diff --git a/.EditorConfig b/.EditorConfig
new file mode 100644
index 0000000..24f2e16
--- /dev/null
+++ b/.EditorConfig
@@ -0,0 +1,4 @@
+root = true
+
+[*.nix]
+indent_style = "tab"
diff --git a/.git-crypt/keys/default/0/3C377393274931EF017630D5A2168D0DBE59D7CC.gpg b/.git-crypt/keys/default/0/3C377393274931EF017630D5A2168D0DBE59D7CC.gpg
new file mode 100644
index 0000000..98fecd4
Binary files /dev/null and b/.git-crypt/keys/default/0/3C377393274931EF017630D5A2168D0DBE59D7CC.gpg differ
diff --git a/.git-crypt/keys/default/0/8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg b/.git-crypt/keys/default/0/8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg
new file mode 100644
index 0000000..8025707
Binary files /dev/null and b/.git-crypt/keys/default/0/8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg differ
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..b988793
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "config/hosts/grondahl/services/ooye"]
+ path = config/hosts/grondahl/services/ooye
+ url = https://cgit.rory.gay/nix/OOYE-module.git
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..af79aff
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,12 @@
+all: result
+
+.PHONY: update result deploy
+
+result:
+ nix build -f deploy/default.nix
+
+update:
+ cd config/sources && niv update
+
+deploy:
+ ./result
diff --git a/README.md b/README.md
index 885ac1b..6852b72 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,27 @@
 NixOS deployments using [nixus](https://github.com/Infinisil/nixus).
+
+TL;DR:
+1. `make update`
+2. `make result`
+3. `make deploy`
+
+First make sure you have `niv` so you can upgrade dependency versions in `sources.json`.
+```sh
+nix-shell -p niv
+(cd config/sources && niv update)
+```
+Build with:
+```sh
+nix-build deploy/
+```
+Deploy by running the generated executable.
+```sh
+./result
+```
+
+## Switching nixpkgs branch
+```sh
+cd config/sources
+niv modify nixpkgs -b nixos-xx.yy
+```
+
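Review bot: The new `.EditorConfig` will be ignored on case-sensitive filesystems, because EditorConfig tooling looks for a file named exactly `.editorconfig`, and its one property is written as `indent_style = "tab"` where the specification expects the bare word (`indent_style = tab`; whether a given core strips the quotes is implementation-dependent). Rename the file and drop the quotes. While here, the Makefile's `deploy` target has no prerequisite, so `make deploy` on a fresh checkout runs a `./result` that does not exist yet; `deploy: result` would tie it to the build.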
diff --git a/config/common/configuration/documentation.nix b/config/common/configuration/documentation.nix
new file mode 100644
index 0000000..bc47744
--- /dev/null
+++ b/config/common/configuration/documentation.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+ # Some docs fail to build, so we need to disable some of it
+ documentation = {
+ enable = true;
+ man.enable = true;
+ doc.enable = true;
+ dev.enable = false;
+ nixos.enable = false;
+ };
+}
diff --git a/config/common/configuration/nix.nix b/config/common/configuration/nix.nix
new file mode 100644
index 0000000..8540329
--- /dev/null
+++ b/config/common/configuration/nix.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+# Configuration options for the nix package manager
+{
+ nix.gc = {
+ # Run garbage collection automatically
+ automatic = true;
+ # Run it once a week
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+}
diff --git a/config/common/data/pubkeys/backup_host_ed25519_key.pub b/config/common/data/pubkeys/backup_host_ed25519_key.pub
new file mode 100644
index 0000000..6c326b4
--- /dev/null
+++ b/config/common/data/pubkeys/backup_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4C5OgZpxoF42L5rPqwejs+Q1ViN9TM9o/fEbpnPFtA
diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/config/common/data/pubkeys/despondos_host_ed25519_key.pub
deleted file mode 100644
index 6367ffa..0000000
--- a/config/common/data/pubkeys/despondos_host_ed25519_key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7
diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix
index 6c375a6..b6f3187 100644
--- a/config/common/services/nginx.nix
+++ b/config/common/services/nginx.nix
@@ -20,26 +20,26 @@ map $scheme $hsts_header {
 https "max-age=31536000; includeSubdomains; preload";
 }
- add_header Strict-Transport-Security $hsts_header;
+ #add_header Strict-Transport-Security $hsts_header;
 # Enable CSP for your services.
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 # Minimize information leaked to other domains
- add_header 'Referrer-Policy' 'same-origin';
+ #add_header 'Referrer-Policy' 'same-origin';
 # Disable embedding as a frame
- add_header X-Frame-Options DENY;
+ #add_header X-Frame-Options DENY;
 # Prevent injection of code in other mime types (XSS Attacks)
- add_header X-Content-Type-Options nosniff;
+ #add_header X-Content-Type-Options nosniff;
 # Enable XSS protection of the browser.
 # May be unnecessary when CSP is configured properly (see above)
- add_header X-XSS-Protection "1; mode=block";
+ #add_header X-XSS-Protection "1; mode=block";
 # This might create errors
- proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
 '';
 };
 }
diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix
index a454669..c7d5528 100644
--- a/config/common/services/ssh.nix
+++ b/config/common/services/ssh.nix
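Review bot: Every hardening header in this hunk (HSTS, `Referrer-Policy`, `X-Frame-Options`, `X-Content-Type-Options`, `X-XSS-Protection`) and the `proxy_cookie_path` secure/HttpOnly/SameSite rewrite is commented out with no reason given, and because this is the shared `common/services/nginx.nix` the regression applies to every vhost on all three hosts, including the Synapse, Nextcloud, authentik and Vaultwarden proxies. If one header broke one application, disable it in that vhost's `extraConfig` rather than globally; `Strict-Transport-Security` and `X-Content-Type-Options nosniff` in particular are safe to keep everywhere. If the removal is intentional, a comment above the block naming the service that needed it and the date is the minimum a future reader needs to know when it can be reverted. The enclosing `''` string and attribute set start before this hunk.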
@@ -2,19 +2,21 @@
 {
 services.openssh = {
 enable = true;
- permitRootLogin = "no";
- passwordAuthentication = false;
- challengeResponseAuthentication = false;
 hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ];
- kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
- macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ settings = {
+ KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+ Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ PermitRootLogin = "no";
+ KbdInteractiveAuthentication = false;
+ PasswordAuthentication = false;
+ };
 };
 programs.ssh.knownHosts = {
- despondos = {
- hostNames = [ "despondos.nao.sh" ];
- publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+ backup = {
+ hostNames = [ "backup.graven.dev" ];
+ publicKeyFile = ../data/pubkeys/backup_host_ed25519_key.pub;
 };
 };
diff --git a/config/common/services/tailscale.nix b/config/common/services/tailscale.nix
new file mode 100644
index 0000000..18afac7
--- /dev/null
+++ b/config/common/services/tailscale.nix
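Review bot: `Macs` lists `hmac-sha2-512-etm@openssh.com` twice; the duplicate was already in the old `macs` list, but this migration to `settings` is the moment to drop it: `Macs = [ "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];` (or add the sha2-256 ETM variant if a second entry was intended). The rest of the move keeps root login, password and keyboard-interactive authentication disabled, matching the old behaviour. Note that the replaced `knownHosts` entry now pins `backup.graven.dev`, which the new borg jobs and the rudiger restic jobs in this commit depend on for host-key verification, so it must be updated together with any rotation of that host's key.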
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+{
+environment.systemPackages = [ pkgs.tailscale ];
+
+services.tailscale.enable = false;
+
+ # ...
+
+ # create a oneshot job to authenticate to Tailscale
+ systemd.services.tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ # make sure tailscale is running before trying to connect to tailscale
+ after = [ "network-pre.target" "tailscale.service" ];
+ wants = [ "network-pre.target" "tailscale.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ # set this service as a oneshot job
+ serviceConfig.Type = "oneshot";
+
+ # have the job run this shell script
+ script = with pkgs; ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${tailscale}/bin/tailscale up -authkey CHANGEME
+ '';
+ };
+
+}
diff --git a/config/common/users.nix b/config/common/users.nix
index e39133d..ec351ab 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -5,8 +5,7 @@
 isNormalUser = true;
 extraGroups = [ "wheel" ];
 openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAn9xV1GA/hMkCFoP7DWzYyGmbeiri823fHMRz0ZVoxq emelie-personal-bw"
 ];
 };
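Review bot: `${tailscale}/bin/tailscale up -authkey CHANGEME` commits a placeholder where a credential belongs, and since this module is imported by all three hosts the unit will run as root at every boot once `services.tailscale.enable` is flipped on; NixOS already provides `services.tailscale.authKeyFile` for exactly this, which would let the whole `tailscale-autoconnect` unit go and keep the key in the secrets mechanism the rest of this commit uses (`config.secrets.files.<name>.file`). As far as I can tell, with `services.tailscale.enable = false` the oneshot still starts (`wants` on a missing unit does not gate it), `tailscale status` fails, and `$status` expands to nothing, so `[ $status = "Running" ]` is a shell syntax error rather than a clean "not running"; at minimum quote it, `if [ "$status" = "Running" ]; then`, and gate the unit with `enable = config.services.tailscale.enable;`. The bare `# ...` line and the unexplained `sleep 2` read like a pasted snippet; a comment naming the source and why the sleep is needed would help the next reader.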
@@ -17,6 +16,10 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwmREgBmckocQerEfO4XhB+dbKDsZopok37ePWHwCEj id_ed25519"
 "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILrZWS1PBVRbdmPh8IJdIPHhK0+ZuSnQCR10a8Bl11VZAAAABHNzaDo= amanda@sharpy"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6v5D/aJuIhuIVcnzFA7ocxPMI8JgHEnxSPuD+SaLHX amanda@sharpy"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+0x2uHcuXpFQdeXeUWeLGPefWo6Sd7yy2FJlyZy8V+ amanda@tappy"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKWhc20jOFF+pVVT/Mf1ACYOtppkYWkP7NkY0/fPvjPAAAAFHNzaDphMy1uazNhLXBlcnNvbmFs ssh:a3-nk3a-personal"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMLbLay9KARrdb8QM4OLzmqWIN48rZMX6wCddBwYT/U amanda@gpg"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGMWTQc7A3W/LI4AgFWy/Uw/+oMucmSziuJKxC2rleo amanda@bitwarden"
 ];
 };
 };
diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix
index 6d317be..a4bb6cf 100644
--- a/config/hosts/grondahl/configuration.nix
+++ b/config/hosts/grondahl/configuration.nix
@@ -5,23 +5,26 @@
 [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./data/secrets/secrets.nix
+ ../../common/configuration/nix.nix
+ ../../common/configuration/documentation.nix
 ../../common/services/ssh.nix
- ../../common/users.nix
+ ../../common/services/tailscale.nix
+ ../../common/users.nix
 ./services/acme.nix
+ ./services/borg.nix
 ./services/coturn.nix
 ./services/nginx.nix
- ./services/restic.nix
 ./services/synapse.nix
 ./services/postgres.nix
+ ./services/ooye.nix
 #./services/mail.nix
 #./services/containers.nix
 #./services/redis.nix
 ];
 boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
 boot.loader.grub.device = "/dev/vda";
- boot.kernelPackages = pkgs.linuxPackages_5_10;
+ boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 networking = {
 hostName = "grondahl";
 useDHCP = false;
@@ -49,9 +52,9 @@
 security.sudo.wheelNeedsPassword = false;
- nix = {
- autoOptimiseStore = true;
- trustedUsers = [
+ nix.settings = {
+ auto-optimise-store = true;
+ trusted-users = [
 "root"
 "@wheel"
 ];
@@ -72,9 +75,15 @@
 dig
 ];
- networking.firewall.allowedTCPPorts = [ 22 80 443 ];
- networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
- networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
+ networking.firewall = {
+ enable = true;
+ checkReversePath = "loose";
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ allowedTCPPorts = [ 22 80 443 ];
+ allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
+ allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
+ };
 system.stateVersion = "21.05";
diff --git a/config/hosts/grondahl/data/secrets/acme_anarkafem_dev b/config/hosts/grondahl/data/secrets/acme_anarkafem_dev
deleted file mode 100644
index 5e08a24..0000000
Binary files a/config/hosts/grondahl/data/secrets/acme_anarkafem_dev and /dev/null differ
diff --git a/config/hosts/grondahl/data/secrets/borg_pass b/config/hosts/grondahl/data/secrets/borg_pass
new file mode 100644
index 0000000..1d65621
Binary files /dev/null and b/config/hosts/grondahl/data/secrets/borg_pass differ
diff --git a/config/hosts/grondahl/data/secrets/ooye_client_secret b/config/hosts/grondahl/data/secrets/ooye_client_secret
new file mode 100644
index 0000000..719fb6e
Binary files /dev/null and b/config/hosts/grondahl/data/secrets/ooye_client_secret differ
diff --git a/config/hosts/grondahl/data/secrets/ooye_token b/config/hosts/grondahl/data/secrets/ooye_token
new file mode 100644
index 0000000..99de111
Binary files /dev/null and b/config/hosts/grondahl/data/secrets/ooye_token differ
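Review bot: The firewall block opens `config.services.tailscale.port` on UDP and puts `tailscale0` in `trustedInterfaces`, which disables every port restriction for anything on the tailnet, while the imported `common/services/tailscale.nix` in this same commit sets `services.tailscale.enable = false`; the rudiger `configuration.nix` hunk has the identical pair. Until tailscale is actually enabled the UDP hole serves nothing, and once it is, a trusted interface means one compromised tailnet member reaches Postgres, Redis, coturn and every other local listener directly — if that is intended, say so in a comment; if not, list the ports needed over the tailnet in `allowedTCPPorts` instead. `checkReversePath = "loose"` is the documented requirement for tailscale's subnet/exit-node routing, so a one-line `# required by tailscale` on it would spare the next reader the search.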
diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix index 1feacfc..88d7155 100644 Binary files a/config/hosts/grondahl/data/secrets/secrets.nix and b/config/hosts/grondahl/data/secrets/secrets.nix differ diff --git a/config/hosts/grondahl/data/secrets/synapse_db_password b/config/hosts/grondahl/data/secrets/synapse_db_password deleted file mode 100644 index c2cd71a..0000000 Binary files a/config/hosts/grondahl/data/secrets/synapse_db_password and /dev/null differ diff --git a/config/hosts/grondahl/data/secrets/synapse_extra_config b/config/hosts/grondahl/data/secrets/synapse_extra_config new file mode 100644 index 0000000..022aa1e Binary files /dev/null and b/config/hosts/grondahl/data/secrets/synapse_extra_config differ diff --git a/config/hosts/grondahl/hardware-configuration.nix b/config/hosts/grondahl/hardware-configuration.nix index 1460245..47e53af 100644 --- a/config/hosts/grondahl/hardware-configuration.nix +++ b/config/hosts/grondahl/hardware-configuration.nix @@ -2,7 +2,7 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/minimal.nix") + #(modulesPath + "/profiles/minimal.nix") ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ]; diff --git a/config/hosts/grondahl/services/acme.nix b/config/hosts/grondahl/services/acme.nix index a69f94e..687ea2a 100644 --- a/config/hosts/grondahl/services/acme.nix +++ b/config/hosts/grondahl/services/acme.nix @@ -3,12 +3,7 @@ { security.acme = { acceptTerms = true; - email = "admin+certs@anarkafem.dev"; - certs."anarkafem.dev" = { - extraDomainNames = [ "*.anarkafem.dev" ]; - dnsProvider = "hurricane"; - credentialsFile = config.secrets.files.acme_anarkafem_dev.file; - }; + defaults.email = "admin+certs@anarkafem.dev"; }; } diff --git a/config/hosts/grondahl/services/borg.nix b/config/hosts/grondahl/services/borg.nix new file mode 100644 index 0000000..bb86d9d 
--- /dev/null
+++ b/config/hosts/grondahl/services/borg.nix
@@ -0,0 +1,26 @@
+{ config, ... }:
+
+{
+ services.borgbackup.jobs = {
+ postgres = {
+ paths = "/var/lib/postgresql/backup";
+ repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/postgres";
+ encryption.mode = "repokey";
+ encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
+ environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
+ compression = "auto,zstd";
+ startAt = "*-*-* 03:15:00";
+ user = "postgres";
+ };
+ synapse = {
+ paths = "/var/lib/matrix-synapse";
+ repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/synapse";
+ encryption.mode = "repokey";
+ encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
+ environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
+ compression = "auto,zstd";
+ startAt = "*-*-* 03:45:00";
+ user = "matrix-synapse";
+ };
+ };
+}
diff --git a/config/hosts/grondahl/services/nginx.nix b/config/hosts/grondahl/services/nginx.nix
index d313927..7b5d306 100644
--- a/config/hosts/grondahl/services/nginx.nix
+++ b/config/hosts/grondahl/services/nginx.nix
@@ -1,8 +1,13 @@
 {
 imports = [ ../../../common/services/nginx.nix ];
 services.nginx.virtualHosts = {
+ "ooye.anarkafem.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:6693/";
+ };
 "anarkafem.dev" = {
- useACMEHost = "anarkafem.dev";
+ enableACME = true;
 forceSSL = true;
 locations."/".root = "/var/www/anarkafem.dev/public";
 locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
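Review bot: Both borg jobs drop the retention policy that the deleted `restic.nix` carried (`--keep-daily 7 --keep-weekly 5 --keep-monthly 12 --keep-yearly 75`); with no `prune.keep` the NixOS module never runs `borg prune`, so the repositories grow without bound. Add to each job e.g. `prune.keep = { daily = 7; weekly = 5; monthly = 12; yearly = 75; };`. The jobs reference `borg_pass_postgres` and `borg_pass_synapse` (and `ssh_key_postgres`/`ssh_key_synapse`) but the only new secret blob in this commit is `data/secrets/borg_pass`, and `secrets.nix` is binary here; if both names resolve to that one file, the two repositories share a passphrase, which deserves a comment either way. `passCommand` and `BORG_RSH` run as the job's `user` (`postgres`, `matrix-synapse`), so those secret files must be readable by those users; the same points apply to the rudiger `borg.nix` hunk.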
@@ -21,14 +26,21 @@
 };
 };
 "cal.anarkafem.dev" = {
- useACMEHost = "anarkafem.dev";
+ enableACME = true;
 forceSSL = true;
 locations."/".proxyPass = "http://127.0.0.1:4000";
 };
 "auth.anarkafem.dev" = {
- useACMEHost = "anarkafem.dev";
+ enableACME = true;
 forceSSL = true;
 locations."/".proxyPass = "http://127.0.0.1:9000";
 };
+ "beanz.one" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ root = "/var/www/beanz.one/public";
+ };
+ };
 };
 }
diff --git a/config/hosts/grondahl/services/ooye b/config/hosts/grondahl/services/ooye
new file mode 160000
index 0000000..11cc65e
--- /dev/null
+++ b/config/hosts/grondahl/services/ooye
@@ -0,0 +1 @@
+Subproject commit 11cc65efa2909bdc7e3e978bf1f56f6d141bf82a
diff --git a/config/hosts/grondahl/services/ooye.nix b/config/hosts/grondahl/services/ooye.nix
new file mode 100644
index 0000000..f739cf3
--- /dev/null
+++ b/config/hosts/grondahl/services/ooye.nix
@@ -0,0 +1,16 @@
+# Out of your Element prerequisites
+{ config, ... }:
+{
+ imports = [
+ ./ooye/module.nix
+ ];
+ services.matrix-ooye = {
+ enable = true;
+ homeserver = "http://localhost:8008";
+ namespace = "_discord_";
+ discordClientSecretPath = builtins.toString config.secrets.files.ooye_client_secret.file;
+ discordTokenPath = builtins.toString config.secrets.files.ooye_token.file;
+ bridgeOrigin = "https://ooye.anarkafem.dev";
+ enableSynapseIntegration = true;
+ };
+}
diff --git a/config/hosts/grondahl/services/postgres.nix b/config/hosts/grondahl/services/postgres.nix
index 950c67a..8a1c392 100644
--- a/config/hosts/grondahl/services/postgres.nix
+++ b/config/hosts/grondahl/services/postgres.nix
@@ -2,8 +2,8 @@
 {
 services.postgresql = {
 enable = true;
- package = pkgs.postgresql_13;
- extraPlugins = with config.services.postgresql.package.pkgs; [
+ package = pkgs.postgresql_16;
+ extensions = with config.services.postgresql.package.pkgs; [
 postgis
 ];
 ensureDatabases = [
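Review bot: `homeserver = "http://localhost:8008"` names a host while the Synapse listener in this same commit binds `bind_addresses = ["127.0.0.1"]` only; if `localhost` resolves to `::1` first on this machine the bridge cannot reach Synapse, so `http://127.0.0.1:8008` removes the guess. The module is pulled from a third-party cgit repository through a submodule pinned at `11cc65e` and is evaluated as part of the system closure; pinning by commit is the right call, and a comment in `ooye.nix` naming the upstream and the reason for the pin would make future bumps reviewable.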
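Review bot: `package = pkgs.postgresql_13` → `pkgs.postgresql_16` is a major-version jump that the NixOS module does not migrate: its default `dataDir` is versioned (`/var/lib/postgresql/<major>`), so after this deploy the new server starts on an empty cluster, `ensureDatabases` creates empty databases, and Synapse, mobilizon and authentik come up with no data while the 13 directory sits untouched. The switch needs a `pg_upgrade` (or dump from `/var/lib/postgresql/backup` and restore) step first, and that procedure belongs in the commit message. The rudiger `postgres.nix` hunk pins `postgresql_15` on a host whose previous package was the `stateVersion = "21.05"` default and has the same problem.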
@@ -14,15 +14,15 @@
 ensureUsers = [
 {
 name = "matrix-synapse";
- ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+ ensureDBOwnership = true;
 }
 {
 name = "mobilizon";
- ensurePermissions."DATABASE mobilizon" = "ALL PRIVILEGES";
+ ensureDBOwnership = true;
 }
 {
 name = "authentik";
- ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES";
+ ensureDBOwnership = true;
 }
 ];
 initialScript = pkgs.writeText "synapse-init.sql" ''
diff --git a/config/hosts/grondahl/services/redis.nix b/config/hosts/grondahl/services/redis.nix
index 6a001e1..94a915e 100644
--- a/config/hosts/grondahl/services/redis.nix
+++ b/config/hosts/grondahl/services/redis.nix
@@ -1,11 +1,13 @@
 { config, ... }:
 {
 services.redis = {
- enable = true;
- unixSocket = "/run/redis/redis.sock";
 vmOverCommit = true;
- unixSocketPerm = 770;
- #requirePassfile = config.secrets.files.redis_pass.file;
+ servers."" = {
+ enable = true;
+ unixSocket = "/run/redis/redis.sock";
+ unixSocketPerm = 770;
+ #requirePassfile = config.secrets.files.redis_pass.file;
+ };
 };
 }
diff --git a/config/hosts/grondahl/services/restic.nix b/config/hosts/grondahl/services/restic.nix
deleted file mode 100644
index f92203e..0000000
--- a/config/hosts/grondahl/services/restic.nix
+++ /dev/null
@@ -1,26 +0,0 @@ -{ config, ... }: -{ - services.restic.backups = { - "postgres" = { - paths = [ "/var/lib/postgresql/backup" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/postgres"; - initialize = true; - pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; - timerConfig = { "OnCalendar" = "03:15"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; - passwordFile = builtins.toString config.secrets.files.restic_pass.file; - user = "postgres"; - }; - "synapse" = { - paths = [ "/var/lib/matrix-synapse" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/synapse"; - initialize = true; - pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; - timerConfig = { "OnCalendar" = "03:45"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; - passwordFile = builtins.toString config.secrets.files.restic_pass.file; - user = "matrix-synapse"; - }; - }; -} - diff --git a/config/hosts/grondahl/services/synapse.nix b/config/hosts/grondahl/services/synapse.nix index 210914f..8eaca03 100644 --- a/config/hosts/grondahl/services/synapse.nix +++ b/config/hosts/grondahl/services/synapse.nix 
@@ -3,72 +3,76 @@ { services.matrix-synapse = { enable = true; - server_name = "anarkafem.dev"; - enable_registration = false; - registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file; - turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file; - max_upload_size = "100M"; - database_type = "psycopg2"; - database_args = { - password = builtins.toString config.secrets.files.synapse_db_password.file; - }; - turn_uris = [ - "turn:turn.anarkafem.dev:3478?transport=udp" - "turn:turn.anarkafem.dev:3478?transport=tcp" - "turn:turn.anarkafem.dev:3479?transport=udp" - "turn:turn.anarkafem.dev:3479?transport=tcp" - "turns:turn.anarkafem.dev:5349?transport=udp" - "turns:turn.anarkafem.dev:5349?transport=tcp" - "turns:turn.anarkafem.dev:5350?transport=udp" - "turns:turn.anarkafem.dev:5350?transport=tcp" - ]; - report_stats = false; withJemalloc = true; - servers = { "anarkafem.dev" = {}; }; - extraConfig = '' - default_room_version: "9" - auto_join_rooms: - - "#suf-aalborg:anarkafem.dev" - ''; - logConfig = '' - version: 1 + settings = { + database = { + name = "psycopg2"; + args.user = "matrix-synapse"; + args.database = "matrix-synapse"; + }; - formatters: - precise: - format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + server_name = "anarkafem.dev"; + enable_registration = false; + registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file; + turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file; + max_upload_size = "100M"; + turn_uris = [ + "turn:turn.anarkafem.dev:3478?transport=udp" + "turn:turn.anarkafem.dev:3478?transport=tcp" + "turn:turn.anarkafem.dev:3479?transport=udp" + "turn:turn.anarkafem.dev:3479?transport=tcp" + "turns:turn.anarkafem.dev:5349?transport=udp" + "turns:turn.anarkafem.dev:5349?transport=tcp" + "turns:turn.anarkafem.dev:5350?transport=udp" + 
"turns:turn.anarkafem.dev:5350?transport=tcp" + ]; + report_stats = false; + servers = { "anarkafem.dev" = {}; }; + extraConfig = '' + default_room_version: "9" + auto_join_rooms: + - "#suf-aalborg:anarkafem.dev" + ''; + logConfig = '' + version: 1 - handlers: - console: - class: logging.StreamHandler - formatter: precise + formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' - loggers: - synapse.storage.SQL: - # beware: increasing this to DEBUG will make synapse log sensitive - # information such as access tokens. - level: INFO + handlers: + console: + class: logging.StreamHandler + formatter: precise - root: - level: INFO - handlers: [console] + loggers: + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: INFO - disable_existing_loggers: false - ''; - listeners = [ - { - port = 8008; - bind_address = "127.0.0.1"; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = false; - } - ]; - } - ]; + root: + level: INFO + handlers: [console] + + disable_existing_loggers: false + ''; + listeners = [ + { + port = 8008; + bind_addresses = ["127.0.0.1"]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" "federation" ]; + compress = false; + } + ]; + } + ]; + }; }; } diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix index 4b3c0c9..b096665 100644 --- a/config/hosts/rudiger/configuration.nix +++ b/config/hosts/rudiger/configuration.nix 
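Review bot: Under `settings = { … }` the keys `extraConfig`, `logConfig` and `servers` look like the old top-level option names carried over rather than Synapse configuration keys; `settings` is freeform, so they are written into `homeserver.yaml` verbatim and, as far as I know, Synapse does not reject unknown keys, which means `default_room_version`, `auto_join_rooms` and the whole log configuration (including the `synapse.storage.SQL` INFO level that keeps access tokens out of the logs) silently stop applying. Move the YAML from `extraConfig` into real keys (`settings.default_room_version = "9";`, `settings.auto_join_rooms = [ "#suf-aalborg:anarkafem.dev" ];`) and the logging into the module's `log` option or a file referenced by `settings.log_config`. Separately, `registration_shared_secret` and `turn_shared_secret` are assigned `builtins.toString …file`, i.e. the secret's *path*, which then becomes the literal shared secret written into the world-readable store config; the `synapse_extra_config` secret added in this same commit looks like the intended vehicle via `services.matrix-synapse.extraConfigFiles`, so wire that up and drop these two keys from `settings`. This hunk starts on the previous line and the `services.matrix-synapse` block is cut at the top.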
@@ -1,83 +1,93 @@ { config, pkgs, ... }: { - imports = - [ - ./hardware-configuration.nix - ./data/secrets/secrets.nix - ../../common/services/ssh.nix - ../../common/users.nix - ./services/acme.nix - ./services/nextcloud.nix - ./services/nginx.nix - ./services/postgres.nix - ./services/redis.nix - ./services/restic.nix - ]; + imports = [ + ./hardware-configuration.nix + ./data/secrets/secrets.nix + ../../common/configuration/nix.nix + ../../common/configuration/documentation.nix + ../../common/services/ssh.nix + ../../common/services/tailscale.nix + ../../common/users.nix + ./services/acme.nix + ./services/immich.nix + ./services/nextcloud.nix + ./services/nginx.nix + ./services/postgres.nix + ./services/redis.nix + ./services/restic.nix + ]; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; - boot.supportedFilesystems = ["zfs"]; - services.zfs.autoSnapshot.enable = true; - services.zfs.autoScrub.enable = true; + boot.supportedFilesystems = ["zfs"]; + services.zfs.autoSnapshot.enable = false; + services.zfs.autoScrub.enable = true; - time.timeZone = "Europe/Copenhagen"; + time.timeZone = "Europe/Copenhagen"; - networking = { - hostName = "rudiger"; - hostId = "8c7b66a4"; - useDHCP = false; - tempAddresses = "disabled"; - interfaces = { - "ens3" = { - ipv4.addresses = [ { - address = "202.61.202.170"; - prefixLength = 22; - } ]; - ipv6.addresses = [ { - address = "2a03:4000:5a:c61::1"; - prefixLength = 64; - } ]; - }; - }; - defaultGateway = "202.61.200.1"; - defaultGateway6 = { - address = "fe80::1"; - interface = "ens3"; - }; - nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; - }; + networking = { + hostName = "rudiger"; + hostId = "8c7b66a4"; + useDHCP = false; + tempAddresses = "disabled"; + interfaces = { + "ens3" = { + 
ipv4.addresses = [ { + address = "202.61.202.170"; + prefixLength = 22; + } ]; + ipv6.addresses = [ { + address = "2a03:4000:5a:c61::1"; + prefixLength = 64; + } ]; + }; + }; + defaultGateway = "202.61.200.1"; + defaultGateway6 = { + address = "fe80::1"; + interface = "ens3"; + }; + nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; + }; - nix = { - autoOptimiseStore = true; - trustedUsers = [ - "root" - "@wheel" - ]; - }; + nix.settings = { + auto-optimise-store = true; + trusted-users = [ + "root" + "@wheel" + ]; + }; - environment.systemPackages = with pkgs; [ - vim - wget - htop - iotop - dig - ]; - security.sudo.wheelNeedsPassword = false; + environment.systemPackages = with pkgs; [ + vim + wget + htop + iotop + dig + tailscale + ]; + security.sudo.wheelNeedsPassword = false; - systemd.services."nextcloud-setup" = { - requires = [ "postgresql.service" "redis.service" ]; - after = [ "postgresql.service" "redis.service" ]; - }; + systemd.services."nextcloud-setup" = { + requires = [ "postgresql.service" "redis.service" ]; + after = [ "postgresql.service" "redis.service" ]; + }; - users.groups.redis.members = [ "nextcloud" ]; - users.groups.backup.members = [ "nextcloud" "postgres" ]; + users.groups.redis.members = [ "nextcloud" ]; + users.groups.backup.members = [ "nextcloud" "postgres" ]; - networking.firewall.allowedTCPPorts = [ 22 80 443 ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - system.stateVersion = "21.05"; + networking.firewall = { + allowedTCPPorts = [ 22 80 443 ]; + allowedUDPPorts = [ config.services.tailscale.port ]; + trustedInterfaces = [ "tailscale0" ]; + enable = true; + checkReversePath = "loose"; + }; + # networking.firewall.allowedUDPPorts = [ ... ]; + system.stateVersion = "21.05"; } diff --git a/config/hosts/rudiger/hardware-configuration.nix b/config/hosts/rudiger/hardware-configuration.nix index 1e82882..283b86a 100644 --- a/config/hosts/rudiger/hardware-configuration.nix 
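Review bot: Almost every line of this hunk appears to be a whitespace-only reindentation of the existing file, which hides the two behavioural changes worth reviewing: `services.zfs.autoSnapshot.enable` flips to `false` (also on wind) with no note on where periodic snapshots now come from, and the firewall block gains `trustedInterfaces = [ "tailscale0" ]` plus the tailscale UDP port. Landing the reindent as its own commit would have made those visible; failing that, a comment above `autoSnapshot.enable = false` stating the reason (pool space, or snapshots now taken on the backup host) would help. `tailscale` is also added to `environment.systemPackages` here although the imported `common/services/tailscale.nix` already adds `pkgs.tailscale`, so one of the two is redundant. The hunk starts on the previous line.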
+++ b/config/hosts/rudiger/hardware-configuration.nix
@@ -3,7 +3,7 @@
 {
 imports = [
 (modulesPath + "/profiles/qemu-guest.nix")
- (modulesPath + "/profiles/minimal.nix")
+ #(modulesPath + "/profiles/minimal.nix")
 ];
 boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
diff --git a/config/hosts/rudiger/services/acme.nix b/config/hosts/rudiger/services/acme.nix
index 62ae467..693e006 100644
--- a/config/hosts/rudiger/services/acme.nix
+++ b/config/hosts/rudiger/services/acme.nix
@@ -3,7 +3,7 @@
 {
 security.acme = {
 acceptTerms = true;
- email = "admin+certs@graven.dev";
+ defaults.email = "admin+certs@graven.dev";
 };
 }
diff --git a/config/hosts/rudiger/services/borg.nix b/config/hosts/rudiger/services/borg.nix
new file mode 100644
index 0000000..28f5790
--- /dev/null
+++ b/config/hosts/rudiger/services/borg.nix
@@ -0,0 +1,27 @@
+
+{ config, ... }:
+
+{
+ services.borgbackup.jobs = {
+ postgres = {
+ paths = "/var/lib/postgresql/backup";
+ repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/postgres";
+ encryption.mode = "repokey";
+ encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
+ environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
+ compression = "auto,zstd";
+ startAt = "*-*-* 03:15:00";
+ user = "postgres";
+ };
+ synapse = {
+ paths = "/var/lib/nextcloud/data";
+ repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/nextcloud";
+ encryption.mode = "repokey";
+ encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
+ environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
+ compression = "auto,zstd";
+ startAt = "*-*-* 03:45:00";
+ user = "nextcloud";
+ };
+ };
+}
diff --git a/config/hosts/rudiger/services/immich.nix b/config/hosts/rudiger/services/immich.nix
new file mode 100644
index 0000000..fe71843
--- /dev/null
+++ b/config/hosts/rudiger/services/immich.nix
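Review bot: This file is not imported anywhere — the rudiger `configuration.nix` hunk in this commit still lists `./services/restic.nix` and no `./services/borg.nix` — so it is dead configuration, and if it is meant to replace restic on this host it has to be added to that imports list. Its second job is a copy of the grondahl one: it is named `synapse` and uses the `borg_pass_synapse`/`ssh_key_synapse` secrets while backing up `/var/lib/nextcloud/data` as `nextcloud`; rename the job and its secret references (`nextcloud = { … borg_pass_nextcloud … ssh_key_nextcloud … }`) so the Nextcloud repository's passphrase and SSH identity are not accidentally the Synapse ones. Like the grondahl jobs it has no `prune.keep`, so archives are never expired, and the file starts with a stray blank line.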
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ services.immich = {
+ enable = true;
+ port = 2283;
+ settings.server.externalDomain = "https://immich.graven.dev";
+ };
+}
diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix
index fd2a274..4f1a9da 100644
--- a/config/hosts/rudiger/services/nextcloud.nix
+++ b/config/hosts/rudiger/services/nextcloud.nix
@@ -1,22 +1,25 @@
 { config, pkgs, ... }:
 {
- services.nextcloud = {
- enable = true;
- hostName = "cloud.graven.dev";
- https = true;
- package = pkgs.nextcloud22;
- autoUpdateApps.enable = true;
- maxUploadSize = "10G";
- webfinger = true;
- caching.redis = true;
- config = {
- dbtype = "pgsql";
- dbuser = "nextcloud";
- dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
- dbname = "nextcloud";
- defaultPhoneRegion = "DK";
- adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
- adminuser = "root";
- };
- };
+ services.nextcloud = {
+ enable = true;
+ hostName = "cloud.graven.dev";
+ https = true;
+ package = pkgs.nextcloud32;
+ autoUpdateApps.enable = true;
+ maxUploadSize = "10G";
+ webfinger = true;
+ caching.redis = true;
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
+ adminuser = "root";
+ };
+ settings = {
+ default_phone_region = "DK";
+ };
+ phpOptions."opcache.interned_strings_buffer" = "23";
+ };
 }
diff --git a/config/hosts/rudiger/services/nginx.nix b/config/hosts/rudiger/services/nginx.nix
index d896bab..6335fcb 100644
--- a/config/hosts/rudiger/services/nginx.nix
+++ b/config/hosts/rudiger/services/nginx.nix
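Review bot: `package = pkgs.nextcloud22` → `pkgs.nextcloud32` skips many major releases in one deploy; Nextcloud's updater refuses to move more than one major version at a time, so the `nextcloud-setup` upgrade step will, as far as I can tell, abort and leave the instance in maintenance mode. The package needs to be stepped through each intermediate major (which, since nixpkgs only carries a few at once, means temporary pins of older nixpkgs) or the instance rebuilt from the restic/borg backup, and whichever path is chosen belongs in the commit message. The move of `defaultPhoneRegion` to `settings.default_phone_region` looks correct; the rest of the hunk is reindentation.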
@@ -1,8 +1,25 @@
-{ ... }:
+{ config, ... }:
 {
 imports = [ ../../../common/services/nginx.nix ];
 services.nginx.virtualHosts."cloud.graven.dev" = {
 enableACME = true;
 forceSSL = true;
 };
+ services.nginx.virtualHosts."immich.graven.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.services.immich.port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ extraConfig = ''
+ client_max_body_size 50000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ proxy_max_temp_file_size 0;
+ proxy_buffering off;
+ '';
+ };
+ };
 }
diff --git a/config/hosts/rudiger/services/postgres.nix b/config/hosts/rudiger/services/postgres.nix
index af4cc48..cee84a2 100644
--- a/config/hosts/rudiger/services/postgres.nix
+++ b/config/hosts/rudiger/services/postgres.nix
@@ -1,14 +1,15 @@
-{ ... }:
+{ pkgs, ... }:
 {
 services.postgresql = {
 enable = true;
+ package = pkgs.postgresql_15;
 ensureDatabases = [
 "nextcloud"
 ];
 ensureUsers = [
 {
 name = "nextcloud";
- ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ ensureDBOwnership = true;
 }
 ];
 };
diff --git a/config/hosts/rudiger/services/redis.nix b/config/hosts/rudiger/services/redis.nix
index 2db61e7..87b2587 100644
--- a/config/hosts/rudiger/services/redis.nix
+++ b/config/hosts/rudiger/services/redis.nix
@@ -1,10 +1,12 @@
 { config, ... }:
 {
 services.redis = {
- enable = true;
- unixSocket = "/run/redis/redis.sock";
 vmOverCommit = true;
- unixSocketPerm = 770;
- #requirePassfile = config.secrets.files.redis_pass.file;
- };
+ servers."" = {
+ enable = true;
+ unixSocket = "/run/redis/redis.sock";
+ unixSocketPerm = 770;
+ #requirePassfile = config.secrets.files.redis_pass.file;
+ };
+ };
 }
diff --git a/config/hosts/rudiger/services/restic.nix b/config/hosts/rudiger/services/restic.nix
index dc6ad4d..a639bd2 100644
--- a/config/hosts/rudiger/services/restic.nix
+++ b/config/hosts/rudiger/services/restic.nix
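Review bot: `proxyPass = "http://[::1]:${toString config.services.immich.port}"` hard-codes the IPv6 loopback, while the new `immich.nix` sets only `port` and leaves the bind address to the module default; if that default resolves to `127.0.0.1` the vhost answers 502 for every request. Setting `services.immich.host` explicitly to the same address (or using `127.0.0.1` in both files) removes the dependence on how `localhost` resolves. A short comment on `client_max_body_size 50000M` / `proxy_buffering off` saying they exist for large photo and video uploads would also explain why these differ from every other vhost.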
@@ -3,21 +3,21 @@
 services.restic.backups = {
 "postgres" = {
 paths = [ "/var/lib/postgresql/backup" ];
- repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/postgres";
+ repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/postgres";
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "04:15"; };
- extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 user = "postgres";
 };
 "nextcloud" = {
 paths = [ "/var/lib/nextcloud/data" ];
- repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/nextcloud";
+ repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/nextcloud";
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "04:30"; };
- extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 user = "nextcloud";
 };
diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix
index b909657..bf8aeb0 100644
--- a/config/hosts/wind/configuration.nix
+++ b/config/hosts/wind/configuration.nix
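Review bot: Pointing `repository` and the `sftp.command` ssh invocation at `restic@backup.graven.dev` means each job, running as `postgres` and `nextcloud` here and as the four service users in wind's restic.nix later in this commit, connects to a host whose key is not yet in that user's `known_hosts`; a non-interactive ssh then either fails host-key verification or, if checking has been relaxed in ssh config, trusts the key on first use. Register the backup host's key system-wide so every service user verifies the same pinned key, e.g. `programs.ssh.knownHosts."backup.graven.dev".publicKeyFile = <path to the backup host's ed25519 public key>;`, and leave a comment on the `extraOptions` line pointing at that declaration. Any stale `despondos.nao.sh` entries in those users' home directories can be removed at the same time.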
@@ -1,11 +1,15 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, ... }: { - imports = [ - ./hardware-configuration.nix + imports = [ + ./hardware-configuration.nix + ../../common/configuration/nix.nix + ../../common/configuration/documentation.nix ../../common/services/ssh.nix + ../../common/services/tailscale.nix ../../common/users.nix ./services/acme.nix + ./services/borg.nix ./services/coturn.nix ./services/nginx.nix ./services/postgres.nix @@ -15,15 +19,15 @@ ./services/restic.nix ./services/vaultwarden.nix ./services/wireguard.nix + ./services/akkoma.nix ./data/secrets/secrets.nix ]; boot.loader.grub.enable = true; - boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/sda"; - boot.kernelPackages = pkgs.linuxPackages_5_10; + boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; boot.supportedFilesystems = ["zfs"]; - services.zfs.autoSnapshot.enable = true; + services.zfs.autoSnapshot.enable = false; services.zfs.autoScrub.enable = true; networking.hostName = "wind"; @@ -37,7 +41,7 @@ users.users.deploy-web = { isNormalUser = true; extraGroups = [ "nginx" ]; - openssh.authorizedKeys.keys = [ + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop" ]; }; @@ -49,11 +53,12 @@ htop iotop dig + tailscale ]; - nix = { - autoOptimiseStore = true; - trustedUsers = [ + nix.settings = { + auto-optimise-store = true; + trusted-users = [ "root" "@wheel" ]; diff --git a/config/hosts/wind/data/secrets/acme_graven_dev.env b/config/hosts/wind/data/secrets/acme_graven_dev.env deleted file mode 100644 index cd4a5e2..0000000 Binary files a/config/hosts/wind/data/secrets/acme_graven_dev.env and /dev/null differ diff --git a/config/hosts/wind/data/secrets/acme_graven_se.env b/config/hosts/wind/data/secrets/acme_graven_se.env deleted file mode 100644 index 7ac992b..0000000 Binary files a/config/hosts/wind/data/secrets/acme_graven_se.env and /dev/null differ 
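Review bot: `boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` relies on an attribute that, as far as I recall, was deprecated and later removed from nixpkgs, and this commit also moves the nixpkgs pin to nixos-25.11; if the attribute is gone the whole configuration fails to evaluate, so verify it against the pinned nixpkgs or pin an explicit kernel the ZFS package supports (e.g. `boot.kernelPackages = pkgs.linuxPackages;`, the nixpkgs default kernel). `services.zfs.autoSnapshot.enable = false;` also drops the local point-in-time snapshots that were the fastest rollback after a bad deploy or a compromised service writing to the pool; if they were disabled for space, a short retention is safer than none, and the reason should be in a comment on that line either way.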
diff --git a/config/hosts/wind/data/secrets/borg_pass b/config/hosts/wind/data/secrets/borg_pass
new file mode 100644
index 0000000..1d65621
Binary files /dev/null and b/config/hosts/wind/data/secrets/borg_pass differ
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/config/hosts/wind/data/secrets/secrets.nix
index 5592aaf..d95a37c 100644
Binary files a/config/hosts/wind/data/secrets/secrets.nix and b/config/hosts/wind/data/secrets/secrets.nix differ
diff --git a/config/hosts/wind/data/secrets/ssh_key b/config/hosts/wind/data/secrets/ssh_key
index 6dd0719..eb6c6ce 100644
Binary files a/config/hosts/wind/data/secrets/ssh_key and b/config/hosts/wind/data/secrets/ssh_key differ
diff --git a/config/hosts/wind/data/secrets/ssh_key.pub b/config/hosts/wind/data/secrets/ssh_key.pub
index 54b1d0b..de5e671 100644
Binary files a/config/hosts/wind/data/secrets/ssh_key.pub and b/config/hosts/wind/data/secrets/ssh_key.pub differ
diff --git a/config/hosts/wind/data/secrets/synapse_extra_config b/config/hosts/wind/data/secrets/synapse_extra_config
new file mode 100644
index 0000000..7307817
Binary files /dev/null and b/config/hosts/wind/data/secrets/synapse_extra_config differ
diff --git a/config/hosts/wind/data/secrets/synapse_sliding_sync_env b/config/hosts/wind/data/secrets/synapse_sliding_sync_env
new file mode 100644
index 0000000..b5b3eec
Binary files /dev/null and b/config/hosts/wind/data/secrets/synapse_sliding_sync_env differ
diff --git a/config/hosts/wind/hardware-configuration.nix b/config/hosts/wind/hardware-configuration.nix
index 50c7560..ee338a2 100644
--- a/config/hosts/wind/hardware-configuration.nix
+++ b/config/hosts/wind/hardware-configuration.nix
@@ -6,7 +6,7 @@
 { imports = [ (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/minimal.nix") + #(modulesPath + "/profiles/minimal.nix") #(modulesPath + "/profiles/hardened.nix") ];
diff --git a/config/hosts/wind/services/acme.nix b/config/hosts/wind/services/acme.nix index 862d516..693e006 100644 --- a/config/hosts/wind/services/acme.nix +++ b/config/hosts/wind/services/acme.nix @@ -3,19 +3,7 @@ { security.acme = { acceptTerms = true; - email = "admin+certs@graven.dev"; - certs = { - "graven.dev" = { - extraDomainNames = [ "*.graven.dev" ]; - dnsProvider = "hurricane"; - credentialsFile = config.secrets.files.acme_graven_dev.file; - }; - "graven.se" = { - extraDomainNames = [ "*.graven.se" ]; - dnsProvider = "hurricane"; - credentialsFile = config.secrets.files.acme_graven_se.file; - }; - }; + defaults.email = "admin+certs@graven.dev"; }; } diff --git a/config/hosts/wind/services/akkoma.nix b/config/hosts/wind/services/akkoma.nix new file mode 100644 index 0000000..3dabcf5 --- /dev/null +++ b/config/hosts/wind/services/akkoma.nix @@ -0,0 +1,36 @@ +{ config, pkgs, ... }: +{ + + services.akkoma = { + enable = true; + config = { + ":pleroma" = { + ":instance" = { + name = "graven.se"; + description = "Graven Fedi"; + email = "charlie@graven.se"; + registration_open = false; + }; + + "Pleroma.Web.Endpoint" = { + url.host = "fedi.graven.se"; + }; + "Pleroma.Web.Webfinger" = { + domain = "graven.se"; + }; + "Pleroma.Upload".filters = + map (pkgs.formats.elixirConf { }).lib.mkRaw + [ + "Pleroma.Upload.Filter.Exiftool" + "Pleroma.Upload.Filter.Dedupe" + "Pleroma.Upload.Filter.AnonymizeFilename" + ]; + }; + }; + nginx = { + enableACME = true; + forceSSL = true; + serverName = "fedi.graven.se"; + }; + }; +} diff --git a/config/hosts/wind/services/borg.nix b/config/hosts/wind/services/borg.nix new file mode 100644 index 0000000..776f91d --- /dev/null +++ b/config/hosts/wind/services/borg.nix 
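Review bot: `"Pleroma.Upload.Filter.Exiftool"` in the upload filter list is the module name from older Pleroma/Akkoma releases; upstream later split that filter into submodules under `Pleroma.Upload.Filter.Exiftool.*`, so with the nixos-25.11 package this commit pins the name may no longer resolve, and uploads would then either fail or pass through without the EXIF/GPS stripping this entry is meant to provide. Check the filter name against the packaged Akkoma version and add a comment naming the version it was verified on; `Dedupe` and `AnonymizeFilename` are unaffected. `registration_open = false` is the right setting for a single-user instance and worth a one-line comment so it is not flipped casually.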
@@ -0,0 +1,36 @@
+{ config, ... }:
+
+{
+ services.borgbackup.jobs = {
+ gitea = {
+ paths = "/var/lib/gitea";
+ repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/gitea";
+ encryption.mode = "repokey";
+ encryption.passCommand = "cat ${config.secrets.files.borg_pass_gitea.file}";
+ environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_gitea.file}";
+ compression = "auto,zstd";
+ startAt = "*-*-* 02:15:00";
+ user = "gitea";
+ };
+ postgres = {
+ paths = "/var/lib/postgresql/backup";
+ repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/postgres";
+ encryption.mode = "repokey";
+ encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
+ environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
+ compression = "auto,zstd";
+ startAt = "*-*-* 03:15:00";
+ user = "postgres";
+ };
+ synapse = {
+ paths = "/var/lib/matrix-synapse";
+ repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/synapse";
+ encryption.mode = "repokey";
+ encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
+ environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
+ compression = "auto,zstd";
+ startAt = "*-*-* 03:15:00";
+ user = "matrix-synapse";
+ };
+ };
+}
diff --git a/config/hosts/wind/services/coturn.nix b/config/hosts/wind/services/coturn.nix
index 6481466..b2c61c8 100644
--- a/config/hosts/wind/services/coturn.nix
+++ b/config/hosts/wind/services/coturn.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 {
 services.coturn = {
- enable = true;
+ enable = false;
 lt-cred-mech = true;
 use-auth-secret = true;
 static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
diff --git a/config/hosts/wind/services/gitea.nix b/config/hosts/wind/services/gitea.nix
index 58fc760..3d3966e 100644
--- a/config/hosts/wind/services/gitea.nix
+++ b/config/hosts/wind/services/gitea.nix
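Review bot: The secrets referenced here (`borg_pass_gitea`, `borg_pass_postgres`, `borg_pass_synapse`, `ssh_key_gitea`, `ssh_key_postgres`, `ssh_key_synapse`) do not match the secret files this commit adds or touches (`borg_pass`, `ssh_key`), and because `secrets.nix` is encrypted I cannot confirm they are declared; if they are not, evaluation fails on `config.secrets.files.<name>`. The `gitea` job's `startAt = "*-*-* 02:15:00"` coincides exactly with the restic `gitea` job's `OnCalendar = "02:15"` in wind's restic.nix, and the `postgres`/`synapse` jobs overlap their restic counterparts by 15–30 minutes, so two tools read the same trees concurrently; stagger them or drop the restic jobs once borg is trusted. With `encryption.mode = "repokey"` the repository key is stored on the backup host and protected only by the passphrase from `passCommand`; `keyfile` keeps the key on this side, which is preferable if the backup host is not fully trusted, and the choice deserves a comment either way.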
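Review bot: `enable = false;` turns coturn off, but the synapse hunk later in this commit still hands clients the eight `turn:`/`turns:` URIs for turn.graven.dev together with `turn_shared_secret`, so every call attempt will try an unreachable relay before falling back. Either remove `turn_uris` (and the secret) from the synapse settings in the same commit, or leave a comment here explaining why the service is disabled while still advertised, e.g. `# temporarily disabled; synapse turn_uris still point here`.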
@@ -1,16 +1,32 @@ { ... }: { - services.gitea = { + services.forgejo = { enable = true; - domain = "git.graven.dev"; - rootUrl = "https://git.graven.dev"; - enableUnixSocket = true; - cookieSecure = true; - appName = "Graven Gitea"; - settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; }; + user = "gitea"; + group = "gitea"; + stateDir = "/var/lib/gitea"; database = { type = "postgres"; + name = "gitea"; + user = "gitea"; + }; + settings = { + DEFAULT.APP_NAME = "Graven Gitea"; + service.DISABLE_REGISTRATION = true; + session.COOKIE_SECURE = true; + server.DOMAIN = "git.graven.dev"; + server.ROOT_URL = "https://git.graven.dev"; + server.PROTOCOL = "http+unix"; }; }; + + users.users.gitea = { + home = "/var/lib/gitea"; + useDefaultShell = true; + group = "gitea"; + isSystemUser = true; + }; + + users.groups.gitea = {}; } diff --git a/config/hosts/wind/services/nginx.nix b/config/hosts/wind/services/nginx.nix index e219049..b7b7b77 100644 --- a/config/hosts/wind/services/nginx.nix +++ b/config/hosts/wind/services/nginx.nix @@ -2,11 +2,13 @@ imports = [ ../../../common/services/nginx.nix ]; services.nginx.virtualHosts = { "graven.dev" = { - useACMEHost = "graven.dev"; + enableACME = true; forceSSL = true; locations."/".root = "/var/www/graven.dev/public"; - locations."/_matrix".proxyPass = "http://127.0.0.1:8008"; - locations."/_synapse".proxyPass = "http://127.0.0.1:8008"; + locations."~ ^(\\/_matrix|\\/_synapse\\/client)" = { + proxyPass = "http://127.0.0.1:8008"; + priority = 1000; + }; locations."/.well-known/matrix/" = { root = "/var/www/matrix/public"; extraConfig = '' 
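Review bot: `server.PROTOCOL = "http+unix";` is set without `server.HTTP_ADDR`, while the nginx hunk for git.graven.dev later in this commit proxies to `http://unix:/run/forgejo/forgejo.sock:`; with `user`, `group` and `stateDir` all overridden to the old gitea values, whether the module still places the socket at `/run/forgejo/forgejo.sock` and makes it readable by the nginx user is not something I can confirm from the hunk. Set `settings.server.HTTP_ADDR = "/run/forgejo/forgejo.sock";` explicitly so the two files agree by construction, with a comment saying nginx.nix depends on that path. `service.DISABLE_REGISTRATION = true;` and `session.COOKIE_SECURE = true;` are new relative to the old gitea block and belong in the commit message.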
@@ -14,24 +16,34 @@ add_header Access-Control-Allow-Origin "*"; add_header Strict-Transport-Security $hsts_header; add_header Referrer-Policy "same-origin"; - add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options "nosniff"; add_header X-XSS-Protection "1; mode=block"; ''; }; }; + # Fedi webfinger + "graven.se" = { + enableACME = true; + forceSSL = true; + locations."/.well-known/host-meta".return = "301 https://fedi.graven.se$request_uri"; + }; + "amanda.graven.dev" = { + enableACME = true; + forceSSL = true; + locations."/".root = "/var/www/amanda.graven.dev/public"; + }; "rss.graven.dev" = { - useACMEHost = "graven.dev"; + enableACME = true; forceSSL = true; }; "git.graven.dev" = { - useACMEHost = "graven.dev"; + enableACME = true; forceSSL = true; - locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:"; + locations."/".proxyPass = "http://unix:/run/forgejo/forgejo.sock:"; }; "vault.graven.dev" = { forceSSL = true; - useACMEHost = "graven.dev"; + enableACME = true; locations."/" = { proxyPass = "http://localhost:8812"; proxyWebsockets = true; @@ -47,7 +59,7 @@ }; "openpgpkey.graven.dev" = { forceSSL = true; - useACMEHost = "graven.dev"; + enableACME = true; locations."/" = { root = "/var/www/openpgpkey"; extraConfig = '' @@ -63,7 +75,7 @@ }; "openpgpkey.graven.se" = { forceSSL = true; - useACMEHost = "graven.se"; + enableACME = true; locations."/" = { root = "/var/www/openpgpkey"; extraConfig = '' @@ -79,7 +91,7 @@ }; "tor.graven.dev" = { forceSSL = true; - useACMEHost = "graven.dev"; + enableACME = true; locations."/" = { root = "/var/www/tor"; extraConfig = '' diff --git a/config/hosts/wind/services/postgres.nix b/config/hosts/wind/services/postgres.nix index 79cf378..e7712e4 100644 --- a/config/hosts/wind/services/postgres.nix +++ b/config/hosts/wind/services/postgres.nix 
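Review bot: The new regex location `~ ^(\\/_matrix|\\/_synapse\\/client)` proxies to synapse with only `proxyPass` and `priority`, while synapse runs with `x_forwarded = true`; unless the shared `../../../common/services/nginx.nix` enables `recommendedProxySettings` globally, no `X-Forwarded-For` header is sent and synapse sees every client as 127.0.0.1, which defeats its per-IP rate limiting and leaves the access logs useless for incident response. Add `recommendedProxySettings = true;` to this location, or a comment noting that it is inherited from the common module. Narrowing `/_synapse` to `/_synapse/client` is a good change, since it keeps the admin API off the public vhost, and that intent is worth a comment on the location.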
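Review bot: The `graven.se` vhost redirects only `/.well-known/host-meta` to fedi.graven.se, but many fediverse servers query `/.well-known/webfinger` on the account domain directly without consulting host-meta, so lookups of a graven.se account from those servers would 404 here. Add a matching redirect, `locations."/.well-known/webfinger".return = "301 https://fedi.graven.se$request_uri";`, and extend the `# Fedi webfinger` comment to say both paths are required for the split-domain setup.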
@@ -2,7 +2,7 @@
 {
 services.postgresql = {
 enable = true;
- package = pkgs.postgresql_13;
+ package = pkgs.postgresql_16;
 initialScript = pkgs.writeText "synapse-init.sql" ''
 CREATE ROLE synapse;
 CREATE DATABASE synapse WITH OWNER synapse
diff --git a/config/hosts/wind/services/restic.nix b/config/hosts/wind/services/restic.nix
index 083e4cc..7f06514 100644
--- a/config/hosts/wind/services/restic.nix
+++ b/config/hosts/wind/services/restic.nix
@@ -5,41 +5,41 @@ services.restic.backups = { "gitea" = { paths = [ "/var/lib/gitea" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/gitea"; + repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/gitea"; initialize = true; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "02:15"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; user = "gitea"; }; "postgres" = { paths = [ "/var/lib/postgresql/backup" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/postgres"; + repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/postgres"; initialize = true; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "03:00"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; user = "postgres"; }; "synapse" = { paths = [ "/var/lib/matrix-synapse" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/synapse"; + repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/synapse"; initialize = true; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "03:30"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; 
passwordFile = builtins.toString config.secrets.files.restic_pass.file; user = "matrix-synapse"; }; "vaultwarden" = { paths = [ "/var/lib/bitwarden_rs" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden"; + repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/vaultwarden"; initialize = true; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "23:45"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; user = "vaultwarden"; }; diff --git a/config/hosts/wind/services/synapse.nix b/config/hosts/wind/services/synapse.nix index e88e79e..c5899eb 100644 --- a/config/hosts/wind/services/synapse.nix +++ b/config/hosts/wind/services/synapse.nix 
@@ -3,87 +3,68 @@ { services.matrix-synapse = { enable = true; - server_name = "graven.dev"; - enable_registration = false; - registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file; - turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file; - max_upload_size = "100M"; - database_type = "psycopg2"; - database_user = "synapse"; - database_name = "synapse"; - turn_uris = [ - "turn:turn.graven.dev:3478?transport=udp" - "turn:turn.graven.dev:3478?transport=tcp" - "turn:turn.graven.dev:3479?transport=udp" - "turn:turn.graven.dev:3479?transport=tcp" - "turns:turn.graven.dev:5349?transport=udp" - "turns:turn.graven.dev:5349?transport=tcp" - "turns:turn.graven.dev:5350?transport=udp" - "turns:turn.graven.dev:5350?transport=tcp" - ]; - report_stats = true; withJemalloc = true; + extraConfigFiles = [ config.secrets.files.synapse_extra_config.file ]; + settings = { + server_name = "graven.dev"; + enable_registration = false; + registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file; + turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file; + max_upload_size = "100M"; + database.name = "psycopg2"; + database.args.user = "synapse"; + database.args.database = "synapse"; + turn_uris = [ + "turn:turn.graven.dev:3478?transport=udp" + "turn:turn.graven.dev:3478?transport=tcp" + "turn:turn.graven.dev:3479?transport=udp" + "turn:turn.graven.dev:3479?transport=tcp" + "turns:turn.graven.dev:5349?transport=udp" + "turns:turn.graven.dev:5349?transport=tcp" + "turns:turn.graven.dev:5350?transport=udp" + "turns:turn.graven.dev:5350?transport=tcp" + ]; + report_stats = true; + logConfig = '' + version: 1 - extraConfig = '' -password_config: - enabled: false -oidc_providers: - - idp_id: authentik - idp_name: authentik - discover: true - issuer: "https://auth.graven.dev/application/o/synapse/" - client_id: 
"7a77036d3b360265895f2ab5a51264ba586c93d5" - client_secret: "a9f9146fd13338230481a71c824d122bfb5e8a2118f2cdaf882746ad6726aeecd50ef522338acec89d3f8ccb8014124e022a6af6769807ea4271931f219a3f55" - allow_existing_users: true - scopes: - - "openid" - - "profile" - - "email" - user_mapping_provider: - config: - localpart_template: "{{ user.name }}" - display_name_template: "{{ user.name|capitalize }}" - ''; + formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' - logConfig = '' -version: 1 + handlers: + console: + class: logging.StreamHandler + formatter: precise -formatters: - precise: - format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + loggers: + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN -handlers: - console: - class: logging.StreamHandler - formatter: precise + root: + level: WARN + handlers: [console] -loggers: - synapse.storage.SQL: - # beware: increasing this to DEBUG will make synapse log sensitive - # information such as access tokens. - level: WARN - -root: - level: WARN - handlers: [console] - -disable_existing_loggers: false - ''; - listeners = [ - { - port = 8008; - bind_address = "127.0.0.1"; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = false; - } - ]; - } - ]; + disable_existing_loggers: false + ''; + listeners = [ + { + port = 8008; + bind_addresses = ["127.0.0.1"]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" "federation" ]; + compress = false; + } + ]; + } + ]; + }; }; } diff --git a/config/hosts/wind/services/ttrss-plugins/fever.nix b/config/hosts/wind/services/ttrss-plugins/fever.nix new file mode 100644 index 0000000..e7e5080 --- /dev/null +++ b/config/hosts/wind/services/ttrss-plugins/fever.nix 
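Review bot: The removed `extraConfig` carried the authentik OIDC `client_secret` in plaintext, and moving the OIDC block into `synapse_extra_config` does not retire it, since the value stays in git history; rotate that client secret on the authentik side once this lands. `registration_shared_secret` and `turn_shared_secret`, carried over into `settings`, are assigned `builtins.toString …file`, which looks like a deployed file path rather than the secret contents; if so, the effective shared secret is that predictable path string, so use `registration_shared_secret_path` and put `turn_shared_secret` into the extra config file instead. `logConfig` placed under `settings` is, as far as I can tell, not a module option and would be serialised into homeserver.yaml where synapse ignores unknown keys, so the WARN-level logger config (including the `synapse.storage.SQL` guard against logging access tokens) would not take effect; the module's `log` option, or `settings.log_config` pointing at a file, is the place for it.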
@@ -0,0 +1,37 @@ +{ lib, stdenv, fetchFromGitHub, tt-rss, ... }: + +stdenv.mkDerivation rec { + pname = "tt-rss-fever-api"; + version = "2.3.0"; + + src = fetchFromGitHub { + owner = "DigitalDJ"; + repo = "tinytinyrss-fever-plugin"; + rev = "${version}"; + sha256 = "fKHnF7pXMD04sWygoRnPH5hLUyWW4Dv/e4JWtfobX/g="; + }; + + installPhase = '' + mkdir -p $out/fever + cp -r fever_api.php index.php init.php $out/fever/ + ''; + + meta = { + description = "Fever API for Tiny Tiny RSS"; + longDescription = '' + This is a plugin for Tiny Tiny RSS (tt-rss). + + It lets you use feed reader programs which interface with the Fever feed + reader API together with Tiny Tiny RSS + ''; + license = lib.licenses.gpl3Only; + homepage = "https://github.com/DigitalDJ/tinytinyrss-fever-plugin"; + maintainers = [ { + email = "amanda@graven.dev"; + name = "Amanda Graven"; + github = "agraven"; + githubId = 23525639; + } ]; + inherit (tt-rss.meta) platforms; + }; +} diff --git a/config/hosts/wind/services/ttrss.nix b/config/hosts/wind/services/ttrss.nix index 3a30bee..a93a1af 100644 --- a/config/hosts/wind/services/ttrss.nix +++ b/config/hosts/wind/services/ttrss.nix @@ -1,10 +1,13 @@ -{ config, ... }: +{ config, pkgs, ... }: { - services.tt-rss = { - enable = true; - registration.enable = true; - virtualHost = "rss.graven.dev"; - selfUrlPath = "https://rss.graven.dev"; - }; + services.tt-rss = { + enable = true; + registration.enable = false; + virtualHost = "rss.graven.dev"; + selfUrlPath = "https://rss.graven.dev"; + pluginPackages = [ + (pkgs.callPackage ./ttrss-plugins/fever.nix {}) + ]; + }; } diff --git a/config/hosts/wind/services/vaultwarden.nix b/config/hosts/wind/services/vaultwarden.nix index bf6c7d3..987466a 100644 --- a/config/hosts/wind/services/vaultwarden.nix +++ b/config/hosts/wind/services/vaultwarden.nix 
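Review bot: `rev = "${version}";` interpolates a bare string into another string; `rev = version;` says the same thing without the indirection. The `sha256` is given in base64 without a `sha256-` prefix, which Nix accepts, but `hash = "sha256-…";` is the form current nixpkgs uses and makes the algorithm explicit. A short comment above `installPhase` noting that only the three PHP files are installed and the rest of the checkout is dropped on purpose would help the next reader.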
@@ -3,7 +3,7 @@
 services.vaultwarden = {
 enable = true;
 environmentFile = config.secrets.files.vaultwarden_env.file;
- backupDir = "/var/lib/bitwarden_rs/backup";
+ backupDir = "/var/backup/vaultwarden";
 config = {
 domain = "https://vault.graven.dev";
 signupsAllowed = false;
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json
index 63de6ff..349dfba 100644
--- a/config/sources/nix/sources.json
+++ b/config/sources/nix/sources.json
@@ -5,10 +5,10 @@
 "homepage": "https://github.com/nmattia/niv",
 "owner": "nmattia",
 "repo": "niv",
- "rev": "df49d53b71ad5b6b5847b32e5254924d60703c46",
- "sha256": "1j5p8mi1wi3pdcq0lfb881p97i232si07nb605dl92cjwnira88c",
+ "rev": "368268e45dee0c94d1cf898381a384856379ad76",
+ "sha256": "1k03n7qmaz6yf2r8i5sng4kii3rr1y36g8k70sg7piqz3npxisy3",
 "type": "tarball",
- "url": "https://github.com/nmattia/niv/archive/df49d53b71ad5b6b5847b32e5254924d60703c46.tar.gz",
+ "url": "https://github.com/nmattia/niv/archive/368268e45dee0c94d1cf898381a384856379ad76.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixos-hardware": {
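Review bot: `backupDir = "/var/backup/vaultwarden";` moves the module's periodic database dumps out of `/var/lib/bitwarden_rs`, but the restic `vaultwarden` job in wind's restic.nix earlier in this commit still backs up only `/var/lib/bitwarden_rs` and no borg job covers vaultwarden, so the dumps are no longer captured off-host. Add `/var/backup/vaultwarden` to that job's `paths` (or keep `backupDir` inside the backed-up tree), confirm the job's `user = "vaultwarden"` can read the new directory, and leave a comment on this line pointing at the backup job that must include it.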
@@ -17,22 +17,22 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "feceb4d24f582817d8f6e737cd40af9e162dee05", - "sha256": "1q92jq6xf5b1pshai9j72cj17r0ah3fhrx669h3vc58rj7xvgiw7", + "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61", + "sha256": "1al72rhlaa6g725syx72klpismv8xygdd55smqfwa9xglhv35r34", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/feceb4d24f582817d8f6e737cd40af9e162dee05.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/2096f3f411ce46e88a79ae4eafcfc9df8ed41c61.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "nixos-21.11", + "branch": "nixos-25.11", "description": "Nix Packages collection", "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ccb90fb9e11459aeaf83cc28d5f8910816d90dd0", - "sha256": "1jlyhw5nf7pcxg22k1bwkv13vm02p86d7jf6znihl3hczz1yfgi0", + "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160", + "sha256": "0vma331213djanwmb7ibgmi5290952h6ri123xwb66mg58k8r200", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/ccb90fb9e11459aeaf83cc28d5f8910816d90dd0.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/a4bf06618f0b5ee50f14ed8f0da77d34ecc19160.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { @@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "d1e1057a31f16a75d9f871e311c4aaaf664561b9", - "sha256": "0d4576dssr6l4vdpi86rbf6dyn3jfl3csvmn9csd4n6dj53f5pqm", + "rev": "b12665bc80134ac167eef1fff2f4e41e1f8925cb", + "sha256": "11894412807mhg0kgkrn4bjbdk9b2a89b0plh0bpdn06c8pfg11g", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/d1e1057a31f16a75d9f871e311c4aaaf664561b9.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/b12665bc80134ac167eef1fff2f4e41e1f8925cb.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } 
diff --git a/config/sources/nix/sources.nix b/config/sources/nix/sources.nix
index 1938409..fe3dadf 100644
--- a/config/sources/nix/sources.nix
+++ b/config/sources/nix/sources.nix
@@ -10,29 +10,50 @@ let let name' = sanitizeName name + "-src"; in - if spec.builtin or true then - builtins_fetchurl { inherit (spec) url sha256; name = name'; } - else - pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; name = name'; } + else + pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; fetch_tarball = pkgs: name: spec: let name' = sanitizeName name + "-src"; in - if spec.builtin or true then - builtins_fetchTarball { name = name'; inherit (spec) url sha256; } - else - pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; + if spec.builtin or true then + builtins_fetchTarball { name = name'; inherit (spec) url sha256; } + else + pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; fetch_git = name: spec: let ref = - if spec ? ref then spec.ref else + spec.ref or ( if spec ? branch then "refs/heads/${spec.branch}" else - if spec ? tag then "refs/tags/${spec.tag}" else - abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + if spec ? tag then "refs/tags/${spec.tag}" else + abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!" + ); + submodules = spec.submodules or false; + submoduleArg = + let + nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; + emptyArgWithWarning = + if submodules + then + builtins.trace + ( + "The niv input \"${name}\" uses submodules " + + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " + + "does not support them" + ) + { } + else { }; + in + if nixSupportsSubmodules + then { inherit submodules; } + else emptyArgWithWarning; in - builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + builtins.fetchGit + ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); fetch_local = spec: spec.path; 
@@ -66,16 +87,16 @@ let hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; hasThisAsNixpkgsPath = == ./.; in - if builtins.hasAttr "nixpkgs" sources - then sourcesNixpkgs - else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then - import {} - else - abort - '' - Please specify either (through -I or NIX_PATH=nixpkgs=...) or - add a package called "nixpkgs" to your sources.json. - ''; + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import { } + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; # The actual fetching function. fetch = pkgs: name: spec: @@ -95,13 +116,13 @@ let # the path directly as opposed to the fetched source. replace = name: drv: let - saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; + saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name; ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; in - if ersatz == "" then drv else - # this turns the string into an actual Nix path (for both absolute and - # relative paths) - if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}"; + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}"; # Ports of functions for older nix versions 
@@ -112,7 +133,7 @@ let ); # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 - range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); + range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1); # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); 
@@ -123,43 +144,46 @@ let concatStrings = builtins.concatStringsSep ""; # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 - optionalAttrs = cond: as: if cond then as else {}; + optionalAttrs = cond: as: if cond then as else { }; # fetchTarball version that is compatible between all the versions of Nix builtins_fetchTarball = { url, name ? null, sha256 }@attrs: let inherit (builtins) lessThan nixVersion fetchTarball; in - if lessThan nixVersion "1.12" then - fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) - else - fetchTarball attrs; + if lessThan nixVersion "1.12" then + fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; })) + else + fetchTarball attrs; # fetchurl version that is compatible between all the versions of Nix builtins_fetchurl = { url, name ? null, sha256 }@attrs: let inherit (builtins) lessThan nixVersion fetchurl; in - if lessThan nixVersion "1.12" then - fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) - else - fetchurl attrs; + if lessThan nixVersion "1.12" then + fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; })) + else + fetchurl attrs; # Create the final "sources" from the config mkSources = config: - mapAttrs ( - name: spec: - if builtins.hasAttr "outPath" spec - then abort - "The values in sources.json should not have an 'outPath' attribute" - else - spec // { outPath = replace name (fetch config.pkgs name spec); } - ) config.sources; + mapAttrs + ( + name: spec: + if builtins.hasAttr "outPath" spec + then + abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = replace name (fetch config.pkgs name spec); } + ) + config.sources; # The "config" used by the fetchers mkConfig = { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null - , sources ? 
if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) + , sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile) , system ? builtins.currentSystem , pkgs ? mkPkgs sources system }: rec { @@ -171,4 +195,4 @@ let }; in -mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } +mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/deploy/default.nix b/deploy/default.nix index ee07e2e..023444f 100644 --- a/deploy/default.nix +++ b/deploy/default.nix @@ -13,21 +13,21 @@ in import "${sources.nixus}" {} ({ config, ... }: { nodes = { wind = { lib, config, ... }: { - host = "emelie@graven.dev"; + host = "graven.dev"; configuration = ../config/hosts/wind/configuration.nix; switchTimeout = 300; successTimeout = 300; ignoreFailingSystemdUnits = true; }; grondahl = { lib, config, ... }: { - host = "emelie@anarkafem.dev"; + host = "anarkafem.dev"; configuration = ../config/hosts/grondahl/configuration.nix; successTimeout = 300; switchTimeout = 300; ignoreFailingSystemdUnits = true; }; rudiger = { lib, config, ... }: { - host = "emelie@cloud.graven.dev"; + host = "cloud.graven.dev"; configuration = ../config/hosts/rudiger/configuration.nix; switchTimeout = 300; successTimeout = 300; diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..d11b0d4 --- /dev/null +++ b/shell.nix @@ -0,0 +1,7 @@ +{ pkgs ? import {} }: + +pkgs.mkShell { + packages = with pkgs; [ + niv + ]; +}
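Review bot: Dropping the `emelie@` user from the three `host` values makes nixus deploy as whatever user ssh resolves for that host, presumably root or whatever the operator's ssh config maps, instead of the named account, so the deploy path now depends on per-operator ssh configuration and likely on direct root login being permitted on all three machines. If root deploys are intended, say so in a comment on each `host` line (e.g. `# deploys as root via ssh config`) and make sure the shared ssh module only allows key-based root login; otherwise restore an explicit user. deploy/default.nix's enclosing `nodes` attribute set starts before this hunk.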