forked from fi/nix-infra


55 commits

Author SHA1 Message Date
e99fed5833
Remove config for colmena secrets 2026-05-24 02:56:10 +02:00
938e8cfd62
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-master':
    'github:NixOS/nixpkgs/89afca31a77b6850e7335d60e3d35cd742e772cb?narHash=sha256-aJYBdQXSD2gMlD39zP35E5qcPN91f3GWI5%2B9RHxiHsc%3D' (2026-05-24)
  → 'github:NixOS/nixpkgs/7187ab1fdea9daa9ed0267b791ac5837f123c5e2?narHash=sha256-Q96rInBJ%2BFj9uKWfESTZflRTaQAouNEN9yBLmYiXr%2B8%3D' (2026-05-24)
2026-05-24 02:55:48 +02:00
c288ff153a
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/7f04f29e010fdf57851461605322d7c2b95f9f15?narHash=sha256-hwD5/IbAs5FTdg7R2VPWlVsAwrVDmILa%2Bw8gj4U3HQQ%3D' (2026-05-20)
  → 'github:NixOS/nixpkgs/63ec6699e426863863e065730574a1f336e4925a?narHash=sha256-4H8sc3E4lGoLmM5M5EmDoVpfAzMuz75q2/UNQV2h/Yg%3D' (2026-05-23)
• Updated input 'nixpkgs-master':
    'github:NixOS/nixpkgs/22dcc7e4821c231607aacd682b035f29fabc2f8f?narHash=sha256-AMcWQ3mQUrdeXiJaCHXYh%2Bc5tBI3lTsbymEUXPRegdo%3D' (2026-05-20)
  → 'github:NixOS/nixpkgs/89afca31a77b6850e7335d60e3d35cd742e772cb?narHash=sha256-aJYBdQXSD2gMlD39zP35E5qcPN91f3GWI5%2B9RHxiHsc%3D' (2026-05-24)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/8e72e9888e67ce593df16546cd31e0d75544ad0d?narHash=sha256-O3UFKrh5oDyOwqD4Njdf7%2BSIxptOl3gHZyesYvNsIbw%3D' (2026-05-20)
  → 'github:NixOS/nixpkgs/19942a940b16e7e7285e3cf58f09fa1aeb2f90cd?narHash=sha256-6SjdsouT54k1%2B/DyBqTJwdFlja4RBNq9jP9N%2B8kBIa0%3D' (2026-05-23)
2026-05-24 02:52:51 +02:00
e35aa9aabd
Migrate mail-1 to sops-nix 2026-05-24 02:34:27 +02:00
d845904ecd
Migrate valkyrie to sops-nix 2026-05-24 02:06:28 +02:00
f4265bbb5d
Migrate torrent to sops-nix 2026-05-24 01:31:50 +02:00
6282e3fed9
Migrate searx to sops-nix 2026-05-24 01:21:13 +02:00
b5d6055f36
Migrate nextcloud to sops-nix 2026-05-24 01:14:43 +02:00
7740eb01f2
Migrate metrics-nekomesh to sops-nix 2026-05-24 00:45:44 +02:00
e04b5ac8e6
Migrate metrics to sops-nix 2026-05-24 00:26:33 +02:00
fi
3b4cd0651f
Update mastodon to 4.5.10 2026-05-20 16:52:34 +02:00
fi
a01a891495
Migrate matrix to sops-nix 2026-05-18 21:56:57 +02:00
dc965c3329
Migrate mastodon to sops-nix 2026-05-17 18:55:08 +02:00
88ce33c504
Add secrets for mastodon 2026-05-17 03:45:18 +02:00
8784537a38
Migrate lifeline to sops-nix 2026-05-17 03:25:55 +02:00
5d1fc8bbc3
Migrate keycloak to sops-nix 2026-05-17 03:14:42 +02:00
985c4c9040
Migrate jellyfin to sops-nix 2026-05-17 03:01:07 +02:00
74f35e704c
Migrate forgejo to sops-nix 2026-05-17 02:56:18 +02:00
679f815d60
Add sops.nix to every host 2026-05-17 02:41:04 +02:00
408bbe2de2
Add all host age keys 2026-05-17 02:33:39 +02:00
b3f6e37765
Remove mail-2 2026-05-17 02:12:42 +02:00
8d107286a9
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/30f30521f3fce93c4c22bb43941cdf8e2d90d311?narHash=sha256-/VER73JyDAsvWXmEk6Qph%2Bq1cXLof4iXtxgwKsj3cP8%3D' (2026-05-16)
  → 'github:NixOS/nixpkgs/ff5e747c5f45865599ba7387244212420558e83c?narHash=sha256-z1PIyRIm5nlh6sB4I4ObT42O6IT5zuFzQK0RtvRoL/c%3D' (2026-05-16)
• Updated input 'nixpkgs-master':
    'github:NixOS/nixpkgs/183fe40a77b6860ddd8ed01433d0f4f2f5343e7b?narHash=sha256-W9Dm45lszeihc0BZIHeLMVAJzOETAZtgQQbPhqyLPA0%3D' (2026-05-16)
  → 'github:NixOS/nixpkgs/b6aac1076920329e7863e9fb607d4d1811ea16f3?narHash=sha256-gnglqTdKUK1UlKfq%2BZRXmxWW%2BMRhbpOi3DzjTp2zqRU%3D' (2026-05-16)
2026-05-17 01:26:48 +02:00
5b44c4516c
Remove hydra host 2026-05-17 01:24:09 +02:00
a28f7a5848
Migrate coturn to sops-nix 2026-05-17 01:18:39 +02:00
bff3401ada
Migrate ikiwiki to sops-nix 2026-05-17 01:04:54 +02:00
668f2ef4d8
Add ssh-to-age 2026-05-16 23:41:15 +02:00
37df75b8cb
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/a3c34a1dd63140ab2150ebb4fa290bbbae58193b?narHash=sha256-wVKu7ZYV3ikh7RVDY1TVlaKwPTFvfkYnOzQGn3IqT4o%3D' (2026-05-15)
  → 'github:NixOS/nixpkgs/30f30521f3fce93c4c22bb43941cdf8e2d90d311?narHash=sha256-/VER73JyDAsvWXmEk6Qph%2Bq1cXLof4iXtxgwKsj3cP8%3D' (2026-05-16)
• Updated input 'nixpkgs-master':
    'github:NixOS/nixpkgs/b0415a300a8d2daf19019ef418f0b019ee38cf47?narHash=sha256-NZ9yg%2BVJy6RftGD3YXeqCEEVsPZH9hPu6yWm/bAuqLM%3D' (2026-05-15)
  → 'github:NixOS/nixpkgs/183fe40a77b6860ddd8ed01433d0f4f2f5343e7b?narHash=sha256-W9Dm45lszeihc0BZIHeLMVAJzOETAZtgQQbPhqyLPA0%3D' (2026-05-16)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/758b562bc257084aef30b8e3efbdd61d292806c3?narHash=sha256-BxYhb8H0aVtiM1kGRt%2BS49NbsJMUMIHvOXxziE9u0nY%3D' (2026-05-15)
  → 'github:NixOS/nixpkgs/5a51fe22e18a6ce886b3cffa4c255378c151323c?narHash=sha256-FqqcYr0c5in/HRL5bkRWykAGp/Q10Vj/zUiSr1P8URE%3D' (2026-05-16)
• Added input 'sops-nix':
    'github:Mic92/sops-nix/c591bf665727040c6cc5cb409079acb22dcce33c?narHash=sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8%3D' (2026-05-05)
• Added input 'sops-nix/nixpkgs':
    follows 'nixpkgs'
2026-05-16 22:50:29 +02:00
2a8f0b0564
Add sops-nix 2026-05-16 22:49:13 +02:00
b2079ab04d
Add mastodon default patches for yarn-4.14-support.patch 2026-05-16 21:25:16 +02:00
80916c6b85
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/7fea5ede44b70af67136a82b41e39878cfb3a51b?narHash=sha256-adRHzYRN0huy51aAykoXC4xxBe84AupPMp81lmoNJHM%3D' (2026-04-30)
  → 'github:NixOS/nixpkgs/a3c34a1dd63140ab2150ebb4fa290bbbae58193b?narHash=sha256-wVKu7ZYV3ikh7RVDY1TVlaKwPTFvfkYnOzQGn3IqT4o%3D' (2026-05-15)
• Updated input 'nixpkgs-master':
    'github:NixOS/nixpkgs/6d457375d24d7d6c8b537a161660173ca225dfdf?narHash=sha256-/H8BBZdwWPVS9mzK5a8XskmLI%2BwMf6Zf8d22ZLeWSc4%3D' (2026-04-30)
  → 'github:NixOS/nixpkgs/b0415a300a8d2daf19019ef418f0b019ee38cf47?narHash=sha256-NZ9yg%2BVJy6RftGD3YXeqCEEVsPZH9hPu6yWm/bAuqLM%3D' (2026-05-15)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/417335fe04072fe234d9a566b72d7955df681844?narHash=sha256-XqqAel6imMLIA8ZeX5CNydzOaokD6GIoUf02DuFeWr4%3D' (2026-04-30)
  → 'github:NixOS/nixpkgs/758b562bc257084aef30b8e3efbdd61d292806c3?narHash=sha256-BxYhb8H0aVtiM1kGRt%2BS49NbsJMUMIHvOXxziE9u0nY%3D' (2026-05-15)
2026-05-15 22:38:20 +02:00
fi
df36846fb2
Update element-web to 1.12.17 2026-05-01 16:35:54 +02:00
fi
cbfe669ad4
Update element-admin to 0.1.11 2026-05-01 16:33:25 +02:00
fi
618b6ba170
Update mastodon to 4.5.9 2026-05-01 16:21:22 +02:00
fi
9ba87803fc
Add /.well-known/matrix/support endpoint 2026-05-01 16:18:28 +02:00
fi
ae2a4c91fd
Set LIVEKIT_FULL_ACCESS_HOMESERVERS 2026-05-01 02:40:31 +02:00
fi
3a4ce8d0eb
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/0aecba5a03727e1ac2d66378907d9a6e9c8266d0' (2026-04-03)
  → 'github:NixOS/nixpkgs/7fea5ede44b70af67136a82b41e39878cfb3a51b' (2026-04-30)
• Updated input 'nixpkgs-master':
    'github:NixOS/nixpkgs/942d1c86a6642bff0c4a440d30a7669a7a18a903' (2026-04-03)
  → 'github:NixOS/nixpkgs/6d457375d24d7d6c8b537a161660173ca225dfdf' (2026-04-30)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/0eac666efaa8a9afea2821f9efc7921b4ef39b4e' (2026-04-03)
  → 'github:NixOS/nixpkgs/417335fe04072fe234d9a566b72d7955df681844' (2026-04-30)
2026-05-01 01:50:20 +02:00
fi
f73990a427
WIP 2026-04-07 22:59:15 +02:00
fi
f19436b178
Allow proxy protocol to reverse proxy 2026-04-07 22:03:15 +02:00
fi
fe86c128ed
Put matrix federation behind reverse proxy 2026-04-07 21:32:12 +02:00
fi
44215ecfc9
Remove obsolete configuration 2026-04-05 23:59:35 +02:00
fi
654a8459eb
Route IPv6 traffic via valkyrie 2026-04-05 23:50:38 +02:00
fi
d793308ebe
Add stardew ssh key 2026-04-04 00:53:32 +02:00
fi
051571d200
Add default grafana secret key for metrics-nekomesh 2026-04-04 00:02:07 +02:00
fi
5e2c28fd13
Update mastodon to 4.5.8 2026-04-03 22:58:44 +02:00
fi
39be09bb6b
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/56ed9a39b84feaee9624111dc86869d19f4c22f3' (2026-03-30)
  → 'github:NixOS/nixpkgs/0aecba5a03727e1ac2d66378907d9a6e9c8266d0' (2026-04-03)
• Updated input 'nixpkgs-master':
    'github:NixOS/nixpkgs/98ce05a593c5d9655ddbd09fd81f7679381b5392' (2026-03-30)
  → 'github:NixOS/nixpkgs/942d1c86a6642bff0c4a440d30a7669a7a18a903' (2026-04-03)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/318977b8e175faba256cb35e0ca6810c7d87edf2' (2026-03-30)
  → 'github:NixOS/nixpkgs/0eac666efaa8a9afea2821f9efc7921b4ef39b4e' (2026-04-03)
2026-04-03 22:51:49 +02:00
fi
17ddc2f9c9
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/08ebc444a070153227d6f45acf979f4d5f1f97f9' (2026-02-11)
  → 'github:NixOS/nixpkgs/56ed9a39b84feaee9624111dc86869d19f4c22f3' (2026-03-30)
• Updated input 'nixpkgs-master':
    'github:NixOS/nixpkgs/8605a9be3795437e3717dab6c542d2d571369e70' (2026-02-11)
  → 'github:NixOS/nixpkgs/98ce05a593c5d9655ddbd09fd81f7679381b5392' (2026-03-30)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/d9ca3a4b73f19ea147c9d977d3dde8f612ac648f' (2026-02-11)
  → 'github:NixOS/nixpkgs/318977b8e175faba256cb35e0ca6810c7d87edf2' (2026-03-30)
• Updated input 'simple-nixos-mailserver':
    'gitlab:simple-nixos-mailserver/nixos-mailserver/23f0a53ca6e58e61e1ea2b86791c69b79c91656d' (2025-12-24)
  → 'gitlab:simple-nixos-mailserver/nixos-mailserver/25e6dbb8fca3b6e779c5a46fd03bd760b2165bb5' (2026-03-19)
• Updated input 'simple-nixos-mailserver/flake-compat':
    'github:edolstra/flake-compat/f387cd2afec9419c8ee37694406ca490c3f34ee5' (2025-10-27)
  → 'github:edolstra/flake-compat/5edf11c44bc78a0d334f6334cdaf7d60d732daab' (2025-12-29)
• Updated input 'simple-nixos-mailserver/git-hooks':
    'github:cachix/git-hooks.nix/7275fa67fbbb75891c16d9dee7d88e58aea2d761' (2025-11-16)
  → 'github:cachix/git-hooks.nix/8baab586afc9c9b57645a734c820e4ac0a604af9' (2026-03-07)
• Updated input 'simple-nixos-mailserver/nixpkgs':
    'github:NixOS/nixpkgs/a320ce8e6e2cc6b4397eef214d202a50a4583829' (2025-11-24)
  → 'github:NixOS/nixpkgs/826430a188181a750ffa5948daff334039c5d741' (2026-03-18)
2026-03-30 22:25:39 +02:00
fi
9862a9d21b
Update element-web to 1.12.10 2026-02-11 18:02:31 +01:00
fi
459ac4c314
Update mastodon to 4.5.6 and remove fedi fetcher 2026-02-11 17:24:44 +01:00
fi
6daef62b60
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/032a1878682fafe829edfcf5fdfad635a2efe748' (2025-11-27)
  → 'github:nix-community/nixos-generators/8946737ff703382fda7623b9fab071d037e897d5' (2026-01-30)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/044f759a4f4629f2be41e59b859753a091e3c089' (2026-01-04)
  → 'github:NixOS/nixpkgs/08ebc444a070153227d6f45acf979f4d5f1f97f9' (2026-02-11)
• Updated input 'nixpkgs-master':
    'github:NixOS/nixpkgs/4220734816a0091405c33fe4c113be021c8e9c34' (2026-01-05)
  → 'github:NixOS/nixpkgs/8605a9be3795437e3717dab6c542d2d571369e70' (2026-02-11)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/1e46161ce72e20c156dd2225d7517421236c0f22' (2026-01-05)
  → 'github:NixOS/nixpkgs/d9ca3a4b73f19ea147c9d977d3dde8f612ac648f' (2026-02-11)
2026-02-11 17:16:34 +01:00
fi
98b3e14bd6 Host element-admin on web-public-2 2026-01-18 19:36:46 +01:00
fi
4bfcfe355c Expose matrix admin api on management VPN 2026-01-18 17:56:04 +01:00
fi
8fe546c3fe Enable MAS admin cli 2026-01-18 17:41:21 +01:00
fi
770ba36ffc Remove invalid password complexity setting in MAS config
Should be a value between 0 and 4. Default is 3.
2026-01-18 17:19:30 +01:00
fi
399f53fc3e flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/f376a52d0dc796aec60b5606a2676240ff1565b9' (2025-12-08)
  → 'github:NixOS/nixpkgs/044f759a4f4629f2be41e59b859753a091e3c089' (2026-01-04)
• Updated input 'nixpkgs-master':
    'github:NixOS/nixpkgs/a0ea537a4fc4c49fb1e226317829c8b32ed95d0e' (2025-12-08)
  → 'github:NixOS/nixpkgs/4220734816a0091405c33fe4c113be021c8e9c34' (2026-01-05)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/fc2de1563f89f0843eba27f14576d261df0e3b80' (2025-12-08)
  → 'github:NixOS/nixpkgs/1e46161ce72e20c156dd2225d7517421236c0f22' (2026-01-05)
• Updated input 'simple-nixos-mailserver':
    'gitlab:simple-nixos-mailserver/nixos-mailserver/a14fe3b293ec2720e5b7fc72ad136d22967e12ba' (2025-11-26)
  → 'gitlab:simple-nixos-mailserver/nixos-mailserver/23f0a53ca6e58e61e1ea2b86791c69b79c91656d' (2025-12-24)
2026-01-06 00:25:12 +01:00
954f7d4d08
tweak forgejo service configuration a bit making it nicer
- Enable Git LFS support, since it's nice to have.
- Enable offline mode to avoid relying on CDNs (and to not use
  Gravatar).
- Enable notification mails for repo activity.
- Put setting for default repo units into "repository" category as the
  "repo" category doesn't exist.
- Also disable all repo units except code, as they mostly aren't needed
  for private repos and can be easily enabled on-demand.
2026-01-05 20:21:52 +01:00
142 changed files with 1280 additions and 1479 deletions

96
.sops.yaml Normal file

@ -0,0 +1,96 @@
keys:
- &admin_age_fi age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- &host_age_coturn age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l
- &host_age_forgejo age1d5y8dx3e8pksvxr8fv8f02v0y7qg7kuwpxpmxksp7xlvrcpfju5sdz6guk
- &host_age_ikiwiki age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
- &host_age_jellyfin age10huhyn3va02zjysyanf8fd6lpfvjv3k3u6qymanz9jtcmfp3kqfskth7yt
- &host_age_keycloak age15kluaw2krucmc0j98zfk0s5tkwqer0ax6jva458zukzrgnqjqc9q7s88yd
- &host_age_lifeline age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua
- &host_age_mail-1 age1hny8kwx0uymselgas25q558ruxxdv7lgtu9d5rnd6x9w3nysk4zqumzzrp
- &host_age_mastodon age1r60mmmeulm33h0trc0y870dml5hzhglyjv4wecyjy2858pg8u47s793r30
- &host_age_matrix age1g60l5mu08xrwfw7uptwcwde8kp9dacs4ltqv2ndjskpy8z5sqakqssxxq5
- &host_age_metrics age1lrtengtdc0nzpagr8fkp5mwqda66jqr0s2h3wsxcdscmalp8n3js3r0e3n
- &host_age_metrics-nekomesh age1rh7zgp445t39c7tmh84r30e9edju8gmtn84u7rjwhmyntzkugucq5x0xse
- &host_age_nextcloud age1lvlmct30jtg7p4qpf8evtjlld6g74q2ckh803hd3ynr7cz7zlceq84flwu
- &host_age_searx age17h3js5v8s5vezcankky6kqxcrvtfxanmvhp3axmnqs4y9s2lr9yqvc6zrn
- &host_age_torrent age1m37wtvp7fpavaygn2jc6kq2gtuvgvf0jgwwhd3p5862djv5segqs97mg7c
- &host_age_valkyrie age1guqc5pnajp2whkla6vws4yqnpe5hq4z89w6te3n5yql5pugzfqlqczjlee
creation_rules:
- path_regex: config/hosts/coturn/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_coturn
- path_regex: config/hosts/forgejo/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_forgejo
- path_regex: config/hosts/ikiwiki/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_ikiwiki
- path_regex: config/hosts/jellyfin/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_jellyfin
- path_regex: config/hosts/keycloak/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_keycloak
- path_regex: config/hosts/lifeline/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_lifeline
- path_regex: config/hosts/mail-1/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_mail-1
- path_regex: config/hosts/mastodon/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_mastodon
- path_regex: config/hosts/matrix/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_matrix
- path_regex: config/hosts/metrics/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_metrics
- path_regex: config/hosts/metrics-nekomesh/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_metrics-nekomesh
- path_regex: config/hosts/nextcloud/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_nextcloud
- path_regex: config/hosts/searx/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_searx
- path_regex: config/hosts/torrent/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_torrent
- path_regex: config/hosts/valkyrie/.*
key_groups:
- age:
- *admin_age_fi
- *host_age_valkyrie
stores:
yaml:
indent: 2
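Review bot: The `path_regex` patterns are unanchored; sops tests them with an unanchored regex match against the path relative to this file, so `config/hosts/coturn/.*` would also match a future `old/config/hosts/coturn/x.yaml` or a non-YAML file in that directory. Anchoring each rule, e.g. `path_regex: ^config/hosts/coturn/[^/]+\.yaml$`, pins it to exactly one host directory; the absence of a catch-all rule is good and should stay, since an unmatched path makes `sops` refuse to encrypt instead of silently picking recipients. One caveat worth a header comment: these rules are consulted only when a file is created or `sops updatekeys` is run, so after rotating any `host_age_*` recipient the per-host `secrets.yaml` keeps the old recipient until `sops updatekeys` is re-run, e.g. `# Recipients apply at create/updatekeys time; re-run 'sops updatekeys' after rotating a key.`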


@ -35,6 +35,7 @@
parted
tmux
nano
ssh-to-age
tcpdump
];


@ -5,7 +5,7 @@
min-port = 49200;
max-port = 49500;
use-auth-secret = true;
static-auth-secret-file = "/secrets/static-auth-secret.secret";
static-auth-secret-file = "/run/secrets/static-auth-secret";
realm = "turn.nekover.se";
cert = "${config.security.acme.certs."turn.nekover.se".directory}/fullchain.pem";
pkey = "${config.security.acme.certs."turn.nekover.se".directory}/key.pem";
@ -42,4 +42,11 @@
total-quota=1200
'';
};
sops.secrets."static-auth-secret" = {
mode = "0440";
owner = "turnserver";
group = "turnserver";
restartUnits = [ "coturn.service" ];
};
}


@ -4,5 +4,6 @@
./configuration.nix
./acme.nix
./coturn.nix
./sops.nix
];
}


@ -1,11 +0,0 @@
{ keyCommandEnv,... }:
{
deployment.keys."static-auth-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ];
destDir = "/secrets";
user = "turnserver";
group = "turnserver";
permissions = "0640";
uploadAt = "pre-activation";
};
}


@ -0,0 +1,25 @@
static-auth-secret: ENC[AES256_GCM,data:af5cjUSeiCEtYki85h+XoJW5FKY4X18i6zOBZnH64Ju/LwA/yUemA8co17TG5cQnc/sw1pz6LySL2DOq/Gj42g==,iv:Yne84/VLN0jCSulA5OQ0UKbQWkqWBmHYogDuAngAp48=,tag:wJ/4yGnbypjTo/akV3P9ZA==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMXRScDR1NzhzZGRXYUZQ
ZGpRYUlOUWZTVHQvdUlrSG5SRWM2ME9sdUVZCldCZkZ0SXdqUjBVNlRnckg3N0dS
S0s2NkRnQys2SGJKSTdiUWlnbTg1dkEKLS0tIGthb0FESjAyMjlEbnV4S0lPOHda
S1ZBOWdTSmNRQXMvUGJnd05sK1Q2Qk0KHseEBDVLeSWHdgrYyITRuJyp3orrjwwS
04ORMniHR7ymHzRPvm3oX/jkFD0iJEmk8clgm/Gcn2AQ7xXeJO7Vnw==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmemxWRnFLMFVEcVZCb3BT
MStWU21kcnF5enpleWt3dFdaMHo3RzJGaENNClU2M2tmdE0zd2pXWUJHQkV5Mkhi
a0lIbHJmWDN6UXhVeTZId3RhcEd5TWcKLS0tIFRlSUNQN0pGYmtiOGxJS0pJY0tQ
YjFzS205QklRZWdPbklIRzVzbFFPT2sKCXra+DUchbomy9pe2HJAbhAF1mstgUcv
NalettWmuLXe2B0WjC9fAy2AAJS6kysEbUh960suzSPLTqTce0MGfA==
-----END AGE ENCRYPTED FILE-----
recipient: age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l
lastmodified: "2026-05-16T23:13:15Z"
mac: ENC[AES256_GCM,data:PxX20JAaYhj3DE1KjakVmVucL7jjZU0vh5vnSNmKLgqedJiV2ZqEXpF4s1WPgYTY723aLiWDLw/8kTF/VmvMs8zOdGSkIhojWIWFE6I2yq1MjlawXuUhGpe6C1XGQ+w0KTqzyJLxyIsUSH24GqPHmLRMStE7bYdr0a4lRBHEyqE=,iv:6tXoqhG1XqDAz4SZSIxFCi01Be76/dV4vFPwv3lkcps=,tag:ytLoh7gJ+Iuqv5AwhDElrw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}
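Review bot: Nothing in this module declares the decryption identity, so decryption on the host presumably relies on sops-nix's default of deriving an age key from the host's ed25519 SSH host key (consistent with the `ssh-to-age` addition and the `host_age_*` recipients in `.sops.yaml`). That makes the SSH host key the trust root for every secret on the machine: re-imaging or rotating it silently breaks decryption until `.sops.yaml` is updated and `sops updatekeys` re-run, and anyone holding `/etc/ssh/ssh_host_ed25519_key` can read that host's secrets from the repository. Stating it explicitly, `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with a one-line comment such as `# the SSH host key is the decryption key for ./secrets.yaml; rotate both together`, makes that dependency visible to the next maintainer.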


@ -5,5 +5,6 @@
./forgejo.nix
./redis.nix
./nginx.nix
./sops.nix
];
}


@ -4,6 +4,7 @@
enable = true;
package = pkgs.forgejo;
database.type = "postgres";
lfs.enable = true;
settings = {
DEFAULT = {
@ -17,6 +18,7 @@
ROOT_URL = "https://git.nekover.se/";
# LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
# Doesn't need to be set.
OFFLINE_MODE = true;
};
admin = {
DISABLE_REGULAR_ORG_CREATION = false;
@ -34,11 +36,10 @@
DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false;
};
repo = {
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
ENABLE_NOTIFY_MAIL = true;
};
repository = {
DEFAULT_REPO_UNITS = "repo.code";
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
};
@ -60,6 +61,13 @@
HOST = "redis+socket:///run/redis-forgejo/redis.sock";
};
};
secrets.mailer.PASSWD = "/secrets/forgejo-mailer-password.secret";
secrets.mailer.PASSWD = "/run/secrets/forgejo-mailer-password";
};
sops.secrets."forgejo-mailer-password" = {
mode = "0440";
owner = "forgejo";
group = "forgejo";
restartUnits = [ "forgejo.service" ];
};
}


@ -29,7 +29,8 @@
};
extraConfig = ''
set_real_ip_from 10.202.41.100;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol;
'';
};


@ -1,13 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"forgejo-mailer-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
destDir = "/secrets";
user = "forgejo";
group = "forgejo";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -0,0 +1,25 @@
forgejo-mailer-password: ENC[AES256_GCM,data:bFUrFyE/reeTtKZCrb1T1CG8Ng9QbDwZo9AdxU67i8uNmKcn93k3dqY70tSqBTAc9hpsXyW3UTKnPpk+ffb0mw==,iv:p16td5KV0rTmrrtX8FMojotEa+2oiFmVizkc6mt9QyI=,tag:czg/IlNLkx75m2iSddUkUw==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNjVaNlFWeG9vMW4vM2R3
bWQyVk9jN1VkUUczbTBzUmdpZ2NyWlV4aVFjCmZwa0lDcXUzVDM4d1Mwa1B4Qm9q
WjVKMXJBRVNtc0JzcmE0Y20zdCtzM3cKLS0tIEJWanpwZHdPMGJiL0lkME9yVGQ1
a3ZvRGV3VENIbmlubG16MWF3SkdyQ00KZj5vuzVyCqbLH5gnQjhRpOfHtIB3RVZC
m+VdnnAFIfShrxwfOekVavffaHmG3PWS7RUKoeZNSdtz1ScuwfazPw==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYOEdadnQvSW1mcE9hSmFL
aFlqdHpTejNZRXJCbTh4WjQyQXVobitaa2hFCjV1RU9UOGlqaXhIckNLMmYwb0s2
eHY2VVpiQThzQUNuS1FLbFd3V2NGZk0KLS0tIGdOK3VEOUlNcldBQ1haRHhVS0cw
N3ZoNWlVK2trVkJLQlhnaHFueFdqVEkK800paYmP1opnW7o2V8f2zzWNR5tOVYGs
fl+SA7hE7uTpRrrGfuZq0jQgWOaeAbJ3+PzRuSrVlrXdWIyipcZM2Q==
-----END AGE ENCRYPTED FILE-----
recipient: age1d5y8dx3e8pksvxr8fv8f02v0y7qg7kuwpxpmxksp7xlvrcpfju5sdz6guk
lastmodified: "2026-05-17T00:50:59Z"
mac: ENC[AES256_GCM,data:I3a9s9i6sFVTRQIAj94YZNyxQsDIWIvRhy9M/e6iMYpvoQyxFvMD3xAE0NQ1uX1QgMoi+6njTc8AmTXFJvSfoiqtVfHQH+HkLPMR27DZUY6kgZGMvUVswioSKfaF8fZxGEyWRPAuTDlynfOsGpr4Tqt5U8NBiYL1FDD6CPALaiY=,iv:RUbSPPTR6cTWwzvbnQRA/f9AjjjOpQUiEBrWvxqCpTQ=,tag:GcGsBgxWU/AXm06FkUI1LA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -1,51 +0,0 @@
{ ... }:
{
boot = {
loader.grub = {
enable = true;
device = "/dev/vda";
};
binfmt.emulatedSystems = [
"armv6l-linux"
"armv7l-linux"
"aarch64-linux"
];
};
networking = {
hostName = "hydra";
firewall = {
enable = true;
allowedTCPPorts = [ 8443 ];
};
};
users.users.builder = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/plZfxF/RtB+pJsUYx9HUgRcB56EoO0uj+j3AGzZta root@cherry"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeIiHkHA5c6/jZx+BB28c5wchdzlFI7R1gbvNmPyoOg root@kiara"
];
};
nix = {
settings = {
trusted-users = [ "builder" ];
allowed-uris = "http:// https://";
};
buildMachines = [
{
hostName = "localhost";
systems = [
"x86_64-linux"
"armv6l-linux"
"armv7l-linux"
"aarch64-linux"
];
}
];
};
system.stateVersion = "23.05";
}


@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./configuration.nix
./hydra.nix
./nix-serve.nix
./nginx.nix
];
}


@ -1,14 +0,0 @@
{ ... }:
{
services.hydra = {
enable = true;
hydraURL = "https://hydra.nekover.se";
listenHost = "localhost";
port = 3001;
useSubstitutes = true;
notificationSender = "hydra@robot.grzb.de";
extraConfig = "
binary_cache_public_uri = https://nix-cache.nekover.se
";
};
}


@ -1,42 +0,0 @@
{ ... }:
{
services.nginx = {
enable = true;
virtualHosts = {
"hydra.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."/" = {
proxyPass = "http://localhost:3001";
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
"nix-cache.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [ {
addr = "0.0.0.0";
port = 80;
}];
locations."/" = {
proxyPass = "http://localhost:5005";
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
};
}


@ -1,9 +0,0 @@
{ ... }:
{
services.nix-serve = {
enable = true;
port = 5005;
bindAddress = "localhost";
secretKeyFile = "/secrets/signing-key.secret";
};
}


@ -1,11 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys."signing-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "hydra/signing-key" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
}


@ -4,5 +4,6 @@
./configuration.nix
./ikiwiki.nix
./nginx.nix
./sops.nix
];
}


@ -26,7 +26,7 @@ in
tryFiles = "$uri $uri/ =404";
};
"~ .cgi" = {
basicAuthFile = "/secrets/ikiwiki-auth-file.secret";
basicAuthFile = "/run/secrets/auth_file";
extraConfig = ''
gzip off;
fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address};
@ -39,9 +39,17 @@ in
};
};
extraConfig = ''
set_real_ip_from 10.202.41.100;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol;
'';
};
};
sops.secrets."auth_file" = {
mode = "0440";
owner = "nginx";
group = "nginx";
restartUnits = [ "nginx.service" ];
};
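Review bot: The secret is named `auth_file`, unlike every other host in this change, which uses a descriptive `<host>-<purpose>` name (`forgejo-mailer-password`, `keycloak-database-password`); renaming it to `ikiwiki-auth-file` (and the `basicAuthFile` path with it) keeps `/run/secrets` self-describing. Also, as far as I recall nginx opens an `auth_basic_user_file` per request rather than at startup, so a rotated htpasswd entry would likely be picked up by `reloadUnits = [ "nginx.service" ];` without the connection-dropping full restart that `restartUnits` triggers — worth confirming before switching. The `~ .cgi` location and its virtualHost start above the hunk.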
}


@ -1,11 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys."ikiwiki-auth-file.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ];
destDir = "/secrets";
user = "nginx";
group = "nginx";
permissions = "0640";
uploadAt = "pre-activation";
};
}


@ -0,0 +1,25 @@
auth_file: ENC[AES256_GCM,data:5/uT1sIOI95LNA9YFWh3I9J2PCZmz/J38YxVsKVWFHfJdZUOQpSW6ekjX7StP/svtv6Tp0AonnvcKfRcyPYn,iv:NKdWae+EihasTMV24Hk+dKJG8032mWu+RWItWs0b6RE=,tag:WBM6pXlKaDXOMnBWGBLJWg==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNDZLcEFGRHczMHg3S0w3
eTNvNGI5TXBWTTc1eXAzZStlSmZTQ3NkdTA4CmlYVEF1NWhldVZuZmwzTUU0NG5j
UFhvU3Q3Q1BvVHhrODJWc296UUo0TmMKLS0tIFFlUGRYVDNNYm40cXhlZ004eFk5
b3BnLzBjZFpjVDN2clZaTGlWV29NVUEKsdK4V5Og+bK26Gl6HTkOBtFrHfr1RFYu
zWNGQ3skkvATO/ypa0zFf3+qnupCTTO5emwscoRK8ZZFVgSswdnbIA==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOUJXWW95OXlEZFFwbHlp
RzJJMDFJU2pUTjltZ1JaWjE5c0xPY0hvNUdZCk5uWk9kdlRWNTNVUUVmT3VVeE9j
ajNNeVlZcEw4WFdqZ2QwTXl2MlhVZ2cKLS0tIFVVUXJtWkhtREFsdXp5ODZkOTA1
b1h3THFYSU1yblM0WmdxTUVtZG1OYVUK5tmcOX+jOdbSD1YCPqcAeoGF8ny61lWY
xwguejMeVZ/pCjO/qf3tb+MUlInPMXva59FelGd3nz6cbVqbeWtxSQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
lastmodified: "2026-05-16T22:13:21Z"
mac: ENC[AES256_GCM,data:McAN1DueAhDBAY8kloB5l8M0pLIeswtnCxBtMYFyzBaY2Z43gNetBwdpzs5sL4nEmAZGPJ9AjXJVSmjb1tOn3BF8X5n6/9F7DzvHT7ukpIjumGC0KeB0QfaIGgKJyo7koISIVlGFZAwgcf1fQwaKZsYzfOGelj7UNrzFCjArK+Y=,iv:oZUmzcEr08jROw24J2fXQ4EjEJH3vzYysdy51vEtUNM=,tag:QJjNb/YvuZrZtQD9QE1Z3g==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -5,5 +5,6 @@
./hardware-configuration.nix
./jellyfin.nix
./nginx.nix
./sops.nix
];
}


@ -5,7 +5,7 @@
fsType = "cifs";
options = [
"username=jellyfin"
"credentials=/secrets/samba-credentials.secret"
"credentials=/run/secrets/samba-credentials"
"iocharset=utf8"
"vers=3.1.1"
"uid=jellyfin"
@ -13,4 +13,10 @@
"_netdev"
];
};
sops.secrets."samba-credentials" = {
mode = "0440";
owner = "root";
group = "root";
};
}
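Review bot: No `restartUnits`/`reloadUnits` is set for `samba-credentials`, and a cifs mount reads its `credentials=` file only when the mount is established, so a rotated password in `secrets.yaml` takes effect only after a manual remount or reboot — unlike the other hosts in this change, where rotation restarts the consuming service. Restarting a mount underneath a running media server is disruptive, so rather than wiring up the `.mount` unit I would document the gap next to the option: `# Read only at mount time; rotating the password requires a remount.` The `fileSystems` entry this belongs to starts above the hunk.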


@ -1,11 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys."samba-credentials.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
}


@ -0,0 +1,25 @@
samba-credentials: ENC[AES256_GCM,data:9txZMLLwlyAMzI3Naag3tUD1zSXLAf/zoJFoJZYTChhmkPpuhuuaIANFcYmH2sUYSsvZLXlbBuLXRryjTix0zK9ZfkZW8/R1vg==,iv:cF3S9S2+Vk+VAb8gyFyxZ12fqmohHSD3GG0fTILrxRM=,tag:m4BqpUlKmUoPbXTEjFmjaA==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb3dQYWM4SHVraHFPZEx6
aGpDcTEyVjZ6Y0h6YzM4aVliRXpqZFpLcnprCmNEOHFrby9IdEE1MTZIYWxrS3BS
ZHZTSmYxUW9pek5XblIyZ2FDVlV0TEkKLS0tIEN6NnErRXI3ejc3cVBiSVR6NlpC
a2tnWWxDaXgwQ3hmc0dreTNIRnl0cTAKCSaj/epLw16tVDX4OMCzutxlnARL8MDf
pUVDonkZ7sB7d1+mnyG+gMQuFDhiDcV9WS2h3M83xoSKoHnCkca9Ew==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbUdFMlZvVXlzc3FPSmE4
Rk1jeUpDVUJMeUlJZDlYeHhwK2l6UkJNRVFVCjNUVS9ZMjI2ME9qTFM0Umc3dXZC
Z0todzhYSXZ5Yk5odUdOZGg3VnE3QW8KLS0tIGd1emhUMFVHT3JiZ1JhY0FWOU1i
cW9PWk9oRHZGeFlSdlVLSlJ6TVg4WnMKikUhDJNyuKdiazCUcKBo834NO3U6ZfjB
GbDn3wUKb465CDYw7GPcvZtM2mNufsoInZh+Oq/07Hi+seAXfX2y7A==
-----END AGE ENCRYPTED FILE-----
recipient: age10huhyn3va02zjysyanf8fd6lpfvjv3k3u6qymanz9jtcmfp3kqfskth7yt
lastmodified: "2026-05-17T00:58:22Z"
mac: ENC[AES256_GCM,data:0WF8JU4d+5nHHB5iBmqdS6TkZem2AHrYNx6zDm4yoIKip7ZVTfCPCyhZ4c3QseEBn1G2IXsTMEtIk6RVI2JigSJPLjyXOTJOeWjVtPD5+1I+mrU7z+YWN+sK5i4F1hQX7/E4JbTDh/h+NbqZ6I9pBq7Nm12QUtZdp/7R5qChXs4=,iv:DBdSDx/X8fh7SXiC073AtDMPDB9idKItzEz2fl7xe+g=,tag:0O1pZp6+Y2Uf2DlijwZLeg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -4,5 +4,6 @@
./configuration.nix
./keycloak.nix
./nginx.nix
./sops.nix
];
}


@ -10,6 +10,13 @@
http-host = "127.0.0.1";
http-port = 8080;
};
database.passwordFile = "/secrets/keycloak-database-password.secret";
database.passwordFile = "/run/secrets/keycloak-database-password";
};
sops.secrets."keycloak-database-password" = {
mode = "0440";
owner = "root";
group = "systemd-network";
restartUnits = [ "keycloak.service" ];
};
}
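Review bot: `group = "systemd-network"` on the database password carries the old colmena setting over verbatim but grants read access to a system group that has nothing to do with Keycloak. If the NixOS keycloak module hands the file to the service through systemd credentials (loaded as root before the unit drops privileges) — I cannot confirm that from this hunk — then `owner = "root"; group = "root"; mode = "0400";` is sufficient; if some non-root reader really needs it, that reason belongs in a comment such as `# readable by systemd-network because …`. Either way the current value should be justified or tightened rather than inherited.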


@ -27,7 +27,8 @@
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol;
add_header Strict-Transport-Security "max-age=63072000" always;
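Review bot: The `proxy_protocol` listener on `0.0.0.0:8443` now accepts PROXY headers as trusted only from `10.202.41.100` and `10.203.10.3`, but any other peer that can reach 8443 and sends its own PROXY line is still served, just with its TCP source as `$remote_addr` — so whatever controls the two reverse proxies apply can be bypassed unless the firewall (not in this hunk) limits 8443 to exactly those two addresses. A comment tying the list to that rule, e.g. `# must match the 8443 allow-list in the firewall config`, keeps the two from drifting apart as entries are added. The virtualHost definition starts above the hunk.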


@ -1,13 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"keycloak-database-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "keycloak/database-password" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -0,0 +1,25 @@
keycloak-database-password: ENC[AES256_GCM,data:2Jk0wskmlpdpaZj05MX4YRRDR75eAkk5eDNNOTSA9+dN8OGkUWdI0CX9ZdQFUB31GiRaLZQ4I9gwnIc2sIxzuA==,iv:4fq+safzIGC21NFTaHsIfgZwuKelQyxttEeW7Pp09v8=,tag:c7LO34hJqi1yEwQ+cQc0Dg==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArR0Y2ZVg4S1FDYmRlS0xL
VWlJVzNvdHVXanBMN043QjcxVjd5bFk5d21JCnVzYVcwT2tnQS9jblhVQUFaNWZD
L0owQ1hhUFdhNVAzaVJNbWhQaEdXZlUKLS0tIFZFOFpKUklKNVJFRS9ZY1JaeS9D
RnF5YjRmbXRaY3h1MU5PWEZETGh0N2cKIwZg6mMY8c3VpE9hAk9bcFXLyzl7J/4M
BIh7C+yZbD7bL92TEP3gTpW+EsGiJl2LCq7NVVuDkboYuJ6kAqLppg==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGS25mcEErQ1pUMTV6U1h4
WXduajlyTFFncXdhZ09BdXg4amV4V0xMalFNCm85dk1ldUlHTytXRDJLcjIyN2M2
ZmVFVG1YcWhnTmwySmFRUDhEMkVyb1EKLS0tIHVDVkc3QytPU3pQTWxMSG1TRFdI
LzVUdGUrZmVTa1RqRHNWaFFhY09ySEUKFrN7X2ir3gwL/S91mychdjXi2oBPEPr9
aizXtIk0JX6SzrP/Oy0mYROeEEEUfPVBBypEUlBjlyeSyathmEoVLQ==
-----END AGE ENCRYPTED FILE-----
recipient: age15kluaw2krucmc0j98zfk0s5tkwqer0ax6jva458zukzrgnqjqc9q7s88yd
lastmodified: "2026-05-17T01:07:49Z"
mac: ENC[AES256_GCM,data:fAOsq2jrl8dTvQSn+Cp0sxuU5AuOdnm97LBIyPY71KbxMAY0vn/RDvhszvskMIE25JWGuZROnFoYmrkUqSp/pxG9gvcPQ6keW9WMr09YFli4u1tvADl6Ag+OkcgDe2UP1aPRkW6i7sGpq7Wfv/3G8HNMLgywhyiAA2XICymbDBI=,iv:ChOk26gheG2ErLVqt/rrMw1MxuOmEA595fay6pGUCcc=,tag:8wGA4YZa+ZyNDIBz/d1DUg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -26,7 +26,7 @@
{
name = "mail-2";
publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM=";
presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret";
presharedKeyFile = "/run/secrets/wireguard-lifeline-mail-2-lifeline-psk";
allowedIPs = [ "172.18.50.2/32" ];
}
];
@ -38,7 +38,7 @@
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens6 -j MASQUERADE
'';
privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret";
privateKeyFile = "/run/secrets/wireguard-lifeline-wg0-privatekey";
};
};
nat = {
@ -62,5 +62,19 @@
services.prometheus.exporters.node.enable = false;
sops.secrets."wireguard-lifeline-mail-2-lifeline-psk" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
sops.secrets."wireguard-lifeline-wg0-privatekey" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
system.stateVersion = "23.05";
}
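Review bot: The `mail-2` peer and its `wireguard-lifeline-mail-2-lifeline-psk` secret are still provisioned here (peer entry and the first `sops.secrets` block) although mail-2's host configuration is deleted elsewhere in this compare, so a tunnel identity for a host that no longer exists stays deployable and keeps access to 172.18.50.2/32. If the removal is permanent, drop the peer entry and the secret and rotate the PSK; if mail-2 is expected back, a comment on the peer saying so would spare the next reader the question. Nothing but root reads these two files, so `mode = "0400";` is sufficient for both. The `networking.wireguard` interface definition starts outside this hunk.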


@ -3,5 +3,6 @@
imports = [
./configuration.nix
./hardware-configuration.nix
./sops.nix
];
}


@ -1,21 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-lifeline-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-lifeline-mail-2-lifeline-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -0,0 +1,26 @@
wireguard-lifeline-wg0-privatekey: ENC[AES256_GCM,data:yUIu+AC24/84w0GQPko64E89ZjzMoaa0Z8J2IFY8wDmCw+z1Als0h42XB5U=,iv:2pmy0FyeyvHbRRYnog9mth7hWfMt4mNe8/dSK3eYd2E=,tag:/gRbYT8EnbDRiFN0Ohu4ng==,type:str]
wireguard-lifeline-mail-2-lifeline-psk: ENC[AES256_GCM,data:IvgVTsgFfONCm3OJ8iKtwRUY6uTEZfpyGubm/iysOySebPuDg+/AGNUu5ZQ=,iv:HZpAqLLt/cDQo51+koS3nZ1mkN0ZmqCY7gedx6PHthM=,tag:klM8lxBmZvXn3XUD/duGMA==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLcGo4RTJsQnZWWXBadjAz
YW5VcFBwWUxUR2N2d092WmN6LzdkaStaVVNJCkdWLzF4ZU4rY3pPLzc1YUZUb2hM
bHNiRkhabG1ON2YzemdCMjQwOW5hdG8KLS0tIER4RGdZNkN4U0dTekx6MURpY0oz
ZURQbEF0c2VXNFFRVEI5YjUydzNQVTQK6Q3yE+P41Ukay2h2RVXHcCbE19piBwHa
Gdxok7ObnjTBpFxWuz4Sqvozb4R9dbkTPtSp72Yjv78QBinLmWGJ/A==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlemExaHpsTFBEYjJURjNp
WmluaHcwaUtyNmRINEJ6NXlFVWplZm9YeEJvCktMM2N0dWFxYUFKM25EdVo0RmNG
MDYzcFFnOG95SXdrU3VzWmdqQ3U0L2cKLS0tIGhHUmNNS0w0bzhhdHgzL1hYQjRr
SEczcDdWMnh3aThXK3JrLzkrTEZ0TkUKexB+HBUOWSsel9sNgUHnj5NJdj8zZX/C
XB4W6fwzMxPHHknk1y/4z/F8oNnUzXmh3QfT/15glDmmCpyM3PGWVw==
-----END AGE ENCRYPTED FILE-----
recipient: age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua
lastmodified: "2026-05-17T01:24:39Z"
mac: ENC[AES256_GCM,data:JyTfrwkD8GxbzzuK1CsBRr8+Hxheu1gvB2KP3jGJkvLktzzNLYH7qq7JJu2oP6X18MMa+dlMuY9lHosoWy+wA34kgrtBVqtCfTnOx3jafwfLdNVBVTORN8h7so1N0KKwuSJnFL6BqMWhiQiPVOENGThqlIqKDwSiP3hyfFLDBuM=,iv:0IkM76X2Ly3hil7XneURzQk4wVUJy/bs/9zX3r9cTVo=,tag:vC7HDnB6WCTTy5MSh4tDDg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -51,11 +51,11 @@
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
PrivateKeyFile = "/run/secrets/wireguard-mail-1-wg0-privatekey";
};
wireguardPeers = [{
PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
PresharedKeyFile = "/run/secrets/wireguard-valkyrie-mail-1-mail-1-psk";
Endpoint = "212.53.203.19:51822";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
@ -77,5 +77,18 @@
wireguard-tools
];
sops.secrets."wireguard-valkyrie-mail-1-mail-1-psk" = {
mode = "0440";
owner = "systemd-network";
group = "systemd-network";
restartUnits = [ "systemd-networkd.service" ];
};
sops.secrets."wireguard-mail-1-wg0-privatekey" = {
mode = "0440";
owner = "systemd-network";
group = "systemd-network";
restartUnits = [ "systemd-networkd.service" ];
};
system.stateVersion = "23.05";
}
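Review bot: `restartUnits = [ "systemd-networkd.service" ]` may not actually apply a rotated WireGuard key: as far as I know networkd does not recreate an existing `wg0` netdev on restart, so a new private key or PSK in `/run/secrets` would only take effect once the netdev is deleted or the host reboots — worth verifying and recording in a comment next to `restartUnits`. Making `systemd-network` the owner is also more than the reader needs; the previous colmena config used `root:systemd-network`, and `owner = "root"; group = "systemd-network"; mode = "0440";` gives networkd read access without letting the service user chmod its own key material. The netdev definition starts outside this hunk.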


@ -3,5 +3,6 @@
imports = [
./configuration.nix
./simple-nixos-mailserver.nix
./sops.nix
];
}


@ -1,109 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-valkyrie-mail-1-mail-1-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-mail-1-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fiona-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-yuri-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-mio-vs-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fubuki-wg-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-cloud-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-status-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-matrix-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/matrix-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-nekomesh-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-social-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-id-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/id-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-forgejo-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -0,0 +1,37 @@
wireguard-valkyrie-mail-1-mail-1-psk: ENC[AES256_GCM,data:qlmzG+qatZCGFqD2Yf9Nlc7tUUMr5JGIvwFcaBqmgwSFoRjVpObjpTn9h6Q=,iv:8kukGi7FyKY7Un5bfmD+xOrt57Zr4uGEho3GGFyy8KY=,tag:0SqD/4OCYC1gRcsDAK8oBw==,type:str]
wireguard-mail-1-wg0-privatekey: ENC[AES256_GCM,data:oI3NZ3QBaGsWPx8ajLtP2MUdVTpWlnmOF1j3aex+0rI5fixwtNwJvUZD3mA=,iv:ecO78C4upN99mm9ZosIxXR0RsZJRsL97FFvh6ktpczA=,tag:obxoVfxh49XznQykp1ROuA==,type:str]
mail-fiona-grzb-de: ENC[AES256_GCM,data:igpnhygXhe1kIMc+Dvj0LB+PFrJOJu53ZS5svt+B2qpXAk5kD9zQIRoU5TdHLyOdIOSSb2XBPkKgbShv,iv:MPgHxNvZGZ/NtflrxpazgryT+T1Qy/5z0klZ/BQ/mGA=,tag:8huvfd1eLJTQrKdDxFDsDw==,type:str]
mail-yuri-nekover-se: ENC[AES256_GCM,data:XsFmWttVmDnI9+q/7ZN0bDlRiYue1XPonQTfWMkkHfZ7mk1ZXlDjC3oYR3V3a3yEQrS4Jz0fAc/N4lnR,iv:RPqs8Q3QSGSJ0zSClKyIo5JmW5UEE6xYjEnqvmFE5C8=,tag:DZaDfFc+3RG9L0oIpj9f3Q==,type:str]
mail-mio-vs-grzb-de: ENC[AES256_GCM,data:R+eq1w3a6NLD20sMBejlnQ9asEGOxGBgPqQ+oLTwfryYu0b0by3rF0a7StCtSzsFMkzpAWw+En4Zreuw,iv:r7VLjix8sRSXbnpRS+9XzXI0qjklOXuQU77kU2LF7zA=,tag:BhqSLiMvnGHagq9Jg5852A==,type:str]
mail-fubuki-wg-grzb-de: ENC[AES256_GCM,data:pFPmrMtF33P3ANpnWB+qcTfEfAMJ0w4/fE/zAsVYKjEO1nhZtWSMQfyorYSq5GdbXuitIYdjx/IBCj0r,iv:FZtnyp90pB9R0nYaHsudnE7IyDi26UE+vxIpzZm0Q4s=,tag:XJcIP9LyYwbzw21QLpHfCA==,type:str]
mail-cloud-nekover-se: ENC[AES256_GCM,data:lY7ufbNOS+GPHAi1fJGhZNT0dMv1B7k+6BzGTb1IxWvvHmFv7u6NKGBmyQQD57Qvt2EwdtnGDJ2XugCD,iv:NZLdBFNHSkSj9pau0vWQzwznOjkFvhZcGalcfWoKI9w=,tag:8dn5ULJzaTYtnT3CBfpp8g==,type:str]
mail-status-nekover-se: ENC[AES256_GCM,data:blaHK5q8mJKQMo/UYf2NG2x7IsIkZD5cxaVv56Z7PFrn+pua821j8pwNGXCnmuGJFhDj16PkvfOuRXU7,iv:+Q2J73Af27qjta5xYtuF/mrwL45fyTV+K5GDpnA11Lo=,tag:OKhLFQfgKTAvg5wvID5RGA==,type:str]
mail-matrix-nekover-se: ENC[AES256_GCM,data:9Fs5Un2DI2ZHm1zLkbAsQ3tsuff9LjvuJkysxVWc1pdQuQsMHCNTHfioBMqJ1dH1E8ilkqCqljEmHh9+,iv:F73WEWyq7o06n0zkuu2cNYWUdmpX7YX4BGcR4Hgep2Y=,tag:+7BPbiCNM0QdBTBx6RKkHQ==,type:str]
mail-nekomesh-nekover-se: ENC[AES256_GCM,data:k25S+W3t4gn8HuUs4xge5iLjxtayB82y9PNs3lxxg3En7W4CbiSt1ccoiP4h9v9iN5rMHqiF8wg2ONlBJwQ6qA==,iv:LqjOUza0cioak0qeuBBkmRl3Kg8z05kqTeZCrgEX9qY=,tag:NkqrRxJp0c+h/C0+jfiQqg==,type:str]
mail-social-nekover-se: ENC[AES256_GCM,data:b+7hmL8yiqABkf5NFUQVTSBmj1EjImzB58Q0xpDkxSU9DVkhhURTzoi+HdgFgOOzDtkegzprokXA+I+j,iv:LtOn8+dx5Nhes4t5qpqWsnaOfD07IBZEaCXKIniJlJc=,tag:ipLZNPRN7YCkvVJYKonXmQ==,type:str]
mail-id-nekover-se: ENC[AES256_GCM,data:5odIPSrJEVoT95hch48lu4pmb0PVnjtTUOo3eohfbX1I8CNpwIuhz4Mjk5lam5q3toIKtXMhtA73RAup,iv:bvpCkS4Tz0/oorStgip0XXnsxkBMAoFJrTFAzrjPLYU=,tag:KOVNkURmuwb+8VRxfTxEDQ==,type:str]
mail-forgejo-nekover-se: ENC[AES256_GCM,data:PLZFl5aokzJorTCKD8/qJs0N1BlDLPl1tW23roMMCRkn9tAupaNwZASp1pKrPJBVBCAH4Ijj84WDIhsHdQzNhg==,iv:CExDJ2uwe0juL0f+SCyTGOfUHuEwPTHduHUkh8WAQMo=,tag:pf0QArVKBNh1F4TMxsJyRA==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1ppWG1iZzJaaTJxMi9I
MTNvWUFWU1JRakpWbGxYQU9zdk5rVWMzZHdzCktRL1NEN01EY0lvVVJuQ3V2eTBZ
OFVnN1FiVTJndHZZeDBNQmloNndLY1EKLS0tIE5Lc0NqYzI4U29zamJaK2FiL1BZ
UTc2MkpZRmpVVVpvVSsxUkdpdVMzYW8KnCIMs31S6/SSx+vUAOYfjO21pGl/AMQa
iunevrTybuTFB2F/xePkdeIVvXLTLcj0XiAIw+qzAl/GvIWp7DDnTw==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZVdRK214bVQyNVRWMXVI
dmNOWk9VMXRUWnpZaXRJQVIydmRTeDJrUzMwCi95VWVGU2t3U0dqTHVWbTVjakh6
a2luYVZVdlFpVDRKeWpUZnpTY1J0eEkKLS0tIEtqTjBMY3UxU09jN2RuSzNGU3hX
UndxdWMyTVkzTUYzU3h6VjlyMjl6emsKNs+ED4FRI/+wrD3TUsQYyzuFvVEyrnBD
dsyjzSv8WubSloRUHkV7hwfHxgVzg37A5nlQo/qSdJC6TtfWmoXpsg==
-----END AGE ENCRYPTED FILE-----
recipient: age1hny8kwx0uymselgas25q558ruxxdv7lgtu9d5rnd6x9w3nysk4zqumzzrp
lastmodified: "2026-05-24T00:23:52Z"
mac: ENC[AES256_GCM,data:QH4MalhMoA5CyNmGPksMRzn6LOfxxRSBlufJ6ejcDx+l6owNT3xqKAYE9EfIUMh8z7Sw+btHhn8q02K2FnWlYD2FUY187cCcoykGRU+juJEDZH6yQ5PCqrBKXDB0wv8IBI/xTeFS7mUOzlvZfHtnLKULNZBfojN9f9jDoZCUhYo=,iv:S0AU8Ox62kk3nwL31QzYT0CGDaYNYbG/ONaQhiUbGD4=,tag:qKUkkxNouKaDb/1ptXSobg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -15,55 +15,55 @@
domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
loginAccounts = {
"fiona@grzb.de" = {
hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
hashedPasswordFile = "/run/secrets/mail-fiona-grzb-de";
aliases = [ "@grzb.de" ];
catchAll = [ "grzb.de" ];
};
"yuri@nekover.se" = {
hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-yuri-nekover-se";
aliases = [ "@nekover.se" ];
catchAll = [ "nekover.se" ];
};
"mio@vs.grzb.de" = {
hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
hashedPasswordFile = "/run/secrets/mail-mio-vs-grzb-de";
sendOnly = true;
aliases = [ "root@vs.grzb.de" ];
};
"fubuki@wg.grzb.de" = {
hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
hashedPasswordFile = "/run/secrets/mail-fubuki-wg-grzb-de";
sendOnly = true;
aliases = [ "root@wg.grzb.de" ];
};
"cloud@nekover.se" = {
hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-cloud-nekover-se";
sendOnly = true;
};
"status@nekover.se" = {
hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-status-nekover-se";
sendOnly = true;
};
"matrix@nekover.se" = {
hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-matrix-nekover-se";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"nekomesh@nekover.se" = {
hashedPasswordFile = "/secrets/mail-nekomesh-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-nekomesh-nekover-se";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"social@nekover.se" = {
hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-social-nekover-se";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"id@nekover.se" = {
hashedPasswordFile = "/secrets/mail-id-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-id-nekover-se";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"forgejo@nekover.se" = {
hashedPasswordFile = "/secrets/mail-forgejo-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-forgejo-nekover-se";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
@ -79,4 +79,71 @@
proxy_interfaces = "212.53.203.19";
};
};
sops.secrets."mail-fiona-grzb-de" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-yuri-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-mio-vs-grzb-de" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-fubuki-wg-grzb-de" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-cloud-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-status-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-matrix-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-nekomesh-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-social-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-id-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-forgejo-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
}
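Review bot: `restartUnits = [ "postfix.service" ]` is most likely the wrong consumer for `hashedPasswordFile`: as far as I recall, simple-nixos-mailserver reads these files when it builds the dovecot passwd file in `dovecot2.service`'s preStart, so a rotated hash would not be picked up until dovecot restarts; `restartUnits = [ "dovecot2.service" ];` (or both units) is what I would expect — please confirm against the SNM version in use. The eleven identical attribute sets could also be generated with `lib.genAttrs` over the account list so the owner/mode/restart policy lives in one place. The `mailserver` definition starts outside this hunk.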


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -1,9 +0,0 @@
{ ... }:
{
security.acme.certs = {
"mail-2.grzb.de" = {
listenHTTP = ":80";
reloadServices = [ "postfix.service" ];
};
};
}


@ -1,81 +0,0 @@
{ pkgs, ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
systemd.network = {
enable = true;
networks = {
"enp6s18" = {
matchConfig.Name = "enp6s18";
address = [
"10.201.41.100/24"
];
routes = [
{
Gateway = "10.201.41.1";
Destination = "10.201.0.0/16";
}
{
Gateway = "10.201.41.1";
Destination = "10.202.0.0/16";
}
{
Gateway = "10.201.41.1";
Destination = "172.21.87.0/24";
}
{
Gateway = "10.201.41.1";
Destination = "217.160.117.160/32";
}
];
linkConfig.RequiredForOnline = "routable";
};
"wg0" = {
matchConfig.Name = "wg0";
address = [
"172.18.50.2/24"
];
DHCP = "no";
gateway = [
"172.18.50.1"
];
};
};
netdevs = {
"wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret";
};
wireguardPeers = [{
PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
Endpoint = "217.160.117.160:51820";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
}];
};
};
};
networking = {
hostName = "mail-2";
useDHCP = false;
firewall = {
enable = true;
allowedTCPPorts = [ 25 80 ];
};
};
environment.systemPackages = with pkgs; [
wireguard-tools
];
system.stateVersion = "23.05";
}


@ -1,8 +0,0 @@
{ ... }:
{
imports = [
./configuration.nix
./postfix.nix
./acme.nix
];
}


@ -1,37 +0,0 @@
{ config, ... }:
{
# Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
services.postfix = {
enable = true;
hostname = "mail-2.grzb.de";
relayDomains = [
"grzb.de"
"nekover.se"
];
sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem";
sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem";
extraConfig = ''
message_size_limit = 20971520
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
proxy_interfaces = 217.160.117.160
relay_recipient_maps =
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
'';
};
}


@ -1,21 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-mail-2-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-2-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-lifeline-mail-2-mail-2-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -1,23 +0,0 @@
{ nixpkgs-unstable, ... }:
{
containers.fedifetcher = {
nixpkgs = nixpkgs-unstable;
autoStart = true;
bindMounts = {
"/secrets" = {
hostPath = "/secrets-fedifetcher";
isReadOnly = true;
};
};
config = { ... }: {
imports = [
./fedifetcher.nix
];
networking.useHostResolvConf = true;
system.stateVersion = "24.05";
};
};
}


@ -1,42 +0,0 @@
{ pkgs, lib, ... }:
{
# config copied from https://github.com/arachnist/nibylandia/blob/main/nixos/zorigami/default.nix
systemd.services.fedifetcher = {
path = [ pkgs.fedifetcher ];
description = "fetch fedi posts";
script = ''
fedifetcher
'';
environment = lib.mapAttrs' (n: v:
(lib.nameValuePair ("ff_" + builtins.replaceStrings [ "-" ] [ "_" ] n)
(builtins.toString v))) {
server = "social.nekover.se";
state-dir = "/var/lib/fedifetcher";
lock-file = "/run/fedifetcher/fedifetcher.lock";
from-lists = 1;
from-notifications = 1;
max-bookmarks = 80;
max-favourites = 40;
max-follow-requests = 80;
max-followers = 80;
max-followings = 80;
remember-hosts-for-days = 30;
remember-users-for-hours = 168;
reply-interval-in-hours = 2;
};
serviceConfig = {
DynamicUser = true;
User = "fedifetcher";
RuntimeDirectory = "fedifetcher";
RuntimeDirectoryPreserve = true;
StateDirectory = "fedifetcher";
UMask = "0077";
EnvironmentFile = [ "/secrets/mastodon-fedifetcher-access-token.secret" ];
};
};
systemd.timers.fedifetcher = {
wantedBy = [ "multi-user.target" ];
timerConfig = { OnCalendar = "*:0/5"; };
};
}


@ -5,6 +5,6 @@
./mastodon.nix
./opensearch.nix
./nginx.nix
./containers/fedifetcher
./sops.nix
];
}


@ -1,9 +1,9 @@
{ pkgs, ... }:
{ pkgs, nixpkgs-unstable, nixpkgs-master, ... }:
let
tangerineUI = pkgs.fetchgit {
url = "https://github.com/nileane/TangerineUI-for-Mastodon.git";
rev = "v2.5.2";
hash = "sha256-RJPP3QynE42cr9Km8twyZrHiZnhMdNcYOOJ7nW0mx1c=";
rev = "v2.5.3";
hash = "sha256-fs/pwIwXZvSNVmlSG304CMT/hSW/RtrzraMsrhg/TbE=";
};
mastodonModern = pkgs.fetchgit {
url = "https://git.gay/freeplay/Mastodon-Modern.git";
@ -16,14 +16,14 @@ let
};
mastodonNekoverseOverlay = final: prev: {
mastodon = (prev.mastodon.override rec {
version = "4.5.2";
version = "4.5.10";
srcOverride = final.applyPatches {
src = pkgs.stdenv.mkDerivation {
name = "mastodonWithThemes";
src = pkgs.fetchgit {
url = "https://github.com/mastodon/mastodon.git";
rev = "v${version}";
sha256 = "sha256-LePly+CcM+Dv6ipX9jIWWKhy2PiF1j8vgc9CXn2o+DQ=";
sha256 = "sha256-aW5WMmhfV+q/ddebSuEuCL5Mdwav+qocMPBnbvXFBk4=";
};
# mastodon ships with broken symlinks, disable the check for that for now
dontCheckForBrokenSymlinks = true;
@ -40,7 +40,7 @@ let
modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml
'';
};
patches = [
patches = prev.mastodon.src.patches ++ [
"${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch"
"${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch"
"${mastodonNekoversePatches}/patches/003_make_toot_cute.patch"
@ -53,7 +53,7 @@ let
yarnMissingHashes = prev.mastodon.src.yarnMissingHashes;
});
};
pkgs-overlay = pkgs.extend mastodonNekoverseOverlay;
pkgs-overlay = nixpkgs-master.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay;
vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU=";
in
{
@ -61,21 +61,21 @@ in
enable = true;
package = pkgs-overlay.mastodon;
localDomain = "social.nekover.se";
secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret";
secretKeyBaseFile = "/run/secrets/mastodon-secret-key-base";
vapidPublicKeyFile = "${vapidPublicKey}";
vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret";
vapidPrivateKeyFile = "/run/secrets/mastodon-vapid-private-key";
smtp = {
authenticate = true;
host = "mail-1.grzb.de";
port = 465;
user = "social@nekover.se";
passwordFile = "/secrets/mastodon-email-smtp-pass.secret";
passwordFile = "/run/secrets/mastodon-email-smtp-pass";
fromAddress = "Nekoverse <nyareply@nekover.se>";
};
streamingProcesses = 3;
activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret";
activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret";
activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret";
activeRecordEncryptionPrimaryKeyFile = "/run/secrets/mastodon-active-record-encryption-primary-key";
activeRecordEncryptionKeyDerivationSaltFile = "/run/secrets/mastodon-active-record-encryption-key-derivation-salt";
activeRecordEncryptionDeterministicKeyFile = "/run/secrets/mastodon-active-record-encryption-deterministic-key";
extraConfig = {
SMTP_TLS = "true";
ES_PRESET = "single_node_cluster";
@ -94,8 +94,52 @@ in
AUTHORIZED_FETCH = "true";
};
extraEnvFiles = [
"/secrets/mastodon-keycloak-client-secret.secret"
"/run/secrets/mastodon-keycloak-client-secret"
];
elasticsearch.host = "127.0.0.1";
};
sops.secrets."mastodon-secret-key-base" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-vapid-private-key" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-email-smtp-pass" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-active-record-encryption-primary-key" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-active-record-encryption-key-derivation-salt" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-active-record-encryption-deterministic-key" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-keycloak-client-secret" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
}
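Review bot: `restartUnits = [ "mastodon-web.service" ]` on every secret only bounces the web process, but `secretKeyBaseFile`, the Active Record encryption keys, the SMTP password and the Keycloak client secret are also used by the sidekiq and streaming units — and, if I remember the NixOS module correctly, are first assembled into an env file by `mastodon-init-dirs.service` — so a rotated key would be ignored until those restart too. Something like `restartUnits = [ "mastodon-init-dirs.service" "mastodon-web.service" "mastodon-sidekiq-all.service" ];` plus the streaming unit(s) the module generates is closer to what is needed; check the exact unit names for the nixpkgs revision in use. Building mastodon from `nixpkgs-master.legacyPackages."x86_64-linux"` also moves the whole package set onto the far more frequently bumped master input instead of the pinned `nixpkgs` and hard-codes the system; `nixpkgs-master.legacyPackages.${pkgs.system}` at least removes the latter. `mastodonNekoverseOverlay` begins before the first hunk shown here.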


@ -57,7 +57,8 @@
};
extraConfig = ''
set_real_ip_from 10.202.41.100;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol;
'';
};
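Review bot: Adding `10.203.10.3` to `set_real_ip_from` extends PROXY-protocol trust to a second upstream, and with `real_ip_header proxy_protocol` any peer that can reach the proxy-protocol listener from a trusted address can present arbitrary client IPs, which presumably feed rate limiting and access logs on this host. The listener this applies to is outside the hunk, so I cannot tell whether it is firewalled to these two sources; a comment such as `# the proxy_protocol listener must only be reachable from these two addresses (see firewall rules)` next to these lines would make that dependency explicit. The enclosing `virtualHosts` entry starts outside this hunk.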


@ -1,69 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"mastodon-secret-key-base.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-vapid-private-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-email-smtp-pass.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-keycloak-client-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/keycloak-client-secret" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-active-record-encryption-primary-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-primary-key" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-active-record-encryption-key-derivation-salt.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-key-derivation-salt" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-active-record-encryption-deterministic-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-deterministic-key" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-fedifetcher-access-token.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/fedifetcher-access-token" ];
destDir = "/secrets-fedifetcher";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -0,0 +1,31 @@
mastodon-secret-key-base: ENC[AES256_GCM,data:GP8mtL5hkDqNjbiqONXJNDX+e9RuOejnAxX0fk1gvVR+Xkb99/wNPun1p85AVOv1rn8n0H4X8aZwPK/P2lljyGWs4RSwYaLOMMoowSu+QwDYzK2+uf2lsiM5esOAr/rfuX1BZIEnrJPYAIZYtTIBTyrMN9zTtPvyBaPn4cL0sKQ=,iv:jxy37Sa3ywLhVSYhgiC1spky6psxZzso74es5CnBObw=,tag:+nW6SxoYJgcSU2r6d2J00g==,type:str]
mastodon-vapid-private-key: ENC[AES256_GCM,data:mE29UuQGzQ/LPrvop0zODM3tI/DOXsCPemh/5Y7VribAUq25Fftoo3tWEbk=,iv:qJTJL4g9AOcPJIP9IWnSso6ECs3sSiubW9SNUaYIcXE=,tag:OnhsJeWYLDFMlmVsLf4syw==,type:str]
mastodon-email-smtp-pass: ENC[AES256_GCM,data:8UcjUSZMuUPZvc1hM79XGjor0LuKcGg8qLr/oFggcTMtQ9+ff2QHGaZFiHRcNFibdp0IexO2PDy0yMF5qivxJA==,iv:fd3vv21PnC2M/Ptdwy2j6vn+juWrEnZKtTtzhS71igI=,tag:8nmdu2TD0TTmCfA+kIkb4Q==,type:str]
mastodon-keycloak-client-secret: ENC[AES256_GCM,data:jLDVhGhUUI5o2UjHolahncXXiqHHyFT/SavQTaUTlaSje3l2khvAIzmEn8TfC6FrF8BMjzI=,iv:Hq5XrtpnFYnIxrIb8rX5PDL7z7bLuOrtTTubm7HsE88=,tag:ayNJWs3UROd/sBQ5rnuv6w==,type:str]
mastodon-active-record-encryption-primary-key: ENC[AES256_GCM,data:H45LQ1gXCaepRe1ftap5ruWwC7ThI8m/EBtKdqP8QHQ=,iv:wAYQW7INq36GscjdaldCCS0RpjYuemtveoNdeqS1wz0=,tag:hjlXqo9WmE57fENQZaRCXA==,type:str]
mastodon-active-record-encryption-key-derivation-salt: ENC[AES256_GCM,data:DeeXCelirIcDyTDdPeKoaAeD2jzWGLU3p28e5JX8m9E=,iv:yQcddWeesrMWgIAj/MnBwPUwikk2VHAbNDFs0r5Fp0Q=,tag:H6boQ5IEGEhx5Ha15eEUhw==,type:str]
mastodon-active-record-encryption-deterministic-key: ENC[AES256_GCM,data:yrakH+MxQ8/SmAtLOvGcyIAjfbVdb8NgqYqpm+ALKA0=,iv:ZbagvnAPTLBmzxAdXZ0Ecat0jTpeRWiudpk3U+1hEXE=,tag:pnF87Gg4nTRC1YVK1bbGCw==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTDB3d1FFWjY2LzhZUmVP
S1BicjRhc2ZzWWMvb2xjT1lzVVY3Z2hqYW53CndNaGJ6NXkyamg0a1BIdzlVL214
dk5SbDFDdVNGNnp1citjZkQ3UTNHcUUKLS0tIGwvOHl4RUErRjR3Nm1paGVmZEhX
a1N2SlZlY05aN2hEcXlGdnA0ZndlUjgK01enGoJvkN5YMbm38wcRYaM1ogzybJIL
OTig1Fg2CopEmaE/Y6bpuMFIyCFXZDhJQ3LaI+0kydzPGB2nZyWZ2g==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbnFPOEJVWXAxTEpiNUgw
SDliL3hZeWpaK3JMN0hyV09jUTBSV2pYN2gwCmd2STBsYzhNYlpWRzhCUWZhZ1Rw
Yzdta25vN0NKeTFXWXRiUWZsTGVaY28KLS0tIC8yUERNWHNqTTFQazQzRkYvNk9K
TjlQaVRFdXJ6WVRIVnczYmlFc2t6S2MK5wnjZnhL+GK1eXnANSDe5zcsZdb5N715
odb/rjaIvUKaSUkmJfQK954pCBsiJXnURt5FKLnOGHtlQmt0kyg8dQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1r60mmmeulm33h0trc0y870dml5hzhglyjv4wecyjy2858pg8u47s793r30
lastmodified: "2026-05-17T01:44:58Z"
mac: ENC[AES256_GCM,data:DV91qRrbXxS+yvknPuLjRWYdsJdWtODy9q2onrSpWv6P7YR1siNFNpDyioMLKLRby80kY1R1zSofiaepVmP/nWtqtSDsq/plNWIZi7FR7X0TG0hNc3S6GJ0UatXVxOGp6LxvO2doVIMUs3LKd4+16FFMQYEQJ35VbuYFVhWw5SU=,iv:zVmZ7Ho28I9y7IvCULWehzJB64FSLLaspa/Rj+EJpX0=,tag:HRBTVgvm8pZvUgFBqjCEoQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -8,5 +8,6 @@
./matrix-authentication-service.nix
./matrix-synapse.nix
./nginx.nix
./sops.nix
];
}


@ -4,12 +4,22 @@
enable = true;
settings.rtc.use_external_ip = true;
openFirewall = true;
keyFile = "/secrets/matrix-livekit-secret-key.secret";
keyFile = "/run/secrets/matrix-livekit-secret-key";
};
services.lk-jwt-service = {
enable = true;
port = 8082;
livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu";
keyFile = "/secrets/matrix-livekit-secret-key.secret";
keyFile = "/run/secrets/matrix-livekit-secret-key";
};
systemd.services.lk-jwt-service.environment = {
LIVEKIT_FULL_ACCESS_HOMESERVERS = "nekover.se";
};
sops.secrets."matrix-livekit-secret-key" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "livekit.service" "lk-jwt-service.service" ];
};
}
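Review bot: The new `matrix-livekit-secret-key` is root:root 0440, which only works if both `livekit.service` and `lk-jwt-service.service` read `keyFile` as root or through systemd `LoadCredential`; if either runs as a `DynamicUser` and opens the path itself it cannot read this file — please confirm against the two service definitions in the nixpkgs revision used. Since one key is shared by two consumers, a comment such as `# shared by livekit and lk-jwt-service; both are listed in restartUnits so a rotation reaches both` would document why the unit list has two entries.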


@ -11,7 +11,7 @@ let
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{
{
name = "assets";
path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
}
@ -33,6 +33,17 @@ let
}];
proxy_protocol = false;
}
{
name = "admin";
resources = [{
name = "adminapi";
}];
binds = [{
host = "localhost";
port = 8083;
}];
proxy_protocol = false;
}
];
trusted_proxies = [
"192.168.0.0/16"
@ -63,8 +74,7 @@ let
version = 2;
algorithm = "argon2id";
}
];
minimum_complexity = 8;
];
};
};
masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
@ -82,7 +92,7 @@ in
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret";
ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/run/secrets/matrix-mas-secret-config";
WorkingDirectory = "${pkgs.matrix-authentication-service}";
User = "matrix-synapse";
Group = "matrix-synapse";
@ -92,4 +102,11 @@ in
"multi-user.target"
];
};
sops.secrets."matrix-mas-secret-config" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-authentication-service.service" ];
};
}
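Review bot: The `minimum_complexity = 8;` line under the password settings appears to be dropped without a replacement, which silently removes the password policy for MAS-managed passwords. If it was removed because MAS rejected the value — as far as I recall the option is a zxcvbn score in the 0–4 range — a value inside that range would keep a policy in place; if the removal is intentional, a comment saying so would stop the next reader from re-adding it. The enclosing `let` binding starts and ends outside this hunk.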


@ -51,7 +51,7 @@
notif_from = "Nekoverse Matrix Server <nyareply@nekover.se>";
};
max_upload_size = "500M";
signing_key_path = "/secrets/matrix-homeserver-signing-key.secret";
signing_key_path = "/run/secrets/matrix-homeserver-signing-key";
admin_contact = "mailto:admin@nekover.se";
web_client_location = "https://element.nekover.se";
enable_metrics = true;
@ -86,10 +86,41 @@
};
extras = [ "oidc" ];
extraConfigFiles = [
"/secrets/matrix-registration-shared-secret.secret"
"/secrets/matrix-turn-shared-secret.secret"
"/secrets/matrix-email-smtp-pass.secret"
"/secrets/matrix-homeserver-mas-config.secret"
"/run/secrets/matrix-registration-shared-secret"
"/run/secrets/matrix-turn-shared-secret"
"/run/secrets/matrix-email-smtp-pass"
"/run/secrets/matrix-homeserver-mas-config"
];
};
sops.secrets."matrix-homeserver-signing-key" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
};
sops.secrets."matrix-registration-shared-secret" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
};
sops.secrets."matrix-turn-shared-secret" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
};
sops.secrets."matrix-email-smtp-pass" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
};
sops.secrets."matrix-homeserver-mas-config" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
};
}
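Review bot: The five `sops.secrets` attribute sets at the end of the module are identical apart from their names, so any later change (a different group, an extra unit in `restartUnits`) has to be repeated five times and is easy to apply unevenly. Generating them from the list of names with `lib.genAttrs` keeps a single definition, and the four `extraConfigFiles` entries can then be taken from `config.sops.secrets.<name>.path` so the paths cannot drift from the declarations. The module header with its argument list is outside the hunk and would need `lib` (and `config`) in scope.
```nix
# … unchanged: services.matrix-synapse settings above …
sops.secrets = lib.genAttrs [
  "matrix-homeserver-signing-key"
  "matrix-registration-shared-secret"
  "matrix-turn-shared-secret"
  "matrix-email-smtp-pass"
  "matrix-homeserver-mas-config"
] (_: {
  mode = "0440";
  owner = "matrix-synapse";
  group = "matrix-synapse";
  restartUnits = [ "matrix-synapse.service" ];
});
```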


@ -11,10 +11,17 @@
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
proxyProtocol = true;
}
];
locations = {
@ -34,11 +41,23 @@
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
"~ ^/_synapse/admin" = {
# Only proxy to the local host on IPv4, because localhost doesn't seem to work
# even if matrix-synapse is listening on ::1 as well.
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Restrict access to admin API.
allow 172.21.87.0/24; # management VPN
deny all;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol;
'';
};
@ -50,14 +69,29 @@
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://localhost:8080";
locations = {
"/" = {
proxyPass = "http://localhost:8080";
};
"~ ^/api/admin" = {
proxyPass = "http://localhost:8083";
extraConfig = ''
# Restrict access to admin API.
allow 172.21.87.0/24; # management VPN
deny all;
'';
};
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol;
'';
};
@ -69,6 +103,12 @@
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."^~ /livekit/jwt/" = {
proxyPass = "http://localhost:8082/";
@ -78,9 +118,8 @@
proxyWebsockets = true;
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol;
'';
};
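Review bot: The `allow 172.21.87.0/24; deny all;` blocks in the two admin locations evaluate the client address after `real_ip_header proxy_protocol` has replaced it with the address carried in the PROXY header, so the ACL is exactly as trustworthy as the two hops listed in `set_real_ip_from`, and that dependency is not stated anywhere near the ACL. A comment such as `# Client address comes from the PROXY header (see set_real_ip_from below); this ACL trusts the listed upstream proxies to fill it in honestly.` would make it explicit, and the repeated allow/deny snippet could be bound once in a `let` and reused by both locations. The enclosing `services.nginx.virtualHosts` attribute set starts and ends outside these hunks.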


@ -1,61 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"matrix-registration-shared-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/registration-shared-secret" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-turn-shared-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/turn-shared-secret" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-email-smtp-pass.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/email-smtp-pass" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-homeserver-signing-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-signing-key" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-homeserver-mas-config.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-mas-secret-config.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
"matrix-livekit-secret-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/livekit-secret-key" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}



@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -6,5 +6,6 @@
./neo4j.nix
./prometheus.nix
./nginx.nix
./sops.nix
];
}


@ -11,14 +11,15 @@
cookie_secure = true;
cookie_samesite = "strict";
admin_user = "admin";
admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}";
admin_password = "$__file{/run/secrets/metrics-nekomesh-grafana-admin-password}";
admin_email = "fi@nekover.se";
secret_key = "$__file{/run/secrets/metrics-nekomesh-grafana-secret-key}";
};
smtp = {
enabled = true;
host = "mail.grzb.de:465";
user = "nekomesh@grzb.de";
password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}";
password = "$__file{/run/secrets/mail-nekomesh-nekover-se}";
from_address = "nyareply@nekover.se";
from_name = "Nekomesh";
startTLS_policy = "NoStartTLS";
@ -28,7 +29,7 @@
name = "Nekoverse ID";
allow_sign_up = true;
client_id = "nekomesh";
client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}";
client_secret = "$__file{/run/secrets/metrics-nekomesh-grafana-keycloak-client-secret}";
scopes = "openid email profile offline_access roles";
email_attribute_path = "email";
login_attribute_path = "preferred_username";
@ -51,4 +52,29 @@
}
];
};
sops.secrets."metrics-nekomesh-grafana-admin-password" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
sops.secrets."metrics-nekomesh-grafana-keycloak-client-secret" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
sops.secrets."metrics-nekomesh-grafana-secret-key" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
sops.secrets."mail-nekomesh-nekover-se" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
}
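Review bot: The new `secret_key` line replaces Grafana's well-known built-in default, which is the right direction, but Grafana uses this key to encrypt stored data source credentials, so any data source secrets saved on this instance before the switch will likely fail to decrypt until they are re-entered; a short comment at that line, `# Encrypts stored data source credentials; changing it invalidates secrets saved under the previous key.`, records the caveat for the next rotation. The four `sops.secrets` blocks below are identical apart from their names and could be produced with `lib.genAttrs` over a list of names. The module header with the argument list is outside the hunks.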


@ -23,7 +23,8 @@
proxyWebsockets = true;
};
extraConfig = ''
set_real_ip_from 10.202.41.100;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol;
'';
};


@ -1,29 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"metrics-nekomesh-grafana-admin-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/admin-password" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
"metrics-nekomesh-grafana-keycloak-client-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-nekomesh-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -0,0 +1,28 @@
metrics-nekomesh-grafana-admin-password: ENC[AES256_GCM,data:7Ji5Bb+/ekFtptG6JQBViocqozol7vdTRxAgYuRpicO3v7UFswLBkFd/+asaCKkYTrYjDFcOOSjSMr2Yp+9IhQ==,iv:VjpntKn3PdIX56DjHlkhYmx05MZtvTinGcO0vz4BFkQ=,tag:Lcat3LbXJyWcEOq6pmTx9w==,type:str]
metrics-nekomesh-grafana-keycloak-client-secret: ENC[AES256_GCM,data:6SHmMy0gbT6rYC9i60TzCcP0q4eSzC3Srse9O3La1Ag=,iv:H6wEzy6MgX2Ft+D3rWzyWwnh8ZmNmMlcEQLuKrkSwoU=,tag:M7pGHOKq0fglHGyj5jFoYg==,type:str]
metrics-nekomesh-grafana-secret-key: ENC[AES256_GCM,data:5+aUdzNAy0nDuGW8g2e7LdT9woo=,iv:rSn+XTJA46Eq4FcKUQaph/WPLXC4vxnRulpSjls1QZg=,tag:aXSgUUzxe8tQV+oqXnidPA==,type:str]
mail-nekomesh-nekover-se: ENC[AES256_GCM,data:vuyDjtvCT0D8aYftcGiA59i7mriqLNoqeHy0+LQ3awUt4d//p81LpPNdb/EQMuUnCp2QZgdsy4rU5ktDa1Ewfg==,iv:+pqVQfWxSQF4fTJ0gMuAf4EjyvsUVFUxpRa2BHpvZ3Q=,tag:UlHzONbcfeCJuJjamKV39w==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOVFIckQ3R2FsYXl4NkRW
RGdSRmNaMURIUkYrSGtnWmdxVGJMOUFta0JJCnN1blNoaG9PUVJNN1RJcUhnYlFq
WTlhcGx3cUUwbkREMVVleDZNazJ2dm8KLS0tIFl5NGhFeHZKaENmQjRwZ0hiS3Jl
TTRMVloxK25uUVVMcE56M1RMKzlDb2cKuNKexzjC9eefQHCjVAY4rS7wqTSqs0uO
PvSvxs4tY5d2nUJuORGn25MU9Y65UFTvTzuxgqg9Z37NTEjVfvnrYA==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTzErWVY1V3ZrMHBYTjRm
M1IwTG9DZmhBTFpGSkwyTVJJYndsRnRSOTJrClhFWi9TbGhRWkQ1VjhLaE4wd3Bi
WlpSUUcxU3A4dmZUYmNJYnlyQnMwK00KLS0tIDZqdU1DcXc3YmpDMThRMzQwQWk4
TnFKNS9xcXdKZXo0cThpbjd2NEQ3NTgK4XTrXdaHVveeXwsEuGx5+Y2bu/F6jooo
auWtrm7z3rxzCxePxNs6LCYr/ppoE7J8nEFKnFmT0vyUGryhzlbo9A==
-----END AGE ENCRYPTED FILE-----
recipient: age1rh7zgp445t39c7tmh84r30e9edju8gmtn84u7rjwhmyntzkugucq5x0xse
lastmodified: "2026-05-23T22:38:11Z"
mac: ENC[AES256_GCM,data:VWo7UFRey2w/2x/wn/XfFW9gCpogO9Igxt/xEBngHBTkSJh0p6HhbZlmA3iv3QmYKui74cHSfQUOq2IOc96CLsfWKUWhMQVw5z/be7OEoY3cIG8V1WRTixQB5a0284jPXcGHPreLdMdAQW5nvJJRwx6Pysm7+rTzdxi8VGmOKyE=,iv:l4KBomWzPfOw1UiVpMwWg68OdYc85FtrRcVygfbEoeU=,tag:EeboepV+hDkA9QNmi/Ao+w==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -5,5 +5,6 @@
./grafana.nix
./prometheus.nix
./nginx.nix
./sops.nix
];
}


@ -11,14 +11,14 @@
cookie_secure = true;
cookie_samesite = "strict";
admin_user = "yuri";
admin_password = "$__file{/secrets/metrics-grafana-admin-password.secret}";
admin_password = "$__file{/run/secrets/metrics-grafana-admin-password}";
admin_email = "yuri@nekover.se";
};
smtp = {
enabled = true;
host = "mail.grzb.de:465";
user = "grafana";
password = "$__file{/secrets/metrics-grafana-smtp-password.secret}";
password = "$__file{/run/secrets/metrics-grafana-smtp-password}";
from_address = "grafana@robot.grzb.de";
from_name = "Grafana";
startTLS_policy = "NoStartTLS";
@ -33,4 +33,17 @@
}
];
};
sops.secrets."metrics-grafana-admin-password" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
sops.secrets."metrics-grafana-smtp-password" = {
mode = "0440";
owner = "grafana";
group = "grafana";
restartUnits = [ "grafana.service" ];
};
}
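Review bot: Unlike the nekomesh Grafana module in this same compare, this instance sets no `security.secret_key`, so it keeps Grafana's built-in default value for encrypting stored data source credentials even though every other credential here has just been moved into sops. Adding a secret for it in the same style as the two existing entries closes that gap; the secret name below follows the existing naming pattern and would also need to be added to the host's secrets.yaml, and any data source secrets already stored would then need re-entering. The module header is outside the hunks.
```nix
admin_email = "yuri@nekover.se";
secret_key = "$__file{/run/secrets/metrics-grafana-secret-key}";
# … unchanged: smtp, auth and the two existing sops.secrets entries …
sops.secrets."metrics-grafana-secret-key" = {
  mode = "0440";
  owner = "grafana";
  group = "grafana";
  restartUnits = [ "grafana.service" ];
};
```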


@ -1,21 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"metrics-grafana-admin-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
"metrics-grafana-smtp-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ];
destDir = "/secrets";
user = "grafana";
group = "grafana";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -0,0 +1,26 @@
metrics-grafana-admin-password: ENC[AES256_GCM,data:vk5KwDxDvTtI/vycl+2XItCFadUQL7rDHZ+0e3WAXynkHq/gmP0Q4VBBjQQNnFwxumF/dIj+CxEqEDdCL6HpSqEOZm/SJCfBARSCxyNCXoYiI/0+NTlUdfhscrDVleLJcMNrBxmxKt3cnDotPWS8rwF5oA1A79OW6+eZm1RC8hA=,iv:JtV0/vZIIzIF+WtD9KRPmyfLI4sMSe7ff5KHG7PEXjY=,tag:A1RgqOOd6M2m1ueXWPxw2w==,type:str]
metrics-grafana-smtp-password: ENC[AES256_GCM,data:ledR3mYQaQndiXgWJSZCqwrar1d5LvnwfdAb0EYI40M=,iv:T6yV0KKz5MK8pLWQoO0xi/ZAdhpFgNvER17X5ZfCCe0=,tag:16lt0z4Gn4Gcc54ssF0W5w==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVWd2NHNWTElaTk42R1Qx
bmZxYnhoT3NqQ0I5ZWVsS0N4eHdWMDhRU0hFCmhlQ1hrZ3R5REt2ODV0dTA4VWl0
R0dtNWIydzhCUmVMYk85d0ZETk8wQkEKLS0tIElFbXRhYWprVER4ZGZocTNzcGNv
RHN2MWJVTXFEZnhKeXNQdUlnQ0ZiYmMKXicuiR0ZlDNb4EX49y3NmAOk7onTcDEV
Ohe+Enl0dM+dMfCdcojIkdTln74KZ+h6yxVr5jDU3EnDZVZpczY5wQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bkFiY0x1TUFGYnExWnYz
QldDOW1oaWVEUDMvbUN2TmwxZVZEOVpZbW5JCjlnYklSSjV1OExObDl1QUhoZFls
V3cyVVBkYWwyT0lpTlVnb1kxTG9IM0UKLS0tIENGak1HaFZYT2ZCL0hleUVVUDZu
MTI5ZkhUK0RZdGhSYVFZMDNHaS9QaFEKyptwQi4pYw0zZ2F9LvwX4F18UUdjqVrz
aB4hZkakAI94qVz3JvIVlslWzsDtIKoBTobl3dBNFId7M8TQwwZUvg==
-----END AGE ENCRYPTED FILE-----
recipient: age1lrtengtdc0nzpagr8fkp5mwqda66jqr0s2h3wsxcdscmalp8n3js3r0e3n
lastmodified: "2026-05-23T22:14:10Z"
mac: ENC[AES256_GCM,data:w1pNlY6g/PxQcpY/0Jt02TL5oZ0gwB5fYIzd99PgJTU0X76tmvlAF1i58SubnyR6TWiO0Q4TYJcqgeKHHvWYkYtQZzV4MGc0UwY1+Ipw3q38fRTHqVNbiaCorYbWBMXUnewE4eXictnFfq+vIfFeWktoGws/NTrZEIQ4lY+NSiE=,iv:vP7vujgXGRSr/adBJu1SATryPbqF3Obcg885EZahMTg=,tag:HuRqc8wS1+geWmJMdRWNSA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -1,33 +0,0 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "navidrome";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
fileSystems = {
"/mnt/music" = {
device = "//10.202.40.5/music-ro";
fsType = "cifs";
options = [
"username=navidrome"
"credentials=/secrets/navidrome-samba-credentials.secret"
"iocharset=utf8"
"vers=3.1.1"
"uid=navidrome"
"gid=navidrome"
"_netdev"
];
};
};
system.stateVersion = "23.05";
}


@ -1,7 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./navidrome.nix
./nginx.nix
];
}


@ -1,9 +0,0 @@
{ ... }: {
services.navidrome = {
enable = true;
settings = {
Address = "unix:/run/navidrome/navidrome.socket";
MusicFolder = "/mnt/music";
};
};
}


@ -1,24 +0,0 @@
{ ... }: {
services.nginx = {
enable = true;
user = "navidrome";
virtualHosts."navidrome.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/" = {
proxyPass = "http://unix:/run/navidrome/navidrome.socket";
};
};
};
}


@ -1,13 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"navidrome-samba-credentials.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -1,17 +0,0 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "netbox";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
system.stateVersion = "23.05";
}


@ -1,8 +0,0 @@
{ ... }:
{
imports = [
./configuration.nix
./netbox.nix
./nginx.nix
];
}


@ -1,8 +0,0 @@
{ pkgs, ... }:
{
services.netbox = {
enable = true;
package = pkgs.netbox;
secretKeyFile = "/secrets/netbox-secret-key.secret";
};
}


@ -1,29 +0,0 @@
{ config, ... }:
{
services.nginx = {
enable = true;
clientMaxBodySize = "25m";
user = "netbox";
virtualHosts."netbox.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/static/" = {
alias = "${config.services.netbox.dataDir}/static/";
};
locations."/" = {
proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
};
};
};
}


@ -1,11 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys."netbox-secret-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ];
destDir = "/secrets";
user = "netbox";
group = "netbox";
permissions = "0640";
uploadAt = "pre-activation";
};
}


@ -4,5 +4,6 @@
./configuration.nix
./hardware-configuration.nix
./nextcloud.nix
./sops.nix
];
}


@ -7,7 +7,7 @@
https = true;
config = {
dbtype = "pgsql";
adminpassFile = "/secrets/nextcloud-adminpass.secret";
adminpassFile = "/run/secrets/nextcloud-adminpass";
};
database.createLocally = true;
configureRedis = true;
@ -30,7 +30,7 @@
default_phone_region = "DE";
};
# Only contains mail_smtppassword
secretFile = "/secrets/nextcloud-secretfile.secret";
secretFile = "/run/secrets/nextcloud-secretfile";
phpOptions = {
# The amount of memory for interned strings in Mbytes
"opcache.interned_strings_buffer" = "64";
@ -44,9 +44,21 @@
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol;
'';
};
};
sops.secrets."nextcloud-adminpass" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
};
sops.secrets."nextcloud-secretfile" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
};
}
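Review bot: The two `sops.secrets` entries here carry no `restartUnits`, whereas every other host migrated in this compare restarts the consuming service when a secret changes; `nextcloud-secretfile` holds the SMTP password (per the existing comment) and, as far as I recall the nixpkgs module, is merged into the Nextcloud config by `nextcloud-setup.service`, so a rotated password only takes effect when that unit re-runs. If that unit does not already re-run on every activation, `restartUnits = [ "nextcloud-setup.service" ];` on both entries makes rotation take effect immediately; if it does, a one-line comment saying so would explain the omission. The enclosing `services.nextcloud` attribute set starts outside the hunk.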


@ -1,21 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"nextcloud-adminpass.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ];
destDir = "/secrets";
user = "nextcloud";
group = "nextcloud";
permissions = "0640";
uploadAt = "pre-activation";
};
"nextcloud-secretfile.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ];
destDir = "/secrets";
user = "nextcloud";
group = "nextcloud";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -0,0 +1,26 @@
nextcloud-adminpass: ENC[AES256_GCM,data:9hjeHUMNBg3fCN80mGCXarXEMOySEdyfnFIL8ivGb2Vi8LKbzZ2fHZZUzMO5/7XYRpNKWtBz1yzn2fj/ZeLiMw==,iv:38bucE+hmU/hZXw67fc34s1uZefXpWdY5vaTpvDfpUI=,tag:vKI6DrBYekjVU8Va/7BT8A==,type:str]
nextcloud-secretfile: ENC[AES256_GCM,data:PaX7jAFBNweVwyG9nNU/TTHlGrQvPfgc92uCS1s1UwrHH8KlbKGed6NpTPvulwgMQ5cjwUMy5OuOt15kGRS03LQNcWJ+mlu2TQ2Hjsza+SV/ahtxzs/NiA==,iv:An3LZG9gnnna8TuNYlXDGxyter/Sj5DbIjZyGedqteU=,tag:2VbInjBoiv+w3nhh6AAQng==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bDNNZnh5UTFtei84YXdC
SFJONFdHNE1WZ1FvSFZoSW4rMkh3ZC9tbWljClA0RWlRTFA1K2pSMTAyY0I0d01a
cHlUK3ZTd0lydm82VnpBbUdCQmFRYWcKLS0tIEhicldwUFc0cEt2aFVKeVhSeEtS
eFNBbUY1UXZMSEVzL3YyZDUrWVlxd0EKy5TnMyh7WxWK9lO7MKLINRbwMQuFlN4l
E01+FXAUiVSHO4aJW4CsqeegTAAux3FUWB1tL2myZskOFkJPws3boQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAra3A4ZDQzZEZCRGErVFBK
bUFqS0ZSTjJFYm00cnVuei85MldCU25MV0VrCnMwVTJndWNQbUUwWmJnMUR3MjJp
VXUwV1RaZElaN2l1S3JxQVVoOXhweEkKLS0tIFFndXpaRlRKdzRvUUxUZVN1cXVr
TTFFYmx5OVU4Q3BWaFpWNFlPdGJZSzQKMLLZzESV0JdlNbMGpdDaorJnDKaSuax0
YQT/+G702pjqOjg8kRbHH8BZ3pK/3wApJBUW5iilAAxIzIm1zU/0Hw==
-----END AGE ENCRYPTED FILE-----
recipient: age1lvlmct30jtg7p4qpf8evtjlld6g74q2ckh803hd3ynr7cz7zlceq84flwu
lastmodified: "2026-05-23T23:09:29Z"
mac: ENC[AES256_GCM,data:dPYCQ7hfToQptTlbeA22MQ7EEtn9NyYvdshG9d24h2kLkPKpq/i0bcmG3o6xfyDsofTPZOOzRjCVUlxRukWuhHODPpyOronoDv3hrJNtj1YHsMzeMEK1xK1hpNtJeYkWx12SBZw4zZ7Vw3tLxc5Ay95LD7ZWCsCTqawbMufMjwc=,iv:3LeWH8eU0vTtnJRr0ZqUHHNdifzb++i6Y3CB6J/2wdA=,tag:40tOjuZZ+0Ww2wOwIXkcUQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}


@ -1,17 +0,0 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "nitter";
firewall = {
enable = true;
allowedTCPPorts = [ 8443 ];
};
};
system.stateVersion = "23.05";
}


@ -1,8 +0,0 @@
{ ... }:
{
imports = [
./configuration.nix
./nginx.nix
./nitter.nix
];
}


@ -1,23 +0,0 @@
{ config, ... }:
{
services.nginx = {
enable = true;
virtualHosts."birdsite.nekover.se" = {
forceSSL = true;
enableACME = true;
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: /\\n\"";
};
locations."/" = {
proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}";
proxyWebsockets = true;
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
}


@ -1,21 +0,0 @@
{ ... }:
{
services.nitter = {
enable = true;
server = {
title = "Birdsite";
https = true;
address = "127.0.0.1";
port = 8080;
hostname = "birdsite.nekover.se";
};
preferences = {
theme = "Mastodon";
replaceTwitter = "birdsite.nekover.se";
infiniteScroll = true;
hlsPlayback = true;
};
};
}


@ -1,17 +0,0 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "paperless";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
system.stateVersion = "23.05";
}


@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./configuration.nix
./hardware-configuration.nix
./nginx.nix
./paperless.nix
];
}


@ -1,30 +0,0 @@
{ ... }:
{
fileSystems = {
"/mnt/data" = {
device = "/dev/disk/by-label/data";
fsType = "ext4";
autoFormat = true;
autoResize = true;
};
"/mnt/paperless-consume" = {
device = "//10.201.40.10/paperless-consume";
fsType = "cifs";
options = [
"username=paperless"
"credentials=/secrets/paperless-samba-credentials.secret"
"iocharset=utf8"
"vers=3.1.1"
"uid=paperless"
"gid=paperless"
"_netdev"
];
};
"/var/lib/paperless" = {
depends = [ "/mnt/data" ];
device = "/mnt/data/paperless";
fsType = "none";
options = [ "bind" ];
};
};
}
