From 8f8da2a071d5247179df32c21761e61647d7441c Mon Sep 17 00:00:00 2001
From: Emelie Graven
Date: Mon, 14 Feb 2022 12:29:36 +0100
Subject: [PATCH] Restructure DB config, add ssh keys
---
 config/common/users.nix | 3 +-
 config/hosts/grondahl/configuration.nix | 3 +
 .../hosts/grondahl/data/secrets/authentik_env | Bin 0 -> 907 bytes
 .../hosts/grondahl/data/secrets/email_noreply | Bin 83 -> 83 bytes
 .../hosts/grondahl/data/secrets/mobilizon_env | Bin 0 -> 1041 bytes
 .../hosts/grondahl/data/secrets/secrets.nix | Bin 716 -> 961 bytes
 .../grondahl/data/secrets/synapse_db_password | Bin 0 -> 87 bytes
 config/hosts/grondahl/services/containers.nix | 53 ++++++++++++++++++
 config/hosts/grondahl/services/mail.nix | 29 ++++++++++
 config/hosts/grondahl/services/nginx.nix | 10 ++++
 config/hosts/grondahl/services/postgres.nix | 45 ++++++++++++---
 config/hosts/grondahl/services/redis.nix | 11 ++++
 config/hosts/grondahl/services/synapse.nix | 5 +-
 config/hosts/rudiger/services/postgres.nix | 13 +++--
 14 files changed, 155 insertions(+), 17 deletions(-)
 create mode 100644 config/hosts/grondahl/data/secrets/authentik_env
 create mode 100644 config/hosts/grondahl/data/secrets/mobilizon_env
 create mode 100644 config/hosts/grondahl/data/secrets/synapse_db_password
 create mode 100644 config/hosts/grondahl/services/containers.nix
 create mode 100644 config/hosts/grondahl/services/mail.nix
 create mode 100644 config/hosts/grondahl/services/redis.nix
diff --git a/config/common/users.nix b/config/common/users.nix
index 1f17e6b..6bc7138 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -6,8 +6,7 @@
 extraGroups = [ "wheel" ];
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKHlANxRo9NEU6GHMCiAhv3Kxbxd6mOrOiMBw3bGohOAAAABHNzaDo= emelie@flap-fed"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE7/U/Mk1jGofcommKmPfG+qwybiFH1nFkXzUqGiXSy/AAAABHNzaDo= emelie@thinky-fed"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed"
 ];
 };
diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix
index 2c929e1..6d317be 100644
--- a/config/hosts/grondahl/configuration.nix
+++ b/config/hosts/grondahl/configuration.nix
@@ -13,6 +13,9 @@
 ./services/restic.nix
 ./services/synapse.nix
 ./services/postgres.nix
+ #./services/mail.nix
+ #./services/containers.nix
+ #./services/redis.nix
 ];
 boot.loader.grub.enable = true;
diff --git a/config/hosts/grondahl/data/secrets/authentik_env b/config/hosts/grondahl/data/secrets/authentik_env new file mode 100644 index 0000000000000000000000000000000000000000..52c163146482dc943e2f5964462dbafd62d91525 GIT binary patch literal 907 zcmZQ@_Y83kiVO&0FkJ2!d?_Ph&4tKfH%?36%t>1&zflZIzBBp5+o~P6kN@XPnkKMl zN6cBp1BsntY+*a37YXf>{?_OiT^wSiu;6vWBxz3_(YErwqn`thE99$hH1NCS$1gE= zWA-xs3u5jE`%CP?Cbn1ZSa%>keZiTf_DK%1N7g7EUDRCp=i;XycVi=OTe8?xTroHs zw;_4o!rAI+!j11|a_5Op&7QyM((~We#R+Td(rP{jZ<};FA@WYZgnTiHLm3}SgFnsE zpZ4xi<1VJuT7$MA)=2NUCv|dlZUr&CnAYVYzICH=>Wf!Gf6i`S_ajE%_RSO1lhd9} z+EU+q{>_6E3ma6FH(EJ+6-9iJ`2S7LO}A^tp@L6*4}VF&Rba8XI;ZyUX|LMls_f+q zB?`B1GR3}HzM%h$>z8W%H*H(?ZrJMc<^6%#Gd|?%e%hVI8>-qP*7vG(OO#7c#=Ud3 z;aANHpKvcJXzvTXC{U7>Gd)GX+B2F>SgXS`;>6>b%;8Vkp8k5jxk76H+{B9<32}F0 z8<$SkNtL|*YWn9Vdo%*XsuH=6W!yXxt$9W#^+Lp!`(6iB*dBS@5R3cd_a^dH?}RQ- z+qe2kD;7L`qU$EZDW@Uzx9nZSW@7;E3ZI~bsS zaPcw*1F1(9v5!kMj$PGnIHWGNgp+;GK~{zHZR{s15_YcB(LcQFQmn(u44aE*AIwrr zTv-*td{bV_?S0n-hB!q>i`Igqll7~GUT6l640al*DO9aEd@*3F#ysaZYF<5l6K zwvAs;|DQeWazx19tVQX{4My8%f16_X`PjsiLvN(s8cYsj{g(Ge_oAcnlMQFr9$laP zX`kE2A3j^W1z%|;hWm7FQ0rgx=j$5Bt$!PClx-2Pj5p$zQ&niHN@=vq-m+Q#&eTAb zr(Mee8uoV9RPS1EGAZO&P)d&MU(e!e5-tlMH6_F+`>Xypp^T+@i(4 b{nyM*i~VfnLigC1&FcPDdGh9ucV4jodnv}Q literal 0 HcmV?d00001 diff --git a/config/hosts/grondahl/data/secrets/email_noreply b/config/hosts/grondahl/data/secrets/email_noreply index babe205fdffc5ed70027ac188d4ca5a80652c8ca..851aa9fd71a788e0c32971efb104308135efa87e 100644 GIT binary patch literal 83 zcmZQ@_Y83kiVO&0IBu6X@$;!M>Y{bH&@rZ@@Q&%6%PP}_9_s&>FJzDc)r`^bTbvAp`vCU0W&q(gLSaCTh;i;p? q?OR_;|GMm-`}WeL@+(PvlOv=!?!GHDY!iO7FLsB6?v79ouBQN+$|=?W 
diff --git a/config/hosts/grondahl/data/secrets/mobilizon_env b/config/hosts/grondahl/data/secrets/mobilizon_env new file mode 100644 index 0000000000000000000000000000000000000000..2f1635d9c4826c40c8c3d78743fd7c168a6bd9fd GIT binary patch literal 1041 zcmZQ@_Y83kiVO&0$k^bqXX2gmH_s|E?AD&%=pHjw{EqDLxqD|fuRXCV=i$GzZYn3At%wGrA) zH-9_#Z_AE&wRt8_>w#mjt3o=}`OT-kTylBI=f%8p;dU{Ub$u76aPDMNmrPpwqy|-OKX@9l6&##YMHv9Cq z!}1O3j~+Pfv|Lz}K2iDT47+_HzlB6RfBdLambJO{MaJWY)D(q#uO2>b9K%xDrn<(3|#cA`ZUj09&enRToncnzcKVIAWy}X(6XR)$`V_5OIXL9rA ze0-p~HirA;o>L`#=02IS1`fVfq0I5KG=Jp&ikw$JC0($#a>u!^_h)fr zJ5E`2c9yKkIYY(2Y7;H)v*kr(2paIu%x~a7z;=|CGk*HMI`_h}o2T7hcy~gO?b*3M zcSi5Zem*bvmOaB4#jmbWZL>SVtqz>(WvoAU;mYL7KXwOi&pBGiWc$wexWF2PDbFr` zy`_HihE&3v?cW7cUp$=g^tHESY0WdG-G%4w{krG#^W<}Rfp)`!uPjHMzIN#-idONx zdh^Dc!^GyzDno$}mTh7^Z=On89y`0Bo9}8_kdM#xITG1xt+mAFWbCy$ZCiWZE^4bw zf5i%Z`K_zc%TAOpVSc;Dh|j9<#CqvPF1jks47vN)OByr@7gc99&0oy(V)Or_J-b%P#072*2|m1j@uv_z zwj)#TWbd(FelD%>*?}ir^OjFKJL${|M^n~$W*QBw6WFG`(%-R271g^Zeet;eILKti%!4w)-|y>*epQ$uRO_|l-A=Pt z6HG$AH+ot5SV*p2`Nr7ylbTbUK(f~Urmg$eXa_}IzIoy?=ax0c@QIu^I`o7y^_QiX4xE*vEYciu*|e4NmHKuP-2Wa{K{9$=yT&GzBvpgZ4VcGXrI}V zB6+8ELiVO!;kmNsj|aBr|D54J+wXJvasP%!-)B+(7~Rwx$^=gTy7R5hp}YOXoGnM| z%C;~5Rr2G~Jthw3>r?kKOrPDYer_(Gbai3v9feJm%U73}URYLsCy6=yb@Qp1s1)H0 zIkl@vrm_C38g=Jq-|=q9jcELI??UgK>9W1fT(*XGoA+pD{S4;VZB#u8! 
znXz%Fd!_unUrAWsytVM4-rNEGt=22QzUisn zRydHibvnm_#qQl(_*ey0Zd|_AQRTQh!pZzhNHojlkA)r&Kk`jqz9ntRKK5zz&RogV z{P1nl+dx0oH`VM6b65XxnVhHa;Bf#0>-*Z9R^C5VjRS!rJ=1HBY6#xKy}SS}S{1-~DaXpZazGq8xc|Ci{Y0a(j!i ze*C{ZpX0<->j?KLMcw(;VFnpYsRxd%%UZWNAXvR|zSq?D#K4q~KV};SZ46+%wB8~r ztXhq=HSeEXX^x`_-`}!FS7fdA#i8mYP6>Jw(ns@|g~H%^DP&u{(FVwrL1nc|w-0}24+$=?};Bi1PVQ|mM-W8C{g+4)?G(YlE{yTq2b9jpmh z9P5{}{r>cikKfGLtMROhDal1{k1Mnsp>icC zMXTyef17o%=%tP<>5>xd^Hr1czf^SF^8b9?%BxgZ7IE0<$*FlwQWJbVXE@!MaiY`b z+v>b`hAefKN+&E?U0ytWetGqmQ%gU6bw@MneR3Abam!j1e!4I{<`W`sPXp34|>ubaaLh|S+SpcW9Dx+Vp=V+%FF)g z=}!|D==melawQ1SvZMWWj4V|)6 z+}y>`?83WeVm)u=IA(+yo5|(;+&(8_(-Pgl@^#02PyX5d$0Nbiuir#)VbJ6D5REnw ftAgV@KeB}c$!%F>r=T4a6W?UC;rD7U9=ZPjGZ$Ld diff --git a/config/hosts/grondahl/data/secrets/synapse_db_password b/config/hosts/grondahl/data/secrets/synapse_db_password new file mode 100644 index 0000000000000000000000000000000000000000..c2cd71a63320dc7ed02275b19236d533922d8808 GIT binary patch literal 87 zcmZQ@_Y83kiVO&0$myP&!FC}t>{Cj6!@U#x8u`j^sQh)h+tZ);$dzC8e#+aaS2Fh1 uRqcDt%X!*;Qpk?b*wR@laSz)W&3(5AG(KFtG3W2${e}T8y#JcNuLA()J1Xn| literal 0 HcmV?d00001 diff --git a/config/hosts/grondahl/services/containers.nix b/config/hosts/grondahl/services/containers.nix new file mode 100644 index 0000000..7d814f0 --- /dev/null +++ b/config/hosts/grondahl/services/containers.nix 
@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+
+{
+ config.virtualisation.oci-containers = {
+ backend = "podman";
+ containers = {
+ #mobilizon = {
+ # image = "framasoft/mobilizon";
+ # ports = [ "127.0.0.1:4000:4000" ];
+ # volumes = [
+ # "/var/lib/mobilizon/uploads:/var/lib/mobilizon/uploads"
+ # "/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
+ # ];
+ # environmentFiles = [ config.secrets.files.mobilizon_env.file ];
+ # };
+ authentik-server = {
+ image = "ghcr.io/goauthentik/server:stable";
+ ports = [
+ "127.0.0.1:9000:9000"
+ "127.0.0.1:9443:9443"
+ ];
+ volumes = [
+ "/var/lib/authentik/media:/media"
+ "/var/lib/authentik/templates:/templates"
+ "/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
+ "/run/redis/redis.sock:/run/redis/redis.sock"
+ ];
+ environmentFiles = [ config.secrets.files.authentik_env.file ];
+ cmd = ["server"];
+ };
+ authentik-worker = {
+ image = "ghcr.io/goauthentik/server:stable";
+ volumes = [
+ "/var/lib/authentik/backups:/backups"
+ "/var/lib/authentik/media:/media"
+ "/var/lib/authentik/certs:/certs"
+ "/var/lib/authentik/templates:/templates"
+ ];
+ environmentFiles = [ config.secrets.files.authentik_env.file ];
+ cmd = ["worker"];
+ };
+ };
+ };
+
+ config.systemd.services.create-authentik-pod = with config.virtualisation.oci-containers; {
+ serviceConfig.Type = "oneshot";
+ wantedBy = [ "podman-authentik-server.service" "podman-authentik-worker.service" ];
+ script = ''
+ ${pkgs.podman}/bin/podman pod exists authentik || \
+ ${pkgs.podman}/bin/podman pod create -n authentik -p '127.0.0.1:9000:9000' -p '127.0.0.1:9443:9443'
+ '';
+ };
+}
diff --git a/config/hosts/grondahl/services/mail.nix b/config/hosts/grondahl/services/mail.nix
new file mode 100644
index 0000000..6aef8d3
--- /dev/null
+++ b/config/hosts/grondahl/services/mail.nix
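Review bot: `create-authentik-pod` creates a pod that nothing joins — neither container passes `--pod authentik` through `extraOptions`, and `authentik-server` already publishes 9000/9443 itself, which would presumably clash with the pod's `-p` mappings if it did join; as written the oneshot is dead weight. `wantedBy` alone adds a Wants= edge with no ordering, so even if the pod were used there is no guarantee it exists before `podman-authentik-server.service` starts; `before = [ "podman-authentik-server.service" "podman-authentik-worker.service" ];` next to `wantedBy` is needed for that. `authentik-worker` mounts neither `/run/postgresql/.s.PGSQL.5432` nor `/run/redis/redis.sock` although `authentik-server` does and both read the same `authentik_env`, so the worker presumably cannot reach the database or Redis and those two `volumes` lines look missing. The `with config.virtualisation.oci-containers;` on the service definition binds nothing the body uses and can be dropped.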
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a commit from the branch you are interested in
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e3a7b2ea6f0d68b82027b988aa25d3423787303/nixos-mailserver-6e3a7b2ea6f0d68b82027b988aa25d3423787303.tar.gz";
+ # And set its hash
+ sha256 = "1i56llz037x416bw698v8j6arvv622qc0vsycd20lx3yx8n77n44";
+ })
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "anarkafem.dev";
+ domains = [ "anarkafem.dev" ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
+ loginAccounts = {
+ "noreply@anarkafem.dev" = {
+ hashedPasswordFile = config.secrets.files.email_noreply.file;
+ };
+ };
+
+ keyFile = config.security.acme.certs."anarkafem.dev".directory + "/key.pem";
+ certificateFile = config.security.acme.certs."anarkafem.dev".directory + "/cert.pem";
+ certificateScheme = 1;
+ };
+}
diff --git a/config/hosts/grondahl/services/nginx.nix b/config/hosts/grondahl/services/nginx.nix
index 505f79b..d313927 100644
--- a/config/hosts/grondahl/services/nginx.nix
+++ b/config/hosts/grondahl/services/nginx.nix
@@ -20,5 +20,15 @@
 '';
 };
 };
+ "cal.anarkafem.dev" = {
+ useACMEHost = "anarkafem.dev";
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:4000";
+ };
+ "auth.anarkafem.dev" = {
+ useACMEHost = "anarkafem.dev";
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:9000";
+ };
 };
 }
diff --git a/config/hosts/grondahl/services/postgres.nix b/config/hosts/grondahl/services/postgres.nix
index e092165..950c67a 100644
--- a/config/hosts/grondahl/services/postgres.nix
+++ b/config/hosts/grondahl/services/postgres.nix
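Review bot: `keyFile` and `certificateFile` read directly out of the ACME directory for `anarkafem.dev` (`certificateScheme = 1`), but nothing here grants the mail daemons access to it; on NixOS that directory is readable only by root and the certificate's `group`, so `security.acme.certs."anarkafem.dev".group` presumably has to be set to a group the postfix/dovecot users belong to, and a `reloadServices` entry on that certificate is needed so renewals are picked up. Note also that this module is left disabled in configuration.nix (its import is commented out), so none of this has been evaluated; a comment at the top saying so, or landing it together with the import, would avoid a surprise later. Pinning the tarball to a commit with a `sha256` is the right thing to do — a comment naming the nixos-mailserver release that commit belongs to would make the next upgrade easier.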
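Review bot: both new vhosts proxy to backends this commit does not actually bring up: `cal.anarkafem.dev` → `127.0.0.1:4000` is the mobilizon container, which is commented out inside containers.nix, and `auth.anarkafem.dev` → `127.0.0.1:9000` is the authentik server, whose module import is commented out in configuration.nix, so both names would answer 502 as soon as this nginx change is deployed. Either land the vhosts together with the imports or comment them out with the same `#` marker used in configuration.nix. For the authentik vhost, `locations."/".proxyWebsockets = true;` is presumably also needed, since authentik serves websocket endpoints under the same path. The enclosing `virtualHosts` attrset starts above this hunk.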
@@ -1,26 +1,55 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
 services.postgresql = {
 enable = true;
 package = pkgs.postgresql_13;
+ extraPlugins = with config.services.postgresql.package.pkgs; [
+ postgis
+ ];
+ ensureDatabases = [
+ "matrix-synapse"
+ "mobilizon"
+ "authentik"
+ ];
+ ensureUsers = [
+ {
+ name = "matrix-synapse";
+ ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+ }
+ {
+ name = "mobilizon";
+ ensurePermissions."DATABASE mobilizon" = "ALL PRIVILEGES";
+ }
+ {
+ name = "authentik";
+ ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES";
+ }
+ ];
 initialScript = pkgs.writeText "synapse-init.sql" ''
- CREATE ROLE synapse;
- CREATE DATABASE synapse WITH OWNER synapse
+ CREATE ROLE matrix-synapse;
+ CREATE DATABASE matrix-synapse WITH OWNER matrix-synapse
 TEMPLATE template0
 LC_COLLATE = "C"
 LC_CTYPE = "C"
 ENCODING = "UTF8";
 '';
- authentication = pkgs.lib.mkOverride 10 ''
- local all all trust
- host all all ::1/128 trust
- '';
+ settings = { password_encryption = "scram-sha-256"; };
+ authentication = pkgs.lib.mkForce ''
+ local all postgres peer
+ local all matrix-synapse peer
+ local all mobilizon scram-sha-256
+ local all authentik scram-sha-256
+ '';
 };
 services.postgresqlBackup = {
 enable = true;
 location = "/var/lib/postgresql/backup";
- databases = [ "synapse" ];
+ databases = [
+ "matrix-synapse"
+ "mobilizon"
+ "authentik"
+ ];
 startAt = "02:30";
 compression = "none";
 };
diff --git a/config/hosts/grondahl/services/redis.nix b/config/hosts/grondahl/services/redis.nix
new file mode 100644
index 0000000..6a001e1
--- /dev/null
+++ b/config/hosts/grondahl/services/redis.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+ services.redis = {
+ enable = true;
+ unixSocket = "/run/redis/redis.sock";
+ vmOverCommit = true;
+ unixSocketPerm = 770;
+ #requirePassfile = config.secrets.files.redis_pass.file;
+ };
+}
+
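Review bot: the `initialScript` uses the hyphenated name unquoted in `CREATE ROLE matrix-synapse;` and `CREATE DATABASE matrix-synapse WITH OWNER matrix-synapse`, which PostgreSQL parses as `matrix - synapse` and rejects with a syntax error; it must be double-quoted, exactly as the `ensurePermissions."DATABASE \"matrix-synapse\""` key in this same hunk already does: `CREATE ROLE "matrix-synapse";` / `CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"`. Because the script is run with plain `psql -f`, the error presumably does not abort setup, and `ensureDatabases` then creates `"matrix-synapse"` with the cluster's default locale instead of `template0` with `LC_COLLATE = "C"`, which Synapse is known to refuse — so the bug would surface as a Synapse start failure rather than a Postgres one. Separately, `mobilizon` and `authentik` are created by `ensureUsers` without a password while the `mkForce`d pg_hba only admits them via `scram-sha-256`, so neither can log in until `ALTER ROLE ... PASSWORD` is run out of band; a comment saying where that step lives would help. Requiring `scram-sha-256` and dropping the former `trust` rules is a good hardening move.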
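Review bot: with `#requirePassfile` disabled, the only access control on this instance is the `770` mode on `/run/redis/redis.sock`, i.e. membership in the redis group; containers.nix bind-mounts that socket into the authentik container, so the container's process uid must map to a member of that group or authentik cannot connect — a comment stating which uid/group is expected would save the next person the debugging. If the password line is meant to be enabled later, note that the NixOS option is spelled `requirePassFile` (capital F), so the commented line would fail evaluation as written. The module is also left unimported in configuration.nix, so this file is currently unexercised.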
diff --git a/config/hosts/grondahl/services/synapse.nix b/config/hosts/grondahl/services/synapse.nix
index 9d0c32e..210914f 100644
--- a/config/hosts/grondahl/services/synapse.nix
+++ b/config/hosts/grondahl/services/synapse.nix
@@ -9,8 +9,9 @@
 turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
 max_upload_size = "100M";
 database_type = "psycopg2";
- database_user = "synapse";
- database_name = "synapse";
+ database_args = {
+ password = builtins.toString config.secrets.files.synapse_db_password.file;
+ };
 turn_uris = [
 "turn:turn.anarkafem.dev:3478?transport=udp"
 "turn:turn.anarkafem.dev:3478?transport=tcp"
diff --git a/config/hosts/rudiger/services/postgres.nix b/config/hosts/rudiger/services/postgres.nix
index 4651a6e..af4cc48 100644
--- a/config/hosts/rudiger/services/postgres.nix
+++ b/config/hosts/rudiger/services/postgres.nix
@@ -2,18 +2,21 @@
 {
 services.postgresql = {
 enable = true;
- ensureDatabases = [ "nextcloud" ];
+ ensureDatabases = [
+ "nextcloud"
+ ];
 ensureUsers = [
- { name = "nextcloud";
- ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
- }
+ {
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
 ];
 };
 services.postgresqlBackup = {
 enable = true;
 location = "/var/lib/postgresql/backup";
- databases = [ "synapse" ];
+ databases = [ "nextcloud" ];
 startAt = "02:30";
 compression = "none";
 };
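Review bot: `database_args.password` is set to `builtins.toString config.secrets.files.synapse_db_password.file`, which — if `.file` is a path, as the name suggests — writes the path string, not the secret, into homeserver.yaml; and since the module renders that file into the world-readable Nix store, inlining the real password here would leak it anyway. postgres.nix in this same commit grants `local all matrix-synapse peer`, and the NixOS synapse service connects over the socket as its own `matrix-synapse` user with the module's default `database_user`/`database_name`, so no password is needed at all; the `database_args` block and the new `synapse_db_password` secret can presumably be dropped, or, if a password really is required, moved into `extraConfigFiles` where the module keeps secrets out of the store. The same `toString ... .file` idiom is already used for `turn_shared_secret` on the line above, so if the project's secrets module resolves `.file` to content at activation time a comment saying so would settle this. The enclosing `services.matrix-synapse` attrset starts before this hunk.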