diff --git a/.EditorConfig b/.EditorConfig deleted file mode 100644 index 24f2e16..0000000 --- a/.EditorConfig +++ /dev/null @@ -1,4 +0,0 @@ -root = true - -[*.nix] -indent_style = "tab" diff --git a/.git-crypt/keys/default/0/3C377393274931EF017630D5A2168D0DBE59D7CC.gpg b/.git-crypt/keys/default/0/3C377393274931EF017630D5A2168D0DBE59D7CC.gpg deleted file mode 100644 index 98fecd4..0000000 Binary files a/.git-crypt/keys/default/0/3C377393274931EF017630D5A2168D0DBE59D7CC.gpg and /dev/null differ diff --git a/.git-crypt/keys/default/0/8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg b/.git-crypt/keys/default/0/8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg deleted file mode 100644 index 8025707..0000000 Binary files a/.git-crypt/keys/default/0/8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg and /dev/null differ diff --git a/.gitmodules b/.gitmodules deleted file mode 100644 index b988793..0000000 --- a/.gitmodules +++ /dev/null @@ -1,3 +0,0 @@ -[submodule "config/hosts/grondahl/services/ooye"] - path = config/hosts/grondahl/services/ooye - url = https://cgit.rory.gay/nix/OOYE-module.git diff --git a/Makefile b/Makefile deleted file mode 100644 index af79aff..0000000 --- a/Makefile +++ /dev/null @@ -1,12 +0,0 @@ -all: result - -.PHONY: update result deploy - -result: - nix build -f deploy/default.nix - -update: - cd config/sources && niv update - -deploy: - ./result diff --git a/README.md b/README.md index 6852b72..885ac1b 100644 --- a/README.md +++ b/README.md @@ -1,27 +1 @@ NixOS deployments using [nixus](https://github.com/Infinisil/nixus). - -TL;DR: -1. `make update` -2. `make result` -3. `make deploy` - -First make sure you have `niv` so you can upgrade dependency versions in `sources.json`. -```sh -nix-shell -p niv -(cd config/sources && niv update) -``` -Build with: -```sh -nix-build deploy/ -``` -Deploy by running the generated executable. -```sh -./result -``` - -## Switching nixpkgs branch -```sh -cd config/sources -niv modify nixpkgs -b nixos-xx.yy -``` - 
diff --git a/config/common/configuration/documentation.nix b/config/common/configuration/documentation.nix deleted file mode 100644 index bc47744..0000000 --- a/config/common/configuration/documentation.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: - -{ - # Some docs fail to build, so we need to disable some of it - documentation = { - enable = true; - man.enable = true; - doc.enable = true; - dev.enable = false; - nixos.enable = false; - }; -} diff --git a/config/common/configuration/nix.nix b/config/common/configuration/nix.nix deleted file mode 100644 index 8540329..0000000 --- a/config/common/configuration/nix.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: - -# Configuration options for the nix package manager -{ - nix.gc = { - # Run garbage collection automatically - automatic = true; - # Run it once a week - dates = "weekly"; - options = "--delete-older-than 30d"; - }; -} diff --git a/config/common/data/pubkeys/backup_host_ed25519_key.pub b/config/common/data/pubkeys/backup_host_ed25519_key.pub deleted file mode 100644 index 6c326b4..0000000 --- a/config/common/data/pubkeys/backup_host_ed25519_key.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4C5OgZpxoF42L5rPqwejs+Q1ViN9TM9o/fEbpnPFtA diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/config/common/data/pubkeys/despondos_host_ed25519_key.pub new file mode 100644 index 0000000..6367ffa --- /dev/null +++ b/config/common/data/pubkeys/despondos_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7 diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix index b6f3187..6c375a6 100644 --- a/config/common/services/nginx.nix +++ b/config/common/services/nginx.nix 
@@ -20,26 +20,26 @@ map $scheme $hsts_header { https "max-age=31536000; includeSubdomains; preload"; } - #add_header Strict-Transport-Security $hsts_header; + add_header Strict-Transport-Security $hsts_header; # Enable CSP for your services. #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; # Minimize information leaked to other domains - #add_header 'Referrer-Policy' 'same-origin'; + add_header 'Referrer-Policy' 'same-origin'; # Disable embedding as a frame - #add_header X-Frame-Options DENY; + add_header X-Frame-Options DENY; # Prevent injection of code in other mime types (XSS Attacks) - #add_header X-Content-Type-Options nosniff; + add_header X-Content-Type-Options nosniff; # Enable XSS protection of the browser. # May be unnecessary when CSP is configured properly (see above) - #add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "1; mode=block"; # This might create errors - #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; }; } diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix index c7d5528..a454669 100644 --- a/config/common/services/ssh.nix +++ b/config/common/services/ssh.nix 
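Review bot: `add_header X-XSS-Protection "1; mode=block";` re-enables a header that current browsers no longer honour and whose auditor mode was itself implicated in information-leak issues; the usual guidance now is to omit it (or set it to `0`) and rely on the Content-Security-Policy line, which this hunk leaves commented out. Note also that nginx `add_header` is only inherited into a `server`/`location` block that declares no `add_header` of its own, so any virtualHost or location that adds even one header silently drops every header set here — a comment above the block, `# NOTE: any vhost/location with its own add_header must repeat these`, would save someone a surprise. `proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";` rewrites cookies for every proxied app; the existing "This might create errors" comment is apt, since a strict SameSite cookie is not sent on the redirect back from a cross-site login, which the proxied auth service may depend on. The enclosing `commonHttpConfig` string starts before this hunk.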
@@ -2,21 +2,19 @@ { services.openssh = { enable = true; + permitRootLogin = "no"; + passwordAuthentication = false; + challengeResponseAuthentication = false; hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ]; - settings = { - KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ]; - Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ]; - PermitRootLogin = "no"; - KbdInteractiveAuthentication = false; - PasswordAuthentication = false; + kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ]; + macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ]; - }; }; programs.ssh.knownHosts = { - backup = { - hostNames = [ "backup.graven.dev" ]; - publicKeyFile = ../data/pubkeys/backup_host_ed25519_key.pub; + despondos = { + hostNames = [ "despondos.nao.sh" ]; + publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub; }; }; diff --git a/config/common/services/tailscale.nix b/config/common/services/tailscale.nix deleted file mode 100644 index 18afac7..0000000 --- a/config/common/services/tailscale.nix +++ /dev/null 
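Review bot: The `macs` list names `hmac-sha2-512-etm@openssh.com` twice; sshd tolerates the duplicate, but it reads like a copy-paste slip, so either drop the repeat or, if `hmac-sha2-256-etm@openssh.com` was intended, spell that out. The new side returns to the flat `permitRootLogin`/`passwordAuthentication`/`kexAlgorithms` option names while the removed side used `settings.*` with `KbdInteractiveAuthentication`; which set evaluates cleanly depends on the nixpkgs pinned in `config/sources`, and newer NixOS releases only keep the flat names as deprecated aliases, so the pin and the option style should move together. The `despondos` known-host entry is what authenticates the sftp backup target used in the restic jobs, so the committed `despondos_host_ed25519_key.pub` should be checked against the host's fingerprint out of band before this is deployed.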
@@ -1,37 +0,0 @@ -{ config, pkgs, ... }: -{ -environment.systemPackages = [ pkgs.tailscale ]; - -services.tailscale.enable = false; - - # ... - - # create a oneshot job to authenticate to Tailscale - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = with pkgs; '' - # wait for tailscaled to settle - sleep 2 - - # check if we are already authenticated to tailscale - status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # otherwise authenticate with tailscale - ${tailscale}/bin/tailscale up -authkey CHANGEME - ''; - }; - -} diff --git a/config/common/users.nix b/config/common/users.nix index ec351ab..e39133d 100644 --- a/config/common/users.nix +++ b/config/common/users.nix @@ -5,7 +5,8 @@ isNormalUser = true; extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAn9xV1GA/hMkCFoP7DWzYyGmbeiri823fHMRz0ZVoxq emelie-personal-bw" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed" ]; }; 
@@ -16,10 +17,6 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwmREgBmckocQerEfO4XhB+dbKDsZopok37ePWHwCEj id_ed25519" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILrZWS1PBVRbdmPh8IJdIPHhK0+ZuSnQCR10a8Bl11VZAAAABHNzaDo= amanda@sharpy" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6v5D/aJuIhuIVcnzFA7ocxPMI8JgHEnxSPuD+SaLHX amanda@sharpy" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+0x2uHcuXpFQdeXeUWeLGPefWo6Sd7yy2FJlyZy8V+ amanda@tappy" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKWhc20jOFF+pVVT/Mf1ACYOtppkYWkP7NkY0/fPvjPAAAAFHNzaDphMy1uazNhLXBlcnNvbmFs ssh:a3-nk3a-personal" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMLbLay9KARrdb8QM4OLzmqWIN48rZMX6wCddBwYT/U amanda@gpg" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGMWTQc7A3W/LI4AgFWy/Uw/+oMucmSziuJKxC2rleo amanda@bitwarden" ]; }; }; diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix index a4bb6cf..6d317be 100644 --- a/config/hosts/grondahl/configuration.nix +++ b/config/hosts/grondahl/configuration.nix @@ -5,26 +5,23 @@ [ # Include the results of the hardware scan. ./hardware-configuration.nix ./data/secrets/secrets.nix - ../../common/configuration/nix.nix - ../../common/configuration/documentation.nix ../../common/services/ssh.nix - ../../common/services/tailscale.nix - ../../common/users.nix + ../../common/users.nix ./services/acme.nix - ./services/borg.nix ./services/coturn.nix ./services/nginx.nix + ./services/restic.nix ./services/synapse.nix ./services/postgres.nix - ./services/ooye.nix #./services/mail.nix #./services/containers.nix #./services/redis.nix ]; boot.loader.grub.enable = true; + boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/vda"; - boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + boot.kernelPackages = pkgs.linuxPackages_5_10; networking = { hostName = "grondahl"; useDHCP = false; 
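Review bot: `boot.kernelPackages = pkgs.linuxPackages_5_10;` replaces `config.boot.zfs.package.latestCompatibleLinuxPackages` with a fixed kernel series; if this host still uses ZFS, as the removed expression suggests, the build no longer asserts ZFS compatibility, and kernel security fixes only keep arriving while the pinned nixpkgs maintains 5.10. A one-line comment such as `# pinned to 5.10 LTS because <reason>; revisit when bumping nixpkgs` would let the next reviewer judge the trade-off; the same pin is made in `config/hosts/wind/configuration.nix`. Dropping `../../common/configuration/nix.nix` from `imports` also removes the weekly `nix.gc` job that file provided (see its deletion earlier in this diff), which may not be intended.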
@@ -52,9 +49,9 @@ security.sudo.wheelNeedsPassword = false; - nix.settings = { - auto-optimise-store = true; - trusted-users = [ + nix = { + autoOptimiseStore = true; + trustedUsers = [ "root" "@wheel" ]; @@ -75,15 +72,9 @@ dig ]; - networking.firewall = { - enable = true; - checkReversePath = "loose"; - trustedInterfaces = [ "tailscale0" ]; - allowedUDPPorts = [ config.services.tailscale.port ]; - allowedTCPPorts = [ 22 80 443 ]; - allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ]; - allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ]; - }; + networking.firewall.allowedTCPPorts = [ 22 80 443 ]; + networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ]; + networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ]; system.stateVersion = "21.05"; diff --git a/config/hosts/grondahl/data/secrets/acme_anarkafem_dev b/config/hosts/grondahl/data/secrets/acme_anarkafem_dev new file mode 100644 index 0000000..5e08a24 Binary files /dev/null and b/config/hosts/grondahl/data/secrets/acme_anarkafem_dev differ diff --git a/config/hosts/grondahl/data/secrets/borg_pass b/config/hosts/grondahl/data/secrets/borg_pass deleted file mode 100644 index 1d65621..0000000 Binary files a/config/hosts/grondahl/data/secrets/borg_pass and /dev/null differ diff --git a/config/hosts/grondahl/data/secrets/ooye_client_secret b/config/hosts/grondahl/data/secrets/ooye_client_secret deleted file mode 100644 index 719fb6e..0000000 Binary files a/config/hosts/grondahl/data/secrets/ooye_client_secret and /dev/null differ diff --git a/config/hosts/grondahl/data/secrets/ooye_token b/config/hosts/grondahl/data/secrets/ooye_token deleted file mode 100644 index 99de111..0000000 Binary files a/config/hosts/grondahl/data/secrets/ooye_token and /dev/null differ 
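Review bot: `trustedUsers = [ "root" "@wheel" ];` sitting next to the context line `security.sudo.wheelNeedsPassword = false;` makes every wheel member root-equivalent through the nix daemon as well (trusted users may set arbitrary substituters, builders and sandbox options), so each authorized key added for a wheel user in `config/common/users.nix` is effectively an unattended root key for the host. If non-root users do not need custom caches or remote builders, `trustedUsers = [ "root" ];` is the safer default; the same block is written in `config/hosts/rudiger/configuration.nix` and `config/hosts/wind/configuration.nix`. In the firewall hunk that follows, removing `enable = true;` relies on the NixOS default of an enabled firewall, which holds but is worth a short comment since the explicit line was there before.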
diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix index 88d7155..1feacfc 100644 Binary files a/config/hosts/grondahl/data/secrets/secrets.nix and b/config/hosts/grondahl/data/secrets/secrets.nix differ diff --git a/config/hosts/grondahl/data/secrets/synapse_db_password b/config/hosts/grondahl/data/secrets/synapse_db_password new file mode 100644 index 0000000..c2cd71a Binary files /dev/null and b/config/hosts/grondahl/data/secrets/synapse_db_password differ diff --git a/config/hosts/grondahl/data/secrets/synapse_extra_config b/config/hosts/grondahl/data/secrets/synapse_extra_config deleted file mode 100644 index 022aa1e..0000000 Binary files a/config/hosts/grondahl/data/secrets/synapse_extra_config and /dev/null differ diff --git a/config/hosts/grondahl/hardware-configuration.nix b/config/hosts/grondahl/hardware-configuration.nix index 47e53af..1460245 100644 --- a/config/hosts/grondahl/hardware-configuration.nix +++ b/config/hosts/grondahl/hardware-configuration.nix @@ -2,7 +2,7 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") - #(modulesPath + "/profiles/minimal.nix") + (modulesPath + "/profiles/minimal.nix") ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ]; diff --git a/config/hosts/grondahl/services/acme.nix b/config/hosts/grondahl/services/acme.nix index 687ea2a..a69f94e 100644 --- a/config/hosts/grondahl/services/acme.nix +++ b/config/hosts/grondahl/services/acme.nix @@ -3,7 +3,12 @@ { security.acme = { acceptTerms = true; - defaults.email = "admin+certs@anarkafem.dev"; + email = "admin+certs@anarkafem.dev"; + certs."anarkafem.dev" = { + extraDomainNames = [ "*.anarkafem.dev" ]; + dnsProvider = "hurricane"; + credentialsFile = config.secrets.files.acme_anarkafem_dev.file; + }; }; } diff --git a/config/hosts/grondahl/services/borg.nix b/config/hosts/grondahl/services/borg.nix deleted file mode 100644 index bb86d9d..0000000 
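Review bot: `certs."anarkafem.dev"` is declared directly under `security.acme`, so nothing in this file lets nginx use the result: unless it is set elsewhere, the cert's `group` defaults to `acme` and `reloadServices` is empty, and the vhosts in `config/hosts/grondahl/services/nginx.nix` that switch to `useACMEHost = "anarkafem.dev"` will be unable to read the key under `/var/lib/acme/anarkafem.dev/` and will keep serving the old certificate after renewals. Adding `group = "nginx";` and `reloadServices = [ "nginx.service" ];` to the cert block covers both. `credentialsFile` now carries DNS-update credentials rather than relying on HTTP-01; as I understand the lego `hurricane` provider these are per-record dynamic-DNS tokens for the `_acme-challenge` name, which keeps the blast radius small, and a one-line comment stating that would stop someone later substituting account-wide credentials.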
--- a/config/hosts/grondahl/services/borg.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ config, ... }: - -{ - services.borgbackup.jobs = { - postgres = { - paths = "/var/lib/postgresql/backup"; - repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/postgres"; - encryption.mode = "repokey"; - encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}"; - environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}"; - compression = "auto,zstd"; - startAt = "*-*-* 03:15:00"; - user = "postgres"; - }; - synapse = { - paths = "/var/lib/matrix-synapse"; - repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/synapse"; - encryption.mode = "repokey"; - encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}"; - environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}"; - compression = "auto,zstd"; - startAt = "*-*-* 03:45:00"; - user = "matrix-synapse"; - }; - }; -} diff --git a/config/hosts/grondahl/services/nginx.nix b/config/hosts/grondahl/services/nginx.nix index 7b5d306..d313927 100644 --- a/config/hosts/grondahl/services/nginx.nix +++ b/config/hosts/grondahl/services/nginx.nix @@ -1,13 +1,8 @@ { imports = [ ../../../common/services/nginx.nix ]; services.nginx.virtualHosts = { - "ooye.anarkafem.dev" = { - enableACME = true; - forceSSL = true; - locations."/".proxyPass = "http://127.0.0.1:6693/"; - }; "anarkafem.dev" = { - enableACME = true; + useACMEHost = "anarkafem.dev"; forceSSL = true; locations."/".root = "/var/www/anarkafem.dev/public"; locations."/_matrix/".proxyPass = "http://127.0.0.1:8008"; 
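Review bot: `locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";` has no body-size override, while synapse.nix sets `max_upload_size = "100M"`; NixOS's `services.nginx.clientMaxBodySize` defaults to 10m, so unless the common nginx module raises it, nginx rejects media uploads above 10 MB before synapse's own limit applies. `locations."/_matrix/".extraConfig = "client_max_body_size 100M;";` keeps the two limits in agreement. The `useACMEHost = "anarkafem.dev"` switch here depends on the cert's group and reload settings discussed on the acme.nix hunk.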
@@ -26,21 +21,14 @@ }; }; "cal.anarkafem.dev" = { - enableACME = true; + useACMEHost = "anarkafem.dev"; forceSSL = true; locations."/".proxyPass = "http://127.0.0.1:4000"; }; "auth.anarkafem.dev" = { - enableACME = true; + useACMEHost = "anarkafem.dev"; forceSSL = true; locations."/".proxyPass = "http://127.0.0.1:9000"; }; - "beanz.one" = { - forceSSL = true; - enableACME = true; - locations."/" = { - root = "/var/www/beanz.one/public"; - }; - }; }; } diff --git a/config/hosts/grondahl/services/ooye b/config/hosts/grondahl/services/ooye deleted file mode 160000 index 11cc65e..0000000 --- a/config/hosts/grondahl/services/ooye +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 11cc65efa2909bdc7e3e978bf1f56f6d141bf82a diff --git a/config/hosts/grondahl/services/ooye.nix b/config/hosts/grondahl/services/ooye.nix deleted file mode 100644 index f739cf3..0000000 --- a/config/hosts/grondahl/services/ooye.nix +++ /dev/null @@ -1,16 +0,0 @@ -# Out of your Element prerequisites -{ config, ... }: -{ - imports = [ - ./ooye/module.nix - ]; - services.matrix-ooye = { - enable = true; - homeserver = "http://localhost:8008"; - namespace = "_discord_"; - discordClientSecretPath = builtins.toString config.secrets.files.ooye_client_secret.file; - discordTokenPath = builtins.toString config.secrets.files.ooye_token.file; - bridgeOrigin = "https://ooye.anarkafem.dev"; - enableSynapseIntegration = true; - }; -} diff --git a/config/hosts/grondahl/services/postgres.nix b/config/hosts/grondahl/services/postgres.nix index 8a1c392..950c67a 100644 --- a/config/hosts/grondahl/services/postgres.nix +++ b/config/hosts/grondahl/services/postgres.nix @@ -2,8 +2,8 @@ { services.postgresql = { enable = true; - package = pkgs.postgresql_16; - extensions = with config.services.postgresql.package.pkgs; [ + package = pkgs.postgresql_13; + extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ]; ensureDatabases = [ 
@@ -14,15 +14,15 @@ ensureUsers = [ { name = "matrix-synapse"; - ensureDBOwnership = true; + ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES"; } { name = "mobilizon"; - ensureDBOwnership = true; + ensurePermissions."DATABASE mobilizon" = "ALL PRIVILEGES"; } { name = "authentik"; - ensureDBOwnership = true; + ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES"; } ]; initialScript = pkgs.writeText "synapse-init.sql" '' diff --git a/config/hosts/grondahl/services/redis.nix b/config/hosts/grondahl/services/redis.nix index 94a915e..6a001e1 100644 --- a/config/hosts/grondahl/services/redis.nix +++ b/config/hosts/grondahl/services/redis.nix @@ -1,13 +1,11 @@ { config, ... }: { services.redis = { + enable = true; + unixSocket = "/run/redis/redis.sock"; vmOverCommit = true; - servers."" = { - enable = true; - unixSocket = "/run/redis/redis.sock"; - unixSocketPerm = 770; - #requirePassfile = config.secrets.files.redis_pass.file; - }; + unixSocketPerm = 770; + #requirePassfile = config.secrets.files.redis_pass.file; }; } diff --git a/config/hosts/grondahl/services/restic.nix b/config/hosts/grondahl/services/restic.nix new file mode 100644 index 0000000..f92203e --- /dev/null +++ b/config/hosts/grondahl/services/restic.nix 
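Review bot: `ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";` and the two lines below it use an option that newer NixOS releases deprecated and then removed in favour of `ensureDBOwnership = true`, which is what the removed side had; together with the `pkgs.postgresql_13` pin in the previous hunk this only evaluates against an older nixpkgs, so the `config/sources` pin should be confirmed before merging. PostgreSQL 13's upstream support ended in November 2025, so that pin needs a plan as well. `config/hosts/rudiger/services/postgres.nix` makes the same `ensurePermissions` change. In the redis hunk below, `unixSocketPerm = 770` with `requirePassfile` commented out means any account in the redis group has unauthenticated read/write access to the socket — acceptable if group membership is the intended boundary, but a comment saying so, `# auth is by redis group membership on the socket`, would make that explicit.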
@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+ services.restic.backups = {
+ "postgres" = {
+ paths = [ "/var/lib/postgresql/backup" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/postgres";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "03:15"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "postgres";
+ };
+ "synapse" = {
+ paths = [ "/var/lib/matrix-synapse" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/synapse";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "03:45"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "matrix-synapse";
+ };
+ };
+}
+
diff --git a/config/hosts/grondahl/services/synapse.nix b/config/hosts/grondahl/services/synapse.nix
index 8eaca03..210914f 100644
--- a/config/hosts/grondahl/services/synapse.nix
+++ b/config/hosts/grondahl/services/synapse.nix
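Review bot: Both jobs point `passwordFile` at the same `restic_pass` and the `sftp.command` at the same `ssh_key`, yet run as different users (`postgres` and `matrix-synapse`), so the secret files must be readable by both accounts and a compromise of either service yields the credentials for the other's backup repository; a per-job password and key keeps the blast radius to one service. The `ssh` invoked from `sftp.command` runs under a systemd timer without `-o BatchMode=yes`, so a host-key mismatch against the `despondos` pin in ssh.nix would wait on a prompt rather than fail loudly. The two attribute sets differ only in name, path, time and user and could be produced by a small helper function; `config/hosts/rudiger/services/restic.nix` shares the same shape and the same shared-secret pattern.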
@@ -3,76 +3,72 @@ { services.matrix-synapse = { enable = true; + server_name = "anarkafem.dev"; + enable_registration = false; + registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file; + turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file; + max_upload_size = "100M"; + database_type = "psycopg2"; + database_args = { + password = builtins.toString config.secrets.files.synapse_db_password.file; + }; + turn_uris = [ + "turn:turn.anarkafem.dev:3478?transport=udp" + "turn:turn.anarkafem.dev:3478?transport=tcp" + "turn:turn.anarkafem.dev:3479?transport=udp" + "turn:turn.anarkafem.dev:3479?transport=tcp" + "turns:turn.anarkafem.dev:5349?transport=udp" + "turns:turn.anarkafem.dev:5349?transport=tcp" + "turns:turn.anarkafem.dev:5350?transport=udp" + "turns:turn.anarkafem.dev:5350?transport=tcp" + ]; + report_stats = false; withJemalloc = true; - settings = { - database = { - name = "psycopg2"; - args.user = "matrix-synapse"; - args.database = "matrix-synapse"; - }; + servers = { "anarkafem.dev" = {}; }; + extraConfig = '' + default_room_version: "9" + auto_join_rooms: + - "#suf-aalborg:anarkafem.dev" + ''; + logConfig = '' + version: 1 - server_name = "anarkafem.dev"; - enable_registration = false; - registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file; - turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file; - max_upload_size = "100M"; - turn_uris = [ - "turn:turn.anarkafem.dev:3478?transport=udp" - "turn:turn.anarkafem.dev:3478?transport=tcp" - "turn:turn.anarkafem.dev:3479?transport=udp" - "turn:turn.anarkafem.dev:3479?transport=tcp" - "turns:turn.anarkafem.dev:5349?transport=udp" - "turns:turn.anarkafem.dev:5349?transport=tcp" - "turns:turn.anarkafem.dev:5350?transport=udp" - "turns:turn.anarkafem.dev:5350?transport=tcp" - ]; - report_stats = false; - servers = { "anarkafem.dev" = {}; }; - extraConfig = 
'' - default_room_version: "9" - auto_join_rooms: - - "#suf-aalborg:anarkafem.dev" - ''; - logConfig = '' - version: 1 + formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' - formatters: - precise: - format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + handlers: + console: + class: logging.StreamHandler + formatter: precise - handlers: - console: - class: logging.StreamHandler - formatter: precise + loggers: + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: INFO - loggers: - synapse.storage.SQL: - # beware: increasing this to DEBUG will make synapse log sensitive - # information such as access tokens. - level: INFO + root: + level: INFO + handlers: [console] - root: - level: INFO - handlers: [console] - - disable_existing_loggers: false - ''; - listeners = [ - { - port = 8008; - bind_addresses = ["127.0.0.1"]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = false; - } - ]; - } - ]; - }; + disable_existing_loggers: false + ''; + listeners = [ + { + port = 8008; + bind_address = "127.0.0.1"; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" "federation" ]; + compress = false; + } + ]; + } + ]; }; } diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix index b096665..4b3c0c9 100644 --- a/config/hosts/rudiger/configuration.nix +++ b/config/hosts/rudiger/configuration.nix 
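Review bot: `registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;` assigns the path of the secret file, not its contents; if the pinned matrix-synapse module writes this option verbatim into homeserver.yaml, as the pre-`settings` module does, then the registration shared secret — and likewise `turn_shared_secret` and `database_args.password` — is the predictable path string rather than a secret, which undermines `enable_registration = false`. Secrets should be supplied through a file synapse reads at runtime (`extraConfigFiles`, if the pinned module provides it) or another out-of-store mechanism, with these options left unset; a comment such as `# secrets are injected via extraConfigFiles, not via these options` would prevent the pattern returning. The removed side had the same construction, so this is pre-existing, but it is worth fixing while the block is being rewritten.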
@@ -1,93 +1,83 @@ { config, pkgs, ... }: { - imports = [ - ./hardware-configuration.nix - ./data/secrets/secrets.nix - ../../common/configuration/nix.nix - ../../common/configuration/documentation.nix - ../../common/services/ssh.nix - ../../common/services/tailscale.nix - ../../common/users.nix - ./services/acme.nix - ./services/immich.nix - ./services/nextcloud.nix - ./services/nginx.nix - ./services/postgres.nix - ./services/redis.nix - ./services/restic.nix - ]; + imports = + [ + ./hardware-configuration.nix + ./data/secrets/secrets.nix + ../../common/services/ssh.nix + ../../common/users.nix + ./services/acme.nix + ./services/nextcloud.nix + ./services/nginx.nix + ./services/postgres.nix + ./services/redis.nix + ./services/restic.nix + ]; - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/sda"; - boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; - boot.supportedFilesystems = ["zfs"]; - services.zfs.autoSnapshot.enable = false; - services.zfs.autoScrub.enable = true; + boot.supportedFilesystems = ["zfs"]; + services.zfs.autoSnapshot.enable = true; + services.zfs.autoScrub.enable = true; - time.timeZone = "Europe/Copenhagen"; + time.timeZone = "Europe/Copenhagen"; - networking = { - hostName = "rudiger"; - hostId = "8c7b66a4"; - useDHCP = false; - tempAddresses = "disabled"; - interfaces = { - "ens3" = { - ipv4.addresses = [ { - address = "202.61.202.170"; - prefixLength = 22; - } ]; - ipv6.addresses = [ { - address = "2a03:4000:5a:c61::1"; - prefixLength = 64; - } ]; - }; - }; - defaultGateway = "202.61.200.1"; - defaultGateway6 = { - address = "fe80::1"; - interface = "ens3"; - }; - nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; - }; + networking = { + hostName = "rudiger"; + hostId = "8c7b66a4"; + useDHCP = false; + tempAddresses = "disabled"; + interfaces = { + "ens3" = { + 
ipv4.addresses = [ { + address = "202.61.202.170"; + prefixLength = 22; + } ]; + ipv6.addresses = [ { + address = "2a03:4000:5a:c61::1"; + prefixLength = 64; + } ]; + }; + }; + defaultGateway = "202.61.200.1"; + defaultGateway6 = { + address = "fe80::1"; + interface = "ens3"; + }; + nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; + }; - nix.settings = { - auto-optimise-store = true; - trusted-users = [ - "root" - "@wheel" - ]; - }; + nix = { + autoOptimiseStore = true; + trustedUsers = [ + "root" + "@wheel" + ]; + }; - environment.systemPackages = with pkgs; [ - vim - wget - htop - iotop - dig - tailscale - ]; - security.sudo.wheelNeedsPassword = false; + environment.systemPackages = with pkgs; [ + vim + wget + htop + iotop + dig + ]; + security.sudo.wheelNeedsPassword = false; - systemd.services."nextcloud-setup" = { - requires = [ "postgresql.service" "redis.service" ]; - after = [ "postgresql.service" "redis.service" ]; - }; + systemd.services."nextcloud-setup" = { + requires = [ "postgresql.service" "redis.service" ]; + after = [ "postgresql.service" "redis.service" ]; + }; - users.groups.redis.members = [ "nextcloud" ]; - users.groups.backup.members = [ "nextcloud" "postgres" ]; + users.groups.redis.members = [ "nextcloud" ]; + users.groups.backup.members = [ "nextcloud" "postgres" ]; - networking.firewall = { - allowedTCPPorts = [ 22 80 443 ]; - allowedUDPPorts = [ config.services.tailscale.port ]; - trustedInterfaces = [ "tailscale0" ]; - enable = true; - checkReversePath = "loose"; - }; - # networking.firewall.allowedUDPPorts = [ ... ]; - system.stateVersion = "21.05"; + networking.firewall.allowedTCPPorts = [ 22 80 443 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + system.stateVersion = "21.05"; } diff --git a/config/hosts/rudiger/hardware-configuration.nix b/config/hosts/rudiger/hardware-configuration.nix index 283b86a..1e82882 100644 --- a/config/hosts/rudiger/hardware-configuration.nix 
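Review bot: Nearly every line in this hunk changes only because the file body was re-indented by two spaces, which buries the substantive edits (the dropped tailscale and immich imports, the removed `boot.kernelPackages` line, the switch to `nix.autoOptimiseStore`/`trustedUsers`, and the firewall rewrite); a whitespace-only commit followed by the functional change would make each reviewable on its own. Removing `boot.kernelPackages` while keeping `boot.supportedFilesystems = ["zfs"]` leaves ZFS on whatever the default kernel is, without the compatibility assertion the removed expression provided — fine in practice for the LTS default, but worth a comment. The hunk starts at the top of the file and its opening lines are in the previous chunk of this page.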
+++ b/config/hosts/rudiger/hardware-configuration.nix @@ -3,7 +3,7 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") - #(modulesPath + "/profiles/minimal.nix") + (modulesPath + "/profiles/minimal.nix") ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; diff --git a/config/hosts/rudiger/services/acme.nix b/config/hosts/rudiger/services/acme.nix index 693e006..62ae467 100644 --- a/config/hosts/rudiger/services/acme.nix +++ b/config/hosts/rudiger/services/acme.nix @@ -3,7 +3,7 @@ { security.acme = { acceptTerms = true; - defaults.email = "admin+certs@graven.dev"; + email = "admin+certs@graven.dev"; }; } diff --git a/config/hosts/rudiger/services/borg.nix b/config/hosts/rudiger/services/borg.nix deleted file mode 100644 index 28f5790..0000000 --- a/config/hosts/rudiger/services/borg.nix +++ /dev/null @@ -1,27 +0,0 @@ - -{ config, ... }: - -{ - services.borgbackup.jobs = { - postgres = { - paths = "/var/lib/postgresql/backup"; - repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/postgres"; - encryption.mode = "repokey"; - encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}"; - environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}"; - compression = "auto,zstd"; - startAt = "*-*-* 03:15:00"; - user = "postgres"; - }; - synapse = { - paths = "/var/lib/nextcloud/data"; - repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/nextcloud"; - encryption.mode = "repokey"; - encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}"; - environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}"; - compression = "auto,zstd"; - startAt = "*-*-* 03:45:00"; - user = "nextcloud"; - }; - }; -} diff --git a/config/hosts/rudiger/services/immich.nix b/config/hosts/rudiger/services/immich.nix deleted file mode 100644 index fe71843..0000000 --- a/config/hosts/rudiger/services/immich.nix +++ /dev/null 
@@ -1,9 +0,0 @@ -{ ... }: - -{ - services.immich = { - enable = true; - port = 2283; - settings.server.externalDomain = "https://immich.graven.dev"; - }; -} diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix index 4f1a9da..fd2a274 100644 --- a/config/hosts/rudiger/services/nextcloud.nix +++ b/config/hosts/rudiger/services/nextcloud.nix @@ -1,25 +1,22 @@ { config, pkgs, ... }: { - services.nextcloud = { - enable = true; - hostName = "cloud.graven.dev"; - https = true; - package = pkgs.nextcloud32; - autoUpdateApps.enable = true; - maxUploadSize = "10G"; - webfinger = true; - caching.redis = true; - config = { - dbtype = "pgsql"; - dbuser = "nextcloud"; - dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself - dbname = "nextcloud"; - adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file; - adminuser = "root"; - }; - settings = { - default_phone_region = "DK"; - }; - phpOptions."opcache.interned_strings_buffer" = "23"; - }; + services.nextcloud = { + enable = true; + hostName = "cloud.graven.dev"; + https = true; + package = pkgs.nextcloud22; + autoUpdateApps.enable = true; + maxUploadSize = "10G"; + webfinger = true; + caching.redis = true; + config = { + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself + dbname = "nextcloud"; + defaultPhoneRegion = "DK"; + adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file; + adminuser = "root"; + }; + }; } diff --git a/config/hosts/rudiger/services/nginx.nix b/config/hosts/rudiger/services/nginx.nix index 6335fcb..d896bab 100644 --- a/config/hosts/rudiger/services/nginx.nix +++ b/config/hosts/rudiger/services/nginx.nix 
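Review bot: `package = pkgs.nextcloud22;` pins a Nextcloud major that has been out of upstream support for years, so wherever it still evaluates it receives no security fixes; nixpkgs tends to drop end-of-life Nextcloud releases, which again suggests this only builds against an old pin. The removed side used `nextcloud32`, and Nextcloud does not support downgrading a data directory, so deploying this against a host that already ran a newer release will stop at the version check — if this is a deliberate rollback it needs the matching data directory restored as well. `defaultPhoneRegion = "DK";` moved under `config`, whereas newer modules expect `settings.default_phone_region` as the removed side had; the option style and the nixpkgs pin must agree.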
@@ -1,25 +1,8 @@ -{ config, ... }: +{ ... }: { imports = [ ../../../common/services/nginx.nix ]; services.nginx.virtualHosts."cloud.graven.dev" = { enableACME = true; forceSSL = true; }; - services.nginx.virtualHosts."immich.graven.dev" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://[::1]:${toString config.services.immich.port}"; - proxyWebsockets = true; - recommendedProxySettings = true; - extraConfig = '' - client_max_body_size 50000M; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - send_timeout 600s; - proxy_max_temp_file_size 0; - proxy_buffering off; - ''; - }; - }; } diff --git a/config/hosts/rudiger/services/postgres.nix b/config/hosts/rudiger/services/postgres.nix index cee84a2..af4cc48 100644 --- a/config/hosts/rudiger/services/postgres.nix +++ b/config/hosts/rudiger/services/postgres.nix @@ -1,15 +1,14 @@ -{ pkgs, ... }: +{ ... }: { services.postgresql = { enable = true; - package = pkgs.postgresql_15; ensureDatabases = [ "nextcloud" ]; ensureUsers = [ { name = "nextcloud"; - ensureDBOwnership = true; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; } ]; }; diff --git a/config/hosts/rudiger/services/redis.nix b/config/hosts/rudiger/services/redis.nix index 87b2587..2db61e7 100644 --- a/config/hosts/rudiger/services/redis.nix +++ b/config/hosts/rudiger/services/redis.nix @@ -1,12 +1,10 @@ { config, ... }: { services.redis = { + enable = true; + unixSocket = "/run/redis/redis.sock"; vmOverCommit = true; - servers."" = { - enable = true; - unixSocket = "/run/redis/redis.sock"; - unixSocketPerm = 770; - #requirePassfile = config.secrets.files.redis_pass.file; - }; - }; + unixSocketPerm = 770; + #requirePassfile = config.secrets.files.redis_pass.file; + }; } diff --git a/config/hosts/rudiger/services/restic.nix b/config/hosts/rudiger/services/restic.nix index a639bd2..dc6ad4d 100644 --- a/config/hosts/rudiger/services/restic.nix +++ b/config/hosts/rudiger/services/restic.nix 
@@ -3,21 +3,21 @@
 services.restic.backups = {
 "postgres" = {
 paths = [ "/var/lib/postgresql/backup" ];
- repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/postgres";
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/postgres";
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "04:15"; };
- extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 user = "postgres";
 };
 "nextcloud" = {
 paths = [ "/var/lib/nextcloud/data" ];
- repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/nextcloud";
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/nextcloud";
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "04:30"; };
- extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 user = "nextcloud";
 };
diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix
index bf8aeb0..80ef0b1 100644
--- a/config/hosts/wind/configuration.nix
+++ b/config/hosts/wind/configuration.nix
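Review bot: The new backup target in `sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'` is reached with plain ssh, so the connection is only as trustworthy as the host-key entry the `postgres` and `nextcloud` users have for despondos.nao.sh; nothing in this hunk pins that key, so unless it is declared elsewhere (for example via `programs.ssh.knownHosts`) the first run either fails on an unknown host or gets "fixed" by disabling host-key checking, which would leave the backups open to a swapped server. Because the same ssh key and restic password are kept while only the destination changes, also decide whether the old backup.graven.dev repositories should keep accepting this key. The identical four-line change is made in config/hosts/wind/services/restic.nix for the gitea, postgres, synapse and vaultwarden jobs.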
@@ -1,16 +1,13 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { - imports = [ - ./hardware-configuration.nix - ../../common/configuration/nix.nix - ../../common/configuration/documentation.nix + imports = [ + ./hardware-configuration.nix ../../common/services/ssh.nix - ../../common/services/tailscale.nix ../../common/users.nix ./services/acme.nix - ./services/borg.nix ./services/coturn.nix + #./services/grocy.nix ./services/nginx.nix ./services/postgres.nix ./services/synapse.nix @@ -19,15 +16,15 @@ ./services/restic.nix ./services/vaultwarden.nix ./services/wireguard.nix - ./services/akkoma.nix ./data/secrets/secrets.nix ]; boot.loader.grub.enable = true; + boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/sda"; - boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + boot.kernelPackages = pkgs.linuxPackages_5_10; boot.supportedFilesystems = ["zfs"]; - services.zfs.autoSnapshot.enable = false; + services.zfs.autoSnapshot.enable = true; services.zfs.autoScrub.enable = true; networking.hostName = "wind"; @@ -41,7 +38,7 @@ users.users.deploy-web = { isNormalUser = true; extraGroups = [ "nginx" ]; - openssh.authorizedKeys.keys = [ + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop" ]; }; @@ -53,12 +50,11 @@ htop iotop dig - tailscale ]; - nix.settings = { - auto-optimise-store = true; - trusted-users = [ + nix = { + autoOptimiseStore = true; + trustedUsers = [ "root" "@wheel" ]; diff --git a/config/hosts/wind/data/secrets/acme_graven_dev.env b/config/hosts/wind/data/secrets/acme_graven_dev.env new file mode 100644 index 0000000..cd4a5e2 Binary files /dev/null and b/config/hosts/wind/data/secrets/acme_graven_dev.env differ 
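Review bot: `boot.kernelPackages = pkgs.linuxPackages_5_10;` hard-pins the kernel series, so kernel security updates on wind now arrive only when the nixpkgs pin in sources.json is moved, and the requirement that the ZFS module builds against this kernel becomes implicit; a comment such as `# 5.10 LTS: must stay buildable with the ZFS module in the pinned nixpkgs` would make the coupling visible. The `#./services/grocy.nix` import is left commented out while config/hosts/wind/services/grocy.nix is added in the same commit, so that file is dead configuration until the import is enabled. `trustedUsers = [ "root" "@wheel" ]` is unchanged context, but note that it makes every wheel member root-equivalent towards the Nix daemon.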
diff --git a/config/hosts/wind/data/secrets/acme_graven_se.env b/config/hosts/wind/data/secrets/acme_graven_se.env new file mode 100644 index 0000000..7ac992b Binary files /dev/null and b/config/hosts/wind/data/secrets/acme_graven_se.env differ diff --git a/config/hosts/wind/data/secrets/borg_pass b/config/hosts/wind/data/secrets/borg_pass deleted file mode 100644 index 1d65621..0000000 Binary files a/config/hosts/wind/data/secrets/borg_pass and /dev/null differ diff --git a/config/hosts/wind/data/secrets/secrets.nix b/config/hosts/wind/data/secrets/secrets.nix index d95a37c..5592aaf 100644 Binary files a/config/hosts/wind/data/secrets/secrets.nix and b/config/hosts/wind/data/secrets/secrets.nix differ diff --git a/config/hosts/wind/data/secrets/ssh_key b/config/hosts/wind/data/secrets/ssh_key index eb6c6ce..6dd0719 100644 Binary files a/config/hosts/wind/data/secrets/ssh_key and b/config/hosts/wind/data/secrets/ssh_key differ diff --git a/config/hosts/wind/data/secrets/ssh_key.pub b/config/hosts/wind/data/secrets/ssh_key.pub index de5e671..54b1d0b 100644 Binary files a/config/hosts/wind/data/secrets/ssh_key.pub and b/config/hosts/wind/data/secrets/ssh_key.pub differ diff --git a/config/hosts/wind/data/secrets/synapse_extra_config b/config/hosts/wind/data/secrets/synapse_extra_config deleted file mode 100644 index 7307817..0000000 Binary files a/config/hosts/wind/data/secrets/synapse_extra_config and /dev/null differ diff --git a/config/hosts/wind/data/secrets/synapse_sliding_sync_env b/config/hosts/wind/data/secrets/synapse_sliding_sync_env deleted file mode 100644 index b5b3eec..0000000 Binary files a/config/hosts/wind/data/secrets/synapse_sliding_sync_env and /dev/null differ diff --git a/config/hosts/wind/hardware-configuration.nix b/config/hosts/wind/hardware-configuration.nix index ee338a2..50c7560 100644 --- a/config/hosts/wind/hardware-configuration.nix +++ b/config/hosts/wind/hardware-configuration.nix 
@@ -6,7 +6,7 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") - #(modulesPath + "/profiles/minimal.nix") + (modulesPath + "/profiles/minimal.nix") #(modulesPath + "/profiles/hardened.nix") ]; diff --git a/config/hosts/wind/services/acme.nix b/config/hosts/wind/services/acme.nix index 693e006..862d516 100644 --- a/config/hosts/wind/services/acme.nix +++ b/config/hosts/wind/services/acme.nix @@ -3,7 +3,19 @@ { security.acme = { acceptTerms = true; - defaults.email = "admin+certs@graven.dev"; + email = "admin+certs@graven.dev"; + certs = { + "graven.dev" = { + extraDomainNames = [ "*.graven.dev" ]; + dnsProvider = "hurricane"; + credentialsFile = config.secrets.files.acme_graven_dev.file; + }; + "graven.se" = { + extraDomainNames = [ "*.graven.se" ]; + dnsProvider = "hurricane"; + credentialsFile = config.secrets.files.acme_graven_se.file; + }; + }; }; } diff --git a/config/hosts/wind/services/akkoma.nix b/config/hosts/wind/services/akkoma.nix deleted file mode 100644 index 3dabcf5..0000000 --- a/config/hosts/wind/services/akkoma.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ config, pkgs, ... }: -{ - - services.akkoma = { - enable = true; - config = { - ":pleroma" = { - ":instance" = { - name = "graven.se"; - description = "Graven Fedi"; - email = "charlie@graven.se"; - registration_open = false; - }; - - "Pleroma.Web.Endpoint" = { - url.host = "fedi.graven.se"; - }; - "Pleroma.Web.Webfinger" = { - domain = "graven.se"; - }; - "Pleroma.Upload".filters = - map (pkgs.formats.elixirConf { }).lib.mkRaw - [ - "Pleroma.Upload.Filter.Exiftool" - "Pleroma.Upload.Filter.Dedupe" - "Pleroma.Upload.Filter.AnonymizeFilename" - ]; - }; - }; - nginx = { - enableACME = true; - forceSSL = true; - serverName = "fedi.graven.se"; - }; - }; -} diff --git a/config/hosts/wind/services/borg.nix b/config/hosts/wind/services/borg.nix deleted file mode 100644 index 776f91d..0000000 --- a/config/hosts/wind/services/borg.nix +++ /dev/null 
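Review bot: `credentialsFile = config.secrets.files.acme_graven_dev.file;` (and its graven.se twin) hands lego DNS API credentials that can write records for the whole zone and therefore obtain certificates for any name under it, so the files behind these options must be readable by the acme service user and nobody else; how that secrets mechanism sets ownership and mode is not visible here, please confirm it. The wildcard certs issued here are consumed by several vhosts in config/hosts/wind/services/nginx.nix through `useACMEHost`, which needs nginx to be able to read the key; neither cert sets `group = "nginx";`, so unless that is configured elsewhere the web server cannot load them. A short comment on each cert naming which vhosts depend on it would help the next maintainer judge the blast radius of rotating these credentials.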
@@ -1,36 +0,0 @@
-{ config, ... }:
-
-{
- services.borgbackup.jobs = {
- gitea = {
- paths = "/var/lib/gitea";
- repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/gitea";
- encryption.mode = "repokey";
- encryption.passCommand = "cat ${config.secrets.files.borg_pass_gitea.file}";
- environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_gitea.file}";
- compression = "auto,zstd";
- startAt = "*-*-* 02:15:00";
- user = "gitea";
- };
- postgres = {
- paths = "/var/lib/postgresql/backup";
- repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/postgres";
- encryption.mode = "repokey";
- encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
- environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
- compression = "auto,zstd";
- startAt = "*-*-* 03:15:00";
- user = "postgres";
- };
- synapse = {
- paths = "/var/lib/matrix-synapse";
- repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/synapse";
- encryption.mode = "repokey";
- encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
- environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
- compression = "auto,zstd";
- startAt = "*-*-* 03:15:00";
- user = "matrix-synapse";
- };
- };
-}
diff --git a/config/hosts/wind/services/coturn.nix b/config/hosts/wind/services/coturn.nix
index b2c61c8..6481466 100644
--- a/config/hosts/wind/services/coturn.nix
+++ b/config/hosts/wind/services/coturn.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 {
 services.coturn = {
- enable = false;
+ enable = true;
 lt-cred-mech = true;
 use-auth-secret = true;
 static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
diff --git a/config/hosts/wind/services/gitea.nix b/config/hosts/wind/services/gitea.nix
index 3d3966e..58fc760 100644
--- a/config/hosts/wind/services/gitea.nix
+++ b/config/hosts/wind/services/gitea.nix
@@ -1,32 +1,16 @@ { ... }: { - services.forgejo = { + services.gitea = { enable = true; - user = "gitea"; - group = "gitea"; - stateDir = "/var/lib/gitea"; + domain = "git.graven.dev"; + rootUrl = "https://git.graven.dev"; + enableUnixSocket = true; + cookieSecure = true; + appName = "Graven Gitea"; + settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; }; database = { type = "postgres"; - name = "gitea"; - user = "gitea"; - }; - settings = { - DEFAULT.APP_NAME = "Graven Gitea"; - service.DISABLE_REGISTRATION = true; - session.COOKIE_SECURE = true; - server.DOMAIN = "git.graven.dev"; - server.ROOT_URL = "https://git.graven.dev"; - server.PROTOCOL = "http+unix"; }; }; - - users.users.gitea = { - home = "/var/lib/gitea"; - useDefaultShell = true; - group = "gitea"; - isSystemUser = true; - }; - - users.groups.gitea = {}; } diff --git a/config/hosts/wind/services/grocy.nix b/config/hosts/wind/services/grocy.nix new file mode 100644 index 0000000..324680a --- /dev/null +++ b/config/hosts/wind/services/grocy.nix @@ -0,0 +1,10 @@ +{ + services.grocy = { + enable = true; + hostName = "grocy.graven.dev"; + settings = { + currency = "DKK"; + calendar.firstDayOfWeek = 1; + }; + }; +} diff --git a/config/hosts/wind/services/nginx.nix b/config/hosts/wind/services/nginx.nix index b7b7b77..e219049 100644 --- a/config/hosts/wind/services/nginx.nix +++ b/config/hosts/wind/services/nginx.nix @@ -2,13 +2,11 @@ imports = [ ../../../common/services/nginx.nix ]; services.nginx.virtualHosts = { "graven.dev" = { - enableACME = true; + useACMEHost = "graven.dev"; forceSSL = true; locations."/".root = "/var/www/graven.dev/public"; - locations."~ ^(\\/_matrix|\\/_synapse\\/client)" = { - proxyPass = "http://127.0.0.1:8008"; - priority = 1000; - }; + locations."/_matrix".proxyPass = "http://127.0.0.1:8008"; + locations."/_synapse".proxyPass = "http://127.0.0.1:8008"; locations."/.well-known/matrix/" = { root = "/var/www/matrix/public"; extraConfig = '' 
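Review bot: The new `services.gitea` block never turns off self-registration, and the `service.DISABLE_REGISTRATION = true` setting the old `services.forgejo` block carried has no counterpart on the new side, so git.graven.dev will accept sign-ups from anyone unless the module default is overridden. Add `disableRegistration = true;` next to `cookieSecure = true;`. Without it the instance becomes an open target for spam accounts and for anyone who wants free code hosting under your domain.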
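Review bot: `locations."/_synapse".proxyPass = "http://127.0.0.1:8008";` forwards the entire `/_synapse` prefix to Synapse, which includes the admin API under `/_synapse/admin` that Synapse's deployment guidance says should not be reachable from the public internet; the regex it replaces only matched `/_synapse/client`. Narrow it to `locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";` so the admin endpoints stay reachable only from the host itself, and keep the `/_matrix` location as it is. The `services.nginx.virtualHosts` block continues past this hunk.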
@@ -16,34 +14,24 @@ add_header Access-Control-Allow-Origin "*"; add_header Strict-Transport-Security $hsts_header; add_header Referrer-Policy "same-origin"; + add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options "nosniff"; add_header X-XSS-Protection "1; mode=block"; ''; }; }; - # Fedi webfinger - "graven.se" = { - enableACME = true; - forceSSL = true; - locations."/.well-known/host-meta".return = "301 https://fedi.graven.se$request_uri"; - }; - "amanda.graven.dev" = { - enableACME = true; - forceSSL = true; - locations."/".root = "/var/www/amanda.graven.dev/public"; - }; "rss.graven.dev" = { - enableACME = true; + useACMEHost = "graven.dev"; forceSSL = true; }; "git.graven.dev" = { - enableACME = true; + useACMEHost = "graven.dev"; forceSSL = true; - locations."/".proxyPass = "http://unix:/run/forgejo/forgejo.sock:"; + locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:"; }; "vault.graven.dev" = { forceSSL = true; - enableACME = true; + useACMEHost = "graven.dev"; locations."/" = { proxyPass = "http://localhost:8812"; proxyWebsockets = true; @@ -59,7 +47,7 @@ }; "openpgpkey.graven.dev" = { forceSSL = true; - enableACME = true; + useACMEHost = "graven.dev"; locations."/" = { root = "/var/www/openpgpkey"; extraConfig = '' @@ -75,7 +63,7 @@ }; "openpgpkey.graven.se" = { forceSSL = true; - enableACME = true; + useACMEHost = "graven.se"; locations."/" = { root = "/var/www/openpgpkey"; extraConfig = '' @@ -91,7 +79,7 @@ }; "tor.graven.dev" = { forceSSL = true; - enableACME = true; + useACMEHost = "graven.dev"; locations."/" = { root = "/var/www/tor"; extraConfig = '' diff --git a/config/hosts/wind/services/postgres.nix b/config/hosts/wind/services/postgres.nix index e7712e4..79cf378 100644 --- a/config/hosts/wind/services/postgres.nix +++ b/config/hosts/wind/services/postgres.nix 
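Review bot: Replacing `enableACME = true` with `useACMEHost = "graven.dev"` (and `"graven.se"` for openpgpkey.graven.se) makes every vhost in this file read one wildcard key out of the acme state directory, so nginx needs read access to it; nothing in this commit sets `security.acme.certs."graven.dev".group = "nginx";` or puts nginx in the acme group, and without that the server cannot load the certificate — confirm it is configured elsewhere. The same substitution recurs in the three later hunks of this file for openpgpkey.graven.dev, openpgpkey.graven.se and tor.graven.dev, so the fix belongs in acme.nix rather than here. The added `add_header X-Frame-Options "DENY";` on the .well-known location is a sensible tightening.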
@@ -2,7 +2,7 @@
 {
 services.postgresql = {
 enable = true;
- package = pkgs.postgresql_16;
+ package = pkgs.postgresql_13;
 initialScript = pkgs.writeText "synapse-init.sql" ''
 CREATE ROLE synapse;
 CREATE DATABASE synapse WITH OWNER synapse
diff --git a/config/hosts/wind/services/restic.nix b/config/hosts/wind/services/restic.nix
index 7f06514..083e4cc 100644
--- a/config/hosts/wind/services/restic.nix
+++ b/config/hosts/wind/services/restic.nix
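Review bot: `package = pkgs.postgresql_13;` selects a PostgreSQL major that is past upstream end-of-life, so the synapse database will run without security fixes until the pin is changed; if that is a deliberate consequence of the channel move, say so on the line, e.g. `package = pkgs.postgresql_13; # EOL upstream; bump together with the nixpkgs pin`. If the data directory on wind was initialised by the previous major, postgres refuses to start on it — a dump/restore is needed, not just a package switch. Dropping the explicit `package` pin in config/hosts/rudiger/services/postgres.nix has the same consequences there, since that host falls back to the module default of the pinned channel.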
@@ -5,41 +5,41 @@
 services.restic.backups = {
 "gitea" = {
 paths = [ "/var/lib/gitea" ];
- repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/gitea";
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/gitea";
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "02:15"; };
- extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 user = "gitea";
 };
 "postgres" = {
 paths = [ "/var/lib/postgresql/backup" ];
- repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/postgres";
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/postgres";
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "03:00"; };
- extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 user = "postgres";
 };
 "synapse" = {
 paths = [ "/var/lib/matrix-synapse" ];
- repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/synapse";
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/synapse";
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "03:30"; };
- extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 user = "matrix-synapse";
 };
 "vaultwarden" = {
 paths = [ "/var/lib/bitwarden_rs" ];
- repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/vaultwarden";
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "23:45"; };
- extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 user = "vaultwarden";
 };
diff --git a/config/hosts/wind/services/synapse.nix b/config/hosts/wind/services/synapse.nix
index c5899eb..e88e79e 100644
--- a/config/hosts/wind/services/synapse.nix
+++ b/config/hosts/wind/services/synapse.nix
@@ -3,68 +3,87 @@ { services.matrix-synapse = { enable = true; + server_name = "graven.dev"; + enable_registration = false; + registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file; + turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file; + max_upload_size = "100M"; + database_type = "psycopg2"; + database_user = "synapse"; + database_name = "synapse"; + turn_uris = [ + "turn:turn.graven.dev:3478?transport=udp" + "turn:turn.graven.dev:3478?transport=tcp" + "turn:turn.graven.dev:3479?transport=udp" + "turn:turn.graven.dev:3479?transport=tcp" + "turns:turn.graven.dev:5349?transport=udp" + "turns:turn.graven.dev:5349?transport=tcp" + "turns:turn.graven.dev:5350?transport=udp" + "turns:turn.graven.dev:5350?transport=tcp" + ]; + report_stats = true; withJemalloc = true; - extraConfigFiles = [ config.secrets.files.synapse_extra_config.file ]; - settings = { - server_name = "graven.dev"; - enable_registration = false; - registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file; - turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file; - max_upload_size = "100M"; - database.name = "psycopg2"; - database.args.user = "synapse"; - database.args.database = "synapse"; - turn_uris = [ - "turn:turn.graven.dev:3478?transport=udp" - "turn:turn.graven.dev:3478?transport=tcp" - "turn:turn.graven.dev:3479?transport=udp" - "turn:turn.graven.dev:3479?transport=tcp" - "turns:turn.graven.dev:5349?transport=udp" - "turns:turn.graven.dev:5349?transport=tcp" - "turns:turn.graven.dev:5350?transport=udp" - "turns:turn.graven.dev:5350?transport=tcp" - ]; - report_stats = true; - logConfig = '' - version: 1 - formatters: - precise: - format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + extraConfig = '' +password_config: + enabled: false +oidc_providers: + - idp_id: authentik + idp_name: authentik + 
discover: true + issuer: "https://auth.graven.dev/application/o/synapse/" + client_id: "7a77036d3b360265895f2ab5a51264ba586c93d5" + client_secret: "a9f9146fd13338230481a71c824d122bfb5e8a2118f2cdaf882746ad6726aeecd50ef522338acec89d3f8ccb8014124e022a6af6769807ea4271931f219a3f55" + allow_existing_users: true + scopes: + - "openid" + - "profile" + - "email" + user_mapping_provider: + config: + localpart_template: "{{ user.name }}" + display_name_template: "{{ user.name|capitalize }}" + ''; - handlers: - console: - class: logging.StreamHandler - formatter: precise + logConfig = '' +version: 1 - loggers: - synapse.storage.SQL: - # beware: increasing this to DEBUG will make synapse log sensitive - # information such as access tokens. - level: WARN +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' - root: - level: WARN - handlers: [console] +handlers: + console: + class: logging.StreamHandler + formatter: precise - disable_existing_loggers: false - ''; - listeners = [ - { - port = 8008; - bind_addresses = ["127.0.0.1"]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = false; - } - ]; - } - ]; - }; +loggers: + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN + +root: + level: WARN + handlers: [console] + +disable_existing_loggers: false + ''; + listeners = [ + { + port = 8008; + bind_address = "127.0.0.1"; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" "federation" ]; + compress = false; + } + ]; + } + ]; }; } diff --git a/config/hosts/wind/services/ttrss-plugins/fever.nix b/config/hosts/wind/services/ttrss-plugins/fever.nix deleted file mode 100644 index e7e5080..0000000 --- a/config/hosts/wind/services/ttrss-plugins/fever.nix +++ /dev/null 
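Review bot: The `oidc_providers` entry in the new `extraConfig` embeds the live `client_id` and `client_secret` of the authentik integration as plain text in a file that is committed to this repository and, as far as this module generation renders `extraConfig` into the generated homeserver config, also ends up in the world-readable Nix store on the host — verify the latter, but the former alone is enough to act on. Keep that YAML in a secret file referenced through `extraConfigFiles`, the same mechanism the other secrets in this file rely on, and treat the value now present in git history as compromised by rotating it in authentik. Separately, `turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;` and the `registration_shared_secret` line above it stringify what its name suggests is a path, not the file's contents; if so, the effective shared secret is that path string (coturn.nix does the same on `static-auth-secret`, so both sides still agree, but the secret is then predictable) — please confirm what `.file` evaluates to. The `services.matrix-synapse` block begins before this hunk.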
@@ -1,37 +0,0 @@ -{ lib, stdenv, fetchFromGitHub, tt-rss, ... }: - -stdenv.mkDerivation rec { - pname = "tt-rss-fever-api"; - version = "2.3.0"; - - src = fetchFromGitHub { - owner = "DigitalDJ"; - repo = "tinytinyrss-fever-plugin"; - rev = "${version}"; - sha256 = "fKHnF7pXMD04sWygoRnPH5hLUyWW4Dv/e4JWtfobX/g="; - }; - - installPhase = '' - mkdir -p $out/fever - cp -r fever_api.php index.php init.php $out/fever/ - ''; - - meta = { - description = "Fever API for Tiny Tiny RSS"; - longDescription = '' - This is a plugin for Tiny Tiny RSS (tt-rss). - - It lets you use feed reader programs which interface with the Fever feed - reader API together with Tiny Tiny RSS - ''; - license = lib.licenses.gpl3Only; - homepage = "https://github.com/DigitalDJ/tinytinyrss-fever-plugin"; - maintainers = [ { - email = "amanda@graven.dev"; - name = "Amanda Graven"; - github = "agraven"; - githubId = 23525639; - } ]; - inherit (tt-rss.meta) platforms; - }; -} diff --git a/config/hosts/wind/services/ttrss.nix b/config/hosts/wind/services/ttrss.nix index a93a1af..3a30bee 100644 --- a/config/hosts/wind/services/ttrss.nix +++ b/config/hosts/wind/services/ttrss.nix @@ -1,13 +1,10 @@ -{ config, pkgs, ... }: +{ config, ... }: { - services.tt-rss = { - enable = true; - registration.enable = false; - virtualHost = "rss.graven.dev"; - selfUrlPath = "https://rss.graven.dev"; - pluginPackages = [ - (pkgs.callPackage ./ttrss-plugins/fever.nix {}) - ]; - }; + services.tt-rss = { + enable = true; + registration.enable = true; + virtualHost = "rss.graven.dev"; + selfUrlPath = "https://rss.graven.dev"; + }; } diff --git a/config/hosts/wind/services/vaultwarden.nix b/config/hosts/wind/services/vaultwarden.nix index 987466a..bf6c7d3 100644 --- a/config/hosts/wind/services/vaultwarden.nix +++ b/config/hosts/wind/services/vaultwarden.nix 
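Review bot: `registration.enable = true;` opens self-service account creation on rss.graven.dev to anyone, where the previous configuration kept it closed; if public sign-up is not intended, set `registration.enable = false;`. Each tt-rss account can make the server fetch arbitrary feed URLs, so an open instance also turns this host into a request relay for whoever registers. The enclosing `services.tt-rss` block is fully contained in the hunk.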
@@ -3,7 +3,7 @@
 services.vaultwarden = {
 enable = true;
 environmentFile = config.secrets.files.vaultwarden_env.file;
- backupDir = "/var/backup/vaultwarden";
+ backupDir = "/var/lib/bitwarden_rs/backup";
 config = {
 domain = "https://vault.graven.dev";
 signupsAllowed = false;
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json
index 349dfba..63de6ff 100644
--- a/config/sources/nix/sources.json
+++ b/config/sources/nix/sources.json
@@ -5,10 +5,10 @@
 "homepage": "https://github.com/nmattia/niv",
 "owner": "nmattia",
 "repo": "niv",
- "rev": "368268e45dee0c94d1cf898381a384856379ad76",
- "sha256": "1k03n7qmaz6yf2r8i5sng4kii3rr1y36g8k70sg7piqz3npxisy3",
+ "rev": "df49d53b71ad5b6b5847b32e5254924d60703c46",
+ "sha256": "1j5p8mi1wi3pdcq0lfb881p97i232si07nb605dl92cjwnira88c",
 "type": "tarball",
- "url": "https://github.com/nmattia/niv/archive/368268e45dee0c94d1cf898381a384856379ad76.tar.gz",
+ "url": "https://github.com/nmattia/niv/archive/df49d53b71ad5b6b5847b32e5254924d60703c46.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixos-hardware": {
@@ -17,22 +17,22 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61", - "sha256": "1al72rhlaa6g725syx72klpismv8xygdd55smqfwa9xglhv35r34", + "rev": "feceb4d24f582817d8f6e737cd40af9e162dee05", + "sha256": "1q92jq6xf5b1pshai9j72cj17r0ah3fhrx669h3vc58rj7xvgiw7", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/2096f3f411ce46e88a79ae4eafcfc9df8ed41c61.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/feceb4d24f582817d8f6e737cd40af9e162dee05.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "nixos-25.11", + "branch": "nixos-21.11", "description": "Nix Packages collection", "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160", - "sha256": "0vma331213djanwmb7ibgmi5290952h6ri123xwb66mg58k8r200", + "rev": "ccb90fb9e11459aeaf83cc28d5f8910816d90dd0", + "sha256": "1jlyhw5nf7pcxg22k1bwkv13vm02p86d7jf6znihl3hczz1yfgi0", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/a4bf06618f0b5ee50f14ed8f0da77d34ecc19160.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/ccb90fb9e11459aeaf83cc28d5f8910816d90dd0.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { @@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "b12665bc80134ac167eef1fff2f4e41e1f8925cb", - "sha256": "11894412807mhg0kgkrn4bjbdk9b2a89b0plh0bpdn06c8pfg11g", + "rev": "d1e1057a31f16a75d9f871e311c4aaaf664561b9", + "sha256": "0d4576dssr6l4vdpi86rbf6dyn3jfl3csvmn9csd4n6dj53f5pqm", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/b12665bc80134ac167eef1fff2f4e41e1f8925cb.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/d1e1057a31f16a75d9f871e311c4aaaf664561b9.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } 
diff --git a/config/sources/nix/sources.nix b/config/sources/nix/sources.nix index fe3dadf..1938409 100644 --- a/config/sources/nix/sources.nix +++ b/config/sources/nix/sources.nix 
@@ -10,50 +10,29 @@ let let name' = sanitizeName name + "-src"; in - if spec.builtin or true then - builtins_fetchurl { inherit (spec) url sha256; name = name'; } - else - pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; name = name'; } + else + pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; fetch_tarball = pkgs: name: spec: let name' = sanitizeName name + "-src"; in - if spec.builtin or true then - builtins_fetchTarball { name = name'; inherit (spec) url sha256; } - else - pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; + if spec.builtin or true then + builtins_fetchTarball { name = name'; inherit (spec) url sha256; } + else + pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; fetch_git = name: spec: let ref = - spec.ref or ( + if spec ? ref then spec.ref else if spec ? branch then "refs/heads/${spec.branch}" else - if spec ? tag then "refs/tags/${spec.tag}" else - abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!" - ); - submodules = spec.submodules or false; - submoduleArg = - let - nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; - emptyArgWithWarning = - if submodules - then - builtins.trace - ( - "The niv input \"${name}\" uses submodules " - + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " - + "does not support them" - ) - { } - else { }; - in - if nixSupportsSubmodules - then { inherit submodules; } - else emptyArgWithWarning; + if spec ? tag then "refs/tags/${spec.tag}" else + abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; in - builtins.fetchGit - ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); + builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; fetch_local = spec: spec.path; 
@@ -87,16 +66,16 @@ let hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; hasThisAsNixpkgsPath = == ./.; in - if builtins.hasAttr "nixpkgs" sources - then sourcesNixpkgs - else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then - import { } - else - abort - '' - Please specify either (through -I or NIX_PATH=nixpkgs=...) or - add a package called "nixpkgs" to your sources.json. - ''; + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import {} + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; # The actual fetching function. fetch = pkgs: name: spec: @@ -116,13 +95,13 @@ let # the path directly as opposed to the fetched source. replace = name: drv: let - saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name; + saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; in - if ersatz == "" then drv else - # this turns the string into an actual Nix path (for both absolute and - # relative paths) - if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}"; + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}"; # Ports of functions for older nix versions 
@@ -133,7 +112,7 @@ let ); # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 - range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1); + range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); 
@@ -144,46 +123,43 @@ let concatStrings = builtins.concatStringsSep ""; # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 - optionalAttrs = cond: as: if cond then as else { }; + optionalAttrs = cond: as: if cond then as else {}; # fetchTarball version that is compatible between all the versions of Nix builtins_fetchTarball = { url, name ? null, sha256 }@attrs: let inherit (builtins) lessThan nixVersion fetchTarball; in - if lessThan nixVersion "1.12" then - fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; })) - else - fetchTarball attrs; + if lessThan nixVersion "1.12" then + fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchTarball attrs; # fetchurl version that is compatible between all the versions of Nix builtins_fetchurl = { url, name ? null, sha256 }@attrs: let inherit (builtins) lessThan nixVersion fetchurl; in - if lessThan nixVersion "1.12" then - fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; })) - else - fetchurl attrs; + if lessThan nixVersion "1.12" then + fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchurl attrs; # Create the final "sources" from the config mkSources = config: - mapAttrs - ( - name: spec: - if builtins.hasAttr "outPath" spec - then - abort - "The values in sources.json should not have an 'outPath' attribute" - else - spec // { outPath = replace name (fetch config.pkgs name spec); } - ) - config.sources; + mapAttrs ( + name: spec: + if builtins.hasAttr "outPath" spec + then abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = replace name (fetch config.pkgs name spec); } + ) config.sources; # The "config" used by the fetchers mkConfig = { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null - , sources ? 
if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile) + , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) , system ? builtins.currentSystem , pkgs ? mkPkgs sources system }: rec { @@ -195,4 +171,4 @@ let }; in -mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); } +mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/deploy/default.nix b/deploy/default.nix index 023444f..ee07e2e 100644 --- a/deploy/default.nix +++ b/deploy/default.nix @@ -13,21 +13,21 @@ in import "${sources.nixus}" {} ({ config, ... }: { nodes = { wind = { lib, config, ... }: { - host = "graven.dev"; + host = "emelie@graven.dev"; configuration = ../config/hosts/wind/configuration.nix; switchTimeout = 300; successTimeout = 300; ignoreFailingSystemdUnits = true; }; grondahl = { lib, config, ... }: { - host = "anarkafem.dev"; + host = "emelie@anarkafem.dev"; configuration = ../config/hosts/grondahl/configuration.nix; successTimeout = 300; switchTimeout = 300; ignoreFailingSystemdUnits = true; }; rudiger = { lib, config, ... }: { - host = "cloud.graven.dev"; + host = "emelie@cloud.graven.dev"; configuration = ../config/hosts/rudiger/configuration.nix; switchTimeout = 300; successTimeout = 300; diff --git a/shell.nix b/shell.nix deleted file mode 100644 index d11b0d4..0000000 --- a/shell.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs ? import {} }: - -pkgs.mkShell { - packages = with pkgs; [ - niv - ]; -}