.202.41.125:8443;
+ git.nekover.se 10.202.41.106:8443;
+ hydra.nekover.se 10.202.41.121:8443;
+ id.nekover.se 10.202.41.124:8443;
+ mas.nekover.se 10.202.41.112:8443;
+ matrix.nekover.se 10.202.41.112:8443;
+ matrix-rtc.nekover.se 10.202.41.112:8443;
+ mesh.nekover.se 10.202.41.126:8443;
+ nekover.se 10.202.41.100:8443;
+ nix-cache.nekover.se 10.202.41.121:8443;
+ searx.nekover.se 10.202.41.105:8443;
+ social.nekover.se 10.202.41.104:8443;
+ }
+ server {
+ listen [::]:443;
+ proxy_pass $address;
+ ssl_preread on;
+ proxy_protocol on;
+ }
+ '';
 };
 }
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 066f3d2..45e48f8 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -38,7 +38,6 @@
 }
 server {
 listen 0.0.0.0:443;
- listen [::]:443;
 proxy_pass $address;
 ssl_preread on;
 proxy_protocol on;
diff --git a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
index 69c3a9a..d6af438 100644
--- a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
@@ -37,7 +37,7 @@ in
 enableACME = true;
 listen = [{
- addr = "localhost";
+ addr = "0.0.0.0";
 port = 8443;
 ssl = true;
 extraParameters = ["proxy_protocol"];
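Review bot: The `map $ssl_preread_server_name $address` in the new `streamConfig` has no `default` entry, so a connection whose SNI matches none of the listed names, or that carries no SNI at all, leaves `$address` empty and `proxy_pass $address` fails with a runtime error rather than by a stated policy; an explicit `default <SINK-ADDRESS>; # no matching SNI: refuse` line (value chosen by the operator) makes that decision visible in the config. The same name-to-backend table now exists by hand on web-public-2 as well, and the two copies already differ (the unchanged map lines in PATCH 16's web-public-2/nginx.nix hunk still send element.nekover.se and nekover.se to 127.0.0.1:8443 while this copy uses 10.202.41.100:8443), so deriving both `map` blocks from one shared Nix attrset would stop them drifting. Which networks can reach `[::]:443` on valkyrie is not visible in this hunk.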
@@ -86,7 +86,8 @@ in
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 127.0.0.1;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index 74b7820..6e61d6c 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@@ -28,7 +28,7 @@ in
 ];
 };
 listen = [{
- addr = "localhost";
+ addr = "0.0.0.0";
 port = 8443;
 ssl = true;
 extraParameters = ["proxy_protocol"];
@@ -60,7 +60,8 @@ in
 # redirect server error pages to the static page /50x.html
 error_page 500 502 503 504 /50x.html;
- set_real_ip_from 127.0.0.1;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index 40ee30d..233a49c 100644
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@@ -23,7 +23,8 @@
 '';
 };
 extraConfig = ''
- set_real_ip_from 127.0.0.1;
+ set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
+ set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
 '';
 };
From 44215ecfc92054f69f230348071b01639eb050b8 Mon Sep 17 00:00:00 2001
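Review bot: Dropping `set_real_ip_from 127.0.0.1;` from element-admin.nekover.se (and likewise in the element.nekover.se `@@ -60` and nekover.se `@@ -23` hunks below) breaks client-address recovery on the IPv4 path: web-public-2's own stream proxy still connects to these vhosts over loopback (its map, unchanged in PATCH 16's web-public-2/nginx.nix hunk, routes element.nekover.se and nekover.se to 127.0.0.1:8443), and the realip module only honours the PROXY-protocol header when the connection comes from a listed source, so `$remote_addr` for those requests stays 127.0.0.1 while the IPv6 path via 10.203.10.3 works. Either keep `set_real_ip_from 127.0.0.1;` next to the two new lines or repoint web-public-2's map at 10.202.41.100:8443 so the connection source matches the new trust list. With the listener moved to 0.0.0.0:8443 in the `addr` hunks above, this trust list is also what stops any other host able to reach 8443 from supplying a client address of its choosing, so it should name only the two proxies; whether the firewall limits 8443 to them is not visible here.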
From: fi Date: Sun, 5 Apr 2026 23:59:35 +0200 Subject: [PATCH 16/55] Remove obsolete configuration --- config/hosts/navidrome/configuration.nix | 33 ------------------- config/hosts/navidrome/default.nix | 7 ---- config/hosts/navidrome/navidrome.nix | 9 ----- config/hosts/navidrome/nginx.nix | 24 -------------- config/hosts/navidrome/secrets.nix | 13 -------- config/hosts/netbox/configuration.nix | 17 ---------- config/hosts/netbox/default.nix | 8 ----- config/hosts/netbox/netbox.nix | 8 ----- config/hosts/netbox/nginx.nix | 29 ---------------- config/hosts/netbox/secrets.nix | 11 ------- config/hosts/nitter/configuration.nix | 17 ---------- config/hosts/nitter/default.nix | 8 ----- config/hosts/nitter/nginx.nix | 23 ------------- config/hosts/nitter/nitter.nix | 21 ------------ config/hosts/paperless/configuration.nix | 17 ---------- config/hosts/paperless/default.nix | 9 ----- .../paperless/hardware-configuration.nix | 30 ----------------- config/hosts/paperless/nginx.nix | 31 ----------------- config/hosts/paperless/paperless.nix | 8 ----- config/hosts/paperless/secrets.nix | 21 ------------ config/hosts/web-public-1/configuration.nix | 17 ---------- config/hosts/web-public-1/default.nix | 7 ---- config/hosts/web-public-1/nginx.nix | 10 ------ .../virtualHosts/acme-challenge.nix | 18 ---------- .../web-public-1/virtualHosts/default.nix | 16 --------- config/hosts/web-public-2/nginx.nix | 4 --- .../virtualHosts/anisync.grzb.de.nix | 23 ------------- .../web-public-2/virtualHosts/default.nix | 4 --- .../virtualHosts/gameserver.grzb.de.nix | 28 ---------------- .../web-public-2/virtualHosts/git.grzb.de.nix | 30 ----------------- .../virtualHosts/mewtube.nekover.se.nix | 20 ----------- 31 files changed, 521 deletions(-) delete mode 100644 config/hosts/navidrome/configuration.nix delete mode 100644 config/hosts/navidrome/default.nix delete mode 100644 config/hosts/navidrome/navidrome.nix delete mode 100644 config/hosts/navidrome/nginx.nix delete mode 100644 
config/hosts/navidrome/secrets.nix delete mode 100644 config/hosts/netbox/configuration.nix delete mode 100644 config/hosts/netbox/default.nix delete mode 100644 config/hosts/netbox/netbox.nix delete mode 100644 config/hosts/netbox/nginx.nix delete mode 100644 config/hosts/netbox/secrets.nix delete mode 100644 config/hosts/nitter/configuration.nix delete mode 100644 config/hosts/nitter/default.nix delete mode 100644 config/hosts/nitter/nginx.nix delete mode 100644 config/hosts/nitter/nitter.nix delete mode 100644 config/hosts/paperless/configuration.nix delete mode 100644 config/hosts/paperless/default.nix delete mode 100644 config/hosts/paperless/hardware-configuration.nix delete mode 100644 config/hosts/paperless/nginx.nix delete mode 100644 config/hosts/paperless/paperless.nix delete mode 100644 config/hosts/paperless/secrets.nix delete mode 100644 config/hosts/web-public-1/configuration.nix delete mode 100644 config/hosts/web-public-1/default.nix delete mode 100644 config/hosts/web-public-1/nginx.nix delete mode 100644 config/hosts/web-public-1/virtualHosts/acme-challenge.nix delete mode 100644 config/hosts/web-public-1/virtualHosts/default.nix delete mode 100644 config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix delete mode 100644 config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix delete mode 100644 config/hosts/web-public-2/virtualHosts/git.grzb.de.nix delete mode 100644 config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix diff --git a/config/hosts/navidrome/configuration.nix b/config/hosts/navidrome/configuration.nix deleted file mode 100644 index 581a631..0000000 --- a/config/hosts/navidrome/configuration.nix +++ /dev/null 
@@ -1,33 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "navidrome"; - firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; - }; - - fileSystems = { - "/mnt/music" = { - device = "//10.202.40.5/music-ro"; - fsType = "cifs"; - options = [ - "username=navidrome" - "credentials=/secrets/navidrome-samba-credentials.secret" - "iocharset=utf8" - "vers=3.1.1" - "uid=navidrome" - "gid=navidrome" - "_netdev" - ]; - }; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/navidrome/default.nix b/config/hosts/navidrome/default.nix deleted file mode 100644 index 00d4a90..0000000 --- a/config/hosts/navidrome/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: { - imports = [ - ./configuration.nix - ./navidrome.nix - ./nginx.nix - ]; -} diff --git a/config/hosts/navidrome/navidrome.nix b/config/hosts/navidrome/navidrome.nix deleted file mode 100644 index 74e3a1d..0000000 --- a/config/hosts/navidrome/navidrome.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: { - services.navidrome = { - enable = true; - settings = { - Address = "unix:/run/navidrome/navidrome.socket"; - MusicFolder = "/mnt/music"; - }; - }; -} diff --git a/config/hosts/navidrome/nginx.nix b/config/hosts/navidrome/nginx.nix deleted file mode 100644 index eef60dd..0000000 --- a/config/hosts/navidrome/nginx.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ ... }: { - services.nginx = { - enable = true; - user = "navidrome"; - virtualHosts."navidrome.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - ]; - locations."/" = { - proxyPass = "http://unix:/run/navidrome/navidrome.socket"; - }; - }; - }; -} diff --git a/config/hosts/navidrome/secrets.nix b/config/hosts/navidrome/secrets.nix deleted file mode 100644 index a11e957..0000000 --- a/config/hosts/navidrome/secrets.nix +++ /dev/null 
@@ -1,13 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "navidrome-samba-credentials.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix deleted file mode 100644 index 5bf8422..0000000 --- a/config/hosts/netbox/configuration.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "netbox"; - firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix deleted file mode 100644 index 5dd147b..0000000 --- a/config/hosts/netbox/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./netbox.nix - ./nginx.nix - ]; -} diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix deleted file mode 100644 index b9ba2ad..0000000 --- a/config/hosts/netbox/netbox.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ pkgs, ... }: -{ - services.netbox = { - enable = true; - package = pkgs.netbox; - secretKeyFile = "/secrets/netbox-secret-key.secret"; - }; -} diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix deleted file mode 100644 index a2d1782..0000000 --- a/config/hosts/netbox/nginx.nix +++ /dev/null 
@@ -1,29 +0,0 @@ -{ config, ... }: -{ - services.nginx = { - enable = true; - clientMaxBodySize = "25m"; - user = "netbox"; - virtualHosts."netbox.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - ]; - locations."/static/" = { - alias = "${config.services.netbox.dataDir}/static/"; - }; - locations."/" = { - proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; - }; - }; - }; -} diff --git a/config/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix deleted file mode 100644 index 216aca4..0000000 --- a/config/hosts/netbox/secrets.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys."netbox-secret-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ]; - destDir = "/secrets"; - user = "netbox"; - group = "netbox"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; -} diff --git a/config/hosts/nitter/configuration.nix b/config/hosts/nitter/configuration.nix deleted file mode 100644 index bc54db7..0000000 --- a/config/hosts/nitter/configuration.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "nitter"; - firewall = { - enable = true; - allowedTCPPorts = [ 8443 ]; - }; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/nitter/default.nix b/config/hosts/nitter/default.nix deleted file mode 100644 index 6aae884..0000000 --- a/config/hosts/nitter/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./nginx.nix - ./nitter.nix - ]; -} diff --git a/config/hosts/nitter/nginx.nix b/config/hosts/nitter/nginx.nix deleted file mode 100644 index 862405c..0000000 --- a/config/hosts/nitter/nginx.nix +++ /dev/null 
@@ -1,23 +0,0 @@ -{ config, ... }: -{ - services.nginx = { - enable = true; - virtualHosts."birdsite.nekover.se" = { - forceSSL = true; - enableACME = true; - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: /\\n\""; - }; - locations."/" = { - proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}"; - proxyWebsockets = true; - }; - extraConfig = '' - listen 0.0.0.0:8443 http2 ssl proxy_protocol; - - set_real_ip_from 10.202.41.100; - real_ip_header proxy_protocol; - ''; - }; - }; -} diff --git a/config/hosts/nitter/nitter.nix b/config/hosts/nitter/nitter.nix deleted file mode 100644 index 94165c4..0000000 --- a/config/hosts/nitter/nitter.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ ... }: -{ - services.nitter = { - enable = true; - - server = { - title = "Birdsite"; - https = true; - address = "127.0.0.1"; - port = 8080; - hostname = "birdsite.nekover.se"; - }; - - preferences = { - theme = "Mastodon"; - replaceTwitter = "birdsite.nekover.se"; - infiniteScroll = true; - hlsPlayback = true; - }; - }; -} diff --git a/config/hosts/paperless/configuration.nix b/config/hosts/paperless/configuration.nix deleted file mode 100644 index 494f08c..0000000 --- a/config/hosts/paperless/configuration.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "paperless"; - firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/paperless/default.nix b/config/hosts/paperless/default.nix deleted file mode 100644 index e6ebeed..0000000 --- a/config/hosts/paperless/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./hardware-configuration.nix - ./nginx.nix - ./paperless.nix - ]; -} 
diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix deleted file mode 100644 index 17b9b66..0000000 --- a/config/hosts/paperless/hardware-configuration.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ ... }: -{ - fileSystems = { - "/mnt/data" = { - device = "/dev/disk/by-label/data"; - fsType = "ext4"; - autoFormat = true; - autoResize = true; - }; - "/mnt/paperless-consume" = { - device = "//10.201.40.10/paperless-consume"; - fsType = "cifs"; - options = [ - "username=paperless" - "credentials=/secrets/paperless-samba-credentials.secret" - "iocharset=utf8" - "vers=3.1.1" - "uid=paperless" - "gid=paperless" - "_netdev" - ]; - }; - "/var/lib/paperless" = { - depends = [ "/mnt/data" ]; - device = "/mnt/data/paperless"; - fsType = "none"; - options = [ "bind" ]; - }; - }; -} diff --git a/config/hosts/paperless/nginx.nix b/config/hosts/paperless/nginx.nix deleted file mode 100644 index e4a2131..0000000 --- a/config/hosts/paperless/nginx.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ config, ... }: -{ - services.nginx = { - enable = true; - virtualHosts."paperless.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - ]; - locations."/" = { - proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}"; - proxyWebsockets = true; - extraConfig = '' - add_header Referrer-Policy "strict-origin-when-cross-origin"; - ''; - }; - extraConfig = '' - client_max_body_size 100M; - ''; - }; - }; -} diff --git a/config/hosts/paperless/paperless.nix b/config/hosts/paperless/paperless.nix deleted file mode 100644 index 1def83d..0000000 --- a/config/hosts/paperless/paperless.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: -{ - services.paperless = { - enable = true; - consumptionDir = "/mnt/paperless-consume"; - passwordFile = "/secrets/paperless-admin-password.secret"; - }; -} 
diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix deleted file mode 100644 index 6726881..0000000 --- a/config/hosts/paperless/secrets.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "paperless-admin-password.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ]; - destDir = "/secrets"; - user = "paperless"; - group = "paperless"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "paperless-samba-credentials.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/web-public-1/configuration.nix b/config/hosts/web-public-1/configuration.nix deleted file mode 100644 index 7f3b8fa..0000000 --- a/config/hosts/web-public-1/configuration.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "web-public-1"; - firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/web-public-1/default.nix b/config/hosts/web-public-1/default.nix deleted file mode 100644 index 3db73ca..0000000 --- a/config/hosts/web-public-1/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./nginx.nix - ]; -} diff --git a/config/hosts/web-public-1/nginx.nix b/config/hosts/web-public-1/nginx.nix deleted file mode 100644 index 0453a73..0000000 --- a/config/hosts/web-public-1/nginx.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: -{ - imports = [ - ./virtualHosts - ]; - - services.nginx = { - enable = true; - }; -} diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix deleted file mode 100644 index c9b7e61..0000000 
--- a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ ... }: -let - acmeDomainMap = { - "paperless.grzb.de" = "paperless.wg.grzb.de"; - "navidrome.grzb.de" = "navidrome.wg.grzb.de"; - }; -in -{ - services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://${target}:80"; - }; - }) acmeDomainMap); -} diff --git a/config/hosts/web-public-1/virtualHosts/default.nix b/config/hosts/web-public-1/virtualHosts/default.nix deleted file mode 100644 index e191a9c..0000000 --- a/config/hosts/web-public-1/virtualHosts/default.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ ... }: -{ - imports = [ - ./acme-challenge.nix - ]; - - services.nginx.virtualHosts."_" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."/" = { - return = "301 https://$host$request_uri"; - }; - }; -} diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 45e48f8..1e51d61 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -16,20 +16,16 @@ stream { map $ssl_preread_server_name $address { - anisync.grzb.de 127.0.0.1:8443; cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; element-admin.nekover.se 127.0.0.1:8443; fi.nekover.se 10.202.41.125:8443; - gameserver.grzb.de 127.0.0.1:8443; - git.grzb.de 127.0.0.1:8443; git.nekover.se 10.202.41.106:8443; hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; mas.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443; matrix-rtc.nekover.se 10.202.41.112:8443; - mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; mesh.nekover.se 10.202.41.126:8443; nix-cache.nekover.se 10.202.41.121:8443; 
diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix deleted file mode 100644 index 9a3950a..0000000 --- a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ ... }: -{ - services.nginx.virtualHosts."anisync.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [{ - addr = "localhost"; - port = 8443; - ssl = true; - extraParameters = ["proxy_protocol"]; - }]; - locations."/" = { - proxyPass = "http://anisync.vs.grzb.de:8080"; - proxyWebsockets = true; - }; - extraConfig = '' - add_header X-Content-Type-Options nosniff; - - set_real_ip_from 127.0.0.1; - real_ip_header proxy_protocol; - ''; - }; -} diff --git a/config/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix index 445a087..fc2b409 100644 --- a/config/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix @@ -2,12 +2,8 @@ { imports = [ ./acme-challenge.nix - ./anisync.grzb.de.nix ./element.nekover.se.nix ./element-admin.nekover.se.nix - ./gameserver.grzb.de.nix - ./git.grzb.de.nix - ./mewtube.nekover.se.nix ./nekover.se.nix ]; diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix deleted file mode 100644 index c746f3d..0000000 --- a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix +++ /dev/null 
@@ -1,28 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."gameserver.grzb.de" = {
- forceSSL = true;
- enableACME = true;
- listen = [{
- addr = "localhost";
- port = 8443;
- ssl = true;
- extraParameters = ["proxy_protocol"];
- }];
- locations."/" = {
- proxyPass = "http://pterodactyl.vs.grzb.de";
- extraConfig = ''
- proxy_redirect off;
- proxy_buffering off;
- proxy_request_buffering off;
- '';
- };
- extraConfig = ''
- client_max_body_size 1024m;
- add_header X-Content-Type-Options nosniff;
-
- set_real_ip_from 127.0.0.1;
- real_ip_header proxy_protocol;
- '';
- };
-}
diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
deleted file mode 100644
index ac9eefb..0000000
--- a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."git.grzb.de" = {
- forceSSL = true;
- enableACME = true;
- listen = [{
- addr = "localhost";
- port = 8443;
- ssl = true;
- extraParameters = ["proxy_protocol"];
- }];
- locations."/" = {
- proxyPass = "http://gitlab.vs.grzb.de:80";
- extraConfig = ''
- gzip off;
- proxy_read_timeout 300;
- proxy_connect_timeout 300;
- proxy_redirect off;
- '';
- };
- extraConfig = ''
- client_max_body_size 1024m;
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
-
- set_real_ip_from 127.0.0.1;
- real_ip_header proxy_protocol;
- '';
- };
-}
diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
deleted file mode 100644
index 1ab842a..0000000
--- a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."mewtube.nekover.se" = {
- forceSSL = true;
- enableACME = true;
- listen = [{
- addr = "localhost";
- port = 8443;
- ssl = true;
- extraParameters = ["proxy_protocol"];
- }];
- locations."/" = {
- proxyPass = "http://cloudtube.vs.grzb.de:10412";
- };
- extraConfig = ''
- set_real_ip_from 127.0.0.1;
- real_ip_header proxy_protocol;
- '';
- };
-}
From fe86c128ed6df25dfbe87ae405cedcbbdc5b9d89 Mon Sep 17 00:00:00 2001
From: fi
Date: Tue, 7 Apr 2026 21:32:12 +0200
Subject: [PATCH 17/55] Put matrix federation behind reverse proxy
---
 config/hosts/matrix/nginx.nix | 25 +++++++++++++++++++------
 config/hosts/valkyrie/configuration.nix | 2 +-
 config/hosts/valkyrie/nginx.nix | 5 +++++
 config/hosts/web-public-2/nginx.nix | 5 +++++
 4 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index c9548b2..0e419bc 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@@ -11,10 +11,17 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 {
 addr = "0.0.0.0";
 port = 8448;
 ssl = true;
+ proxyProtocol = true;
 }
 ];
 locations = {
@@ -49,8 +56,6 @@
 };
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
@@ -64,6 +69,12 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 ];
 locations = {
 "/" = {
@@ -79,8 +90,6 @@
 };
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
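Review bot: With `proxyProtocol = true;` added to the 8448 listener in the first matrix/nginx.nix hunk, nginx on the matrix host will only accept PROXY-protocol-framed connections on the federation port, and the `set_real_ip_from` lines kept in the later hunks trust exactly 10.202.41.100 and 10.203.10.3. The commit does not touch the matrix host's firewall, so if 10.202.41.112:8448 is still reachable from anything other than those two proxies, such peers now get protocol errors instead of being served; a source- or interface-scoped rule on the matrix host would make the "only via the reverse proxies" intent explicit (not visible here, so confirm). The removed `listen 0.0.0.0:8443 http2 ssl proxy_protocol;` also carried `http2`, which the replacement `listen` entries do not spell out — presumably the module's own HTTP/2 handling covers it, but check the generated config before relying on that.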
@@ -94,6 +103,12 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 ];
 locations."^~ /livekit/jwt/" = {
 proxyPass = "http://localhost:8082/";
@@ -103,8 +118,6 @@
 proxyWebsockets = true;
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix
index aca6e04..e581f8c 100644
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@@ -7,7 +7,7 @@
 nftables.enable = true;
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 ];
+ allowedTCPPorts = [ 80 443 8448 ];
 allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ];
 };
 wireguard = {
diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix
index dae48ad..ab96419 100644
--- a/config/hosts/valkyrie/nginx.nix
+++ b/config/hosts/valkyrie/nginx.nix
@@ -58,6 +58,11 @@
 ssl_preread on;
 proxy_protocol on;
 }
+ server {
+ listen [::]:8448;
+ proxy_pass 10.202.41.112:8448; # matrix federation port
+ proxy_protocol on;
+ }
 '';
 };
 }
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 1e51d61..01d6fae 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -38,6 +38,11 @@
 ssl_preread on;
 proxy_protocol on;
 }
+ server {
+ listen 0.0.0.0:8448;
+ proxy_pass 10.202.41.112:8448; # matrix federation port
+ proxy_protocol on;
+ }
 }
 '';
From f19436b1786c70af02a8edd58755d3cb1e4b2788 Mon Sep 17 00:00:00 2001
From: fi
Date: Tue, 7 Apr 2026 21:51:50 +0200
Subject: [PATCH 18/55] Allow proxy protocol to reverse proxy
---
 config/hosts/web-public-2/configuration.nix | 2 +-
 .../virtualHosts/element.nekover.se.nix | 18 ++++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/config/hosts/web-public-2/configuration.nix b/config/hosts/web-public-2/configuration.nix
index 94e74b6..e942787 100644
--- a/config/hosts/web-public-2/configuration.nix
+++ b/config/hosts/web-public-2/configuration.nix
@@ -21,7 +21,7 @@
 hostName = "web-public-2";
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 5000 8448 ];
+ allowedTCPPorts = [ 80 443 5000 8443 8448 ];
 };
 };
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index 6e61d6c..23a3212 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@@ -27,12 +27,18 @@ in
 ./element-web-config
 ];
 };
- listen = [{
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- extraParameters = ["proxy_protocol"];
- }];
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
 # Set no-cache for the version, config and index.html
 # so that browsers always check for a new copy of Element Web.
From f73990a4278b861ffc5a0077f81b15c0b32f4c24 Mon Sep 17 00:00:00 2001
From: fi
Date: Tue, 7 Apr 2026 22:20:28 +0200
Subject: [PATCH 19/55] WIP
---
 config/hosts/web-public-2/nginx.nix | 6 +++---
 .../virtualHosts/element.nekover.se.nix | 18 ++++++------------
 .../web-public-2/virtualHosts/nekover.se.nix | 2 +-
 3 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 01d6fae..3217be8 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
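Review bot: `allowedTCPPorts = [ 80 443 5000 8443 8448 ];` opens the PROXY-protocol listener ports on every interface of web-public-2, although their only expected upstreams are the local stream proxy and valkyrie over WireGuard. Per-interface scoping, `networking.firewall.interfaces.<wg-iface>.allowedTCPPorts = [ 8443 8448 ];` with the real WireGuard interface name (not shown in this patch), keeps them off the public address; `set_real_ip_from` stops a direct external client from spoofing its address, but a listener that expects a trusted upstream should not be world-reachable. Whether host-local connections to 10.202.41.100:8443 need the global rule at all depends on how the nftables ruleset treats loopback-routed traffic, which is worth checking before widening the firewall.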
@@ -17,8 +17,8 @@ stream {
 map $ssl_preread_server_name $address {
 cloud.nekover.se 10.202.41.122:8443;
- element.nekover.se 127.0.0.1:8443;
- element-admin.nekover.se 127.0.0.1:8443;
+ element.nekover.se 10.202.41.100:8443;
+ element-admin.nekover.se 10.202.41.100:8443;
 fi.nekover.se 10.202.41.125:8443;
 git.nekover.se 10.202.41.106:8443;
 hydra.nekover.se 10.202.41.121:8443;
@@ -26,7 +26,7 @@
 mas.nekover.se 10.202.41.112:8443;
 matrix.nekover.se 10.202.41.112:8443;
 matrix-rtc.nekover.se 10.202.41.112:8443;
- nekover.se 127.0.0.1:8443;
+ nekover.se 10.202.41.100:8443;
 mesh.nekover.se 10.202.41.126:8443;
 nix-cache.nekover.se 10.202.41.121:8443;
 searx.nekover.se 10.202.41.105:8443;
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index 23a3212..6e61d6c 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@@ -27,18 +27,12 @@ in
 ./element-web-config
 ];
 };
- listen = [
- {
- addr = "0.0.0.0";
- port = 80;
- }
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
- ];
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = ["proxy_protocol"];
+ }];
 # Set no-cache for the version, config and index.html
 # so that browsers always check for a new copy of Element Web.
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index 233a49c..4629365 100644
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@@ -4,7 +4,7 @@
 forceSSL = true;
 enableACME = true;
 listen = [{
- addr = "localhost";
+ addr = "0.0.0.0";
 port = 8443;
 ssl = true;
 extraParameters = ["proxy_protocol"];
From 3a4ce8d0eb0f5c767f930a1224fe4c1b8133df87 Mon Sep 17 00:00:00 2001
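Review bot: The element.nekover.se.nix hunk goes back to `extraParameters = ["proxy_protocol"];` while the listeners added in PATCH 17 use the dedicated `proxyProtocol = true;` option; both should end up as `proxy_protocol` on the `listen` line, but one spelling across hosts is easier to grep for when auditing which vhosts trust a PROXY header. A commit titled `WIP` should state what it does: the stream map now hands element.nekover.se, element-admin.nekover.se and nekover.se to 10.202.41.100:8443 instead of 127.0.0.1:8443, and nekover.se.nix binds on `0.0.0.0` accordingly. That move only works if each of those vhosts' `set_real_ip_from` lists 10.202.41.100 rather than 127.0.0.1 — nekover.se does (see its hunk in PATCH 22), element's and element-admin's are not in view here.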
From: fi Date: Fri, 1 May 2026 01:50:20 +0200 Subject: [PATCH 20/55] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/0aecba5a03727e1ac2d66378907d9a6e9c8266d0' (2026-04-03) → 'github:NixOS/nixpkgs/7fea5ede44b70af67136a82b41e39878cfb3a51b' (2026-04-30) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/942d1c86a6642bff0c4a440d30a7669a7a18a903' (2026-04-03) → 'github:NixOS/nixpkgs/6d457375d24d7d6c8b537a161660173ca225dfdf' (2026-04-30) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/0eac666efaa8a9afea2821f9efc7921b4ef39b4e' (2026-04-03) → 'github:NixOS/nixpkgs/417335fe04072fe234d9a566b72d7955df681844' (2026-04-30) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 895cec4..fa8e70b 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1775189162, - "narHash": "sha256-fjEpcsJ0KDZ363xd+3OhOGq3AC1juI23Xas548ZPZEk=", + "lastModified": 1777554940, + "narHash": "sha256-adRHzYRN0huy51aAykoXC4xxBe84AupPMp81lmoNJHM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0aecba5a03727e1ac2d66378907d9a6e9c8266d0", + "rev": "7fea5ede44b70af67136a82b41e39878cfb3a51b", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1775248990, - "narHash": "sha256-H/G80K7f3ZrPP8PAmSCG/pJh59zMscPA6UaiWdKgTdg=", + "lastModified": 1777592373, + "narHash": "sha256-/H8BBZdwWPVS9mzK5a8XskmLI+wMf6Zf8d22ZLeWSc4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "942d1c86a6642bff0c4a440d30a7669a7a18a903", + "rev": "6d457375d24d7d6c8b537a161660173ca225dfdf", "type": "github" }, "original": { 
@@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1775231746, - "narHash": "sha256-EFaDQ0rnuSjKfC/DUKHS4toV4rEBuWhSgyX2Yy0kp00=", + "lastModified": 1777586718, + "narHash": "sha256-XqqAel6imMLIA8ZeX5CNydzOaokD6GIoUf02DuFeWr4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0eac666efaa8a9afea2821f9efc7921b4ef39b4e", + "rev": "417335fe04072fe234d9a566b72d7955df681844", "type": "github" }, "original": {
From ae2a4c91fd360457015727083bb12b493d958a4f Mon Sep 17 00:00:00 2001
From: fi
Date: Fri, 1 May 2026 02:32:57 +0200
Subject: [PATCH 21/55] Set LIVEKIT_FULL_ACCESS_HOMESERVERS
---
 config/hosts/matrix/element-call.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/config/hosts/matrix/element-call.nix b/config/hosts/matrix/element-call.nix
index 1c8b442..db988b9 100644
--- a/config/hosts/matrix/element-call.nix
+++ b/config/hosts/matrix/element-call.nix
@@ -12,4 +12,7 @@
 livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu";
 keyFile = "/secrets/matrix-livekit-secret-key.secret";
 };
+ systemd.services.lk-jwt-service.environment = {
+ LIVEKIT_FULL_ACCESS_HOMESERVERS = "nekover.se";
+ };
 }
From 9ba87803fce2affaad916d1259ed5a5c9f604647 Mon Sep 17 00:00:00 2001
From: fi
Date: Fri, 1 May 2026 16:18:28 +0200
Subject: [PATCH 22/55] Add /.well-known/matrix/support endpoint
---
 config/hosts/web-public-2/virtualHosts/nekover.se.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index 4629365..f33a3b9 100644
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
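Review bot: `LIVEKIT_FULL_ACCESS_HOMESERVERS = "nekover.se";` in the element-call.nix hunk is an authorization knob added without a word on what it gates, and the lk-jwt-service version it applies to is not pinned in this patch. A comment above it such as `# Only this homeserver's users get full-access LiveKit tokens; check the lk-jwt-service docs for the deployed version for what other homeservers may still do` would keep the next reader from guessing. If users on other homeservers are expected to join calls on this SFU, test that path after deployment, since this setting is presumably what restricts them.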
@@ -22,6 +22,13 @@
 add_header Access-Control-Allow-Origin *;
 '';
 };
+ locations."/.well-known/matrix/support" = {
+ return = "200 '{\"contacts\": [{\"email_address\": \"admin@nekover.se\", \"role\": \"m.role.admin\"}]}'";
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ '';
+ };
 extraConfig = ''
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
From 618b6ba170063643a5fedb1245705f7988e82e93 Mon Sep 17 00:00:00 2001
From: fi
Date: Fri, 1 May 2026 16:20:05 +0200
Subject: [PATCH 23/55] Update mastodon to 4.5.9
---
 config/hosts/mastodon/mastodon.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index dcb2498..fd5fa64 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -16,14 +16,14 @@ let
 };
 mastodonNekoverseOverlay = final: prev: {
 mastodon = (prev.mastodon.override rec {
- version = "4.5.8";
+ version = "4.5.9";
 srcOverride = final.applyPatches {
 src = pkgs.stdenv.mkDerivation {
 name = "mastodonWithThemes";
 src = pkgs.fetchgit {
 url = "https://github.com/mastodon/mastodon.git";
 rev = "v${version}";
- sha256 = "sha256-03PdAB9KOvMgQJPx+7ik13QE18fjdLIab7zEXaPc4nk=";
+ sha256 = "sha256-EXMJWdcuvQWe2cXONlcN/oB4b0nXwDqRT+miIB7P7js=";
 };
 # mastodon ships with broken symlinks, disable the check for that for now
 dontCheckForBrokenSymlinks = true;
From cbfe669ad408be23b43cd61b6a2bd45e00ebf0cf Mon Sep 17 00:00:00 2001
From: fi
Date: Fri, 1 May 2026 16:28:22 +0200
Subject: [PATCH 24/55] Update element-admin to 0.1.11
---
 .../web-public-2/virtualHosts/element-admin.nekover.se.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
index d6af438..cb8a45a 100644
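Review bot: `add_header Access-Control-Allow-Origin *;` inside the new `/.well-known/matrix/support` location replaces rather than extends the server block's headers — nginx inherits `add_header` only when the current level sets none — so any security headers defined in the server-level `extraConfig` (only its `set_real_ip_from` lines are visible here) will be absent from this response; the existing well-known location in the context above has the same property. If such headers exist, repeat them in this location's `extraConfig` or move the CORS header to the server level. The hand-escaped JSON in `return = "200 '…'"` is also easy to break when a contact is added; `return = "200 '${builtins.toJSON { contacts = [ { email_address = "admin@nekover.se"; role = "m.role.admin"; } ]; }}'";` keeps it valid by construction.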
--- a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
@@ -1,14 +1,14 @@
 { config, pkgs, ... }:
 let
- elementAdminVersion = "0.1.10";
+ elementAdminVersion = "0.1.11";
 elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: {
 pname = "element-admin";
 version = elementAdminVersion;
 src = pkgs.fetchzip {
 url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip";
- sha256 = "sha256-dh7tmzAaTfKB9FuOVhLHpOIsTZK1qMvNq16HeObHOqI=";
+ sha256 = "sha256-tSUTDPspQJjvP1KN4nUr4LYyjNQFj4pKMMA8JmavIxo=";
 };
 nativeBuildInputs = [
@@ -19,7 +19,7 @@ let
 pnpmDeps = pkgs.pnpm.fetchDeps {
 inherit (finalAttrs) pname version src;
 fetcherVersion = 2;
- hash = "sha256-S/MdfUv6q+PaAKWYHxVY80BcpL81dOfpPVhNxEPQVE4=";
+ hash = "sha256-Hf4PWey5bczSNbc3QQ9z9X3OVUZ7VHXw7BHGQqJWPac=";
 };
 buildPhase = ''
From df36846fb2e5c8e1ea9cfaf7daa4079bb8449f76 Mon Sep 17 00:00:00 2001
From: fi
Date: Fri, 1 May 2026 16:34:52 +0200
Subject: [PATCH 25/55] Update element-web to 1.12.17
---
 config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index 6e61d6c..d60f70b 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@@ -1,9 +1,9 @@
 { pkgs, ... }:
 let
- elementWebVersion = "1.12.10";
+ elementWebVersion = "1.12.17";
 element-web = pkgs.fetchzip {
 url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
- sha256 = "sha256-YpxfV4BCXh2fffQvVsZGOfK82TpGzg6uOx7iUPqiXVE=";
+ sha256 = "sha256-ZlL4lQar/nEqA/1Js/aQvlnscWfb41oPbK69jSL9584=";
 };
 elementWebSecurityHeaders = ''
 # Configuration best practices
From 80916c6b8544ff0f341f946945a18d1578b41180 Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Fri, 15 May 2026 22:38:20 +0200 Subject: [PATCH 26/55] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/7fea5ede44b70af67136a82b41e39878cfb3a51b?narHash=sha256-adRHzYRN0huy51aAykoXC4xxBe84AupPMp81lmoNJHM%3D' (2026-04-30) → 'github:NixOS/nixpkgs/a3c34a1dd63140ab2150ebb4fa290bbbae58193b?narHash=sha256-wVKu7ZYV3ikh7RVDY1TVlaKwPTFvfkYnOzQGn3IqT4o%3D' (2026-05-15) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/6d457375d24d7d6c8b537a161660173ca225dfdf?narHash=sha256-/H8BBZdwWPVS9mzK5a8XskmLI%2BwMf6Zf8d22ZLeWSc4%3D' (2026-04-30) → 'github:NixOS/nixpkgs/b0415a300a8d2daf19019ef418f0b019ee38cf47?narHash=sha256-NZ9yg%2BVJy6RftGD3YXeqCEEVsPZH9hPu6yWm/bAuqLM%3D' (2026-05-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/417335fe04072fe234d9a566b72d7955df681844?narHash=sha256-XqqAel6imMLIA8ZeX5CNydzOaokD6GIoUf02DuFeWr4%3D' (2026-04-30) → 'github:NixOS/nixpkgs/758b562bc257084aef30b8e3efbdd61d292806c3?narHash=sha256-BxYhb8H0aVtiM1kGRt%2BS49NbsJMUMIHvOXxziE9u0nY%3D' (2026-05-15) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index fa8e70b..4ef9f2a 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1777554940, - "narHash": "sha256-adRHzYRN0huy51aAykoXC4xxBe84AupPMp81lmoNJHM=", + "lastModified": 1778830137, + "narHash": "sha256-wVKu7ZYV3ikh7RVDY1TVlaKwPTFvfkYnOzQGn3IqT4o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7fea5ede44b70af67136a82b41e39878cfb3a51b", + "rev": "a3c34a1dd63140ab2150ebb4fa290bbbae58193b", "type": "github" }, "original": { 
@@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1777592373, - "narHash": "sha256-/H8BBZdwWPVS9mzK5a8XskmLI+wMf6Zf8d22ZLeWSc4=", + "lastModified": 1778877216, + "narHash": "sha256-NZ9yg+VJy6RftGD3YXeqCEEVsPZH9hPu6yWm/bAuqLM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6d457375d24d7d6c8b537a161660173ca225dfdf", + "rev": "b0415a300a8d2daf19019ef418f0b019ee38cf47", "type": "github" }, "original": {
@@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1777586718, - "narHash": "sha256-XqqAel6imMLIA8ZeX5CNydzOaokD6GIoUf02DuFeWr4=", + "lastModified": 1778843877, + "narHash": "sha256-BxYhb8H0aVtiM1kGRt+S49NbsJMUMIHvOXxziE9u0nY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "417335fe04072fe234d9a566b72d7955df681844", + "rev": "758b562bc257084aef30b8e3efbdd61d292806c3", "type": "github" }, "original": {
From b2079ab04d60fdb67b13a5e786b529dc21558d80 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sat, 16 May 2026 19:42:42 +0200
Subject: [PATCH 27/55] Add mastodon default patches for yarn-4.14-support.patch
---
 config/hosts/mastodon/mastodon.nix | 4 ++--
 config/hosts/mastodon/yarn.patch | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 config/hosts/mastodon/yarn.patch
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index fd5fa64..51b3afe 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, nixpkgs-unstable, ... }:
 let
 tangerineUI = pkgs.fetchgit {
 url = "https://github.com/nileane/TangerineUI-for-Mastodon.git";
@@ -40,7 +40,7 @@ let
 modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml
 '';
 };
- patches = [
+ patches = prev.mastodon.src.patches ++ [
 "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch"
 "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch"
 "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch"
diff --git a/config/hosts/mastodon/yarn.patch b/config/hosts/mastodon/yarn.patch
new file mode 100644
index 0000000..82a2f77
--- /dev/null
+++ b/config/hosts/mastodon/yarn.patch
@@ -0,0 +1,21 @@
+diff --git a/.yarnrc.yml b/.yarnrc.yml
+--- a/.yarnrc.yml
++++ b/.yarnrc.yml
+@@ -1 +1,6 @@
+ nodeLinker: node-modules
++
++approvedGitRepositories:
++ - "**"
++
++enableScripts: true
+diff --git a/yarn.lock b/yarn.lock
+--- a/yarn.lock
++++ b/yarn.lock
+@@ -2,6 +2,6 @@
+ # Manual changes might be lost - proceed with caution!
+
+ __metadata:
+- version: 8
++ version: 9
+ cacheKey: 10c0
+
\ No newline at end of file
From 2a8f0b0564172c7e00c2c1bb3172127a3509bdbb Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sat, 16 May 2026 22:49:13 +0200
Subject: [PATCH 28/55] Add sops-nix
---
 flake.nix | 6 +++++-
 hosts.nix | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/flake.nix b/flake.nix
index 2841638..7ea486c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,9 +8,13 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.11";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs:
+ outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, sops-nix, ... }@inputs:
 let
 hosts = import ./hosts.nix inputs;
 helper = import ./helper.nix inputs;
diff --git a/hosts.nix b/hosts.nix
index b59e3d5..86d65e2 100644
--- a/hosts.nix
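Review bot: `config/hosts/mastodon/yarn.patch` is added but nothing in either mastodon.nix hunk references it, and the `nixpkgs-unstable` argument added in the first hunk (`{ pkgs, nixpkgs-unstable, ... }:`) is unused in the visible lines — either a follow-up was left out of this commit or both are dead and should go. `patches = prev.mastodon.src.patches ++ [` presumably relies on nixpkgs building mastodon's `src` with `applyPatches` so that `src.patches` is the upstream list; that is an implementation detail that can change silently, so record the intent with `# carry over nixpkgs' own src patches (yarn 4.14 support) that srcOverride would otherwise drop` above it. If yarn.patch is meant to be applied later, note that it sets `enableScripts: true` and `approvedGitRepositories: "**"` for yarn, which widens what a dependency install may run, and it belongs together with the pinned lockfile it also edits.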
+++ b/hosts.nix
@@ -1,4 +1,4 @@
-{ nixpkgs, nixpkgs-unstable, nixpkgs-master, ... }:
+{ nixpkgs, nixpkgs-unstable, nixpkgs-master, sops-nix, ... }:
 let
 # Set of environment specific modules
 environments = {
@@ -22,6 +22,7 @@ let
 modules = [
 ./config/common
 ./config/hosts/${name}
+ sops-nix.nixosModules.sops
 ] ++ (if environment != "" then environments.${environment} else []);
 }) hosts;
 in
From 37df75b8cb0b39adf06b488e316510a1ba9301e9 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sat, 16 May 2026 22:50:29 +0200
Subject: [PATCH 29/55] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixpkgs': 'github:NixOS/nixpkgs/a3c34a1dd63140ab2150ebb4fa290bbbae58193b?narHash=sha256-wVKu7ZYV3ikh7RVDY1TVlaKwPTFvfkYnOzQGn3IqT4o%3D' (2026-05-15) → 'github:NixOS/nixpkgs/30f30521f3fce93c4c22bb43941cdf8e2d90d311?narHash=sha256-/VER73JyDAsvWXmEk6Qph%2Bq1cXLof4iXtxgwKsj3cP8%3D' (2026-05-16)
• Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/b0415a300a8d2daf19019ef418f0b019ee38cf47?narHash=sha256-NZ9yg%2BVJy6RftGD3YXeqCEEVsPZH9hPu6yWm/bAuqLM%3D' (2026-05-15) → 'github:NixOS/nixpkgs/183fe40a77b6860ddd8ed01433d0f4f2f5343e7b?narHash=sha256-W9Dm45lszeihc0BZIHeLMVAJzOETAZtgQQbPhqyLPA0%3D' (2026-05-16)
• Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/758b562bc257084aef30b8e3efbdd61d292806c3?narHash=sha256-BxYhb8H0aVtiM1kGRt%2BS49NbsJMUMIHvOXxziE9u0nY%3D' (2026-05-15) → 'github:NixOS/nixpkgs/5a51fe22e18a6ce886b3cffa4c255378c151323c?narHash=sha256-FqqcYr0c5in/HRL5bkRWykAGp/Q10Vj/zUiSr1P8URE%3D' (2026-05-16)
• Added input 'sops-nix': 'github:Mic92/sops-nix/c591bf665727040c6cc5cb409079acb22dcce33c?narHash=sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8%3D' (2026-05-05)
• Added input 'sops-nix/nixpkgs': follows 'nixpkgs'
---
 flake.lock | 41 +++++++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 10 deletions(-)
diff --git a/flake.lock b/flake.lock index 4ef9f2a..9140b1e 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1778830137, - "narHash": "sha256-wVKu7ZYV3ikh7RVDY1TVlaKwPTFvfkYnOzQGn3IqT4o=", + "lastModified": 1778917931, + "narHash": "sha256-/VER73JyDAsvWXmEk6Qph+q1cXLof4iXtxgwKsj3cP8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a3c34a1dd63140ab2150ebb4fa290bbbae58193b", + "rev": "30f30521f3fce93c4c22bb43941cdf8e2d90d311", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1778877216, - "narHash": "sha256-NZ9yg+VJy6RftGD3YXeqCEEVsPZH9hPu6yWm/bAuqLM=", + "lastModified": 1778964530, + "narHash": "sha256-W9Dm45lszeihc0BZIHeLMVAJzOETAZtgQQbPhqyLPA0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b0415a300a8d2daf19019ef418f0b019ee38cf47", + "rev": "183fe40a77b6860ddd8ed01433d0f4f2f5343e7b", "type": "github" }, "original": { @@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1778843877, - "narHash": "sha256-BxYhb8H0aVtiM1kGRt+S49NbsJMUMIHvOXxziE9u0nY=", + "lastModified": 1778930970, + "narHash": "sha256-FqqcYr0c5in/HRL5bkRWykAGp/Q10Vj/zUiSr1P8URE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "758b562bc257084aef30b8e3efbdd61d292806c3", + "rev": "5a51fe22e18a6ce886b3cffa4c255378c151323c", "type": "github" }, "original": { @@ -186,7 +186,8 @@ "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable", - "simple-nixos-mailserver": "simple-nixos-mailserver" + "simple-nixos-mailserver": "simple-nixos-mailserver", + "sops-nix": "sops-nix" } }, "simple-nixos-mailserver": { 
@@ -210,6 +211,26 @@ "repo": "nixos-mailserver", "type": "gitlab" } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1777944972, + "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "c591bf665727040c6cc5cb409079acb22dcce33c", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } } }, "root": "root",
From 668f2ef4d87b27cae4825242a08356094da5d0f2 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sat, 16 May 2026 23:41:15 +0200
Subject: [PATCH 30/55] Add ssh-to-age
---
 config/common/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/common/default.nix b/config/common/default.nix
index 459289f..0fa2d0b 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -35,6 +35,7 @@
 parted
 tmux
 nano
+ ssh-to-age
 tcpdump
 ];
From bff3401adaf70282958dc867d968c09c86baa4c7 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 17 May 2026 00:19:55 +0200
Subject: [PATCH 31/55] Migrate ikiwiki to sops-nix
---
 .sops.yaml | 12 ++++++++++++
 config/hosts/ikiwiki/default.nix | 1 +
 config/hosts/ikiwiki/nginx.nix | 9 ++++++++-
 config/hosts/ikiwiki/secrets.nix | 11 -----------
 config/hosts/ikiwiki/secrets.yaml | 25 +++++++++++++++++++++++++
 config/hosts/ikiwiki/sops.nix | 6 ++++++
 6 files changed, 52 insertions(+), 12 deletions(-)
 create mode 100644 .sops.yaml
 delete mode 100644 config/hosts/ikiwiki/secrets.nix
 create mode 100644 config/hosts/ikiwiki/secrets.yaml
 create mode 100644 config/hosts/ikiwiki/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..76cda7e
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+keys:
+ - &admin_age_fi age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+ - &host_age_ikiwiki age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
+creation_rules:
+ - path_regex: config/hosts/ikiwiki/.*
+ key_groups:
+ - age:
+ - *admin_age_fi
+ - *host_age_ikiwiki
+stores:
+ yaml:
+ indent: 2
diff --git a/config/hosts/ikiwiki/default.nix b/config/hosts/ikiwiki/default.nix
index bc9766c..32d16c7 100644
--- a/config/hosts/ikiwiki/default.nix
+++ b/config/hosts/ikiwiki/default.nix
@@ -4,5 +4,6 @@
 ./configuration.nix
 ./ikiwiki.nix
 ./nginx.nix
+ ./sops.nix
 ];
 }
diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix
index 9f6462e..6b09cb0 100644
--- a/config/hosts/ikiwiki/nginx.nix
+++ b/config/hosts/ikiwiki/nginx.nix
@@ -26,7 +26,7 @@ in
 tryFiles = "$uri $uri/ =404";
 };
 "~ .cgi" = {
- basicAuthFile = "/secrets/ikiwiki-auth-file.secret";
+ basicAuthFile = "/run/secrets/auth_file";
 extraConfig = ''
 gzip off;
 fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address};
@@ -45,4 +45,11 @@ in
 '';
 };
 };
+
+ sops.secrets."auth_file" = {
+ mode = "0440";
+ owner = "nginx";
+ group = "nginx";
+ restartUnits = [ "nginx.service" ];
+ };
 }
diff --git a/config/hosts/ikiwiki/secrets.nix b/config/hosts/ikiwiki/secrets.nix
deleted file mode 100644
index d366c75..0000000
--- a/config/hosts/ikiwiki/secrets.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys."ikiwiki-auth-file.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ];
- destDir = "/secrets";
- user = "nginx";
- group = "nginx";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
-}
diff --git a/config/hosts/ikiwiki/secrets.yaml b/config/hosts/ikiwiki/secrets.yaml
new file mode 100644
index 0000000..a707f57
--- /dev/null
+++ b/config/hosts/ikiwiki/secrets.yaml
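Review bot: `path_regex: config/hosts/ikiwiki/.*` in the new .sops.yaml is unanchored, so it also matches any path that merely contains that substring, and sops applies the first `creation_rules` entry that matches; anchoring it as `path_regex: ^config/hosts/ikiwiki/` is the usual form and avoids surprises as rules accumulate. The same applies to the coturn rule added to this file in PATCH 32.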
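Review bot: `basicAuthFile = "/run/secrets/auth_file";` in the ikiwiki nginx.nix hunk hard-codes the location sops-nix chooses, even though `config` is already in scope in this file (the same hunk uses `config.services.fcgiwrap…`); `basicAuthFile = config.sops.secrets."auth_file".path;` ties the reference to the declaration so it cannot drift if the secrets directory is ever changed. PATCH 32 repeats the pattern with `static-auth-secret-file = "/run/secrets/static-auth-secret";` in coturn.nix, where `config` is likewise available. The `sops.secrets."auth_file"` block would also benefit from a one-line comment, e.g. `# htpasswd file for the ikiwiki CGI; read by nginx at request time, so nginx owns it and is restarted when it changes`.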
@@ -0,0 +1,25 @@
+auth_file: ENC[AES256_GCM,data:5/uT1sIOI95LNA9YFWh3I9J2PCZmz/J38YxVsKVWFHfJdZUOQpSW6ekjX7StP/svtv6Tp0AonnvcKfRcyPYn,iv:NKdWae+EihasTMV24Hk+dKJG8032mWu+RWItWs0b6RE=,tag:WBM6pXlKaDXOMnBWGBLJWg==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNDZLcEFGRHczMHg3S0w3
+ eTNvNGI5TXBWTTc1eXAzZStlSmZTQ3NkdTA4CmlYVEF1NWhldVZuZmwzTUU0NG5j
+ UFhvU3Q3Q1BvVHhrODJWc296UUo0TmMKLS0tIFFlUGRYVDNNYm40cXhlZ004eFk5
+ b3BnLzBjZFpjVDN2clZaTGlWV29NVUEKsdK4V5Og+bK26Gl6HTkOBtFrHfr1RFYu
+ zWNGQ3skkvATO/ypa0zFf3+qnupCTTO5emwscoRK8ZZFVgSswdnbIA==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOUJXWW95OXlEZFFwbHlp
+ RzJJMDFJU2pUTjltZ1JaWjE5c0xPY0hvNUdZCk5uWk9kdlRWNTNVUUVmT3VVeE9j
+ ajNNeVlZcEw4WFdqZ2QwTXl2MlhVZ2cKLS0tIFVVUXJtWkhtREFsdXp5ODZkOTA1
+ b1h3THFYSU1yblM0WmdxTUVtZG1OYVUK5tmcOX+jOdbSD1YCPqcAeoGF8ny61lWY
+ xwguejMeVZ/pCjO/qf3tb+MUlInPMXva59FelGd3nz6cbVqbeWtxSQ==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
+ lastmodified: "2026-05-16T22:13:21Z"
+ mac: ENC[AES256_GCM,data:McAN1DueAhDBAY8kloB5l8M0pLIeswtnCxBtMYFyzBaY2Z43gNetBwdpzs5sL4nEmAZGPJ9AjXJVSmjb1tOn3BF8X5n6/9F7DzvHT7ukpIjumGC0KeB0QfaIGgKJyo7koISIVlGFZAwgcf1fQwaKZsYzfOGelj7UNrzFCjArK+Y=,iv:oZUmzcEr08jROw24J2fXQ4EjEJH3vzYysdy51vEtUNM=,tag:QJjNb/YvuZrZtQD9QE1Z3g==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.0
diff --git a/config/hosts/ikiwiki/sops.nix b/config/hosts/ikiwiki/sops.nix
new file mode 100644
index 0000000..78dc2c8
--- /dev/null
+++ b/config/hosts/ikiwiki/sops.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
From a28f7a5848b95dc08a96eaa38511963aef5ca722 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 17 May 2026 01:17:20 +0200
Subject: [PATCH 32/55] Migrate coturn to sops-nix
---
 .sops.yaml | 6 ++++++
 config/hosts/coturn/coturn.nix | 9 ++++++++-
 config/hosts/coturn/default.nix | 1 +
 config/hosts/coturn/secrets.nix | 11 -----------
 config/hosts/coturn/secrets.yaml | 25 +++++++++++++++++++++++++
 config/hosts/coturn/sops.nix | 6 ++++++
 6 files changed, 46 insertions(+), 12 deletions(-)
 delete mode 100644 config/hosts/coturn/secrets.nix
 create mode 100644 config/hosts/coturn/secrets.yaml
 create mode 100644 config/hosts/coturn/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index 76cda7e..a0912e8 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,13 @@
 keys:
 - &admin_age_fi age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+ - &host_age_coturn age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l
 - &host_age_ikiwiki age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
 creation_rules:
+ - path_regex: config/hosts/coturn/.*
+ key_groups:
+ - age:
+ - *admin_age_fi
+ - *host_age_coturn
 - path_regex: config/hosts/ikiwiki/.*
 key_groups:
 - age:
diff --git a/config/hosts/coturn/coturn.nix b/config/hosts/coturn/coturn.nix
index 719c872..0b266ba 100644
--- a/config/hosts/coturn/coturn.nix
+++ b/config/hosts/coturn/coturn.nix
@@ -5,7 +5,7 @@
 min-port = 49200;
 max-port = 49500;
 use-auth-secret = true;
- static-auth-secret-file = "/secrets/static-auth-secret.secret";
+ static-auth-secret-file = "/run/secrets/static-auth-secret";
 realm = "turn.nekover.se";
 cert = "${config.security.acme.certs."turn.nekover.se".directory}/fullchain.pem";
 pkey = "${config.security.acme.certs."turn.nekover.se".directory}/key.pem";
@@ -42,4 +42,11 @@
 total-quota=1200
 '';
 };
+
+ sops.secrets."static-auth-secret" = {
+ mode = "0440";
+ owner = "turnserver";
+ group = "turnserver";
+ restartUnits = [ "coturn.service" ];
+ };
 }
diff --git a/config/hosts/coturn/default.nix b/config/hosts/coturn/default.nix
index bc32a3d..36644a0 100644
--- a/config/hosts/coturn/default.nix
+++ b/config/hosts/coturn/default.nix
@@ -4,5 +4,6 @@
 ./configuration.nix
 ./acme.nix
 ./coturn.nix
+ ./sops.nix
 ];
 }
diff --git a/config/hosts/coturn/secrets.nix b/config/hosts/coturn/secrets.nix
deleted file mode 100644
index 48fd211..0000000
--- a/config/hosts/coturn/secrets.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ keyCommandEnv,... }:
-{
- deployment.keys."static-auth-secret.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ];
- destDir = "/secrets";
- user = "turnserver";
- group = "turnserver";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
-}
diff --git a/config/hosts/coturn/secrets.yaml b/config/hosts/coturn/secrets.yaml
new file mode 100644
index 0000000..d90c1c5
--- /dev/null
+++ b/config/hosts/coturn/secrets.yaml
@@ -0,0 +1,25 @@ +static-auth-secret: ENC[AES256_GCM,data:af5cjUSeiCEtYki85h+XoJW5FKY4X18i6zOBZnH64Ju/LwA/yUemA8co17TG5cQnc/sw1pz6LySL2DOq/Gj42g==,iv:Yne84/VLN0jCSulA5OQ0UKbQWkqWBmHYogDuAngAp48=,tag:wJ/4yGnbypjTo/akV3P9ZA==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMXRScDR1NzhzZGRXYUZQ + ZGpRYUlOUWZTVHQvdUlrSG5SRWM2ME9sdUVZCldCZkZ0SXdqUjBVNlRnckg3N0dS + S0s2NkRnQys2SGJKSTdiUWlnbTg1dkEKLS0tIGthb0FESjAyMjlEbnV4S0lPOHda + S1ZBOWdTSmNRQXMvUGJnd05sK1Q2Qk0KHseEBDVLeSWHdgrYyITRuJyp3orrjwwS + 04ORMniHR7ymHzRPvm3oX/jkFD0iJEmk8clgm/Gcn2AQ7xXeJO7Vnw== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmemxWRnFLMFVEcVZCb3BT + MStWU21kcnF5enpleWt3dFdaMHo3RzJGaENNClU2M2tmdE0zd2pXWUJHQkV5Mkhi + a0lIbHJmWDN6UXhVeTZId3RhcEd5TWcKLS0tIFRlSUNQN0pGYmtiOGxJS0pJY0tQ + YjFzS205QklRZWdPbklIRzVzbFFPT2sKCXra+DUchbomy9pe2HJAbhAF1mstgUcv + NalettWmuLXe2B0WjC9fAy2AAJS6kysEbUh960suzSPLTqTce0MGfA== + -----END AGE ENCRYPTED FILE----- + recipient: age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l + lastmodified: "2026-05-16T23:13:15Z" + mac: ENC[AES256_GCM,data:PxX20JAaYhj3DE1KjakVmVucL7jjZU0vh5vnSNmKLgqedJiV2ZqEXpF4s1WPgYTY723aLiWDLw/8kTF/VmvMs8zOdGSkIhojWIWFE6I2yq1MjlawXuUhGpe6C1XGQ+w0KTqzyJLxyIsUSH24GqPHmLRMStE7bYdr0a4lRBHEyqE=,iv:6tXoqhG1XqDAz4SZSIxFCi01Be76/dV4vFPwv3lkcps=,tag:ytLoh7gJ+Iuqv5AwhDElrw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 diff --git a/config/hosts/coturn/sops.nix b/config/hosts/coturn/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/coturn/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} From 5b44c4516cad957ff76448f09566c6d5bbab23bb Mon Sep 17 00:00:00 2001 
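Review bot: The new `sops.nix` only sets `defaultSopsFile`; nothing records which age identity the host decrypts with, and that is exactly what an operator needs when the host is reinstalled and its key changes. A one-line comment above `defaultSopsFile` would do, e.g. `# Host decryption key: sops-nix presumably derives an age identity from the host's ssh ed25519 key (the host_age_coturn recipient in .sops.yaml) — TODO confirm`, and the identical sops.nix files added for the other hosts in patch 37 would want the same line. It is also worth stating there that after a reinstall the new public key replaces the `host_age_coturn` anchor in `.sops.yaml` and `secrets.yaml` is re-encrypted with `sops updatekeys`, so the next maintainer does not have to rediscover the procedure.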
From: Fiona Grzebien Date: Sun, 17 May 2026 01:24:09 +0200 Subject: [PATCH 33/55] Remove hydra host --- config/hosts/hydra/configuration.nix | 51 ---------------------------- config/hosts/hydra/default.nix | 9 ----- config/hosts/hydra/hydra.nix | 14 -------- config/hosts/hydra/nginx.nix | 44 ------------------------ config/hosts/hydra/nix-serve.nix | 9 ----- config/hosts/hydra/secrets.nix | 11 ------ config/hosts/valkyrie/nginx.nix | 1 - config/hosts/web-public-2/nginx.nix | 1 - flake.nix | 6 ---- hosts.nix | 4 --- 10 files changed, 150 deletions(-) delete mode 100644 config/hosts/hydra/configuration.nix delete mode 100644 config/hosts/hydra/default.nix delete mode 100644 config/hosts/hydra/hydra.nix delete mode 100644 config/hosts/hydra/nginx.nix delete mode 100644 config/hosts/hydra/nix-serve.nix delete mode 100644 config/hosts/hydra/secrets.nix diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix deleted file mode 100644 index 9b554d8..0000000 --- a/config/hosts/hydra/configuration.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ ... }: -{ - boot = { - loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - binfmt.emulatedSystems = [ - "armv6l-linux" - "armv7l-linux" - "aarch64-linux" - ]; - }; - - networking = { - hostName = "hydra"; - firewall = { - enable = true; - allowedTCPPorts = [ 8443 ]; - }; - }; - - users.users.builder = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/plZfxF/RtB+pJsUYx9HUgRcB56EoO0uj+j3AGzZta root@cherry" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeIiHkHA5c6/jZx+BB28c5wchdzlFI7R1gbvNmPyoOg root@kiara" - ]; - }; - - nix = { - settings = { - trusted-users = [ "builder" ]; - allowed-uris = "http:// https://"; - }; - buildMachines = [ - { - hostName = "localhost"; - systems = [ - "x86_64-linux" - "armv6l-linux" - "armv7l-linux" - "aarch64-linux" - ]; - } - ]; - }; - - system.stateVersion = "23.05"; -} 
diff --git a/config/hosts/hydra/default.nix b/config/hosts/hydra/default.nix deleted file mode 100644 index aeffee1..0000000 --- a/config/hosts/hydra/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./hydra.nix - ./nix-serve.nix - ./nginx.nix - ]; -} diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix deleted file mode 100644 index c8d4c3f..0000000 --- a/config/hosts/hydra/hydra.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ ... }: -{ - services.hydra = { - enable = true; - hydraURL = "https://hydra.nekover.se"; - listenHost = "localhost"; - port = 3001; - useSubstitutes = true; - notificationSender = "hydra@robot.grzb.de"; - extraConfig = " - binary_cache_public_uri = https://nix-cache.nekover.se - "; - }; -} diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix deleted file mode 100644 index 9aadd25..0000000 --- a/config/hosts/hydra/nginx.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ ... }: -{ - services.nginx = { - enable = true; - virtualHosts = { - "hydra.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."/" = { - proxyPass = "http://localhost:3001"; - }; - extraConfig = '' - listen 0.0.0.0:8443 http2 ssl proxy_protocol; - - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie - real_ip_header proxy_protocol; - ''; - }; - "nix-cache.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ { - addr = "0.0.0.0"; - port = 80; - }]; - locations."/" = { - proxyPass = "http://localhost:5005"; - }; - extraConfig = '' - listen 0.0.0.0:8443 http2 ssl proxy_protocol; - - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie - real_ip_header proxy_protocol; - ''; - }; - }; - }; -} diff --git a/config/hosts/hydra/nix-serve.nix b/config/hosts/hydra/nix-serve.nix deleted file mode 100644 index 75c18cb..0000000 
--- a/config/hosts/hydra/nix-serve.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: -{ - services.nix-serve = { - enable = true; - port = 5005; - bindAddress = "localhost"; - secretKeyFile = "/secrets/signing-key.secret"; - }; -} diff --git a/config/hosts/hydra/secrets.nix b/config/hosts/hydra/secrets.nix deleted file mode 100644 index 43329f7..0000000 --- a/config/hosts/hydra/secrets.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys."signing-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "hydra/signing-key" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; -} diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix index ab96419..2ea8db8 100644 --- a/config/hosts/valkyrie/nginx.nix +++ b/config/hosts/valkyrie/nginx.nix @@ -41,7 +41,6 @@ element-admin.nekover.se 10.202.41.100:8443; fi.nekover.se 10.202.41.125:8443; git.nekover.se 10.202.41.106:8443; - hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; mas.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443; diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 3217be8..87a1ec9 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -21,7 +21,6 @@ element-admin.nekover.se 10.202.41.100:8443; fi.nekover.se 10.202.41.125:8443; git.nekover.se 10.202.41.106:8443; - hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; mas.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443; diff --git a/flake.nix b/flake.nix index 7ea486c..0e09394 100644 --- a/flake.nix +++ b/flake.nix 
@@ -40,12 +40,6 @@ }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts; - hydraJobs = { - nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { - inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; - }) hosts; - }; - # Generate a base VM image for Proxmox with `nix build .#base-proxmox` packages.x86_64-linux = { base-proxmox = nixos-generators.nixosGenerate { diff --git a/hosts.nix b/hosts.nix index 86d65e2..83e3a63 100644 --- a/hosts.nix +++ b/hosts.nix @@ -27,10 +27,6 @@ let }) hosts; in generateDefaults { - hydra = { - site = "vs"; - environment = "proxmox"; - }; ikiwiki = { site = "vs"; environment = "proxmox"; From 8d107286a9792bb4e63389541895f780d0be5389 Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Sun, 17 May 2026 01:26:48 +0200 Subject: [PATCH 34/55] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/30f30521f3fce93c4c22bb43941cdf8e2d90d311?narHash=sha256-/VER73JyDAsvWXmEk6Qph%2Bq1cXLof4iXtxgwKsj3cP8%3D' (2026-05-16) → 'github:NixOS/nixpkgs/ff5e747c5f45865599ba7387244212420558e83c?narHash=sha256-z1PIyRIm5nlh6sB4I4ObT42O6IT5zuFzQK0RtvRoL/c%3D' (2026-05-16) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/183fe40a77b6860ddd8ed01433d0f4f2f5343e7b?narHash=sha256-W9Dm45lszeihc0BZIHeLMVAJzOETAZtgQQbPhqyLPA0%3D' (2026-05-16) → 'github:NixOS/nixpkgs/b6aac1076920329e7863e9fb607d4d1811ea16f3?narHash=sha256-gnglqTdKUK1UlKfq%2BZRXmxWW%2BMRhbpOi3DzjTp2zqRU%3D' (2026-05-16) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 9140b1e..548d0bc 100644 --- a/flake.lock +++ b/flake.lock 
@@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1778917931, - "narHash": "sha256-/VER73JyDAsvWXmEk6Qph+q1cXLof4iXtxgwKsj3cP8=", + "lastModified": 1778947228, + "narHash": "sha256-z1PIyRIm5nlh6sB4I4ObT42O6IT5zuFzQK0RtvRoL/c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "30f30521f3fce93c4c22bb43941cdf8e2d90d311", + "rev": "ff5e747c5f45865599ba7387244212420558e83c", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1778964530, - "narHash": "sha256-W9Dm45lszeihc0BZIHeLMVAJzOETAZtgQQbPhqyLPA0=", + "lastModified": 1778973839, + "narHash": "sha256-gnglqTdKUK1UlKfq+ZRXmxWW+MRhbpOi3DzjTp2zqRU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "183fe40a77b6860ddd8ed01433d0f4f2f5343e7b", + "rev": "b6aac1076920329e7863e9fb607d4d1811ea16f3", "type": "github" }, "original": { From b3f6e37765d4eaa4624fc466a8595ed721bff599 Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Sun, 17 May 2026 02:12:42 +0200 Subject: [PATCH 35/55] Remove mail-2 --- config/hosts/mail-2/acme.nix | 9 --- config/hosts/mail-2/configuration.nix | 81 --------------------------- config/hosts/mail-2/default.nix | 8 --- config/hosts/mail-2/postfix.nix | 37 ------------ config/hosts/mail-2/secrets.nix | 21 ------- 5 files changed, 156 deletions(-) delete mode 100644 config/hosts/mail-2/acme.nix delete mode 100644 config/hosts/mail-2/configuration.nix delete mode 100644 config/hosts/mail-2/default.nix delete mode 100644 config/hosts/mail-2/postfix.nix delete mode 100644 config/hosts/mail-2/secrets.nix diff --git a/config/hosts/mail-2/acme.nix b/config/hosts/mail-2/acme.nix deleted file mode 100644 index c6a353c..0000000 --- a/config/hosts/mail-2/acme.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: -{ - security.acme.certs = { - "mail-2.grzb.de" = { - listenHTTP = ":80"; - reloadServices = [ "postfix.service" ]; - }; - }; -} 
diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix deleted file mode 100644 index f1fa002..0000000 --- a/config/hosts/mail-2/configuration.nix +++ /dev/null @@ -1,81 +0,0 @@ -{ pkgs, ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - systemd.network = { - enable = true; - networks = { - "enp6s18" = { - matchConfig.Name = "enp6s18"; - address = [ - "10.201.41.100/24" - ]; - routes = [ - { - Gateway = "10.201.41.1"; - Destination = "10.201.0.0/16"; - } - { - Gateway = "10.201.41.1"; - Destination = "10.202.0.0/16"; - } - { - Gateway = "10.201.41.1"; - Destination = "172.21.87.0/24"; - } - { - Gateway = "10.201.41.1"; - Destination = "217.160.117.160/32"; - } - ]; - linkConfig.RequiredForOnline = "routable"; - }; - "wg0" = { - matchConfig.Name = "wg0"; - address = [ - "172.18.50.2/24" - ]; - DHCP = "no"; - gateway = [ - "172.18.50.1" - ]; - }; - }; - netdevs = { - "wg0" = { - netdevConfig = { - Kind = "wireguard"; - Name = "wg0"; - }; - wireguardConfig = { - PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret"; - }; - wireguardPeers = [{ - PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4="; - PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret"; - Endpoint = "217.160.117.160:51820"; - AllowedIPs = [ "0.0.0.0/0" ]; - PersistentKeepalive = 25; - }]; - }; - }; - }; - - networking = { - hostName = "mail-2"; - useDHCP = false; - firewall = { - enable = true; - allowedTCPPorts = [ 25 80 ]; - }; - }; - - environment.systemPackages = with pkgs; [ - wireguard-tools - ]; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/mail-2/default.nix b/config/hosts/mail-2/default.nix deleted file mode 100644 index ab5c757..0000000 --- a/config/hosts/mail-2/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./postfix.nix - ./acme.nix - ]; -} 
diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix deleted file mode 100644 index b7e54f3..0000000 --- a/config/hosts/mail-2/postfix.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ config, ... }: -{ - # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup - services.postfix = { - enable = true; - hostname = "mail-2.grzb.de"; - relayDomains = [ - "grzb.de" - "nekover.se" - ]; - sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem"; - sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem"; - extraConfig = '' - message_size_limit = 20971520 - smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination - proxy_interfaces = 217.160.117.160 - relay_recipient_maps = - smtp_tls_ciphers = high - smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL - smtp_tls_mandatory_ciphers = high - smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL - smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 - smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 - smtpd_tls_auth_only = yes - smtpd_tls_ciphers = high - smtpd_tls_eecdh_grade = ultra - smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL - smtpd_tls_loglevel = 1 - smtpd_tls_mandatory_ciphers = high - smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL - smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 - smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 - tls_preempt_cipherlist = yes - tls_random_source = dev:/dev/urandom - ''; - }; -} diff --git a/config/hosts/mail-2/secrets.nix b/config/hosts/mail-2/secrets.nix deleted file mode 100644 index 67beb5b..0000000 --- a/config/hosts/mail-2/secrets.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "wireguard-mail-2-wg0-privatekey.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-2-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "systemd-network"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "wireguard-lifeline-mail-2-mail-2-psk.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "systemd-network"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} From 408bbe2de2c928adc975e6d0c7b769ccfea381d4 Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Sun, 17 May 2026 02:33:39 +0200 Subject: [PATCH 36/55] Add all host age keys --- .sops.yaml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/.sops.yaml b/.sops.yaml index a0912e8..b5d0211 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -1,18 +1,96 @@ keys: - &admin_age_fi age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - &host_age_coturn age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l + - &host_age_forgejo age1d5y8dx3e8pksvxr8fv8f02v0y7qg7kuwpxpmxksp7xlvrcpfju5sdz6guk - &host_age_ikiwiki age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0 + - &host_age_jellyfin age10huhyn3va02zjysyanf8fd6lpfvjv3k3u6qymanz9jtcmfp3kqfskth7yt + - &host_age_keycloak age15kluaw2krucmc0j98zfk0s5tkwqer0ax6jva458zukzrgnqjqc9q7s88yd + - &host_age_lifeline age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua + - &host_age_mail-1 age1hny8kwx0uymselgas25q558ruxxdv7lgtu9d5rnd6x9w3nysk4zqumzzrp + - &host_age_mastodon age1r60mmmeulm33h0trc0y870dml5hzhglyjv4wecyjy2858pg8u47s793r30 + - &host_age_matrix age1g60l5mu08xrwfw7uptwcwde8kp9dacs4ltqv2ndjskpy8z5sqakqssxxq5 + - &host_age_metrics age1lrtengtdc0nzpagr8fkp5mwqda66jqr0s2h3wsxcdscmalp8n3js3r0e3n + - &host_age_metrics-nekomesh age1rh7zgp445t39c7tmh84r30e9edju8gmtn84u7rjwhmyntzkugucq5x0xse + - &host_age_nextcloud age1lvlmct30jtg7p4qpf8evtjlld6g74q2ckh803hd3ynr7cz7zlceq84flwu + - &host_age_searx age17h3js5v8s5vezcankky6kqxcrvtfxanmvhp3axmnqs4y9s2lr9yqvc6zrn + - &host_age_torrent age1m37wtvp7fpavaygn2jc6kq2gtuvgvf0jgwwhd3p5862djv5segqs97mg7c + - &host_age_valkyrie age1guqc5pnajp2whkla6vws4yqnpe5hq4z89w6te3n5yql5pugzfqlqczjlee creation_rules: - path_regex: config/hosts/coturn/.* key_groups: - age: - *admin_age_fi - *host_age_coturn + - path_regex: config/hosts/forgejo/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_forgejo - path_regex: config/hosts/ikiwiki/.* key_groups: - age: - *admin_age_fi - *host_age_ikiwiki + - path_regex: config/hosts/jellyfin/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_jellyfin + - path_regex: config/hosts/keycloak/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_keycloak + - path_regex: config/hosts/lifeline/.* + key_groups: + - age: + - *admin_age_fi + - 
*host_age_lifeline + - path_regex: config/hosts/mail-1/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_mail-1 + - path_regex: config/hosts/mastodon/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_mastodon + - path_regex: config/hosts/matrix/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_matrix + - path_regex: config/hosts/metrics/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_metrics + - path_regex: config/hosts/metrics-nekomesh/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_metrics-nekomesh + - path_regex: config/hosts/nextcloud/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_nextcloud + - path_regex: config/hosts/searx/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_searx + - path_regex: config/hosts/torrent/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_torrent + - path_regex: config/hosts/valkyrie/.* + key_groups: + - age: + - *admin_age_fi + - *host_age_valkyrie stores: yaml: indent: 2 From 679f815d605b3ddea2f4241513fa14d2eea74eab Mon Sep 17 00:00:00 2001 
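Review bot: The key list gives no indication of where each `host_age_*` value came from, which matters because a reinstalled host gets a new key and every `secrets.yaml` under its rule must then be re-encrypted. A comment above `keys:` such as `# host_age_*: age recipient of each host's ssh ed25519 host key (ssh-to-age); after a reinstall replace it here and run sops updatekeys — TODO confirm source` records the procedure next to the data it applies to. The rules themselves look consistent: every host gets exactly `admin_age_fi` plus its own key, and a new host directory without a rule should fail closed, since sops refuses to encrypt a file that matches no creation rule. The hunk is split mid-line across the two preceding lines of this excerpt (`- ` / `*host_age_lifeline`), which is a rendering artefact rather than a problem in the file.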
From: Fiona Grzebien Date: Sun, 17 May 2026 02:41:04 +0200 Subject: [PATCH 37/55] Add sops.nix to every host --- config/hosts/forgejo/default.nix | 1 + config/hosts/forgejo/sops.nix | 6 ++++++ config/hosts/jellyfin/default.nix | 1 + config/hosts/jellyfin/sops.nix | 6 ++++++ config/hosts/keycloak/default.nix | 1 + config/hosts/keycloak/sops.nix | 6 ++++++ config/hosts/lifeline/default.nix | 1 + config/hosts/lifeline/sops.nix | 6 ++++++ config/hosts/mail-1/default.nix | 1 + config/hosts/mail-1/sops.nix | 6 ++++++ config/hosts/mastodon/default.nix | 1 + config/hosts/mastodon/sops.nix | 6 ++++++ config/hosts/mastodon/yarn.patch | 21 --------------------- config/hosts/matrix/default.nix | 1 + config/hosts/matrix/sops.nix | 6 ++++++ config/hosts/metrics-nekomesh/default.nix | 1 + config/hosts/metrics-nekomesh/sops.nix | 6 ++++++ config/hosts/metrics/default.nix | 1 + config/hosts/metrics/sops.nix | 6 ++++++ config/hosts/nextcloud/default.nix | 1 + config/hosts/nextcloud/sops.nix | 6 ++++++ config/hosts/searx/default.nix | 1 + config/hosts/searx/sops.nix | 6 ++++++ config/hosts/torrent/default.nix | 1 + config/hosts/torrent/sops.nix | 6 ++++++ config/hosts/valkyrie/default.nix | 1 + config/hosts/valkyrie/sops.nix | 6 ++++++ 27 files changed, 91 insertions(+), 21 deletions(-) create mode 100644 config/hosts/forgejo/sops.nix create mode 100644 config/hosts/jellyfin/sops.nix create mode 100644 config/hosts/keycloak/sops.nix create mode 100644 config/hosts/lifeline/sops.nix create mode 100644 config/hosts/mail-1/sops.nix create mode 100644 config/hosts/mastodon/sops.nix delete mode 100644 config/hosts/mastodon/yarn.patch create mode 100644 config/hosts/matrix/sops.nix create mode 100644 config/hosts/metrics-nekomesh/sops.nix create mode 100644 config/hosts/metrics/sops.nix create mode 100644 config/hosts/nextcloud/sops.nix create mode 100644 config/hosts/searx/sops.nix create mode 100644 config/hosts/torrent/sops.nix create mode 100644 config/hosts/valkyrie/sops.nix 
diff --git a/config/hosts/forgejo/default.nix b/config/hosts/forgejo/default.nix index d71bcad..7de3a33 100644 --- a/config/hosts/forgejo/default.nix +++ b/config/hosts/forgejo/default.nix @@ -5,5 +5,6 @@ ./forgejo.nix ./redis.nix ./nginx.nix + ./sops.nix ]; } diff --git a/config/hosts/forgejo/sops.nix b/config/hosts/forgejo/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/forgejo/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/jellyfin/default.nix b/config/hosts/jellyfin/default.nix index 33e2290..70a20a7 100644 --- a/config/hosts/jellyfin/default.nix +++ b/config/hosts/jellyfin/default.nix @@ -5,5 +5,6 @@ ./hardware-configuration.nix ./jellyfin.nix ./nginx.nix + ./sops.nix ]; } diff --git a/config/hosts/jellyfin/sops.nix b/config/hosts/jellyfin/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/jellyfin/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/keycloak/default.nix b/config/hosts/keycloak/default.nix index 6289ce6..83d170e 100644 --- a/config/hosts/keycloak/default.nix +++ b/config/hosts/keycloak/default.nix @@ -4,5 +4,6 @@ ./configuration.nix ./keycloak.nix ./nginx.nix + ./sops.nix ]; } diff --git a/config/hosts/keycloak/sops.nix b/config/hosts/keycloak/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/keycloak/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/lifeline/default.nix b/config/hosts/lifeline/default.nix index 9d284a8..36dea6d 100644 --- a/config/hosts/lifeline/default.nix +++ b/config/hosts/lifeline/default.nix @@ -3,5 +3,6 @@ imports = [ ./configuration.nix ./hardware-configuration.nix + ./sops.nix ]; } diff --git a/config/hosts/lifeline/sops.nix b/config/hosts/lifeline/sops.nix new file mode 100644 index 0000000..78dc2c8 
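Review bot: Every `sops.nix` added in this commit (the same blob `78dc2c8` for all fourteen hosts) points `defaultSopsFile` at a `./secrets.yaml` that the commit does not create — the diffstat lists none — so every host except coturn carries a dangling reference until its migration lands. That should be harmless while no `sops.secrets` entry is declared, since presumably the module only reads the file through a secret's `sopsFile`, but a secret declared before the yaml exists will fail evaluation with a less obvious message; a comment at the `defaultSopsFile` line, `# secrets.yaml is created by each host's migration; declare no sops.secrets before it exists`, would explain the intermediate state. Unrelated to the subject, the commit also deletes `config/hosts/mastodon/yarn.patch` (the hunk on the following line); that belongs in its own commit or at least in the commit message.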
--- /dev/null +++ b/config/hosts/lifeline/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/mail-1/default.nix b/config/hosts/mail-1/default.nix index 5537841..28a5bdc 100644 --- a/config/hosts/mail-1/default.nix +++ b/config/hosts/mail-1/default.nix @@ -3,5 +3,6 @@ imports = [ ./configuration.nix ./simple-nixos-mailserver.nix + ./sops.nix ]; } diff --git a/config/hosts/mail-1/sops.nix b/config/hosts/mail-1/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/mail-1/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/mastodon/default.nix b/config/hosts/mastodon/default.nix index 5651eb8..5166081 100644 --- a/config/hosts/mastodon/default.nix +++ b/config/hosts/mastodon/default.nix @@ -5,5 +5,6 @@ ./mastodon.nix ./opensearch.nix ./nginx.nix + ./sops.nix ]; } diff --git a/config/hosts/mastodon/sops.nix b/config/hosts/mastodon/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/mastodon/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/mastodon/yarn.patch b/config/hosts/mastodon/yarn.patch deleted file mode 100644 index 82a2f77..0000000 --- a/config/hosts/mastodon/yarn.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff --git a/.yarnrc.yml b/.yarnrc.yml ---- a/.yarnrc.yml -+++ b/.yarnrc.yml -@@ -1 +1,6 @@ - nodeLinker: node-modules -+ -+approvedGitRepositories: -+ - "**" -+ -+enableScripts: true -diff --git a/yarn.lock b/yarn.lock ---- a/yarn.lock -+++ b/yarn.lock -@@ -2,6 +2,6 @@ - # Manual changes might be lost - proceed with caution! - - __metadata: -- version: 8 -+ version: 9 - cacheKey: 10c0 - \ No newline at end of file diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix index c6cd79a..8dbb1ac 100644 --- a/config/hosts/matrix/default.nix +++ b/config/hosts/matrix/default.nix 
@@ -8,5 +8,6 @@ ./matrix-authentication-service.nix ./matrix-synapse.nix ./nginx.nix + ./sops.nix ]; } diff --git a/config/hosts/matrix/sops.nix b/config/hosts/matrix/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/matrix/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/metrics-nekomesh/default.nix b/config/hosts/metrics-nekomesh/default.nix index c2d39a4..cc0af5c 100644 --- a/config/hosts/metrics-nekomesh/default.nix +++ b/config/hosts/metrics-nekomesh/default.nix @@ -6,5 +6,6 @@ ./neo4j.nix ./prometheus.nix ./nginx.nix + ./sops.nix ]; } diff --git a/config/hosts/metrics-nekomesh/sops.nix b/config/hosts/metrics-nekomesh/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/metrics-nekomesh/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/metrics/default.nix b/config/hosts/metrics/default.nix index ef5c25c..ea9bd08 100644 --- a/config/hosts/metrics/default.nix +++ b/config/hosts/metrics/default.nix @@ -5,5 +5,6 @@ ./grafana.nix ./prometheus.nix ./nginx.nix + ./sops.nix ]; } diff --git a/config/hosts/metrics/sops.nix b/config/hosts/metrics/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/metrics/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/nextcloud/default.nix b/config/hosts/nextcloud/default.nix index 9677aef..5c78b7a 100644 --- a/config/hosts/nextcloud/default.nix +++ b/config/hosts/nextcloud/default.nix @@ -4,5 +4,6 @@ ./configuration.nix ./hardware-configuration.nix ./nextcloud.nix + ./sops.nix ]; } diff --git a/config/hosts/nextcloud/sops.nix b/config/hosts/nextcloud/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/nextcloud/sops.nix 
@@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/searx/default.nix b/config/hosts/searx/default.nix index ee2a678..ab8d68f 100644 --- a/config/hosts/searx/default.nix +++ b/config/hosts/searx/default.nix @@ -4,5 +4,6 @@ ./configuration.nix ./nginx.nix ./searx.nix + ./sops.nix ]; } diff --git a/config/hosts/searx/sops.nix b/config/hosts/searx/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/searx/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/torrent/default.nix b/config/hosts/torrent/default.nix index dc6a854..d10522c 100644 --- a/config/hosts/torrent/default.nix +++ b/config/hosts/torrent/default.nix @@ -7,5 +7,6 @@ ./radarr.nix ./sonarr.nix ./nginx.nix + ./sops.nix ]; } diff --git a/config/hosts/torrent/sops.nix b/config/hosts/torrent/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/torrent/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/valkyrie/default.nix b/config/hosts/valkyrie/default.nix index 68a1b85..1f91238 100644 --- a/config/hosts/valkyrie/default.nix +++ b/config/hosts/valkyrie/default.nix @@ -5,5 +5,6 @@ ./nginx.nix ./containers/uptime-kuma ./services.nix + ./sops.nix ]; } diff --git a/config/hosts/valkyrie/sops.nix b/config/hosts/valkyrie/sops.nix new file mode 100644 index 0000000..78dc2c8 --- /dev/null +++ b/config/hosts/valkyrie/sops.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} From 74f35e704c076e77561f927c9fffee88a1e2c579 Mon Sep 17 00:00:00 2001 
From: Fiona Grzebien Date: Sun, 17 May 2026 02:53:13 +0200 Subject: [PATCH 38/55] Migrate forgejo to sops-nix --- config/hosts/forgejo/forgejo.nix | 9 ++++++++- config/hosts/forgejo/secrets.nix | 13 ------------- config/hosts/forgejo/secrets.yaml | 25 +++++++++++++++++++++++++ 3 files changed, 33 insertions(+), 14 deletions(-) delete mode 100644 config/hosts/forgejo/secrets.nix create mode 100644 config/hosts/forgejo/secrets.yaml diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix index 2b2aea8..21e9269 100644 --- a/config/hosts/forgejo/forgejo.nix +++ b/config/hosts/forgejo/forgejo.nix @@ -61,6 +61,13 @@ HOST = "redis+socket:///run/redis-forgejo/redis.sock"; }; }; - secrets.mailer.PASSWD = "/secrets/forgejo-mailer-password.secret"; + secrets.mailer.PASSWD = "/run/secrets/forgejo-mailer-password"; + }; + + sops.secrets."forgejo-mailer-password" = { + mode = "0440"; + owner = "forgejo"; + group = "forgejo"; + restartUnits = [ "forgejo.service" ]; }; } diff --git a/config/hosts/forgejo/secrets.nix b/config/hosts/forgejo/secrets.nix deleted file mode 100644 index 5c23295..0000000 --- a/config/hosts/forgejo/secrets.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "forgejo-mailer-password.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ]; - destDir = "/secrets"; - user = "forgejo"; - group = "forgejo"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/forgejo/secrets.yaml b/config/hosts/forgejo/secrets.yaml new file mode 100644 index 0000000..e4a1309 --- /dev/null +++ b/config/hosts/forgejo/secrets.yaml 
@@ -0,0 +1,25 @@ +forgejo-mailer-password: ENC[AES256_GCM,data:bFUrFyE/reeTtKZCrb1T1CG8Ng9QbDwZo9AdxU67i8uNmKcn93k3dqY70tSqBTAc9hpsXyW3UTKnPpk+ffb0mw==,iv:p16td5KV0rTmrrtX8FMojotEa+2oiFmVizkc6mt9QyI=,tag:czg/IlNLkx75m2iSddUkUw==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNjVaNlFWeG9vMW4vM2R3 + bWQyVk9jN1VkUUczbTBzUmdpZ2NyWlV4aVFjCmZwa0lDcXUzVDM4d1Mwa1B4Qm9q + WjVKMXJBRVNtc0JzcmE0Y20zdCtzM3cKLS0tIEJWanpwZHdPMGJiL0lkME9yVGQ1 + a3ZvRGV3VENIbmlubG16MWF3SkdyQ00KZj5vuzVyCqbLH5gnQjhRpOfHtIB3RVZC + m+VdnnAFIfShrxwfOekVavffaHmG3PWS7RUKoeZNSdtz1ScuwfazPw== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYOEdadnQvSW1mcE9hSmFL + aFlqdHpTejNZRXJCbTh4WjQyQXVobitaa2hFCjV1RU9UOGlqaXhIckNLMmYwb0s2 + eHY2VVpiQThzQUNuS1FLbFd3V2NGZk0KLS0tIGdOK3VEOUlNcldBQ1haRHhVS0cw + N3ZoNWlVK2trVkJLQlhnaHFueFdqVEkK800paYmP1opnW7o2V8f2zzWNR5tOVYGs + fl+SA7hE7uTpRrrGfuZq0jQgWOaeAbJ3+PzRuSrVlrXdWIyipcZM2Q== + -----END AGE ENCRYPTED FILE----- + recipient: age1d5y8dx3e8pksvxr8fv8f02v0y7qg7kuwpxpmxksp7xlvrcpfju5sdz6guk + lastmodified: "2026-05-17T00:50:59Z" + mac: ENC[AES256_GCM,data:I3a9s9i6sFVTRQIAj94YZNyxQsDIWIvRhy9M/e6iMYpvoQyxFvMD3xAE0NQ1uX1QgMoi+6njTc8AmTXFJvSfoiqtVfHQH+HkLPMR27DZUY6kgZGMvUVswioSKfaF8fZxGEyWRPAuTDlynfOsGpr4Tqt5U8NBiYL1FDD6CPALaiY=,iv:RUbSPPTR6cTWwzvbnQRA/f9AjjjOpQUiEBrWvxqCpTQ=,tag:GcGsBgxWU/AXm06FkUI1LA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 From 985c4c904037ec5f60781b89ed863c6c1aae225d Mon Sep 17 00:00:00 2001 
From: Fiona Grzebien Date: Sun, 17 May 2026 03:00:35 +0200 Subject: [PATCH 39/55] Migrate jellyfin to sops-nix --- .../hosts/jellyfin/hardware-configuration.nix | 8 +++++- config/hosts/jellyfin/secrets.nix | 11 -------- config/hosts/jellyfin/secrets.yaml | 25 +++++++++++++++++++ 3 files changed, 32 insertions(+), 12 deletions(-) delete mode 100644 config/hosts/jellyfin/secrets.nix create mode 100644 config/hosts/jellyfin/secrets.yaml diff --git a/config/hosts/jellyfin/hardware-configuration.nix b/config/hosts/jellyfin/hardware-configuration.nix index 764a903..f89a9e5 100644 --- a/config/hosts/jellyfin/hardware-configuration.nix +++ b/config/hosts/jellyfin/hardware-configuration.nix @@ -5,7 +5,7 @@ fsType = "cifs"; options = [ "username=jellyfin" - "credentials=/secrets/samba-credentials.secret" + "credentials=/run/secrets/samba-credentials" "iocharset=utf8" "vers=3.1.1" "uid=jellyfin" @@ -13,4 +13,10 @@ "_netdev" ]; }; + + sops.secrets."samba-credentials" = { + mode = "0440"; + owner = "root"; + group = "root"; + }; } diff --git a/config/hosts/jellyfin/secrets.nix b/config/hosts/jellyfin/secrets.nix deleted file mode 100644 index 922d4c4..0000000 --- a/config/hosts/jellyfin/secrets.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys."samba-credentials.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; -} diff --git a/config/hosts/jellyfin/secrets.yaml b/config/hosts/jellyfin/secrets.yaml new file mode 100644 index 0000000..c4653bc --- /dev/null +++ b/config/hosts/jellyfin/secrets.yaml 
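Review bot: The cifs mount now reads `/run/secrets/samba-credentials`, but nothing in the new `sops.secrets."samba-credentials"` block or in the mount options expresses that the secret must exist before the mount unit runs; it presumably works because `_netdev` defers the mount until after networking, by which time sops-nix's activation has populated `/run/secrets`, but that ordering is implicit and worth a comment such as `# read by mount.cifs at mount time; sops-nix must have run first (_netdev defers the mount)`. Since the mount is performed as root, `owner = "root"; group = "root"; mode = "0440";` grants group read to nobody beyond root — either take sops-nix's defaults by dropping the three attributes or state `mode = "0400";` explicitly. The `fileSystems` entry edited in the first hunk begins outside it.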
@@ -0,0 +1,25 @@ +samba-credentials: ENC[AES256_GCM,data:9txZMLLwlyAMzI3Naag3tUD1zSXLAf/zoJFoJZYTChhmkPpuhuuaIANFcYmH2sUYSsvZLXlbBuLXRryjTix0zK9ZfkZW8/R1vg==,iv:cF3S9S2+Vk+VAb8gyFyxZ12fqmohHSD3GG0fTILrxRM=,tag:m4BqpUlKmUoPbXTEjFmjaA==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb3dQYWM4SHVraHFPZEx6 + aGpDcTEyVjZ6Y0h6YzM4aVliRXpqZFpLcnprCmNEOHFrby9IdEE1MTZIYWxrS3BS + ZHZTSmYxUW9pek5XblIyZ2FDVlV0TEkKLS0tIEN6NnErRXI3ejc3cVBiSVR6NlpC + a2tnWWxDaXgwQ3hmc0dreTNIRnl0cTAKCSaj/epLw16tVDX4OMCzutxlnARL8MDf + pUVDonkZ7sB7d1+mnyG+gMQuFDhiDcV9WS2h3M83xoSKoHnCkca9Ew== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbUdFMlZvVXlzc3FPSmE4 + Rk1jeUpDVUJMeUlJZDlYeHhwK2l6UkJNRVFVCjNUVS9ZMjI2ME9qTFM0Umc3dXZC + Z0todzhYSXZ5Yk5odUdOZGg3VnE3QW8KLS0tIGd1emhUMFVHT3JiZ1JhY0FWOU1i + cW9PWk9oRHZGeFlSdlVLSlJ6TVg4WnMKikUhDJNyuKdiazCUcKBo834NO3U6ZfjB + GbDn3wUKb465CDYw7GPcvZtM2mNufsoInZh+Oq/07Hi+seAXfX2y7A== + -----END AGE ENCRYPTED FILE----- + recipient: age10huhyn3va02zjysyanf8fd6lpfvjv3k3u6qymanz9jtcmfp3kqfskth7yt + lastmodified: "2026-05-17T00:58:22Z" + mac: ENC[AES256_GCM,data:0WF8JU4d+5nHHB5iBmqdS6TkZem2AHrYNx6zDm4yoIKip7ZVTfCPCyhZ4c3QseEBn1G2IXsTMEtIk6RVI2JigSJPLjyXOTJOeWjVtPD5+1I+mrU7z+YWN+sK5i4F1hQX7/E4JbTDh/h+NbqZ6I9pBq7Nm12QUtZdp/7R5qChXs4=,iv:DBdSDx/X8fh7SXiC073AtDMPDB9idKItzEz2fl7xe+g=,tag:0O1pZp6+Y2Uf2DlijwZLeg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 From 5d1fc8bbc337d7f25a3b430caae31397e6b46382 Mon Sep 17 00:00:00 2001 
From: Fiona Grzebien Date: Sun, 17 May 2026 03:10:06 +0200 Subject: [PATCH 40/55] Migrate keycloak to sops-nix --- config/hosts/keycloak/keycloak.nix | 9 ++++++++- config/hosts/keycloak/secrets.nix | 13 ------------- config/hosts/keycloak/secrets.yaml | 25 +++++++++++++++++++++++++ 3 files changed, 33 insertions(+), 14 deletions(-) delete mode 100644 config/hosts/keycloak/secrets.nix create mode 100644 config/hosts/keycloak/secrets.yaml diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix index 2ae957b..a069fd1 100644 --- a/config/hosts/keycloak/keycloak.nix +++ b/config/hosts/keycloak/keycloak.nix @@ -10,6 +10,13 @@ http-host = "127.0.0.1"; http-port = 8080; }; - database.passwordFile = "/secrets/keycloak-database-password.secret"; + database.passwordFile = "/run/secrets/keycloak-database-password"; + }; + + sops.secrets."keycloak-database-password" = { + mode = "0440"; + owner = "root"; + group = "systemd-network"; + restartUnits = [ "keycloak.service" ]; }; } diff --git a/config/hosts/keycloak/secrets.nix b/config/hosts/keycloak/secrets.nix deleted file mode 100644 index 984e9ad..0000000 --- a/config/hosts/keycloak/secrets.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "keycloak-database-password.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "keycloak/database-password" ]; - destDir = "/secrets"; - user = "root"; - group = "systemd-network"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/keycloak/secrets.yaml b/config/hosts/keycloak/secrets.yaml new file mode 100644 index 0000000..a84ab28 --- /dev/null +++ b/config/hosts/keycloak/secrets.yaml 
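Review bot: `group = "systemd-network"` on `sops.secrets."keycloak-database-password"` gives a network-configuration group read access (mode `0440`) to a database password; the value is carried over from the deleted `secrets.nix`, and nothing in this hunk shows the keycloak service running under that group. Confirm which identity actually opens `database.passwordFile` and narrow the group to it — if the NixOS keycloak module reads the file as root before dropping privileges, `group = "root";` (or omitting `owner`/`group` for sops-nix's defaults) is sufficient and a short comment should record why the group was chosen. The `services.keycloak` attribute set closed by this hunk begins outside it.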
@@ -0,0 +1,25 @@ +keycloak-database-password: ENC[AES256_GCM,data:2Jk0wskmlpdpaZj05MX4YRRDR75eAkk5eDNNOTSA9+dN8OGkUWdI0CX9ZdQFUB31GiRaLZQ4I9gwnIc2sIxzuA==,iv:4fq+safzIGC21NFTaHsIfgZwuKelQyxttEeW7Pp09v8=,tag:c7LO34hJqi1yEwQ+cQc0Dg==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArR0Y2ZVg4S1FDYmRlS0xL + VWlJVzNvdHVXanBMN043QjcxVjd5bFk5d21JCnVzYVcwT2tnQS9jblhVQUFaNWZD + L0owQ1hhUFdhNVAzaVJNbWhQaEdXZlUKLS0tIFZFOFpKUklKNVJFRS9ZY1JaeS9D + RnF5YjRmbXRaY3h1MU5PWEZETGh0N2cKIwZg6mMY8c3VpE9hAk9bcFXLyzl7J/4M + BIh7C+yZbD7bL92TEP3gTpW+EsGiJl2LCq7NVVuDkboYuJ6kAqLppg== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGS25mcEErQ1pUMTV6U1h4 + WXduajlyTFFncXdhZ09BdXg4amV4V0xMalFNCm85dk1ldUlHTytXRDJLcjIyN2M2 + ZmVFVG1YcWhnTmwySmFRUDhEMkVyb1EKLS0tIHVDVkc3QytPU3pQTWxMSG1TRFdI + LzVUdGUrZmVTa1RqRHNWaFFhY09ySEUKFrN7X2ir3gwL/S91mychdjXi2oBPEPr9 + aizXtIk0JX6SzrP/Oy0mYROeEEEUfPVBBypEUlBjlyeSyathmEoVLQ== + -----END AGE ENCRYPTED FILE----- + recipient: age15kluaw2krucmc0j98zfk0s5tkwqer0ax6jva458zukzrgnqjqc9q7s88yd + lastmodified: "2026-05-17T01:07:49Z" + mac: ENC[AES256_GCM,data:fAOsq2jrl8dTvQSn+Cp0sxuU5AuOdnm97LBIyPY71KbxMAY0vn/RDvhszvskMIE25JWGuZROnFoYmrkUqSp/pxG9gvcPQ6keW9WMr09YFli4u1tvADl6Ag+OkcgDe2UP1aPRkW6i7sGpq7Wfv/3G8HNMLgywhyiAA2XICymbDBI=,iv:ChOk26gheG2ErLVqt/rrMw1MxuOmEA595fay6pGUCcc=,tag:8wGA4YZa+ZyNDIBz/d1DUg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 From 8784537a380c6faa1bb4a30365797079aa849244 Mon Sep 17 00:00:00 2001 
From: Fiona Grzebien Date: Sun, 17 May 2026 03:25:55 +0200 Subject: [PATCH 41/55] Migrate lifeline to sops-nix --- config/hosts/lifeline/configuration.nix | 18 +++++++++++++++-- config/hosts/lifeline/secrets.nix | 21 -------------------- config/hosts/lifeline/secrets.yaml | 26 +++++++++++++++++++++++++ 3 files changed, 42 insertions(+), 23 deletions(-) delete mode 100644 config/hosts/lifeline/secrets.nix create mode 100644 config/hosts/lifeline/secrets.yaml diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index 500c407..788c3fc 100644 --- a/config/hosts/lifeline/configuration.nix +++ b/config/hosts/lifeline/configuration.nix @@ -26,7 +26,7 @@ { name = "mail-2"; publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM="; - presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret"; + presharedKeyFile = "/run/secrets/wireguard-lifeline-mail-2-lifeline-psk"; allowedIPs = [ "172.18.50.2/32" ]; } ]; @@ -38,7 +38,7 @@ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens6 -j MASQUERADE ''; - privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret"; + privateKeyFile = "/run/secrets/wireguard-lifeline-wg0-privatekey"; }; }; nat = { @@ -62,5 +62,19 @@ services.prometheus.exporters.node.enable = false; + sops.secrets."wireguard-lifeline-mail-2-lifeline-psk" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "wireguard-wg0.service" ]; + }; + + sops.secrets."wireguard-lifeline-wg0-privatekey" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "wireguard-wg0.service" ]; + }; + system.stateVersion = "23.05"; } diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix deleted file mode 100644 index f2b6e23..0000000 --- a/config/hosts/lifeline/secrets.nix +++ /dev/null 
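Review bot: `restartUnits = [ "wireguard-wg0.service" ]` on `sops.secrets."wireguard-lifeline-mail-2-lifeline-psk"` may not pick up a rotated pre-shared key: in current nixpkgs the `networking.wireguard` module applies each peer's `presharedKeyFile` from a per-peer unit (`wireguard-wg0-peer-mail-2.service` for the peer named `mail-2` in the first hunk), so unless that unit is `partOf` the interface unit it keeps the old key until restarted — confirm, and if so list it: `restartUnits = [ "wireguard-wg0.service" "wireguard-wg0-peer-mail-2.service" ];`. The two `sops.secrets` declarations differ only in name and could be a single `lib.genAttrs [ … ] (_: { … })` call. The enclosing module body begins outside the hunk.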
@@ -1,21 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "wireguard-lifeline-wg0-privatekey.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "wireguard-lifeline-mail-2-lifeline-psk.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/lifeline/secrets.yaml b/config/hosts/lifeline/secrets.yaml new file mode 100644 index 0000000..01b2010 --- /dev/null +++ b/config/hosts/lifeline/secrets.yaml 
@@ -0,0 +1,26 @@ +wireguard-lifeline-wg0-privatekey: ENC[AES256_GCM,data:yUIu+AC24/84w0GQPko64E89ZjzMoaa0Z8J2IFY8wDmCw+z1Als0h42XB5U=,iv:2pmy0FyeyvHbRRYnog9mth7hWfMt4mNe8/dSK3eYd2E=,tag:/gRbYT8EnbDRiFN0Ohu4ng==,type:str] +wireguard-lifeline-mail-2-lifeline-psk: ENC[AES256_GCM,data:IvgVTsgFfONCm3OJ8iKtwRUY6uTEZfpyGubm/iysOySebPuDg+/AGNUu5ZQ=,iv:HZpAqLLt/cDQo51+koS3nZ1mkN0ZmqCY7gedx6PHthM=,tag:klM8lxBmZvXn3XUD/duGMA==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLcGo4RTJsQnZWWXBadjAz + YW5VcFBwWUxUR2N2d092WmN6LzdkaStaVVNJCkdWLzF4ZU4rY3pPLzc1YUZUb2hM + bHNiRkhabG1ON2YzemdCMjQwOW5hdG8KLS0tIER4RGdZNkN4U0dTekx6MURpY0oz + ZURQbEF0c2VXNFFRVEI5YjUydzNQVTQK6Q3yE+P41Ukay2h2RVXHcCbE19piBwHa + Gdxok7ObnjTBpFxWuz4Sqvozb4R9dbkTPtSp72Yjv78QBinLmWGJ/A== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlemExaHpsTFBEYjJURjNp + WmluaHcwaUtyNmRINEJ6NXlFVWplZm9YeEJvCktMM2N0dWFxYUFKM25EdVo0RmNG + MDYzcFFnOG95SXdrU3VzWmdqQ3U0L2cKLS0tIGhHUmNNS0w0bzhhdHgzL1hYQjRr + SEczcDdWMnh3aThXK3JrLzkrTEZ0TkUKexB+HBUOWSsel9sNgUHnj5NJdj8zZX/C + XB4W6fwzMxPHHknk1y/4z/F8oNnUzXmh3QfT/15glDmmCpyM3PGWVw== + -----END AGE ENCRYPTED FILE----- + recipient: age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua + lastmodified: "2026-05-17T01:24:39Z" + mac: ENC[AES256_GCM,data:JyTfrwkD8GxbzzuK1CsBRr8+Hxheu1gvB2KP3jGJkvLktzzNLYH7qq7JJu2oP6X18MMa+dlMuY9lHosoWy+wA34kgrtBVqtCfTnOx3jafwfLdNVBVTORN8h7so1N0KKwuSJnFL6BqMWhiQiPVOENGThqlIqKDwSiP3hyfFLDBuM=,iv:0IkM76X2Ly3hil7XneURzQk4wVUJy/bs/9zX3r9cTVo=,tag:vC7HDnB6WCTTy5MSh4tDDg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 From 88ce33c5044043b59978109b65e34fcb197799ab Mon Sep 17 00:00:00 2001 
From: Fiona Grzebien Date: Sun, 17 May 2026 03:45:18 +0200 Subject: [PATCH 42/55] Add secrets for mastodon --- config/hosts/mastodon/secrets.yaml | 31 ++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 config/hosts/mastodon/secrets.yaml diff --git a/config/hosts/mastodon/secrets.yaml b/config/hosts/mastodon/secrets.yaml new file mode 100644 index 0000000..0858aac --- /dev/null +++ b/config/hosts/mastodon/secrets.yaml 
@@ -0,0 +1,31 @@ +mastodon-secret-key-base: ENC[AES256_GCM,data:GP8mtL5hkDqNjbiqONXJNDX+e9RuOejnAxX0fk1gvVR+Xkb99/wNPun1p85AVOv1rn8n0H4X8aZwPK/P2lljyGWs4RSwYaLOMMoowSu+QwDYzK2+uf2lsiM5esOAr/rfuX1BZIEnrJPYAIZYtTIBTyrMN9zTtPvyBaPn4cL0sKQ=,iv:jxy37Sa3ywLhVSYhgiC1spky6psxZzso74es5CnBObw=,tag:+nW6SxoYJgcSU2r6d2J00g==,type:str] +mastodon-vapid-private-key: ENC[AES256_GCM,data:mE29UuQGzQ/LPrvop0zODM3tI/DOXsCPemh/5Y7VribAUq25Fftoo3tWEbk=,iv:qJTJL4g9AOcPJIP9IWnSso6ECs3sSiubW9SNUaYIcXE=,tag:OnhsJeWYLDFMlmVsLf4syw==,type:str] +mastodon-email-smtp-pass: ENC[AES256_GCM,data:8UcjUSZMuUPZvc1hM79XGjor0LuKcGg8qLr/oFggcTMtQ9+ff2QHGaZFiHRcNFibdp0IexO2PDy0yMF5qivxJA==,iv:fd3vv21PnC2M/Ptdwy2j6vn+juWrEnZKtTtzhS71igI=,tag:8nmdu2TD0TTmCfA+kIkb4Q==,type:str] +mastodon-keycloak-client-secret: ENC[AES256_GCM,data:jLDVhGhUUI5o2UjHolahncXXiqHHyFT/SavQTaUTlaSje3l2khvAIzmEn8TfC6FrF8BMjzI=,iv:Hq5XrtpnFYnIxrIb8rX5PDL7z7bLuOrtTTubm7HsE88=,tag:ayNJWs3UROd/sBQ5rnuv6w==,type:str] +mastodon-active-record-encryption-primary-key: ENC[AES256_GCM,data:H45LQ1gXCaepRe1ftap5ruWwC7ThI8m/EBtKdqP8QHQ=,iv:wAYQW7INq36GscjdaldCCS0RpjYuemtveoNdeqS1wz0=,tag:hjlXqo9WmE57fENQZaRCXA==,type:str] +mastodon-active-record-encryption-key-derivation-salt: ENC[AES256_GCM,data:DeeXCelirIcDyTDdPeKoaAeD2jzWGLU3p28e5JX8m9E=,iv:yQcddWeesrMWgIAj/MnBwPUwikk2VHAbNDFs0r5Fp0Q=,tag:H6boQ5IEGEhx5Ha15eEUhw==,type:str] +mastodon-active-record-encryption-deterministic-key: ENC[AES256_GCM,data:yrakH+MxQ8/SmAtLOvGcyIAjfbVdb8NgqYqpm+ALKA0=,iv:ZbagvnAPTLBmzxAdXZ0Ecat0jTpeRWiudpk3U+1hEXE=,tag:pnF87Gg4nTRC1YVK1bbGCw==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTDB3d1FFWjY2LzhZUmVP + S1BicjRhc2ZzWWMvb2xjT1lzVVY3Z2hqYW53CndNaGJ6NXkyamg0a1BIdzlVL214 + dk5SbDFDdVNGNnp1citjZkQ3UTNHcUUKLS0tIGwvOHl4RUErRjR3Nm1paGVmZEhX + a1N2SlZlY05aN2hEcXlGdnA0ZndlUjgK01enGoJvkN5YMbm38wcRYaM1ogzybJIL + OTig1Fg2CopEmaE/Y6bpuMFIyCFXZDhJQ3LaI+0kydzPGB2nZyWZ2g== + -----END AGE ENCRYPTED FILE----- + 
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbnFPOEJVWXAxTEpiNUgw + SDliL3hZeWpaK3JMN0hyV09jUTBSV2pYN2gwCmd2STBsYzhNYlpWRzhCUWZhZ1Rw + Yzdta25vN0NKeTFXWXRiUWZsTGVaY28KLS0tIC8yUERNWHNqTTFQazQzRkYvNk9K + TjlQaVRFdXJ6WVRIVnczYmlFc2t6S2MK5wnjZnhL+GK1eXnANSDe5zcsZdb5N715 + odb/rjaIvUKaSUkmJfQK954pCBsiJXnURt5FKLnOGHtlQmt0kyg8dQ== + -----END AGE ENCRYPTED FILE----- + recipient: age1r60mmmeulm33h0trc0y870dml5hzhglyjv4wecyjy2858pg8u47s793r30 + lastmodified: "2026-05-17T01:44:58Z" + mac: ENC[AES256_GCM,data:DV91qRrbXxS+yvknPuLjRWYdsJdWtODy9q2onrSpWv6P7YR1siNFNpDyioMLKLRby80kY1R1zSofiaepVmP/nWtqtSDsq/plNWIZi7FR7X0TG0hNc3S6GJ0UatXVxOGp6LxvO2doVIMUs3LKd4+16FFMQYEQJ35VbuYFVhWw5SU=,iv:zVmZ7Ho28I9y7IvCULWehzJB64FSLLaspa/Rj+EJpX0=,tag:HRBTVgvm8pZvUgFBqjCEoQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 From dc965c33290ef7fca815394bc4acfc9337c0e3a7 Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Sun, 17 May 2026 18:46:41 +0200 Subject: [PATCH 43/55] Migrate mastodon to sops-nix --- config/hosts/mastodon/mastodon.nix | 58 ++++++++++++++++++++++++---- config/hosts/mastodon/secrets.nix | 61 ------------------------------ 2 files changed, 51 insertions(+), 68 deletions(-) delete mode 100644 config/hosts/mastodon/secrets.nix diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 51b3afe..56cdd00 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -61,21 +61,21 @@ in enable = true; package = pkgs-overlay.mastodon; localDomain = "social.nekover.se"; - secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret"; + secretKeyBaseFile = "/run/secrets/mastodon-secret-key-base"; vapidPublicKeyFile = "${vapidPublicKey}"; - vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret"; + vapidPrivateKeyFile = "/run/secrets/mastodon-vapid-private-key"; smtp = { authenticate = true; host = "mail-1.grzb.de"; port = 465; user = "social@nekover.se"; - passwordFile = "/secrets/mastodon-email-smtp-pass.secret"; + passwordFile = "/run/secrets/mastodon-email-smtp-pass"; fromAddress = "Nekoverse "; }; streamingProcesses = 3; - activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret"; - activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret"; - activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret"; + activeRecordEncryptionPrimaryKeyFile = "/run/secrets/mastodon-active-record-encryption-primary-key"; + activeRecordEncryptionKeyDerivationSaltFile = "/run/secrets/mastodon-active-record-encryption-key-derivation-salt"; + activeRecordEncryptionDeterministicKeyFile = "/run/secrets/mastodon-active-record-encryption-deterministic-key"; extraConfig = { SMTP_TLS = "true"; ES_PRESET = "single_node_cluster"; 
@@ -94,8 +94,52 @@ in AUTHORIZED_FETCH = "true"; }; extraEnvFiles = [ - "/secrets/mastodon-keycloak-client-secret.secret" + "/run/secrets/mastodon-keycloak-client-secret" ]; elasticsearch.host = "127.0.0.1"; }; + + sops.secrets."mastodon-secret-key-base" = { + mode = "0440"; + owner = "mastodon"; + group = "mastodon"; + restartUnits = [ "mastodon-web.service" ]; + }; + sops.secrets."mastodon-vapid-private-key" = { + mode = "0440"; + owner = "mastodon"; + group = "mastodon"; + restartUnits = [ "mastodon-web.service" ]; + }; + sops.secrets."mastodon-email-smtp-pass" = { + mode = "0440"; + owner = "mastodon"; + group = "mastodon"; + restartUnits = [ "mastodon-web.service" ]; + }; + sops.secrets."mastodon-active-record-encryption-primary-key" = { + mode = "0440"; + owner = "mastodon"; + group = "mastodon"; + restartUnits = [ "mastodon-web.service" ]; + }; + sops.secrets."mastodon-active-record-encryption-key-derivation-salt" = { + mode = "0440"; + owner = "mastodon"; + group = "mastodon"; + restartUnits = [ "mastodon-web.service" ]; + }; + sops.secrets."mastodon-active-record-encryption-deterministic-key" = { + mode = "0440"; + owner = "mastodon"; + group = "mastodon"; + restartUnits = [ "mastodon-web.service" ]; + }; + sops.secrets."mastodon-keycloak-client-secret" = { + mode = "0440"; + owner = "mastodon"; + group = "mastodon"; + restartUnits = [ "mastodon-web.service" ]; + }; } + diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix deleted file mode 100644 index 88413c7..0000000 --- a/config/hosts/mastodon/secrets.nix +++ /dev/null 
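Review bot: Every `sops.secrets."mastodon-*"` block restarts only `mastodon-web.service`, yet the SMTP password and the Active Record encryption keys are also read by the sidekiq and streaming processes the NixOS module starts (`mastodon-sidekiq-all.service` with the default `sidekiqProcesses`, and one `mastodon-streaming-<n>.service` per `streamingProcesses` — confirm the exact names against the module), so after a rotation those keep running with stale secrets. The seven blocks are identical apart from the name and are better expressed once with `lib.genAttrs` (this needs `lib` in the module's argument set, which is outside the hunk); the matrix-synapse hunk of patch 44 has the same repetition. The hunk also appends a blank line after the closing `}`, leaving the file with a trailing empty line. The `services.mastodon` attribute set closed here begins outside the hunk.
```nix
  # … unchanged: services.mastodon { … extraEnvFiles, elasticsearch.host } …

  # One declaration for all mastodon secrets; they share owner and consumers.
  sops.secrets = lib.genAttrs [
    "mastodon-secret-key-base"
    "mastodon-vapid-private-key"
    "mastodon-email-smtp-pass"
    "mastodon-active-record-encryption-primary-key"
    "mastodon-active-record-encryption-key-derivation-salt"
    "mastodon-active-record-encryption-deterministic-key"
    "mastodon-keycloak-client-secret"
  ] (_: {
    mode = "0440";
    owner = "mastodon";
    group = "mastodon";
    # web is not the only consumer; add the streaming units as well (names to confirm).
    restartUnits = [ "mastodon-web.service" "mastodon-sidekiq-all.service" ];
  });
```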
@@ -1,61 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "mastodon-secret-key-base.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ]; - destDir = "/secrets"; - user = "mastodon"; - group = "mastodon"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mastodon-vapid-private-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ]; - destDir = "/secrets"; - user = "mastodon"; - group = "mastodon"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mastodon-email-smtp-pass.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ]; - destDir = "/secrets"; - user = "mastodon"; - group = "mastodon"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mastodon-keycloak-client-secret.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mastodon/keycloak-client-secret" ]; - destDir = "/secrets"; - user = "mastodon"; - group = "mastodon"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mastodon-active-record-encryption-primary-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-primary-key" ]; - destDir = "/secrets"; - user = "mastodon"; - group = "mastodon"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mastodon-active-record-encryption-key-derivation-salt.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-key-derivation-salt" ]; - destDir = "/secrets"; - user = "mastodon"; - group = "mastodon"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mastodon-active-record-encryption-deterministic-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-deterministic-key" ]; - destDir = "/secrets"; - user = "mastodon"; - group = "mastodon"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} From a01a891495ed2590a6fc74b3a5d8967f5f6ad6f8 Mon Sep 17 00:00:00 2001 
From: fi Date: Mon, 18 May 2026 21:21:20 +0200 Subject: [PATCH 44/55] Migrate matrix to sops-nix --- config/hosts/matrix/element-call.nix | 11 +++- .../matrix/matrix-authentication-service.nix | 11 +++- config/hosts/matrix/matrix-synapse.nix | 41 +++++++++++-- config/hosts/matrix/secrets.nix | 61 ------------------- config/hosts/matrix/secrets.yaml | 31 ++++++++++ 5 files changed, 85 insertions(+), 70 deletions(-) delete mode 100644 config/hosts/matrix/secrets.nix create mode 100644 config/hosts/matrix/secrets.yaml diff --git a/config/hosts/matrix/element-call.nix b/config/hosts/matrix/element-call.nix index db988b9..7bfc32f 100644 --- a/config/hosts/matrix/element-call.nix +++ b/config/hosts/matrix/element-call.nix @@ -4,15 +4,22 @@ enable = true; settings.rtc.use_external_ip = true; openFirewall = true; - keyFile = "/secrets/matrix-livekit-secret-key.secret"; + keyFile = "/run/secrets/matrix-livekit-secret-key"; }; services.lk-jwt-service = { enable = true; port = 8082; livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu"; - keyFile = "/secrets/matrix-livekit-secret-key.secret"; + keyFile = "/run/secrets/matrix-livekit-secret-key"; }; systemd.services.lk-jwt-service.environment = { LIVEKIT_FULL_ACCESS_HOMESERVERS = "nekover.se"; }; + + sops.secrets."matrix-livekit-secret-key" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "livekit.service" "lk-jwt-service.service" ]; + }; } diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix index e13bdd9..8fada3a 100644 --- a/config/hosts/matrix/matrix-authentication-service.nix +++ b/config/hosts/matrix/matrix-authentication-service.nix @@ -11,7 +11,7 @@ let { name = "oauth"; } { name = "compat"; } { name = "graphql"; } - { + { name = "assets"; path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/"; } 
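Review bot: `sops.secrets."matrix-livekit-secret-key"` is `owner = "root"; group = "root"; mode = "0440";` while the same file is handed to two services, `services.livekit` and `services.lk-jwt-service`, via `keyFile`; that only works if both modules read the key through a root-mediated path (for example a systemd `LoadCredential`) rather than as their own service user — presumably they do, but a one-line comment such as `# root-only: both modules load the key via systemd credentials` would record the assumption, and if either reads it directly the unit will fail to open the file. The `matrix-authentication-service.nix` hunk in this patch is a whitespace-only change to the `{ name = "assets"; …}` entry and could be dropped from a secrets-migration commit. The `services.livekit` attribute set at the top of the first hunk begins outside it.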
@@ -92,7 +92,7 @@ in serviceConfig = { Type = "simple"; - ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret"; + ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/run/secrets/matrix-mas-secret-config"; WorkingDirectory = "${pkgs.matrix-authentication-service}"; User = "matrix-synapse"; Group = "matrix-synapse"; @@ -102,4 +102,11 @@ in "multi-user.target" ]; }; + + sops.secrets."matrix-mas-secret-config" = { + mode = "0440"; + owner = "matrix-synapse"; + group = "matrix-synapse"; + restartUnits = [ "matrix-authentication-service.service" ]; + }; } diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 371eb95..df9c6af 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -51,7 +51,7 @@ notif_from = "Nekoverse Matrix Server "; }; max_upload_size = "500M"; - signing_key_path = "/secrets/matrix-homeserver-signing-key.secret"; + signing_key_path = "/run/secrets/matrix-homeserver-signing-key"; admin_contact = "mailto:admin@nekover.se"; web_client_location = "https://element.nekover.se"; enable_metrics = true; 
@@ -86,10 +86,41 @@ }; extras = [ "oidc" ]; extraConfigFiles = [ - "/secrets/matrix-registration-shared-secret.secret" - "/secrets/matrix-turn-shared-secret.secret" - "/secrets/matrix-email-smtp-pass.secret" - "/secrets/matrix-homeserver-mas-config.secret" + "/run/secrets/matrix-registration-shared-secret" + "/run/secrets/matrix-turn-shared-secret" + "/run/secrets/matrix-email-smtp-pass" + "/run/secrets/matrix-homeserver-mas-config" ]; }; + + sops.secrets."matrix-homeserver-signing-key" = { + mode = "0440"; + owner = "matrix-synapse"; + group = "matrix-synapse"; + restartUnits = [ "matrix-synapse.service" ]; + }; + sops.secrets."matrix-registration-shared-secret" = { + mode = "0440"; + owner = "matrix-synapse"; + group = "matrix-synapse"; + restartUnits = [ "matrix-synapse.service" ]; + }; + sops.secrets."matrix-turn-shared-secret" = { + mode = "0440"; + owner = "matrix-synapse"; + group = "matrix-synapse"; + restartUnits = [ "matrix-synapse.service" ]; + }; + sops.secrets."matrix-email-smtp-pass" = { + mode = "0440"; + owner = "matrix-synapse"; + group = "matrix-synapse"; + restartUnits = [ "matrix-synapse.service" ]; + }; + sops.secrets."matrix-homeserver-mas-config" = { + mode = "0440"; + owner = "matrix-synapse"; + group = "matrix-synapse"; + restartUnits = [ "matrix-synapse.service" ]; + }; } diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix deleted file mode 100644 index 5121ded..0000000 --- a/config/hosts/matrix/secrets.nix +++ /dev/null 
@@ -1,61 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "matrix-registration-shared-secret.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/registration-shared-secret" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "matrix-turn-shared-secret.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/turn-shared-secret" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "matrix-email-smtp-pass.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/email-smtp-pass" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "matrix-homeserver-signing-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-signing-key" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "matrix-homeserver-mas-config.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "matrix-mas-secret-config.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "matrix-livekit-secret-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/livekit-secret-key" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/matrix/secrets.yaml b/config/hosts/matrix/secrets.yaml new file mode 100644 index 0000000..39f4078 --- /dev/null 
+++ b/config/hosts/matrix/secrets.yaml 
@@ -0,0 +1,31 @@ +matrix-registration-shared-secret: ENC[AES256_GCM,data:7ECdyhXVwDJW23eh2l8kJhQJoKeMeEQYzV1dbT72/9cqVtB7nAzGtiDDCh3YQlHp8Z6UuNddzhmLI204LrSf8QESqcwUc7I4DzUd2ufN5gAVfVFfNC/imqCnzro=,iv:eUhXcvYyYoRsiW6k54e654yfu6Kclx3EIls12RG4W6s=,tag:Ep3KV/O7xZF87ScOa1sB5w==,type:str] +matrix-turn-shared-secret: ENC[AES256_GCM,data:A7+1pogcH4V+3WnGhsaTN1TMn7NheFkc/vRoHKh/DMBC7L6b9Lfv1HvdJjSXs8kRI6R2gTxDWuvc6iKYOo80HfP/iPEv92b7AF2KT3EzyCKpaoPA,iv:0xztkTQHP9GhaZ9Y60XujMNUrcDr0H9xcnDa9dDH0kk=,tag:1e6HKoLiWOzKURZBA98CKw==,type:str] +matrix-email-smtp-pass: ENC[AES256_GCM,data:kr/5n3YGAoA7GTCpEgkIlp2v/ciN+TgjKuiHk3tkjhwGqStdIKPcFn1tqXtmDUIbQzQDYhSIx3UmfCLJteIUYI4JlIZig174K0ON,iv:4MP+Y20yv9CaCvqPeqAyOzaaJN728cqIh5b5siIEcJM=,tag:JXmpP6ivc1b/osIc5UaRyA==,type:str] +matrix-homeserver-signing-key: ENC[AES256_GCM,data:FyKkSncgQZRWJnEsFrxgMI3uorQSGntWaPpjfPzV0uIV3p+ESgTygDjd0ordwZIXcZ+mCasd5TCATw==,iv:WWtaCwwAJLI8UeQFWFnK0WlWDGsbwj+rULlJd4nJ1Cw=,tag:7t3jLu+Y2Ad2Wf5N2i2pxA==,type:str] +matrix-homeserver-mas-config: ENC[AES256_GCM,data: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,iv:WnI2PUw4BTvyYU+POGI5bgxVrJfDsORIwbYPQwVnSRc=,tag:uguLxZ8UbXz5rhmbpeuXBA==,type:str] +matrix-mas-secret-config: ENC[AES256_GCM,data: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,iv:DHHn5SX646k5naHyx8OdDWcmQMRUYKIKWGZ8IWVG8I0=,tag:YSHy/NXD0c3vZ52Im8ZgFg==,type:str] +matrix-livekit-secret-key: ENC[AES256_GCM,data:Qj89Swcj24jkNR2gmsdx3wfJ5PADU+uN7d1N3jNy8REfpL5MJUym3V14YqhCLbNzuihRGsXlUtboBVx+,iv:/TdoutHl39y/L8cqcOX78SAsB12RZTNCPXJrCHowwF4=,tag:pM2Mf0Rj2Qe6y+BxhT+3HQ==,type:str] +sops: + age: + - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDYVh0dithekdBY0VNUTk3 + S2xBS2M1QVorVnRvdEdRM2MrODNXTmU2cWlJCjhkZTNhSGFTcGNNeFVXMjhISU5l + T0pqZVh4US9YSksvMDlNR1k2R01QRGsKLS0tIGhUQUlDZ1hUOTdPTGREVmlhY2gr + RUZtb01sOUFaVU56RjMyeDR1YTVvNW8KhYw8sxDzilAUePO/H7FFwHLbGMGaEmPQ + 
cnWWTSmBACJhh9PQL+I1RYwGTmxXgoYg2KW2Neg13znq2e2DsxW++Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1g60l5mu08xrwfw7uptwcwde8kp9dacs4ltqv2ndjskpy8z5sqakqssxxq5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMU1uYzlsTmNOdXF6dHpF + TWdyVjJQcEVQdFI5K2puc0s4TWI5T004cEV3CjhFbmI0LytDMUZDNHo2Q0U1UnNy + Vm93VmpkMjV0cmVSVTNYNXliNU81b28KLS0tIFJPS2VVb25oOG0zKzZ4MFgwTTNw + aDZkcDMzOHZrMWpHb1FYZTljQk80MlEKXun1lWxAyUC+abSc258Wl8YaJqJmWlpg + cbCotao9FjTlelqtERIdl1W/bdoVOV2JTgUDCAOPl9n33uKCEvg9mg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-05-18T19:52:51Z" + mac: ENC[AES256_GCM,data:XXdE62W90b2b6HyDSXqKFahBncu1yZWMD0vttjbBqGdZjYpRG5V3f9QunOVQ+1Rr0tADria0ecrlbcfkrHVU9l2oPlpaZ9DEgSuD8UEIRzWGgtIlM4lzMvvaTcZMz97vfbAv/Che+SBtQ8vrE8V4SPX5W0L86OLi7OalsuRDw78=,iv:nSo8iE/ma7+ihfSeOQMIxKrUcinBBVRr+bhYMvgbygo=,tag:ANfqvsfKiCHyZLy8/ZjIPA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.2 From 3b4cd0651f71399397c5b7061a9a92039e4c9ef1 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 May 2026 16:45:41 +0200 Subject: [PATCH 45/55] Update mastodon to 4.5.10 --- config/hosts/mastodon/mastodon.nix | 8 ++++---- flake.lock | 18 +++++++++--------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 56cdd00..e636bef 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -1,4 +1,4 @@ -{ pkgs, nixpkgs-unstable, ... }: +{ pkgs, nixpkgs-unstable, nixpkgs-master, ... }: let tangerineUI = pkgs.fetchgit { url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; 
@@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.5.9"; + version = "4.5.10"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-EXMJWdcuvQWe2cXONlcN/oB4b0nXwDqRT+miIB7P7js="; + sha256 = "sha256-aW5WMmhfV+q/ddebSuEuCL5Mdwav+qocMPBnbvXFBk4="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; @@ -53,7 +53,7 @@ let yarnMissingHashes = prev.mastodon.src.yarnMissingHashes; }); }; - pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; + pkgs-overlay = nixpkgs-master.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { diff --git a/flake.lock b/flake.lock index 548d0bc..e0a270b 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1778947228, - "narHash": "sha256-z1PIyRIm5nlh6sB4I4ObT42O6IT5zuFzQK0RtvRoL/c=", + "lastModified": 1779243744, + "narHash": "sha256-hwD5/IbAs5FTdg7R2VPWlVsAwrVDmILa+w8gj4U3HQQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ff5e747c5f45865599ba7387244212420558e83c", + "rev": "7f04f29e010fdf57851461605322d7c2b95f9f15", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1778973839, - "narHash": "sha256-gnglqTdKUK1UlKfq+ZRXmxWW+MRhbpOi3DzjTp2zqRU=", + "lastModified": 1779287632, + "narHash": "sha256-AMcWQ3mQUrdeXiJaCHXYh+c5tBI3lTsbymEUXPRegdo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b6aac1076920329e7863e9fb607d4d1811ea16f3", + "rev": "22dcc7e4821c231607aacd682b035f29fabc2f8f", "type": "github" }, "original": { 
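Review bot: `nixpkgs-master.legacyPackages."x86_64-linux"` on the new `pkgs-overlay` line hard-codes the system; `nixpkgs-master.legacyPackages.${pkgs.stdenv.hostPlatform.system}.extend mastodonNekoverseOverlay` keeps the overlay base tied to the host platform like the rest of the module. Switching the overlay base from `pkgs` to `nixpkgs-master` also goes beyond the "Update mastodon to 4.5.10" subject: the whole Mastodon closure (Ruby, Node, yarn dependencies) now comes from the master pin instead of the host's nixpkgs, so a one-line comment above it stating why (presumably a dependency not yet in the pinned `nixpkgs`) would help the next reader. The build stays reproducible since `nixpkgs-master` is locked in flake.lock in this same patch. The `let` block this line belongs to starts outside the hunk.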
@@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1778930970, - "narHash": "sha256-FqqcYr0c5in/HRL5bkRWykAGp/Q10Vj/zUiSr1P8URE=", + "lastModified": 1779273561, + "narHash": "sha256-O3UFKrh5oDyOwqD4Njdf7+SIxptOl3gHZyesYvNsIbw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5a51fe22e18a6ce886b3cffa4c255378c151323c", + "rev": "8e72e9888e67ce593df16546cd31e0d75544ad0d", "type": "github" }, "original": { From e04b5ac8e68b9884504dc67221aff383582d1424 Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Sun, 24 May 2026 00:15:06 +0200 Subject: [PATCH 46/55] Migrate metrics to sops-nix --- config/hosts/metrics/grafana.nix | 17 +++++++++++++++-- config/hosts/metrics/secrets.nix | 21 --------------------- config/hosts/metrics/secrets.yaml | 26 ++++++++++++++++++++++++++ 3 files changed, 41 insertions(+), 23 deletions(-) delete mode 100644 config/hosts/metrics/secrets.nix create mode 100644 config/hosts/metrics/secrets.yaml diff --git a/config/hosts/metrics/grafana.nix b/config/hosts/metrics/grafana.nix index 7cf4dcf..05f80e3 100644 --- a/config/hosts/metrics/grafana.nix +++ b/config/hosts/metrics/grafana.nix @@ -11,14 +11,14 @@ cookie_secure = true; cookie_samesite = "strict"; admin_user = "yuri"; - admin_password = "$__file{/secrets/metrics-grafana-admin-password.secret}"; + admin_password = "$__file{/run/secrets/metrics-grafana-admin-password}"; admin_email = "yuri@nekover.se"; }; smtp = { enabled = true; host = "mail.grzb.de:465"; user = "grafana"; - password = "$__file{/secrets/metrics-grafana-smtp-password.secret}"; + password = "$__file{/run/secrets/metrics-grafana-smtp-password}"; from_address = "grafana@robot.grzb.de"; from_name = "Grafana"; startTLS_policy = "NoStartTLS"; 
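Review bot: The two `$__file{/run/secrets/...}` values in the grafana hunk hard-code the sops-nix symlink location instead of asking sops-nix for it; `admin_password = "$__file{${config.sops.secrets."metrics-grafana-admin-password".path}}";` (and the same for `smtp.password`) evaluates to the identical path today but keeps working if `sops.defaultSymlinkPath` or the secret name changes, and fails at evaluation time rather than at Grafana start-up if the secret declaration is missing. The module's argument list is outside the hunk, so `config` may need to be added there. No behavioural change otherwise: the secret ownership is set to `grafana` in the next hunk, which is what the file provider needs.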
@@ -33,4 +33,17 @@ } ]; }; + + sops.secrets."metrics-grafana-admin-password" = { + mode = "0440"; + owner = "grafana"; + group = "grafana"; + restartUnits = [ "grafana.service" ]; + }; + sops.secrets."metrics-grafana-smtp-password" = { + mode = "0440"; + owner = "grafana"; + group = "grafana"; + restartUnits = [ "grafana.service" ]; + }; } diff --git a/config/hosts/metrics/secrets.nix b/config/hosts/metrics/secrets.nix deleted file mode 100644 index fcf9baa..0000000 --- a/config/hosts/metrics/secrets.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "metrics-grafana-admin-password.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "metrics-grafana-smtp-password.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/metrics/secrets.yaml b/config/hosts/metrics/secrets.yaml new file mode 100644 index 0000000..154cc13 --- /dev/null +++ b/config/hosts/metrics/secrets.yaml 
@@ -0,0 +1,26 @@ +metrics-grafana-admin-password: ENC[AES256_GCM,data:vk5KwDxDvTtI/vycl+2XItCFadUQL7rDHZ+0e3WAXynkHq/gmP0Q4VBBjQQNnFwxumF/dIj+CxEqEDdCL6HpSqEOZm/SJCfBARSCxyNCXoYiI/0+NTlUdfhscrDVleLJcMNrBxmxKt3cnDotPWS8rwF5oA1A79OW6+eZm1RC8hA=,iv:JtV0/vZIIzIF+WtD9KRPmyfLI4sMSe7ff5KHG7PEXjY=,tag:A1RgqOOd6M2m1ueXWPxw2w==,type:str] +metrics-grafana-smtp-password: ENC[AES256_GCM,data:ledR3mYQaQndiXgWJSZCqwrar1d5LvnwfdAb0EYI40M=,iv:T6yV0KKz5MK8pLWQoO0xi/ZAdhpFgNvER17X5ZfCCe0=,tag:16lt0z4Gn4Gcc54ssF0W5w==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVWd2NHNWTElaTk42R1Qx + bmZxYnhoT3NqQ0I5ZWVsS0N4eHdWMDhRU0hFCmhlQ1hrZ3R5REt2ODV0dTA4VWl0 + R0dtNWIydzhCUmVMYk85d0ZETk8wQkEKLS0tIElFbXRhYWprVER4ZGZocTNzcGNv + RHN2MWJVTXFEZnhKeXNQdUlnQ0ZiYmMKXicuiR0ZlDNb4EX49y3NmAOk7onTcDEV + Ohe+Enl0dM+dMfCdcojIkdTln74KZ+h6yxVr5jDU3EnDZVZpczY5wQ== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bkFiY0x1TUFGYnExWnYz + QldDOW1oaWVEUDMvbUN2TmwxZVZEOVpZbW5JCjlnYklSSjV1OExObDl1QUhoZFls + V3cyVVBkYWwyT0lpTlVnb1kxTG9IM0UKLS0tIENGak1HaFZYT2ZCL0hleUVVUDZu + MTI5ZkhUK0RZdGhSYVFZMDNHaS9QaFEKyptwQi4pYw0zZ2F9LvwX4F18UUdjqVrz + aB4hZkakAI94qVz3JvIVlslWzsDtIKoBTobl3dBNFId7M8TQwwZUvg== + -----END AGE ENCRYPTED FILE----- + recipient: age1lrtengtdc0nzpagr8fkp5mwqda66jqr0s2h3wsxcdscmalp8n3js3r0e3n + lastmodified: "2026-05-23T22:14:10Z" + mac: ENC[AES256_GCM,data:w1pNlY6g/PxQcpY/0Jt02TL5oZ0gwB5fYIzd99PgJTU0X76tmvlAF1i58SubnyR6TWiO0Q4TYJcqgeKHHvWYkYtQZzV4MGc0UwY1+Ipw3q38fRTHqVNbiaCorYbWBMXUnewE4eXictnFfq+vIfFeWktoGws/NTrZEIQ4lY+NSiE=,iv:vP7vujgXGRSr/adBJu1SATryPbqF3Obcg885EZahMTg=,tag:HuRqc8wS1+geWmJMdRWNSA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 From 7740eb01f238a74d8b0e4a71ab2f9577e62c08ee Mon Sep 17 00:00:00 2001 
From: Fiona Grzebien Date: Sun, 24 May 2026 00:39:39 +0200 Subject: [PATCH 47/55] Migrate metrics-nekomesh to sops-nix --- config/hosts/metrics-nekomesh/grafana.nix | 33 ++++++++++++++++--- config/hosts/metrics-nekomesh/secrets.nix | 37 ---------------------- config/hosts/metrics-nekomesh/secrets.yaml | 28 ++++++++++++++++ 3 files changed, 57 insertions(+), 41 deletions(-) delete mode 100644 config/hosts/metrics-nekomesh/secrets.nix create mode 100644 config/hosts/metrics-nekomesh/secrets.yaml diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix index 8c4255d..2c596c5 100644 --- a/config/hosts/metrics-nekomesh/grafana.nix +++ b/config/hosts/metrics-nekomesh/grafana.nix @@ -11,15 +11,15 @@ cookie_secure = true; cookie_samesite = "strict"; admin_user = "admin"; - admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}"; + admin_password = "$__file{/run/secrets/metrics-nekomesh-grafana-admin-password}"; admin_email = "fi@nekover.se"; - secret_key = "$__file{/secrets/metrics-nekomesh-grafana-secret-key.secret}"; + secret_key = "$__file{/run/secrets/metrics-nekomesh-grafana-secret-key}"; }; smtp = { enabled = true; host = "mail.grzb.de:465"; user = "nekomesh@grzb.de"; - password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}"; + password = "$__file{/run/secrets/mail-nekomesh-nekover-se}"; from_address = "nyareply@nekover.se"; from_name = "Nekomesh"; startTLS_policy = "NoStartTLS"; @@ -29,7 +29,7 @@ name = "Nekoverse ID"; allow_sign_up = true; client_id = "nekomesh"; - client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}"; + client_secret = "$__file{/run/secrets/metrics-nekomesh-grafana-keycloak-client-secret}"; scopes = "openid email profile offline_access roles"; email_attribute_path = "email"; login_attribute_path = "preferred_username"; 
@@ -52,4 +52,29 @@ } ]; }; + + sops.secrets."metrics-nekomesh-grafana-admin-password" = { + mode = "0440"; + owner = "grafana"; + group = "grafana"; + restartUnits = [ "grafana.service" ]; + }; + sops.secrets."metrics-nekomesh-grafana-keycloak-client-secret" = { + mode = "0440"; + owner = "grafana"; + group = "grafana"; + restartUnits = [ "grafana.service" ]; + }; + sops.secrets."metrics-nekomesh-grafana-secret-key" = { + mode = "0440"; + owner = "grafana"; + group = "grafana"; + restartUnits = [ "grafana.service" ]; + }; + sops.secrets."mail-nekomesh-nekover-se" = { + mode = "0440"; + owner = "grafana"; + group = "grafana"; + restartUnits = [ "grafana.service" ]; + }; } diff --git a/config/hosts/metrics-nekomesh/secrets.nix b/config/hosts/metrics-nekomesh/secrets.nix deleted file mode 100644 index 8014354..0000000 --- a/config/hosts/metrics-nekomesh/secrets.nix +++ /dev/null 
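Review bot: The four `sops.secrets` attrsets added at the end of the module are byte-identical apart from the name, which invites drift the next time one of them is edited (for example a single entry losing its `restartUnits`). Generating them with `lib.genAttrs` keeps one definition of the permission set and makes the list of Grafana-owned secrets readable at a glance. `lib` is presumably available from the module arguments, which are outside the hunk; confirm before applying.

```nix
  sops.secrets = lib.genAttrs [
    "metrics-nekomesh-grafana-admin-password"
    "metrics-nekomesh-grafana-keycloak-client-secret"
    "metrics-nekomesh-grafana-secret-key"
    "mail-nekomesh-nekover-se"
  ] (_: {
    mode = "0440";
    owner = "grafana";
    group = "grafana";
    restartUnits = [ "grafana.service" ];
  });
```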
@@ -1,37 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "metrics-nekomesh-grafana-admin-password.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/admin-password" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "metrics-nekomesh-grafana-keycloak-client-secret.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "metrics-nekomesh-grafana-secret-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/secret-key" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-nekomesh-nekover-se.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/metrics-nekomesh/secrets.yaml b/config/hosts/metrics-nekomesh/secrets.yaml new file mode 100644 index 0000000..53bef00 --- /dev/null +++ b/config/hosts/metrics-nekomesh/secrets.yaml 
@@ -0,0 +1,28 @@ +metrics-nekomesh-grafana-admin-password: ENC[AES256_GCM,data:7Ji5Bb+/ekFtptG6JQBViocqozol7vdTRxAgYuRpicO3v7UFswLBkFd/+asaCKkYTrYjDFcOOSjSMr2Yp+9IhQ==,iv:VjpntKn3PdIX56DjHlkhYmx05MZtvTinGcO0vz4BFkQ=,tag:Lcat3LbXJyWcEOq6pmTx9w==,type:str] +metrics-nekomesh-grafana-keycloak-client-secret: ENC[AES256_GCM,data:6SHmMy0gbT6rYC9i60TzCcP0q4eSzC3Srse9O3La1Ag=,iv:H6wEzy6MgX2Ft+D3rWzyWwnh8ZmNmMlcEQLuKrkSwoU=,tag:M7pGHOKq0fglHGyj5jFoYg==,type:str] +metrics-nekomesh-grafana-secret-key: ENC[AES256_GCM,data:5+aUdzNAy0nDuGW8g2e7LdT9woo=,iv:rSn+XTJA46Eq4FcKUQaph/WPLXC4vxnRulpSjls1QZg=,tag:aXSgUUzxe8tQV+oqXnidPA==,type:str] +mail-nekomesh-nekover-se: ENC[AES256_GCM,data:vuyDjtvCT0D8aYftcGiA59i7mriqLNoqeHy0+LQ3awUt4d//p81LpPNdb/EQMuUnCp2QZgdsy4rU5ktDa1Ewfg==,iv:+pqVQfWxSQF4fTJ0gMuAf4EjyvsUVFUxpRa2BHpvZ3Q=,tag:UlHzONbcfeCJuJjamKV39w==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOVFIckQ3R2FsYXl4NkRW + RGdSRmNaMURIUkYrSGtnWmdxVGJMOUFta0JJCnN1blNoaG9PUVJNN1RJcUhnYlFq + WTlhcGx3cUUwbkREMVVleDZNazJ2dm8KLS0tIFl5NGhFeHZKaENmQjRwZ0hiS3Jl + TTRMVloxK25uUVVMcE56M1RMKzlDb2cKuNKexzjC9eefQHCjVAY4rS7wqTSqs0uO + PvSvxs4tY5d2nUJuORGn25MU9Y65UFTvTzuxgqg9Z37NTEjVfvnrYA== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTzErWVY1V3ZrMHBYTjRm + M1IwTG9DZmhBTFpGSkwyTVJJYndsRnRSOTJrClhFWi9TbGhRWkQ1VjhLaE4wd3Bi + WlpSUUcxU3A4dmZUYmNJYnlyQnMwK00KLS0tIDZqdU1DcXc3YmpDMThRMzQwQWk4 + TnFKNS9xcXdKZXo0cThpbjd2NEQ3NTgK4XTrXdaHVveeXwsEuGx5+Y2bu/F6jooo + auWtrm7z3rxzCxePxNs6LCYr/ppoE7J8nEFKnFmT0vyUGryhzlbo9A== + -----END AGE ENCRYPTED FILE----- + recipient: age1rh7zgp445t39c7tmh84r30e9edju8gmtn84u7rjwhmyntzkugucq5x0xse + lastmodified: "2026-05-23T22:38:11Z" + mac: 
ENC[AES256_GCM,data:VWo7UFRey2w/2x/wn/XfFW9gCpogO9Igxt/xEBngHBTkSJh0p6HhbZlmA3iv3QmYKui74cHSfQUOq2IOc96CLsfWKUWhMQVw5z/be7OEoY3cIG8V1WRTixQB5a0284jPXcGHPreLdMdAQW5nvJJRwx6Pysm7+rTzdxi8VGmOKyE=,iv:l4KBomWzPfOw1UiVpMwWg68OdYc85FtrRcVygfbEoeU=,tag:EeboepV+hDkA9QNmi/Ao+w==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 From b5d6055f36d8a0fb050342b4cb316652ccb022b8 Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Sun, 24 May 2026 01:09:56 +0200 Subject: [PATCH 48/55] Migrate nextcloud to sops-nix --- config/hosts/nextcloud/nextcloud.nix | 15 +++++++++++++-- config/hosts/nextcloud/secrets.nix | 21 --------------------- config/hosts/nextcloud/secrets.yaml | 26 ++++++++++++++++++++++++++ 3 files changed, 39 insertions(+), 23 deletions(-) delete mode 100644 config/hosts/nextcloud/secrets.nix create mode 100644 config/hosts/nextcloud/secrets.yaml diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index f27c9a6..7c13bd4 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -7,7 +7,7 @@ https = true; config = { dbtype = "pgsql"; - adminpassFile = "/secrets/nextcloud-adminpass.secret"; + adminpassFile = "/run/secrets/nextcloud-adminpass"; }; database.createLocally = true; configureRedis = true; @@ -30,7 +30,7 @@ default_phone_region = "DE"; }; # Only contains mail_smtppassword - secretFile = "/secrets/nextcloud-secretfile.secret"; + secretFile = "/run/secrets/nextcloud-secretfile"; phpOptions = { # The amount of memory for interned strings in Mbytes "opcache.interned_strings_buffer" = "64"; @@ -50,4 +50,15 @@ ''; }; }; + + sops.secrets."nextcloud-adminpass" = { + mode = "0440"; + owner = "nextcloud"; + group = "nextcloud"; + }; + sops.secrets."nextcloud-secretfile" = { + mode = "0440"; + owner = "nextcloud"; + group = "nextcloud"; + }; } diff --git a/config/hosts/nextcloud/secrets.nix b/config/hosts/nextcloud/secrets.nix deleted file mode 100644 index b344d78..0000000 
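Review bot: The new `sops.secrets."nextcloud-adminpass"` entry deserves a comment that rotating this secret does not change anything on an already-installed instance, e.g. `# Only consumed by the initial nextcloud-setup install; changing it later does not reset the admin password.`, since the NixOS module, as far as I know, reads `adminpassFile` only for the first `maintenance:install`, and a reader seeing it managed alongside live secrets may assume otherwise. Unlike the sibling commits in this series these two entries carry no `restartUnits`; that is fine for `nextcloud-secretfile` if the module reads it at request time (which newer nixpkgs do via `override.config.php`), but worth confirming against the pinned nixpkgs and noting in the same comment. The enclosing module attrset starts outside the hunk.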
--- a/config/hosts/nextcloud/secrets.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "nextcloud-adminpass.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ]; - destDir = "/secrets"; - user = "nextcloud"; - group = "nextcloud"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "nextcloud-secretfile.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ]; - destDir = "/secrets"; - user = "nextcloud"; - group = "nextcloud"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/nextcloud/secrets.yaml b/config/hosts/nextcloud/secrets.yaml new file mode 100644 index 0000000..c92b6c0 --- /dev/null +++ b/config/hosts/nextcloud/secrets.yaml 
@@ -0,0 +1,26 @@ +nextcloud-adminpass: ENC[AES256_GCM,data:9hjeHUMNBg3fCN80mGCXarXEMOySEdyfnFIL8ivGb2Vi8LKbzZ2fHZZUzMO5/7XYRpNKWtBz1yzn2fj/ZeLiMw==,iv:38bucE+hmU/hZXw67fc34s1uZefXpWdY5vaTpvDfpUI=,tag:vKI6DrBYekjVU8Va/7BT8A==,type:str] +nextcloud-secretfile: ENC[AES256_GCM,data:PaX7jAFBNweVwyG9nNU/TTHlGrQvPfgc92uCS1s1UwrHH8KlbKGed6NpTPvulwgMQ5cjwUMy5OuOt15kGRS03LQNcWJ+mlu2TQ2Hjsza+SV/ahtxzs/NiA==,iv:An3LZG9gnnna8TuNYlXDGxyter/Sj5DbIjZyGedqteU=,tag:2VbInjBoiv+w3nhh6AAQng==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bDNNZnh5UTFtei84YXdC + SFJONFdHNE1WZ1FvSFZoSW4rMkh3ZC9tbWljClA0RWlRTFA1K2pSMTAyY0I0d01a + cHlUK3ZTd0lydm82VnpBbUdCQmFRYWcKLS0tIEhicldwUFc0cEt2aFVKeVhSeEtS + eFNBbUY1UXZMSEVzL3YyZDUrWVlxd0EKy5TnMyh7WxWK9lO7MKLINRbwMQuFlN4l + E01+FXAUiVSHO4aJW4CsqeegTAAux3FUWB1tL2myZskOFkJPws3boQ== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAra3A4ZDQzZEZCRGErVFBK + bUFqS0ZSTjJFYm00cnVuei85MldCU25MV0VrCnMwVTJndWNQbUUwWmJnMUR3MjJp + VXUwV1RaZElaN2l1S3JxQVVoOXhweEkKLS0tIFFndXpaRlRKdzRvUUxUZVN1cXVr + TTFFYmx5OVU4Q3BWaFpWNFlPdGJZSzQKMLLZzESV0JdlNbMGpdDaorJnDKaSuax0 + YQT/+G702pjqOjg8kRbHH8BZ3pK/3wApJBUW5iilAAxIzIm1zU/0Hw== + -----END AGE ENCRYPTED FILE----- + recipient: age1lvlmct30jtg7p4qpf8evtjlld6g74q2ckh803hd3ynr7cz7zlceq84flwu + lastmodified: "2026-05-23T23:09:29Z" + mac: ENC[AES256_GCM,data:dPYCQ7hfToQptTlbeA22MQ7EEtn9NyYvdshG9d24h2kLkPKpq/i0bcmG3o6xfyDsofTPZOOzRjCVUlxRukWuhHODPpyOronoDv3hrJNtj1YHsMzeMEK1xK1hpNtJeYkWx12SBZw4zZ7Vw3tLxc5Ay95LD7ZWCsCTqawbMufMjwc=,iv:3LeWH8eU0vTtnJRr0ZqUHHNdifzb++i6Y3CB6J/2wdA=,tag:40tOjuZZ+0Ww2wOwIXkcUQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 From 6282e3fed97a37fbd5219d3f0c6627b77d91c0f7 Mon Sep 17 00:00:00 2001 
From: Fiona Grzebien Date: Sun, 24 May 2026 01:18:37 +0200 Subject: [PATCH 49/55] Migrate searx to sops-nix --- config/hosts/searx/searx.nix | 9 ++++++++- config/hosts/searx/secrets.nix | 11 ----------- config/hosts/searx/secrets.yaml | 25 +++++++++++++++++++++++++ 3 files changed, 33 insertions(+), 12 deletions(-) delete mode 100644 config/hosts/searx/secrets.nix create mode 100644 config/hosts/searx/secrets.yaml diff --git a/config/hosts/searx/searx.nix b/config/hosts/searx/searx.nix index cdb9940..29a645e 100644 --- a/config/hosts/searx/searx.nix +++ b/config/hosts/searx/searx.nix @@ -24,6 +24,13 @@ ui.static_use_hash = true; enabled_plugins = [ "Hash plugin" "Self Informations" "Tracker URL remover" "Ahmia blacklist" ]; }; - environmentFile = "/secrets/searx-secret-key.secret"; + environmentFile = "/run/secrets/searx-secret-key"; + }; + + sops.secrets."searx-secret-key" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "searx.service" ]; }; } diff --git a/config/hosts/searx/secrets.nix b/config/hosts/searx/secrets.nix deleted file mode 100644 index 38231fc..0000000 --- a/config/hosts/searx/secrets.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys."searx-secret-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "searx/secret-key" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; -} diff --git a/config/hosts/searx/secrets.yaml b/config/hosts/searx/secrets.yaml new file mode 100644 index 0000000..70c5b8f --- /dev/null +++ b/config/hosts/searx/secrets.yaml 
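Review bot: `environmentFile = "/run/secrets/searx-secret-key";` is consumed as a systemd `EnvironmentFile=`, so the sops value must be a `KEY=value` line (the `SEARXNG_SECRET=...` form) rather than the bare key; the secret name suggests a bare key and nothing in the hunk says otherwise, so a comment above the line such as `# EnvironmentFile format: must contain SEARXNG_SECRET=<value>, not the bare key` would prevent a silent misconfiguration on rotation. `owner = "root"` with `0440` is appropriate here because systemd reads the file before dropping to the service user, but that reasoning is also worth a short comment since every other secret in this series is owned by the consuming service's user. Consider `config.sops.secrets."searx-secret-key".path` instead of the hard-coded path so the reference follows the declaration.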
@@ -0,0 +1,25 @@ +searx-secret-key: ENC[AES256_GCM,data:FH/TfmvtaDIwVCDf69EJBgUljeUFGEzBBF2nUNPxZL5HKh4zPR5peVW1vld2OSNWd3UD72H+/F/7TArcV3nEJgqNc/rU9BXsUeS4tvsrZqlI,iv:p5Rdz8clGb8mBF8mVqSjYhDPXrsIVM4KC2WcXwAs8O4=,tag:C/wZoqqF+mcYRGjVUSLjhQ==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWVN5bnY5OTZlT3MwVFZR + YjhTR3Z6Q3QrRDVHN0pvVDl4ZTJXMHNLVEdBCjZHcW9uWStQUXBBcWRrZHlhbjlx + blhGOWRRS0UzSVFTQmJSWUZrQ3kwZlUKLS0tIFBLcDROOU1aU05hVFR0NGJWY0xY + Q2VmY0lHUmhKSGtWT01NN2t6amVVMzQKgpe5zffX6Pc1GDJ8zA7ipa257zG5ZRho + rLdQBJkA+N4crKj12lPLYf5fd4sowfFMTfsdyuxcZUD7Wwq8SO7aQA== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTmhNeUdMRnpWQ0JoWmRJ + Uk5ubUF3K3l2eDUzYnB4ZXQvRUJ5dnJmOXd3CnlhUEJHK0NvNVA5dWp0eGV5VWR1 + ZzV6S3hneiszZU4vaEg0R2laOU1XbTAKLS0tIDU2ZkFWcXl5TE9Sd1AxVjZ1Rzlq + UUFXZEQ2cDlsS2hnTVVlNWxDK3VyeWMKMvH2PBlKpyHt4WVp9BLJwAGm2h8QPMa1 + LCxybdE3+Gs6uQboKX6uo5pMXMQPOedyJZFBDhdu74BOd46u0rcMoQ== + -----END AGE ENCRYPTED FILE----- + recipient: age17h3js5v8s5vezcankky6kqxcrvtfxanmvhp3axmnqs4y9s2lr9yqvc6zrn + lastmodified: "2026-05-23T23:16:55Z" + mac: ENC[AES256_GCM,data:yx+gxeRcl89iokWwH+a+t/OVtOUZUN3Sws/85o9hymtefBxNLqX7GGTMZfa/nQloD4avevWTU71TkYZWRZZj/qlW2B29BSPoIfadbba5rgJHu5D/ij4XrYY14wK3SwMTKpwkjhSBiFOFZLml0zADPWaJH0F6QCTSshUsFQapAW8=,iv:vZt/ejbutG+1UuIU+mQIVXbsl0TQhE+nrulvP0rIVpI=,tag:iSSbw67/A8oMknEzcoOgXw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 From f4265bbb5df10753bd36594dc238ab0e1ade4705 Mon Sep 17 00:00:00 2001 
From: Fiona Grzebien Date: Sun, 24 May 2026 01:24:38 +0200 Subject: [PATCH 50/55] Migrate torrent to sops-nix --- config/hosts/torrent/configuration.nix | 8 +++++++- config/hosts/torrent/secrets.nix | 13 ------------- config/hosts/torrent/secrets.yaml | 25 +++++++++++++++++++++++++ 3 files changed, 32 insertions(+), 14 deletions(-) delete mode 100644 config/hosts/torrent/secrets.nix create mode 100644 config/hosts/torrent/secrets.yaml diff --git a/config/hosts/torrent/configuration.nix b/config/hosts/torrent/configuration.nix index 83dbdab..e673884 100644 --- a/config/hosts/torrent/configuration.nix +++ b/config/hosts/torrent/configuration.nix @@ -15,7 +15,7 @@ fsType = "cifs"; options = [ "username=torrent" - "credentials=/secrets/torrent-samba-credentials.secret" + "credentials=/run/secrets/torrent-samba-credentials" "iocharset=utf8" "vers=3.1.1" "uid=torrent" @@ -25,5 +25,11 @@ }; }; + sops.secrets."torrent-samba-credentials" = { + mode = "0440"; + owner = "root"; + group = "root"; + }; + system.stateVersion = "24.11"; } diff --git a/config/hosts/torrent/secrets.nix b/config/hosts/torrent/secrets.nix deleted file mode 100644 index 289778a..0000000 --- a/config/hosts/torrent/secrets.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "torrent-samba-credentials.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "torrent/samba-credentials" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/torrent/secrets.yaml b/config/hosts/torrent/secrets.yaml new file mode 100644 index 0000000..021916b --- /dev/null +++ b/config/hosts/torrent/secrets.yaml 
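Review bot: The new `sops.secrets."torrent-samba-credentials"` entry has no `restartUnits`, and mount.cifs reads the credentials file once at mount time, so a rotated share password is never applied until the share is remounted by hand. If a remount on rotation is acceptable for the torrent client, `restartUnits = [ "${utils.escapeSystemdPath <mountpoint>}.mount" ];` wires that up; the `fileSystems` key naming the mount point is outside the hunk, so I cannot quote the exact unit. If it is deliberately left manual, a one-line comment saying so (`# credentials are only read at mount time; remount after rotating`) is the minimum. `root:root` with `0440` is correct since mount.cifs runs as root.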
@@ -0,0 +1,25 @@ +torrent-samba-credentials: ENC[AES256_GCM,data:dPK2pePHoH+bOvE1NsQ5N6/UncaLCTqpTvQEI0lmYBxCpaI6F14+JwwTYDzqxuNAgLDRDdRINoLQWdkMR8Cwk1AzRWObE6BKHA==,iv:cEImJtn9N3O8RJUYe77BbuDAMbLAzqWu3WVbcM5B6k8=,tag:MXPRfjvqViNa0uvJvH449Q==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSE44bFdlQlArMUdwTDdD + TVdCdWF6QkVCTzFxRWd0T2xYSWJUWTdEY25rCnRhd0t6OVVpbzNQTDVwNHRybmMy + ZlYwdTRpVnFmTG1VbVlnT1ZtSHpMeFEKLS0tIGZNRDU0SFpMS0cvY3JOSnpLR2FK + TG1pZGpGRXA3bTc4NDQrWkFLVUxIS1EKrm9NENbpt/moVGrBhVLSOzFtBtLKoOJT + A87C8H4SHQ1W61X4Chz+eQdCRCqVUWUXvyOgJsC1cwECjXR177zQ3w== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTlpSQlFZOFZqZ3BTR3Fj + WEV3TTBIYjZaSTd0MVl2V2owbS9VRS81bTI0CkJKQVBtcnhmZ2tKaThocTM2Q29O + NHJCczNSY01EeDNZQTdjUjI5cHFnRnMKLS0tIDlUKzkyUHdGbDlhekY4N3NMRTNm + c2tmVHBQTWprSVE0eEJGajNPcFJCWTQKPopTbKZuLVxipgl9S4wMzYyjFj9T0Euq + t8Yw2jG8s09EeKq2slwBUqev0JpIptwItT/yiuWNQgu70V9Cd7uZhA== + -----END AGE ENCRYPTED FILE----- + recipient: age1m37wtvp7fpavaygn2jc6kq2gtuvgvf0jgwwhd3p5862djv5segqs97mg7c + lastmodified: "2026-05-23T23:24:28Z" + mac: ENC[AES256_GCM,data:3dwyQ1ZBoL/Pq8gqyBhGSLy3HHYCLtP75ezkJQR8ndY8n9yHtkfuR96H6+OkskASReDpFo4HfuYOLSiZZlli4pokYCrdtCbm53kE92L2n5jXWDXur/EIwjHfRe2rsPyvKbhe4zLB8GPQYMsxzHN0iYbO+6/TmPGTzi26iZvLlrc=,iv:Gf5oWQ7foRy1mb41X9+jYXS+20mSJBXWbuFtZP6FRmk=,tag:jigFUiga1zHJ+xLE4ObZTQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 From d845904ecd809b4b1874c0128edf2dacdeed3763 Mon Sep 17 00:00:00 2001 
From: Fiona Grzebien Date: Sun, 24 May 2026 02:00:19 +0200 Subject: [PATCH 51/55] Migrate valkyrie to sops-nix --- config/hosts/valkyrie/configuration.nix | 49 ++++++++++++++++++++--- config/hosts/valkyrie/secrets.nix | 53 ------------------------- config/hosts/valkyrie/secrets.yaml | 30 ++++++++++++++ config/hosts/valkyrie/services.nix | 2 + 4 files changed, 75 insertions(+), 59 deletions(-) delete mode 100644 config/hosts/valkyrie/secrets.nix create mode 100644 config/hosts/valkyrie/secrets.yaml diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index e581f8c..3534c33 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -23,26 +23,26 @@ { name = "site1-grzb"; publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret"; + presharedKeyFile = "/run/secrets/wireguard-valkyrie-site1-grzb-psk"; endpoint = "site1.grzb.de:51826"; allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ]; } { name = "site2-grzb"; publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret"; + presharedKeyFile = "/run/secrets/wireguard-valkyrie-site2-grzb-psk"; endpoint = "site2.grzb.de:51826"; allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; } { name = "site1-jsts"; publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; + presharedKeyFile = "/run/secrets/wireguard-valkyrie-site1-jsts-psk"; endpoint = "site1.jsts.xyz:51823"; allowedIPs = [ "10.203.10.4/32" ]; } ]; - privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret"; + privateKeyFile = "/run/secrets/wireguard-valkyrie-wg0-privatekey"; }; # mail-1 VPN wg1 = { 
@@ -54,7 +54,7 @@ { name = "mail-1"; publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs="; - presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret"; + presharedKeyFile = "/run/secrets/wireguard-valkyrie-mail-1-valkyrie-psk"; allowedIPs = [ "172.18.50.2/32" ]; } ]; @@ -66,7 +66,7 @@ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE ''; - privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret"; + privateKeyFile = "/run/secrets/wireguard-valkyrie-wg1-privatekey"; }; }; }; @@ -96,5 +96,42 @@ services.prometheus.exporters.node.enable = false; + sops.secrets."wireguard-valkyrie-wg0-privatekey" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "wireguard-wg0.service" ]; + }; + sops.secrets."wireguard-valkyrie-site1-grzb-psk" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "wireguard-wg0.service" ]; + }; + sops.secrets."wireguard-valkyrie-site2-grzb-psk" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "wireguard-wg0.service" ]; + }; + sops.secrets."wireguard-valkyrie-site1-jsts-psk" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "wireguard-wg0.service" ]; + }; + sops.secrets."wireguard-valkyrie-wg1-privatekey" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "wireguard-wg1.service" ]; + }; + sops.secrets."wireguard-valkyrie-mail-1-valkyrie-psk" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "wireguard-wg1.service" ]; + }; + system.stateVersion = "24.11"; } diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix deleted file mode 100644 index 3acc555..0000000 --- a/config/hosts/valkyrie/secrets.nix +++ /dev/null 
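Review bot: `sops.secrets."wireguard-valkyrie-mail-1-valkyrie-psk"` is one half of a pre-shared key that must stay byte-identical to `wireguard-valkyrie-mail-1-mail-1-psk` in `config/hosts/mail-1/secrets.yaml`; the deleted `secrets.nix` files for both hosts pulled it from the single `pass` entry `wireguard/valkyrie-mail-1/psk`, whereas the sops migration stores two independent encrypted copies that can drift on rotation. Please add `# Same PSK as wireguard-valkyrie-mail-1-mail-1-psk in ../mail-1/secrets.yaml; rotate both together.` above that entry (and the mirror comment on the mail-1 side). The other five entries are fine: `wireguard-wg0.service`/`wireguard-wg1.service` are the unit names the `networking.wireguard.interfaces` module creates, and `root:root` matches how `wg` is invoked there.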
@@ -1,53 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "wireguard-valkyrie-wg0-privatekey.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "wireguard-valkyrie-site1-grzb-psk.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-grzb/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "wireguard-valkyrie-site2-grzb-psk.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site2-grzb/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "wireguard-valkyrie-site1-jsts-psk.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-jsts/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "wireguard-valkyrie-wg1-privatekey.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg1-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/valkyrie/secrets.yaml b/config/hosts/valkyrie/secrets.yaml new file mode 100644 index 0000000..57e5ccb --- /dev/null +++ b/config/hosts/valkyrie/secrets.yaml 
@@ -0,0 +1,30 @@ +wireguard-valkyrie-wg0-privatekey: ENC[AES256_GCM,data:9swm9dqXWFAcYIHyGjDEyxxr9BTio6RiRKCkdpNp4Y9Sr7W47j84w6kGcH4=,iv:kNOoW38EasmwgdY3P6+Tsd0ufJCL6n9SU9IjMgN5E+U=,tag:vLZqiv+ONLuKpogXM/Lbng==,type:str] +wireguard-valkyrie-site1-grzb-psk: ENC[AES256_GCM,data:b9OrqPFS0oBO8CegA23T9Vxb68hN5F2td6Z7NuIs8Rkr8dcfTAFnsBRNybY=,iv:B/qO6alDlDohDUMnDadMbqXTWi7q1c3B3sx7wk2MvL4=,tag:/Ene7PsPErH5rU+qaOA9wQ==,type:str] +wireguard-valkyrie-site2-grzb-psk: ENC[AES256_GCM,data:DTpDyVXnH9Vz+4YnLY3WbVhFEvjVh5t/M6l9N+gQSAVAg+NDZxhveBuR0O8=,iv:idIPxZ6Oxn0sob2lrGt2wsUWR8mlZ+ddRSlcb5uHbcA=,tag:qNXbUtwtY5KnPp1wHniD9g==,type:str] +wireguard-valkyrie-site1-jsts-psk: ENC[AES256_GCM,data:BJ2U779egMGG1DyuxcGYcX1yZdqybXqmtFJpzOZ5xOeHo98sb+j4O8Q3VVs=,iv:FDqcFdqPTn2CqY+lXSdXowEHAWIugkj+o+p3QNzYNWo=,tag:RXXhL3hgFjFPOSzNvqbpXw==,type:str] +wireguard-valkyrie-wg1-privatekey: ENC[AES256_GCM,data:5fyjBs7ZH1DomFKFXelVSRF0QvHnLrhztYCy2rghpNkHWEWaf0RJaCZHQ+8=,iv:aoYbWKcPW1LBljYFN5s3Le0LbQOBltTicEbyZCSFQ3o=,tag:MjmOG+79D3szR9tEFIaKCA==,type:str] +wireguard-valkyrie-mail-1-valkyrie-psk: ENC[AES256_GCM,data:g3IHwa5KBLGBYcl27UtHEn3oa2oFY9cZ4vVodhF3sHUmVPhwfrLulEkqXi0=,iv:yom0odezXCMf9uHVAJWil38R7jSy+D8spJC37EFnq1s=,tag:uCNG66hs3zKntrzBfWVdZg==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdkltL1RSSG1CczZnanRV + Zzd4aW1BbUR2S2NpcFZmNXZCQTNGdmQxVW5BCkVDRnZPNEl5MW5lY1ZDRnFBN3Y3 + bm1MSTVyZnp0M2pCbXhCQ2NjT28zdzgKLS0tIEFuNDhvMGZkaE5UbGQ4WlVvZUZo + YzR2Mm9sd3hWQkdvOGJ6MkhSa2J5bEEKWWzpmcva3cXFa53SrrSM+CPaj6tHRnRX + UkJELp8VQDgUOCWnWAy6gbmmu9bNYSEyjzufu0eW1GArOs9F/QvQPg== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZ2VNVGxWc3JLeFZDMFF2 + c3g0V2ZybnFNVkJUZlF4WWFHWWRCNHl5QVJNCk1PcU9yM3ZjakhMazZWSlFSN3pW + eEZTaWdqaDZkUE1qZ2MyM1RodkxOeUEKLS0tIGRicURwV1lhck1DTVo2YzhkeXlN + 
QnBnY3ViYUw4NkszVWhaMXhPM1BQdjAKFzJexdsikV4im1B50bKM6FKfN3RQHTqa + 9fU5X3xjdH7jpBhGn5HGROvMNjmPrlbz5DaxIJ1hUtUtc8fpYPoNgA== + -----END AGE ENCRYPTED FILE----- + recipient: age1guqc5pnajp2whkla6vws4yqnpe5hq4z89w6te3n5yql5pugzfqlqczjlee + lastmodified: "2026-05-24T00:00:10Z" + mac: ENC[AES256_GCM,data:Ioke9QIDw2GM36EMiHKVC00WyBbZbqNd+e/hF+ZUiFudH7GAVDfWBM8FaP3Q5uQBpoPvHzVsYIMV+15daVEKvU0zIep2Aqluxclijb9ljuxmn6JpC29tImyMzEMUw18bgqaoHQvCa5qscC01QFzpFN3mASeVlAJCPl8ggOu4gsE=,iv:JEwH0GLrLJd1ptQDJKpUJLCreYJGVeWzONBasIJ4ors=,tag:jo7p7HDBrV5XBPyKtpep+w==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix index dc0fa6d..83ad8ff 100644 --- a/config/hosts/valkyrie/services.nix +++ b/config/hosts/valkyrie/services.nix @@ -30,5 +30,7 @@ in User = "root"; Group = "root"; }; + + wantedBy = [ "multi-user.target" ]; }; } From e35aa9aabd0b71ed9778942c7525e192da77fc29 Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Sun, 24 May 2026 02:23:59 +0200 Subject: [PATCH 52/55] Migrate mail-1 to sops-nix --- config/hosts/mail-1/configuration.nix | 17 ++- config/hosts/mail-1/secrets.nix | 109 ------------------ config/hosts/mail-1/secrets.yaml | 37 ++++++ .../hosts/mail-1/simple-nixos-mailserver.nix | 89 ++++++++++++-- 4 files changed, 130 insertions(+), 122 deletions(-) delete mode 100644 config/hosts/mail-1/secrets.nix create mode 100644 config/hosts/mail-1/secrets.yaml diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index c94de3b..b384f41 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix 
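Review bot: The added `wantedBy = [ "multi-user.target" ];` in services.nix enables a `User = "root"` unit at boot, which is a behavioural change unrelated to the "Migrate valkyrie to sops-nix" subject and is not explained anywhere in the commit. Either split it into its own commit or add a comment above the line stating why it is needed now (`# start at boot: previously only pulled in by ...`); without that a reviewer cannot tell whether the sops migration broke an implicit activation path or this is an independent fix. The service definition this line belongs to starts outside the hunk, so I cannot see which unit it is.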
@@ -51,11 +51,11 @@
 Name = "wg0";
 };
 wireguardConfig = {
- PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
+ PrivateKeyFile = "/run/secrets/wireguard-mail-1-wg0-privatekey";
 };
 wireguardPeers = [{
 PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
- PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
+ PresharedKeyFile = "/run/secrets/wireguard-valkyrie-mail-1-mail-1-psk";
 Endpoint = "212.53.203.19:51822";
 AllowedIPs = [ "0.0.0.0/0" ];
 PersistentKeepalive = 25;
@@ -77,5 +77,18 @@
 wireguard-tools
 ];
 
+ sops.secrets."wireguard-valkyrie-mail-1-mail-1-psk" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "wireguard-wg0.service" ];
+ };
+ sops.secrets."wireguard-mail-1-wg0-privatekey" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "wireguard-wg0.service" ];
+ };
+
 system.stateVersion = "23.05";
 }
diff --git a/config/hosts/mail-1/secrets.nix b/config/hosts/mail-1/secrets.nix
deleted file mode 100644
index c7dd92c..0000000
--- a/config/hosts/mail-1/secrets.nix
+++ /dev/null
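Review bot: Nothing in this commit removes the old `/secrets/*.secret` files that the deleted `secrets.nix` uploaded with `destDir = "/secrets"`, so after the switch the WireGuard private key and PSK exist twice on the host: the sops-nix copies under `/run/secrets` and stale plaintext copies under `/secrets` that no module manages any more; a one-off cleanup on the host, or a `systemd.tmpfiles.rules` entry of the form `"r /secrets/wireguard-mail-1-wg0-privatekey.secret"` for each of them, belongs to this migration. The two `sops.secrets` entries in the second hunk also hand the files to `root:root` with `restartUnits = [ "wireguard-wg0.service" ]`, while the consumer shown in the first hunk is the networkd netdev (`wireguardConfig.PrivateKeyFile` / `PresharedKeyFile`), which the deleted `secrets.nix` served with `group = "systemd-network"`; PATCH 53 in this series changes owner, group and unit, so squashing that into this commit would avoid a revision in which the tunnel cannot read its own key. The enclosing module attribute set starts outside the hunk.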
@@ -1,109 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "wireguard-valkyrie-mail-1-mail-1-psk.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "systemd-network"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "wireguard-mail-1-wg0-privatekey.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "systemd-network"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-fiona-grzb-de.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-yuri-nekover-se.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-mio-vs-grzb-de.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-fubuki-wg-grzb-de.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-cloud-nekover-se.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-status-nekover-se.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-matrix-nekover-se.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" 
"mail/matrix-nekover-se" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-nekomesh-nekover-se.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-social-nekover-se.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-id-nekover-se.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/id-nekover-se" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-forgejo-nekover-se.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/mail-1/secrets.yaml b/config/hosts/mail-1/secrets.yaml new file mode 100644 index 0000000..007b274 --- /dev/null +++ b/config/hosts/mail-1/secrets.yaml 
@@ -0,0 +1,37 @@ +wireguard-valkyrie-mail-1-mail-1-psk: ENC[AES256_GCM,data:qlmzG+qatZCGFqD2Yf9Nlc7tUUMr5JGIvwFcaBqmgwSFoRjVpObjpTn9h6Q=,iv:8kukGi7FyKY7Un5bfmD+xOrt57Zr4uGEho3GGFyy8KY=,tag:0SqD/4OCYC1gRcsDAK8oBw==,type:str] +wireguard-mail-1-wg0-privatekey: ENC[AES256_GCM,data:oI3NZ3QBaGsWPx8ajLtP2MUdVTpWlnmOF1j3aex+0rI5fixwtNwJvUZD3mA=,iv:ecO78C4upN99mm9ZosIxXR0RsZJRsL97FFvh6ktpczA=,tag:obxoVfxh49XznQykp1ROuA==,type:str] +mail-fiona-grzb-de: ENC[AES256_GCM,data:igpnhygXhe1kIMc+Dvj0LB+PFrJOJu53ZS5svt+B2qpXAk5kD9zQIRoU5TdHLyOdIOSSb2XBPkKgbShv,iv:MPgHxNvZGZ/NtflrxpazgryT+T1Qy/5z0klZ/BQ/mGA=,tag:8huvfd1eLJTQrKdDxFDsDw==,type:str] +mail-yuri-nekover-se: ENC[AES256_GCM,data:XsFmWttVmDnI9+q/7ZN0bDlRiYue1XPonQTfWMkkHfZ7mk1ZXlDjC3oYR3V3a3yEQrS4Jz0fAc/N4lnR,iv:RPqs8Q3QSGSJ0zSClKyIo5JmW5UEE6xYjEnqvmFE5C8=,tag:DZaDfFc+3RG9L0oIpj9f3Q==,type:str] +mail-mio-vs-grzb-de: ENC[AES256_GCM,data:R+eq1w3a6NLD20sMBejlnQ9asEGOxGBgPqQ+oLTwfryYu0b0by3rF0a7StCtSzsFMkzpAWw+En4Zreuw,iv:r7VLjix8sRSXbnpRS+9XzXI0qjklOXuQU77kU2LF7zA=,tag:BhqSLiMvnGHagq9Jg5852A==,type:str] +mail-fubuki-wg-grzb-de: ENC[AES256_GCM,data:pFPmrMtF33P3ANpnWB+qcTfEfAMJ0w4/fE/zAsVYKjEO1nhZtWSMQfyorYSq5GdbXuitIYdjx/IBCj0r,iv:FZtnyp90pB9R0nYaHsudnE7IyDi26UE+vxIpzZm0Q4s=,tag:XJcIP9LyYwbzw21QLpHfCA==,type:str] +mail-cloud-nekover-se: ENC[AES256_GCM,data:lY7ufbNOS+GPHAi1fJGhZNT0dMv1B7k+6BzGTb1IxWvvHmFv7u6NKGBmyQQD57Qvt2EwdtnGDJ2XugCD,iv:NZLdBFNHSkSj9pau0vWQzwznOjkFvhZcGalcfWoKI9w=,tag:8dn5ULJzaTYtnT3CBfpp8g==,type:str] +mail-status-nekover-se: ENC[AES256_GCM,data:blaHK5q8mJKQMo/UYf2NG2x7IsIkZD5cxaVv56Z7PFrn+pua821j8pwNGXCnmuGJFhDj16PkvfOuRXU7,iv:+Q2J73Af27qjta5xYtuF/mrwL45fyTV+K5GDpnA11Lo=,tag:OKhLFQfgKTAvg5wvID5RGA==,type:str] +mail-matrix-nekover-se: ENC[AES256_GCM,data:9Fs5Un2DI2ZHm1zLkbAsQ3tsuff9LjvuJkysxVWc1pdQuQsMHCNTHfioBMqJ1dH1E8ilkqCqljEmHh9+,iv:F73WEWyq7o06n0zkuu2cNYWUdmpX7YX4BGcR4Hgep2Y=,tag:+7BPbiCNM0QdBTBx6RKkHQ==,type:str] +mail-nekomesh-nekover-se: 
ENC[AES256_GCM,data:k25S+W3t4gn8HuUs4xge5iLjxtayB82y9PNs3lxxg3En7W4CbiSt1ccoiP4h9v9iN5rMHqiF8wg2ONlBJwQ6qA==,iv:LqjOUza0cioak0qeuBBkmRl3Kg8z05kqTeZCrgEX9qY=,tag:NkqrRxJp0c+h/C0+jfiQqg==,type:str] +mail-social-nekover-se: ENC[AES256_GCM,data:b+7hmL8yiqABkf5NFUQVTSBmj1EjImzB58Q0xpDkxSU9DVkhhURTzoi+HdgFgOOzDtkegzprokXA+I+j,iv:LtOn8+dx5Nhes4t5qpqWsnaOfD07IBZEaCXKIniJlJc=,tag:ipLZNPRN7YCkvVJYKonXmQ==,type:str] +mail-id-nekover-se: ENC[AES256_GCM,data:5odIPSrJEVoT95hch48lu4pmb0PVnjtTUOo3eohfbX1I8CNpwIuhz4Mjk5lam5q3toIKtXMhtA73RAup,iv:bvpCkS4Tz0/oorStgip0XXnsxkBMAoFJrTFAzrjPLYU=,tag:KOVNkURmuwb+8VRxfTxEDQ==,type:str] +mail-forgejo-nekover-se: ENC[AES256_GCM,data:PLZFl5aokzJorTCKD8/qJs0N1BlDLPl1tW23roMMCRkn9tAupaNwZASp1pKrPJBVBCAH4Ijj84WDIhsHdQzNhg==,iv:CExDJ2uwe0juL0f+SCyTGOfUHuEwPTHduHUkh8WAQMo=,tag:pf0QArVKBNh1F4TMxsJyRA==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1ppWG1iZzJaaTJxMi9I + MTNvWUFWU1JRakpWbGxYQU9zdk5rVWMzZHdzCktRL1NEN01EY0lvVVJuQ3V2eTBZ + OFVnN1FiVTJndHZZeDBNQmloNndLY1EKLS0tIE5Lc0NqYzI4U29zamJaK2FiL1BZ + UTc2MkpZRmpVVVpvVSsxUkdpdVMzYW8KnCIMs31S6/SSx+vUAOYfjO21pGl/AMQa + iunevrTybuTFB2F/xePkdeIVvXLTLcj0XiAIw+qzAl/GvIWp7DDnTw== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZVdRK214bVQyNVRWMXVI + dmNOWk9VMXRUWnpZaXRJQVIydmRTeDJrUzMwCi95VWVGU2t3U0dqTHVWbTVjakh6 + a2luYVZVdlFpVDRKeWpUZnpTY1J0eEkKLS0tIEtqTjBMY3UxU09jN2RuSzNGU3hX + UndxdWMyTVkzTUYzU3h6VjlyMjl6emsKNs+ED4FRI/+wrD3TUsQYyzuFvVEyrnBD + dsyjzSv8WubSloRUHkV7hwfHxgVzg37A5nlQo/qSdJC6TtfWmoXpsg== + -----END AGE ENCRYPTED FILE----- + recipient: age1hny8kwx0uymselgas25q558ruxxdv7lgtu9d5rnd6x9w3nysk4zqumzzrp + lastmodified: "2026-05-24T00:23:52Z" + mac: 
ENC[AES256_GCM,data:QH4MalhMoA5CyNmGPksMRzn6LOfxxRSBlufJ6ejcDx+l6owNT3xqKAYE9EfIUMh8z7Sw+btHhn8q02K2FnWlYD2FUY187cCcoykGRU+juJEDZH6yQ5PCqrBKXDB0wv8IBI/xTeFS7mUOzlvZfHtnLKULNZBfojN9f9jDoZCUhYo=,iv:S0AU8Ox62kk3nwL31QzYT0CGDaYNYbG/ONaQhiUbGD4=,tag:qKUkkxNouKaDb/1ptXSobg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0 diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 15318e8..0e8dba3 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix 
@@ -15,55 +15,55 @@
 domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
 loginAccounts = {
 "fiona@grzb.de" = {
- hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
+ hashedPasswordFile = "/run/secrets/mail-fiona-grzb-de";
 aliases = [ "@grzb.de" ];
 catchAll = [ "grzb.de" ];
 };
 "yuri@nekover.se" = {
- hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
+ hashedPasswordFile = "/run/secrets/mail-yuri-nekover-se";
 aliases = [ "@nekover.se" ];
 catchAll = [ "nekover.se" ];
 };
 "mio@vs.grzb.de" = {
- hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
+ hashedPasswordFile = "/run/secrets/mail-mio-vs-grzb-de";
 sendOnly = true;
 aliases = [ "root@vs.grzb.de" ];
 };
 "fubuki@wg.grzb.de" = {
- hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
+ hashedPasswordFile = "/run/secrets/mail-fubuki-wg-grzb-de";
 sendOnly = true;
 aliases = [ "root@wg.grzb.de" ];
 };
 "cloud@nekover.se" = {
- hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
+ hashedPasswordFile = "/run/secrets/mail-cloud-nekover-se";
 sendOnly = true;
 };
 "status@nekover.se" = {
- hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
+ hashedPasswordFile = "/run/secrets/mail-status-nekover-se";
 sendOnly = true;
 };
 "matrix@nekover.se" = {
- hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
+ hashedPasswordFile = "/run/secrets/mail-matrix-nekover-se";
 sendOnly = true;
 aliases = [ "nyareply@nekover.se" ];
 };
 "nekomesh@nekover.se" = {
- hashedPasswordFile = "/secrets/mail-nekomesh-nekover-se.secret";
+ hashedPasswordFile = "/run/secrets/mail-nekomesh-nekover-se";
 sendOnly = true;
 aliases = [ "nyareply@nekover.se" ];
 };
 "social@nekover.se" = {
- hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
+ hashedPasswordFile = "/run/secrets/mail-social-nekover-se";
 sendOnly = true;
 aliases = [ "nyareply@nekover.se" ];
 };
 "id@nekover.se" = {
- hashedPasswordFile = "/secrets/mail-id-nekover-se.secret";
+ hashedPasswordFile = 
"/run/secrets/mail-id-nekover-se"; sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; "forgejo@nekover.se" = { - hashedPasswordFile = "/secrets/mail-forgejo-nekover-se.secret"; + hashedPasswordFile = "/run/secrets/mail-forgejo-nekover-se"; sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; @@ -79,4 +79,71 @@ proxy_interfaces = "212.53.203.19"; }; }; + + sops.secrets."mail-fiona-grzb-de" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "postfix.service" ]; + }; + sops.secrets."mail-yuri-nekover-se" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "postfix.service" ]; + }; + sops.secrets."mail-mio-vs-grzb-de" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "postfix.service" ]; + }; + sops.secrets."mail-fubuki-wg-grzb-de" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "postfix.service" ]; + }; + sops.secrets."mail-cloud-nekover-se" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "postfix.service" ]; + }; + sops.secrets."mail-status-nekover-se" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "postfix.service" ]; + }; + sops.secrets."mail-matrix-nekover-se" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "postfix.service" ]; + }; + sops.secrets."mail-nekomesh-nekover-se" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "postfix.service" ]; + }; + sops.secrets."mail-social-nekover-se" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "postfix.service" ]; + }; + sops.secrets."mail-id-nekover-se" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "postfix.service" ]; + }; + sops.secrets."mail-forgejo-nekover-se" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "postfix.service" ]; + }; } From c288ff153a6837864369bab752eed586608588a7 Mon Sep 17 00:00:00 2001 
From: Fiona Grzebien Date: Sun, 24 May 2026 02:35:42 +0200 Subject: [PATCH 53/55] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/7f04f29e010fdf57851461605322d7c2b95f9f15?narHash=sha256-hwD5/IbAs5FTdg7R2VPWlVsAwrVDmILa%2Bw8gj4U3HQQ%3D' (2026-05-20) → 'github:NixOS/nixpkgs/63ec6699e426863863e065730574a1f336e4925a?narHash=sha256-4H8sc3E4lGoLmM5M5EmDoVpfAzMuz75q2/UNQV2h/Yg%3D' (2026-05-23) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/22dcc7e4821c231607aacd682b035f29fabc2f8f?narHash=sha256-AMcWQ3mQUrdeXiJaCHXYh%2Bc5tBI3lTsbymEUXPRegdo%3D' (2026-05-20) → 'github:NixOS/nixpkgs/89afca31a77b6850e7335d60e3d35cd742e772cb?narHash=sha256-aJYBdQXSD2gMlD39zP35E5qcPN91f3GWI5%2B9RHxiHsc%3D' (2026-05-24) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/8e72e9888e67ce593df16546cd31e0d75544ad0d?narHash=sha256-O3UFKrh5oDyOwqD4Njdf7%2BSIxptOl3gHZyesYvNsIbw%3D' (2026-05-20) → 'github:NixOS/nixpkgs/19942a940b16e7e7285e3cf58f09fa1aeb2f90cd?narHash=sha256-6SjdsouT54k1%2B/DyBqTJwdFlja4RBNq9jP9N%2B8kBIa0%3D' (2026-05-23) --- config/hosts/mail-1/configuration.nix | 12 ++++++------ flake.lock | 18 +++++++++--------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index b384f41..3f27ce3 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix 
@@ -79,15 +79,15 @@
 
 sops.secrets."wireguard-valkyrie-mail-1-mail-1-psk" = {
 mode = "0440";
- owner = "root";
- group = "root";
- restartUnits = [ "wireguard-wg0.service" ];
+ owner = "systemd-network";
+ group = "systemd-network";
+ restartUnits = [ "systemd-networkd.service" ];
 };
 sops.secrets."wireguard-mail-1-wg0-privatekey" = {
 mode = "0440";
- owner = "root";
- group = "root";
- restartUnits = [ "wireguard-wg0.service" ];
+ owner = "systemd-network";
+ group = "systemd-network";
+ restartUnits = [ "systemd-networkd.service" ];
 };
 
 system.stateVersion = "23.05";
diff --git a/flake.lock b/flake.lock
index e0a270b..8751992 100644
--- a/flake.lock
+++ b/flake.lock
@@ -118,11 +118,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1779243744,
- "narHash": "sha256-hwD5/IbAs5FTdg7R2VPWlVsAwrVDmILa+w8gj4U3HQQ=",
+ "lastModified": 1779516755,
+ "narHash": "sha256-4H8sc3E4lGoLmM5M5EmDoVpfAzMuz75q2/UNQV2h/Yg=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "7f04f29e010fdf57851461605322d7c2b95f9f15",
+ "rev": "63ec6699e426863863e065730574a1f336e4925a",
 "type": "github"
 },
 "original": {
@@ -134,11 +134,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1779287632,
- "narHash": "sha256-AMcWQ3mQUrdeXiJaCHXYh+c5tBI3lTsbymEUXPRegdo=",
+ "lastModified": 1779582842,
+ "narHash": "sha256-aJYBdQXSD2gMlD39zP35E5qcPN91f3GWI5+9RHxiHsc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "22dcc7e4821c231607aacd682b035f29fabc2f8f",
+ "rev": "89afca31a77b6850e7335d60e3d35cd742e772cb",
 "type": "github"
 },
 "original": {
@@ -150,11 +150,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1779273561,
- "narHash": "sha256-O3UFKrh5oDyOwqD4Njdf7+SIxptOl3gHZyesYvNsIbw=",
+ "lastModified": 1779543187,
+ "narHash": "sha256-6SjdsouT54k1+/DyBqTJwdFlja4RBNq9jP9N+8kBIa0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "8e72e9888e67ce593df16546cd31e0d75544ad0d",
+ "rev": "19942a940b16e7e7285e3cf58f09fa1aeb2f90cd",
 "type": "github"
 },
 "original": {
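Review bot: `owner = "systemd-network"` in both blocks grants more than networkd needs: with `mode = "0440"` the daemon only needs group read, so `owner = "root"; group = "systemd-network";` is sufficient and keeps the service account from owning its own private key file, which is also what the colmena `secrets.nix` removed in PATCH 52 did (`user = "root"; group = "systemd-network"`). Whether `systemd-networkd.service` has to be restarted rather than reloaded for a rotated `PrivateKeyFile` to be picked up I cannot tell from here; a restart briefly drops every link on the host, so it is worth confirming before relying on `restartUnits` for key rotation. Separately, this functional fix to the mail-1 host is bundled under the auto-generated subject `flake.lock: Update`, which hides it from the history; it belongs in its own commit with a subject naming the change, e.g. `mail-1: let systemd-networkd read the WireGuard secrets`. The flake.lock hunks that follow are lockfile updates and need no review.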
From 938e8cfd626a28564c9f668e4545aeb50421a5c8 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 24 May 2026 02:55:48 +0200
Subject: [PATCH 54/55] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/89afca31a77b6850e7335d60e3d35cd742e772cb?narHash=sha256-aJYBdQXSD2gMlD39zP35E5qcPN91f3GWI5%2B9RHxiHsc%3D' (2026-05-24) → 'github:NixOS/nixpkgs/7187ab1fdea9daa9ed0267b791ac5837f123c5e2?narHash=sha256-Q96rInBJ%2BFj9uKWfESTZflRTaQAouNEN9yBLmYiXr%2B8%3D' (2026-05-24)
---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index 8751992..4b2d904 100644
--- a/flake.lock
+++ b/flake.lock
@@ -134,11 +134,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1779582842,
- "narHash": "sha256-aJYBdQXSD2gMlD39zP35E5qcPN91f3GWI5+9RHxiHsc=",
+ "lastModified": 1779583734,
+ "narHash": "sha256-Q96rInBJ+Fj9uKWfESTZflRTaQAouNEN9yBLmYiXr+8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "89afca31a77b6850e7335d60e3d35cd742e772cb",
+ "rev": "7187ab1fdea9daa9ed0267b791ac5837f123c5e2",
 "type": "github"
 },
 "original": {
From e99fed5833960df9bcf11ae876a22c1342a2f7bb Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 24 May 2026 02:56:10 +0200
Subject: [PATCH 55/55] Remove config for colmena secrets
---
 flake.nix | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/flake.nix b/flake.nix
index 0e09394..512ca5f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -33,9 +33,6 @@
 
 specialArgs = {
 inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver;
-
- # Provide environment for secret key command
- keyCommandEnv = [ "env" "GNUPGHOME=/home/fi/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/fi/pass/infra" ];
 };
 };
 } // builtins.mapAttrs (helper.generateColmenaHost) hosts;