From c710e06232a3fa341854bec9b87484baed3018ec Mon Sep 17 00:00:00 2001
From: Amanda Graven
Date: Sun, 27 Feb 2022 17:30:31 +0100
Subject: [PATCH 01/83] Add beanz.one to nginx and update sources
---
 README.md | 14 ++++++++++++++
 config/hosts/grondahl/services/nginx.nix | 5 +++++
 config/sources/nix/sources.json | 12 ++++++------
 3 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 885ac1b..fbd43da 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,15 @@
 NixOS deployments using [nixus](https://github.com/Infinisil/nixus).
+
+First make sure you have `niv` so you can upgrade dependency versions in `sources.json`.
+```sh
+$ nix-shell -p niv
+$ (cd config/sources && niv update)
+```
+Build with:
+```sh
+$ nix-build deploy/
+```
+Deploy by running the generated executable.
+```sh
+$ ./results
+```
diff --git a/config/hosts/grondahl/services/nginx.nix b/config/hosts/grondahl/services/nginx.nix
index d313927..379b8b3 100644
--- a/config/hosts/grondahl/services/nginx.nix
+++ b/config/hosts/grondahl/services/nginx.nix
@@ -30,5 +30,10 @@
 forceSSL = true;
 locations."/".proxyPass = "http://127.0.0.1:9000";
 };
+ "beanz.one" = {
+ locations."/" = {
+ root = "/var/www/beanz.one/public";
+ };
+ };
 };
 }
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json
index 32b4231..1049969 100644
--- a/config/sources/nix/sources.json
+++ b/config/sources/nix/sources.json
@@ -17,10 +17,10 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "c361b954759195c2ac085fbbed5ad7d513e1585b",
- "sha256": "0grx60c7qhidnna8d5i6mq4mymwpq8rlkrl275dgchv5yfy451js",
+ "rev": "c3c66f6db4ac74a59eb83d83e40c10046ebc0b8c",
+ "sha256": "1h5x8zgmxzdj15pgssn7nihi24ni63571q75hdpsz7zxgyjw2nyh",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixos-hardware/archive/c361b954759195c2ac085fbbed5ad7d513e1585b.tar.gz",
+ "url": "https://github.com/NixOS/nixos-hardware/archive/c3c66f6db4ac74a59eb83d83e40c10046ebc0b8c.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
@@ -29,10 +29,10 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "c28fb0a4671ff2715c1922719797615945e5b6a0",
- "sha256": "1qzvhxcsxb6s410xlfs4ggcvm1xbbd4jrazy6cpxc1rkrxbyz0kk",
+ "rev": "4275a321beab5a71872fb7a5fe5da511bb2bec73",
+ "sha256": "1p3pn7767ifbg08nmgjd93iqk0z87z4lv29ypalj9idwd3chsm69",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/c28fb0a4671ff2715c1922719797615945e5b6a0.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/4275a321beab5a71872fb7a5fe5da511bb2bec73.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {
From d173ab984feab7ba7124876439b9bca7181a73e8 Mon Sep 17 00:00:00 2001
From: Amanda Graven
Date: Sun, 27 Feb 2022 17:39:59 +0100
Subject: [PATCH 02/83] Enable SSL for beanz.one
---
 config/hosts/grondahl/services/nginx.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/config/hosts/grondahl/services/nginx.nix b/config/hosts/grondahl/services/nginx.nix
index 379b8b3..9d2edcd 100644
--- a/config/hosts/grondahl/services/nginx.nix
+++ b/config/hosts/grondahl/services/nginx.nix
@@ -31,6 +31,8 @@
 locations."/".proxyPass = "http://127.0.0.1:9000";
 };
 "beanz.one" = {
+ forceSSL = true;
+ enableACME = true;
 locations."/" = {
 root = "/var/www/beanz.one/public";
 };
From 306652ff73a3302c398ec6b3284c86a3257785ca Mon Sep 17 00:00:00 2001
From: Amanda Graven
Date: Tue, 12 Apr 2022 15:38:07 +0200
Subject: [PATCH 03/83] Set up nitter on wind
---
 config/hosts/wind/services/nginx.nix | 5 +++++
 config/hosts/wind/services/nitter.nix | 11 +++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 config/hosts/wind/services/nitter.nix
diff --git a/config/hosts/wind/services/nginx.nix b/config/hosts/wind/services/nginx.nix
index e219049..5e0cf2f 100644
--- a/config/hosts/wind/services/nginx.nix
+++ b/config/hosts/wind/services/nginx.nix
@@ -29,6 +29,11 @@
 forceSSL = true;
 locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
 };
+ "nitter.graven.dev" = {
+ useACMEHost = "graven.dev";
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:4992"
+ }
 "vault.graven.dev" = {
 forceSSL = true;
 useACMEHost = "graven.dev";
diff --git a/config/hosts/wind/services/nitter.nix b/config/hosts/wind/services/nitter.nix
new file mode 100644
index 0000000..9bc7f40
--- /dev/null
+++ b/config/hosts/wind/services/nitter.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+ services.nitter = {
+ enable = true;
+ server = {
+ port = 4992;
+ # Only save cookies on HTTPS
+ https = true;
+ }
+ }
+}
From eb43445854c5f2b83a1470609c7ded365427a09c Mon Sep 17 00:00:00 2001
From: Emelie Graven
Date: Tue, 12 Apr 2022 16:07:17 +0200
Subject: [PATCH 04/83] Disable external access, delete nginx config
---
 config/hosts/wind/configuration.nix | 1 +
 config/hosts/wind/services/nginx.nix | 5 -----
 config/hosts/wind/services/nitter.nix | 3 ++-
 3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix
index b909657..5d59f5f 100644
--- a/config/hosts/wind/configuration.nix
+++ b/config/hosts/wind/configuration.nix
@@ -8,6 +8,7 @@
 ./services/acme.nix
 ./services/coturn.nix
 ./services/nginx.nix
+ ./services/nitter.nix
 ./services/postgres.nix
 ./services/synapse.nix
 ./services/ttrss.nix
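Review bot: The new `"nitter.graven.dev"` attribute in config/hosts/wind/services/nginx.nix (patch 03/83) does not parse: the `proxyPass` binding has no terminating `;` and the set is closed with `}` instead of `};`, so evaluating a host that imports nginx.nix fails at this commit. The two lines should read `locations."/".proxyPass = "http://localhost:4992";` and `};`. The new nitter.nix in the same patch has the same problem on its two inner closing braces, and patch 04/83 adds that file to the imports in configuration.nix before patch 05/83 repairs it, so the intermediate commits cannot be built or bisected. Evaluating the configuration before committing, for example with the `nix-build deploy/` step the README describes, would catch this.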
diff --git a/config/hosts/wind/services/nginx.nix b/config/hosts/wind/services/nginx.nix
index 5e0cf2f..e219049 100644
--- a/config/hosts/wind/services/nginx.nix
+++ b/config/hosts/wind/services/nginx.nix
@@ -29,11 +29,6 @@
 forceSSL = true;
 locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
 };
- "nitter.graven.dev" = {
- useACMEHost = "graven.dev";
- forceSSL = true;
- locations."/".proxyPass = "http://localhost:4992"
- }
 "vault.graven.dev" = {
 forceSSL = true;
 useACMEHost = "graven.dev";
diff --git a/config/hosts/wind/services/nitter.nix b/config/hosts/wind/services/nitter.nix
index 9bc7f40..7c07e62 100644
--- a/config/hosts/wind/services/nitter.nix
+++ b/config/hosts/wind/services/nitter.nix
@@ -5,7 +5,8 @@
 server = {
 port = 4992;
 # Only save cookies on HTTPS
- https = true;
+ address = "127.0.0.1";
+
 }
 }
 }
From 2fc3df27a4079f11d84d813037ff1a67eb5fa5bf Mon Sep 17 00:00:00 2001
From: Emelie Graven
Date: Tue, 12 Apr 2022 16:36:07 +0200
Subject: [PATCH 05/83] Up nixpkgs, fix nitter syntax errors
---
 config/hosts/wind/services/nitter.nix | 4 ++--
 config/sources/nix/sources.json | 12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/config/hosts/wind/services/nitter.nix b/config/hosts/wind/services/nitter.nix
index 7c07e62..2755b18 100644
--- a/config/hosts/wind/services/nitter.nix
+++ b/config/hosts/wind/services/nitter.nix
@@ -7,6 +7,6 @@
 # Only save cookies on HTTPS
 address = "127.0.0.1";
 
- }
- }
+ };
+ };
 }
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json
index 63de6ff..da3f107 100644
--- a/config/sources/nix/sources.json
+++ b/config/sources/nix/sources.json
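Review bot: In the nitter.nix hunk of patch 04/83 the comment `# Only save cookies on HTTPS` is left in place after `https = true;` is removed, so it now reads as a description of `address = "127.0.0.1";`, and it is still there as context in patch 05/83. Dropping `https` presumably also changes how nitter marks its cookies, which is reasonable once the service is only reachable over loopback HTTP but is not mentioned anywhere. Replace the comment with something like `# Listen on loopback only; no longer proxied by nginx` and say in the commit message that the cookie setting was dropped on purpose. The enclosing `services.nitter` set starts outside the hunk.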
@@ -17,10 +17,10 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "feceb4d24f582817d8f6e737cd40af9e162dee05",
- "sha256": "1q92jq6xf5b1pshai9j72cj17r0ah3fhrx669h3vc58rj7xvgiw7",
+ "rev": "f4160a629bac3538939a3005c8b5c7fb320bcf59",
+ "sha256": "0w4k1fis534iafc72cjmig72697pz4s3fjj211fhzf443zh49in7",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixos-hardware/archive/feceb4d24f582817d8f6e737cd40af9e162dee05.tar.gz",
+ "url": "https://github.com/NixOS/nixos-hardware/archive/f4160a629bac3538939a3005c8b5c7fb320bcf59.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
@@ -29,10 +29,10 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "ccb90fb9e11459aeaf83cc28d5f8910816d90dd0",
- "sha256": "1jlyhw5nf7pcxg22k1bwkv13vm02p86d7jf6znihl3hczz1yfgi0",
+ "rev": "e7d63bd0d50df412f5a1d8acfa3caae75522e347",
+ "sha256": "132pc4f9ixisyv4117p2jirmlyl6sd76bfaz33rhlcwakg7bhjm7",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/ccb90fb9e11459aeaf83cc28d5f8910816d90dd0.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/e7d63bd0d50df412f5a1d8acfa3caae75522e347.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {
From 27530f0de0912841c37006c270786cbf19fc252c Mon Sep 17 00:00:00 2001
From: Emelie Graven Date: Tue, 12 Apr 2022 17:36:08 +0200 Subject: [PATCH 06/83] Remove wildcard cert --- .../grondahl/data/secrets/acme_anarkafem_dev | Bin 120 -> 0 bytes config/hosts/grondahl/data/secrets/secrets.nix | Bin 1045 -> 955 bytes config/hosts/grondahl/services/acme.nix | 5 ----- config/hosts/grondahl/services/nginx.nix | 6 +++--- .../wind/data/secrets/acme_graven_dev.env | Bin 117 -> 0 bytes .../hosts/wind/data/secrets/acme_graven_se.env | Bin 116 -> 0 bytes config/hosts/wind/data/secrets/secrets.nix | Bin 1030 -> 866 bytes config/hosts/wind/services/acme.nix | 12 ------------ config/hosts/wind/services/nginx.nix | 14 +++++++------- 9 files changed, 10 insertions(+), 27 deletions(-) delete mode 100644 config/hosts/grondahl/data/secrets/acme_anarkafem_dev delete mode 100644 config/hosts/wind/data/secrets/acme_graven_dev.env delete mode 100644 config/hosts/wind/data/secrets/acme_graven_se.env diff --git a/config/hosts/grondahl/data/secrets/acme_anarkafem_dev b/config/hosts/grondahl/data/secrets/acme_anarkafem_dev deleted file mode 100644 index 5e08a249ae5a2dcd4d20c2399a7f0ac31b5dc9f6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 120 zcmZQ@_Y83kiVO&0IR57ETzg5^th0-!B%OEiy7DUbj7U!-gY~P+3_`QsEjXNGJ!!51~hHD%T_IbY=a dt=n&+V10PKQ*P+tt!9P+es4BBd%wW-000-pIbQ$( 
diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix index 1feacfcb4006c08b8c5ba2be61bdb614710fe5b0..249edb2f002158783f59c4399986469a44e1dda0 100644 GIT binary patch literal 955 zcmZQ@_Y83kiVO&0czkG~s>qce!g8%EDkAUJ2W*~D_O$aZ)x3pC zVaL7in-4s{r*dD#+I)gD({u4SK7-S&ZQqT#Q};7Ch)!R)Y-fMuOD#+Djba`S?k61n zrr!LU@^4?iCv5<9M)iuD!!b-}%iFG*p?84b2@o((zL zK8Z7rPJ4JN__>wjU6p5kUwnUBJvtKlUr4ffQRs@ZYVPyqStK4?Xfe~S(cAk(wnS7- zfanU@C9D^VHgEK2E;XNM&F=nzNxC7M`^Qn)(zf>3B{zMHZaWIem;HFOkoUl=u`zo}(8W3K?U-0j{^(PIF6Ep8g*tK6!6N}q;IPpU0 z$t%29Ed&Y|*iT8Gze{*Y=b@z~9}AvbGPf~Gy>rTH?(y#u-)(2kO1b>tiC~bhqF%al zX;j-2U6w0M+@2?7J3T@q(;b%moguuR#jmdK%F9ffJjY5fhEeAA`Yzc6 zMHj@SUa<0(#C>_ZcG=E_PxpSkR#m@{L)_v2q{MG(GDprtcCPxvCCHswQ6AYEe|OuV z39CC_UOSbu#7n%wy=+T*=j6#!KhhcZ>a=PI1#zAEBp`Fm=3uIX=7)-`Z8m{|bK17) zlz-TKa7x9k@B={=1zT<{ow}O$c~OSW&sVz^_e41PY`eDe)yv+k-689wQttm{m;8NS z|KR&#r-Ic=+2vL)Z#ABOwl~snxbMFG`uX_02c~Kj&kK&VT+qR?963}edb>7cWU=vO*4X#v4>{UGcxBVXC@NL+ZuCM`=qI94>ui{82Fd+kX|N zg1F1S--ot`@9%gYAhF17Qs&l<(>{XSzpt0Zy?XiL%ul`DUeC)c70$NWN!08~iU^Rr YTmL#UW7CWj2aYPfBLDq$8!t8j0KpN@>Hq)$ literal 1045 zcmZQ@_Y83kiVO&0;E|bq@vkoH&W01|`OHG;s~S2}q%F^_+|6GY-?bvzFD)$p`~&^Z zQ+hUjnJX6_@y)2q+GnV`A?xo^~MiTd$fN%5y(*!jK`Gn1_|AKGKE7Rh zgs)v&Q8au>M2zyrLq%HkR_hOK4DACC7(wtH5J{kow)W#ZBO zJC5D%w#k}(G5+3e#r8P4H8DD@@@o435_|8BZzI{U)g$LEWxCthlt*d3A8 z_RIc3K=UR?F_W768ns1l(wSH+ik_@^ELgq3biL=FL$l_ePycX*Y1{2}2RFLx`?*Rn zQBQGFd#~Db-Hf?X@-*jtP{9>u5 zhTEKPeqZ>xz4QFL!~e75?(Mi+*z;q_w>b~gSI=~ zp73i2%N_gXkS$x77CgG$&3NGnYigd&B6W$@g`(3xZrs-J`$o3aY8U61UiV#YnCkJF)LyrMH3qw8cF(%N^g~sSt?!8OS&w(Wx4vCpaW1M` zTWguD;gP4gm!I$4!)V!7!M~!yEpU@wW02F2e`2RJA}IEPB@!YmOxmX(iq{(Emc5Wb;VTUBw%l^iwIviXGtCX?3x zis;BWZz8tc{eP(?E3B=z3t?mU*56g11Tc4oaxo=twx`8Cb; ZMNBtWo&CgW=2&GhJ!oYce@jf#Tma9$I3fT5 
diff --git a/config/hosts/wind/data/secrets/acme_graven_se.env b/config/hosts/wind/data/secrets/acme_graven_se.env deleted file mode 100644 index 7ac992bb3ff98e1e615d6a10f8dfa88b17b1f1c4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 116 zcmZQ@_Y83kiVO&0IF={&$jKr*XycM*L)M)#U;iHdJmFp4`ur`~#+t6W6Z%3on%C4? zee!!c=^5{#$vQJ^dY^uKz%${|*L@S*GbSEk+4woJ>;TV^8GSci>pf!3tNUAdbH~l+ apASU7E$e(Ix$(mL0PBl8^in2HeF^~T**)R_ 
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/config/hosts/wind/data/secrets/secrets.nix index 5592aaf52288f4f30d9c3f15c700d2555915670c..815cba8d9dc5b16e1144e704fa5104a41c342684 100644 GIT binary patch literal 866 zcmZQ@_Y83kiVO&0n9U@5Qe%>EbDHaJMaf_LxA{1_PuP9wYT7J$v9PUT{E26$ocD=P z5#?{GiK8!_4{0Pg!=hRL(mZ)b3xV^7GBFwZ7BY zE?Bk8?RfD(Nb*u}ugBMlB-43C>ix$VxFxt99xw51sry!CCMWFUa#&tEAddakDxWrE z-=rm9x9xtMB`>k+&7`~ByM^i|#! zFSPB&3xzLS{8pOz<=2f~3Bl_1J3GH8UHdA_wrcOI=+5JZ`*y5uW1g^{IZ-!Cv0M4n zHIFkJ_(jBni+;!Mls=Yt?9^$Csgld(IP1A3?oMF)dvd9SmzH-^=%Y5P$k6SJq}KYc zJCVclUYdE<6}I}I{Vz{H?d-XJPVH;Ra?Qi-&p(Ly%jq0#;L(dn(5h5?^7|r#=9?L+ z+bZW&`7`C)v%9;0y;7|3yvugU@tA|=QT#6wG}fHDdpD}9vd@NZOR26|Rk-Q9CwgX5 zFk_dDIG^Db8{J02s#a>ar_?8MaV z5iG*%rioYk?Ny2uf6o{pB{%uTB?Y%cvBv>ks}|z14fFwocrqKju|KNRv+71(*$P<#6?_8BZEwuEy2Y1V$hnVpkdbVYJg?PuR}XFQaY1=p+>En!RgvGm&A z<2LRK&hFHHwX>%y81TDKUN6btZg%Wv z(u!F9o94S;&tl|Pi83*?+bUiW7Oyn(f0sbm;X5UM=M0@+mPZE*L@Fy4@a#Pu-P0@o zcI(^g0$c6l3O=j|5&x#wAAH8yocUdUfu^?G%0GsZ1y#mtu9#KU?@|crSu4yCQSj&N z*16v%7nzmpi2n5A_Vj~3J_Q|e3$i|Mo?se&@qajT*uoD*vpYUV39mSMLt?taef^JK z5vzmlu3wXRYxNC%5vR3$=>k_m`Z$Vy@p=muC!LEGWn;ZmdcXccTKiTdyO=NGyD?za7vndqy-A#>L6m)H0Cxo;WDG(KI+*1Pv& zR)pe4n^x)8Cz{tMHQGNvCDs3c@pGV)+O2zS&VolThqh>o@o4_Oy)6ALUqFw%;Ea3H zCVpvWit04wORp?=yW?HKw;+?w8$G+8C;xt7{47X!s)s@E+v;;wWy+J}tq#0Aaeb|P zrNy$PSN=+8e7|C`Yl}jjLQciLzcW;|rGM}F(3;xGekSjM>6yNxdCxNrXW1QNPFt_^ zVK=K8cldW(1zi=r__RpLe;l+-1onn2Db*A!W&xr1tANBgu4`ss* z&84>*X2m9yIO!Zl}K8oK62^k!j@7cI|MZ0=GCVDV5w>oe%q-wLp(8*^-@FX z+w;$po}6x1x-ez6VBc!5{3G28sYa$*sr3&htcZ`$Sp9iXYV>^v=DQCZyh;r-6CRw} zJ8y;UvbQm_gbgp*KfUm%M2ss=di|!Y%$ujrk5g?d5p~PT-hGYhv(k)}M|tPu9p$(b zrt{=ttAwv}vBFf(iGCifiYHAXE_{CH&e`{Me_FyNhbjKdY~SV??3!(Mam#`2&(qiD zI%z+;TDsu;zy6zNCoPU*$zf%Be!}k4%{TwtUR+`+cvznm?(y=VqL+L4M+b-EzO*w> zSI&9T&2&ViA;dW?VP(lz!PNb3Jn|nO|A}IVGUq*Cao6xVGfRLq+oztbGx+WoPrJ96 z-+jy8B`P~I8%`*;E&u5!2M{jpp|L|ZgL*kmcWp(wrk8enXo(?o=PtVX{Fx`W zGS}@nca5XfwYgbAUq4xBX8&mkW1XCD5n5FaM&`~tZhn4NE%fNs4+f@4y%451*E2Q= 
zidL1k`2TEm71&v_@6F*=C;J#Dn@_8i*y6r#uii=V6~~m8t?@{|dctY(*oViC)QL|x*VDxyV@yBPx^vz(X8*!>UVDZe(;CMS?P^Q! zv-uZ#IAzxxyqa~vHT##o^uCY{YQ6dUgL3D(y$D#dQTfTGy;cTSw`zMVj!`(X Date: Tue, 12 Apr 2022 19:25:11 +0200 Subject: [PATCH 07/83] Up nixpkgs --- config/sources/nix/sources.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index da3f107..e5d4f86 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -24,15 +24,15 @@ "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "nixos-21.11", + "branch": "release-21.11", "description": "Nix Packages collection", "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e7d63bd0d50df412f5a1d8acfa3caae75522e347", - "sha256": "132pc4f9ixisyv4117p2jirmlyl6sd76bfaz33rhlcwakg7bhjm7", + "rev": "838eefb4f93f2306d4614aafb9b2375f315d917f", + "sha256": "1bm8cmh1wx4h8b4fhbs75hjci3gcrpi7k1m1pmiy3nc0gjim9vkg", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/e7d63bd0d50df412f5a1d8acfa3caae75522e347.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/838eefb4f93f2306d4614aafb9b2375f315d917f.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 8750d000bc029e8c619828337f8617bc97c36fa9 Mon Sep 17 00:00:00 2001 
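Review bot: The nixpkgs `branch` in this sources.json hunk changes from `nixos-21.11` to `release-21.11`, which the commit title "Up nixpkgs" does not mention. In nixpkgs the `nixos-*` branches are channel branches that move forward only after the channel's tests have passed, while `release-*` receives backports first, so `niv update` will from now on pin revisions that may not have been through those tests and may not be fully available from the binary cache. If the switch is deliberate, for example to pick up a fix sooner, say so in the commit message; otherwise keep `"branch": "nixos-21.11"`.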
From: Emelie Graven
Date: Wed, 3 Aug 2022 08:57:34 +0200
Subject: [PATCH 08/83] Bump to nixpkgs 22.05
---
 config/common/services/ssh.nix | 2 +-
 config/common/users.nix | 5 +-
 .../hosts/grondahl/data/secrets/secrets.nix | Bin 955 -> 957 bytes
 .../grondahl/data/secrets/synapse_db_password | Bin 87 -> 0 bytes
 .../data/secrets/synapse_extra_config | Bin 0 -> 187 bytes
 config/hosts/grondahl/services/acme.nix | 2 +-
 config/hosts/grondahl/services/redis.nix | 10 +-
 config/hosts/grondahl/services/synapse.nix | 122 +++++++--------
 config/hosts/rudiger/services/acme.nix | 2 +-
 config/hosts/rudiger/services/nextcloud.nix | 2 +-
 config/hosts/rudiger/services/redis.nix | 12 +-
 config/hosts/wind/services/acme.nix | 2 +-
 config/hosts/wind/services/synapse.nix | 148 +++++++++---------
 config/sources/nix/sources.json | 26 +--
 14 files changed, 170 insertions(+), 163 deletions(-)
 delete mode 100644 config/hosts/grondahl/data/secrets/synapse_db_password
 create mode 100644 config/hosts/grondahl/data/secrets/synapse_extra_config
diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix
index a454669..60dceee 100644
--- a/config/common/services/ssh.nix
+++ b/config/common/services/ssh.nix
@@ -4,7 +4,7 @@
 enable = true;
 permitRootLogin = "no";
 passwordAuthentication = false;
- challengeResponseAuthentication = false;
+ kbdInteractiveAuthentication = false;
 hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ];
 kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
 macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
diff --git a/config/common/users.nix b/config/common/users.nix
index e39133d..8d92c93 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
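Review bot: The `macs` list visible as context in the ssh.nix hunk names `hmac-sha2-512-etm@openssh.com` twice, which looks like a copy-paste slip for a second algorithm (possibly `hmac-sha2-256-etm@openssh.com`). The duplicate changes nothing for sshd, but it means the allow-list holds two algorithms where the author seems to have intended three. Either drop the repeated entry or replace it, e.g. `macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];`. The enclosing `services.openssh` set starts and ends outside the hunk.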
@@ -5,8 +5,9 @@ isNormalUser = true; extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBkWK8PsRh8tOz4800XFN3V2IUm2u95qOaVnuHnMknjiAAAABHNzaDo= emelie@em-work" ]; }; 
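Review bot: This users.nix hunk adds a third entry to `openssh.authorizedKeys.keys` for a user in `wheel` (the `emelie@em-work` key), while the commit is titled "Bump to nixpkgs 22.05" and the other two key lines change only in indentation. A new login credential in config/common/users.nix, which by its path is presumably shared by every host, is easier to audit and to revert when it is its own commit with a subject that names the key. I would split it out and put a comment above the new entry, such as `# emelie@em-work: FIDO-backed key, added 2022-08`. The user's attribute set starts outside the hunk.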
diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix index 249edb2f002158783f59c4399986469a44e1dda0..b79d57c072b44ce1ff1701aea03cdf0e5201cd67 100644 GIT binary patch literal 957 zcmZQ@_Y83kiVO&0$iHQ`McZnB%QWTI;vACzlG9QnYi=|xnxA@Vk_=Vf2E1X`vqBu}@ zOHqv6gY^t$Q<}Z6O78g?HE;LPe*dtIY#dQv)ZKg*njilnwK##Z=gxL6q3|n7^W9I0 z>#fLjG@2!_Zw}L%v`^dW7dmGZ#pxe7lH+~z=9jt3lYcJU<@o001oa&;oO|W&+URPY zew4c7u*x4JuWd15%kRIAy!hzcHSgF@b4^6q>?bUED(&-zInS`#Kws$p#-%$sHdk4_ zn6L6$a!q}k+|h(5?tWfhGAzFu=g2^Aq7ThwbF>Ru3ZvyK(s6L*^}p=;-AE5zcpLL*}eT- z%CC^lVHZyrQ&l2P96Ro~ES9jH}!Yl5cZqhQ%>b8}$SR#K;VV?SFbIKJjjThyq ziHX0;vRX9aZ^u7Lxz4f6#Uiow$b}^;M+1_oVjWjZx@kQ(exqP0f8?}Ple#)wKb0-I z7N$P6(qTs8KQUj${`k3n?lS6pVRKbA;z{)k)-2t9Yehh|_;K0ip?=$r2t}1dr`}?_ zT_LY5ef90Dl!a_PH3w}n)lOxrZZ-dR_I>`1Eh47np*!}lM}6P?DZASzuYAW_bycy| zj4ku#aHLEYdZ>0r!BOt}v79-Nvc*1Gwj1Y4SZ!N(MebL&S4H>78DeLSwycz`uq`$| z&-MD(l76q0V=Aqkm(C?T+Mh2`R^_=S_QM_Po&~lJ&koG`n0D!7(zO`@Q~kf7sots(bF95O4L0E}QVq{@ohuO^YVy-{BICIebBWEm!7_lgl^9$;2#V ze51EPSbfi#DW&K99I~(Mk#acMpv6!){h~$ZmXa4oQY|)~G>H1S%(F@0jn4JfInjHT ztyeteWEfTZ@{MDZbxyUyA*UKHN40)+(Tu(QOEY-0%tgv&-heyzN!=a)*nB1_q1l9iQAnQ z+3&AQ`J}x#nw`G%^lXQJ?wfwC*{=3#f&8n&3ug}hne;}yS@UdwVoKQRvs1Urn4afK cP?~VGhS|(wb###L>-4hd)Hw$uI9t~P0DrpI>i_@% literal 955 zcmZQ@_Y83kiVO&0czkG~s>qce!g8%EDkAUJ2W*~D_O$aZ)x3pC zVaL7in-4s{r*dD#+I)gD({u4SK7-S&ZQqT#Q};7Ch)!R)Y-fMuOD#+Djba`S?k61n zrr!LU@^4?iCv5<9M)iuD!!b-}%iFG*p?84b2@o((zL zK8Z7rPJ4JN__>wjU6p5kUwnUBJvtKlUr4ffQRs@ZYVPyqStK4?Xfe~S(cAk(wnS7- zfanU@C9D^VHgEK2E;XNM&F=nzNxC7M`^Qn)(zf>3B{zMHZaWIem;HFOkoUl=u`zo}(8W3K?U-0j{^(PIF6Ep8g*tK6!6N}q;IPpU0 z$t%29Ed&Y|*iT8Gze{*Y=b@z~9}AvbGPf~Gy>rTH?(y#u-)(2kO1b>tiC~bhqF%al zX;j-2U6w0M+@2?7J3T@q(;b%moguuR#jmdK%F9ffJjY5fhEeAA`Yzc6 zMHj@SUa<0(#C>_ZcG=E_PxpSkR#m@{L)_v2q{MG(GDprtcCPxvCCHswQ6AYEe|OuV z39CC_UOSbu#7n%wy=+T*=j6#!KhhcZ>a=PI1#zAEBp`Fm=3uIX=7)-`Z8m{|bK17) zlz-TKa7x9k@B={=1zT<{ow}O$c~OSW&sVz^_e41PY`eDe)yv+k-689wQttm{m;8NS 
z|KR&#r-Ic=+2vL)Z#ABOwl~snxbMFG`uX_02c~Kj&kK&VT+qR?963}edb>7cWU=vO*4X#v4>{UGcxBVXC@NL+ZuCM`=qI94>ui{82Fd+kX|N zg1F1S--ot`@9%gYAhF17Qs&l<(>{XSzpt0Zy?XiL%ul`DUeC)c70$NWN!08~iU^Rr YTmL#UW7CWj2aYPfBLDq$8!t8j0KpN@>Hq)$ diff --git a/config/hosts/grondahl/data/secrets/synapse_db_password b/config/hosts/grondahl/data/secrets/synapse_db_password deleted file mode 100644 index c2cd71a63320dc7ed02275b19236d533922d8808..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87 zcmZQ@_Y83kiVO&0$myP&!FC}t>{Cj6!@U#x8u`j^sQh)h+tZ);$dzC8e#+aaS2Fh1 uRqcDt%X!*;Qpk?b*wR@laSz)W&3(5AG(KFtG3W2${e}T8y#JcNuLA()J1Xn| diff --git a/config/hosts/grondahl/data/secrets/synapse_extra_config b/config/hosts/grondahl/data/secrets/synapse_extra_config new file mode 100644 index 0000000000000000000000000000000000000000..c33b2c07368ef67cc0a009d15d4dad5b06988619 GIT binary patch literal 187 zcmZQ@_Y83kiVO&0u;x0hl9}l7q9tV7v1>6QeFi4sxwf90Y;@OO|Jb!b?W_EZUkB^< z&%0=UQu;ZI951>+z5Pg%I}ba0I//archive/.tar.gz" }, "nixos-hardware": { 
@@ -17,22 +17,22 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "f4160a629bac3538939a3005c8b5c7fb320bcf59",
- "sha256": "0w4k1fis534iafc72cjmig72697pz4s3fjj211fhzf443zh49in7",
+ "rev": "ea3efc80f8ab83cb73aec39f4e76fe87afb15a08",
+ "sha256": "0h87y6z42ch128j6yslydvdzajqcrqzhihi4nrpwida4js2pl1ak",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixos-hardware/archive/f4160a629bac3538939a3005c8b5c7fb320bcf59.tar.gz",
+ "url": "https://github.com/NixOS/nixos-hardware/archive/ea3efc80f8ab83cb73aec39f4e76fe87afb15a08.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
- "branch": "release-21.11",
+ "branch": "release-22.05",
 "description": "Nix Packages collection",
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "838eefb4f93f2306d4614aafb9b2375f315d917f",
- "sha256": "1bm8cmh1wx4h8b4fhbs75hjci3gcrpi7k1m1pmiy3nc0gjim9vkg",
+ "rev": "c55096e021c6ab0be3945be2535b3b4324e4f571",
+ "sha256": "0smvw72cv80zq1y1y5vjfjbz0bv6mg8iznhv779s2vn5dz1s3kwx",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/838eefb4f93f2306d4614aafb9b2375f315d917f.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/c55096e021c6ab0be3945be2535b3b4324e4f571.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {
@@ -41,10 +41,10 @@
 "homepage": "",
 "owner": "Infinisil",
 "repo": "nixus",
- "rev": "d1e1057a31f16a75d9f871e311c4aaaf664561b9",
- "sha256": "0d4576dssr6l4vdpi86rbf6dyn3jfl3csvmn9csd4n6dj53f5pqm",
+ "rev": "a7b742f2f4c9d37cd84b8f0ab7ee57c4b3d9f393",
+ "sha256": "0pyplivs96vxnnnj3w8drd806xxzhrxcn969hh1bhbds4h4s5k16",
 "type": "tarball",
- "url": "https://github.com/Infinisil/nixus/archive/d1e1057a31f16a75d9f871e311c4aaaf664561b9.tar.gz",
+ "url": "https://github.com/Infinisil/nixus/archive/a7b742f2f4c9d37cd84b8f0ab7ee57c4b3d9f393.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }
From 4ba7a0328a54e6c4aacab8679cbdb7ce77d27d0f Mon Sep 17 00:00:00 2001
From: Emelie Graven Date: Wed, 10 Aug 2022 21:30:41 +0200 Subject: [PATCH 09/83] Fix anarkafem.dev synapse db --- .../grondahl/data/secrets/synapse_extra_config | Bin 187 -> 287 bytes config/hosts/grondahl/services/synapse.nix | 8 ++++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/config/hosts/grondahl/data/secrets/synapse_extra_config b/config/hosts/grondahl/data/secrets/synapse_extra_config index c33b2c07368ef67cc0a009d15d4dad5b06988619..82813efa5f3b9b2f55b55832b95511eed5c18efd 100644 GIT binary patch literal 287 zcmZQ@_Y83kiVO&0$T;-HYg-_fccJ6f)X963e@*TECl{3a%~9Ov@T|I+9p2}5-~6yS zQ}cM#U9TvkpE{-2{h3Pk%nVynl6UjHqR?K0+m^?c?Dd|I8z|Vh!0Wk+jAUnli=a>T z{7()Z8NaNiT>O36^VMGOcXzf;UhuPkW6^m-`%Oorq_yI@^8 z6ArUQpP0FAa+;*Zqzh3RNB+O^v1woKxpi8p7e~rV&Pc^xPQ$0~YHPj*&JD7g^~^_b zwQO)!`|=h1vhSz=boJTv%c`*9_hqFyI|HQ}UQB<{ApFJsXG??d(TzXn#Ozm|e>$_U xQp@>7;YGv!B`R{=dh>Rle{t%ZRp7C=H36%5BLAo=K5o2z-@2NeC)o7Z5&)hrjvW91 literal 187 zcmZQ@_Y83kiVO&0u;x0hl9}l7q9tV7v1>6QeFi4sxwf90Y;@OO|Jb!b?W_EZUkB^< z&%0=UQu;ZI951>+z5Pg%I}ba0I Date: Tue, 23 Aug 2022 18:34:47 +0200 Subject: [PATCH 10/83] fix anarkafem.dev synapse --- .../grondahl/data/secrets/synapse_extra_config | Bin 287 -> 211 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/config/hosts/grondahl/data/secrets/synapse_extra_config b/config/hosts/grondahl/data/secrets/synapse_extra_config index 82813efa5f3b9b2f55b55832b95511eed5c18efd..022aa1edecd0ba271708cff0181b098004b3d5ad 100644 GIT binary patch literal 211 zcmZQ@_Y83kiVO&0@Qlgco84--e1*_qgG$XS+swCJ)ag^yC#z(#!0N}ssssD}d`qf`l9X5bP;f?LS>lGN z-`&J5ntncAy7OYtcHuL#r!vnDm-`@A!I(24j^{$)O-W|T z{7()Z8NaNiT>O36^VMGOcXzf;UhuPkW6^m-`%Oorq_yI@^8 z6ArUQpP0FAa+;*Zqzh3RNB+O^v1woKxpi8p7e~rV&Pc^xPQ$0~YHPj*&JD7g^~^_b zwQO)!`|=h1vhSz=boJTv%c`*9_hqFyI|HQ}UQB<{ApFJsXG??d(TzXn#Ozm|e>$_U xQp@>7;YGv!B`R{=dh>Rle{t%ZRp7C=H36%5BLAo=K5o2z-@2NeC)o7Z5&)hrjvW91 From c975d30f4f9c73d0c4d2479e699386b5d4e738d2 Mon Sep 17 00:00:00 2001 
From: Emelie Graven Date: Tue, 23 Aug 2022 18:36:50 +0200 Subject: [PATCH 11/83] Disable zfs snapshots --- config/hosts/rudiger/configuration.nix | 2 +- config/hosts/wind/configuration.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix index 4b3c0c9..0dabc0d 100644 --- a/config/hosts/rudiger/configuration.nix +++ b/config/hosts/rudiger/configuration.nix @@ -20,7 +20,7 @@ boot.loader.grub.device = "/dev/sda"; boot.supportedFilesystems = ["zfs"]; - services.zfs.autoSnapshot.enable = true; + services.zfs.autoSnapshot.enable = false; services.zfs.autoScrub.enable = true; time.timeZone = "Europe/Copenhagen"; diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index 5d59f5f..9df6c08 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix @@ -24,7 +24,7 @@ boot.loader.grub.device = "/dev/sda"; boot.kernelPackages = pkgs.linuxPackages_5_10; boot.supportedFilesystems = ["zfs"]; - services.zfs.autoSnapshot.enable = true; + services.zfs.autoSnapshot.enable = false; services.zfs.autoScrub.enable = true; networking.hostName = "wind"; From ca550f134fff9b333760ee07c2557ec1ab2ac5c4 Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Tue, 23 Aug 2022 19:40:35 +0200 Subject: [PATCH 12/83] Add 1 git-crypt collaborator New collaborators: BE59D7CC Emelie Graven --- .../3C377393274931EF017630D5A2168D0DBE59D7CC.gpg | Bin 0 -> 293 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .git-crypt/keys/default/0/3C377393274931EF017630D5A2168D0DBE59D7CC.gpg 
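Review bot: `services.zfs.autoSnapshot.enable = false;` in the rudiger hunk, and the identical change in the wind hunk after it, turns off the hosts' automatic point-in-time copies with no reason given in the code or in the commit message. Snapshots are often the quickest way back after an accidental delete, a bad upgrade or tampering with data, and no replacement backup is visible in this patch. If this is a temporary measure, record it next to the option, for example `# auto-snapshots off since 2022-08 (reason here); restores rely on (backup mechanism here)`. `autoScrub` stays enabled in both hunks, and both enclosing configuration sets continue outside the hunks.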
diff --git a/.git-crypt/keys/default/0/3C377393274931EF017630D5A2168D0DBE59D7CC.gpg b/.git-crypt/keys/default/0/3C377393274931EF017630D5A2168D0DBE59D7CC.gpg new file mode 100644 index 0000000000000000000000000000000000000000..98fecd44d665c7a10d14d76d4aad5623f467f1f7 GIT binary patch literal 293 zcmZpPW8QsjLUoSo%jZIj><;W}m#sKIPjsdHk^lQbLW|i?n<@D{d{ubx*V5m-bL{43 z8&q)4zC25*lxae(eC+Wr41ufsg8HVtG{4#4kl*k#wkUH^*R&m{XMRq45#-0`dgbVr zO9z-3m80sJ?K=)Tt=xXw*>W;F%bU&_GdYq=j@|B*cQf_0EVky|9(Cyozlx?va_NyW zv%AkivMwf0Z~psvjb&I***eh;?#HE9+TGEequl9o#m;ZpFTdx{{LQu7c84$@GWoZ% zJbby6trwg3?|)7kr!KDIYnaSf%NE$z;V|)KP;uSwOHvN8J0^ar5$P;$n6~N3@dF## z&L1pSeJ!K##q`95sQo3gj^6vwwrWw*7wxzCGeS3gN|W2(zsYZ&pRSYmYtcXT(hFAr E01Kj!9smFU literal 0 HcmV?d00001 From 071126e9c31ccbce63afb42d52c568db38622734 Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Tue, 23 Aug 2022 20:31:09 +0200 Subject: [PATCH 13/83] fuck --- config/hosts/wind/data/secrets/secrets.nix | Bin 866 -> 963 bytes .../wind/data/secrets/synapse_extra_config | Bin 0 -> 683 bytes config/hosts/wind/services/synapse.nix | 23 +----------------- config/sources/nix/sources.json | 18 +++++++------- 4 files changed, 10 insertions(+), 31 deletions(-) create mode 100644 config/hosts/wind/data/secrets/synapse_extra_config 
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/config/hosts/wind/data/secrets/secrets.nix index 815cba8d9dc5b16e1144e704fa5104a41c342684..063fd3a8371eadd236eca8f600bca97aa6f28686 100644 GIT binary patch literal 963 zcmZQ@_Y83kiVO&0keKr4t>xP9t+CAl&3Ecv=Na2eemYtk^>ae3mgQV`!^G0spzU8Y zwm2>nt}2#(Y_~y9YRat>@og8{yT2y|9Ok<{=huynuI!yVZ*SDAdH8yxl*s(EE?2ZP zvez(3x}3@QXKtu|-8!?wUDYFK^^?bkZfWUlKmWN{C19`1(QNUf>=8Ll0bAo=t&p4H z?fg@GiuLY|`Pu&S7qbe!&bxA0bymij-Cfi7-W6ioQ+D|7>5l)M&ObMCe~B$WWI6A4 z+4_&u{~eq=#c^j~is;F(6aVHa{4`56a@Zkcyz;iHj_rzfb@~T3d*&-KeV(z(uSS~b z-n%u90u_wg9?Lkz7;zYR$TpmdhT%n$`%i{W|rC*|6&7 zbz!yacdwsFhkuZl=X}jo@~L9#yoc;6Dlrq*&YinFBgd=ue&afsnO;gyYegsc+MUQx zi*9e>dbGl4;)WXn*~XeBS`S{zvQ)BP=Pq0=%sOQ@~4UagH2xrtoJnTG;ZS)NSb`uu;#;A zwMo}(e(yDzzvpG-3tqLeY;m$l7cQUVzkkZNpQB1^>FTt?>B=4c<=cD}*2Xpz>tB)O zV3#aScgZu{x&Ld@`(vkOi7pQ1k1ey>Vt2^?W0SPUXU9vubq*gVN-&)~S0W_C`)>Bn zZtX*sPW#u*oitHZB~kr8Z>w{3YUkpri{EGb{`^<8P;7E*XXp&BM>b)K`8!LNF6GO( z<}P5*)1cJ*vBpPpamw=~F{fE~*CO)Ohl5F2ag!M2!3kWnmSr_u*& z6~QvM)1Kx`M?@l96;ijDHb4IpvuN@R&VQJ83%4JfWL>}8@%_?|71b<9AA2S+P4(T>(?50P=8LNhtwk#SFWK;j zW5G7gQirfoYmJf@|JJH2JlgcHLNx8S=7;c?1{)gdIV(F4z01=6`7}{QYK_AagLro5 zX0y5mg&BYT-t@>VKA#`Cr#a4h+Oq{0{s^(&7xiD-vE*z6zsWq|3(I~t_Wvr)+NDr! z$YH(huFLz)F(MXcW8Am$-fjBk@adE4^8kmBZY~WRHrmYUe^;(Gc;D;7{QTe1?n};# f-mE*RZ6;;4u2^A3lIhi)i3d&MezvEbDHaJMaf_LxA{1_PuP9wYT7J$v9PUT{E26$ocD=P z5#?{GiK8!_4{0Pg!=hRL(mZ)b3xV^7GBFwZ7BY zE?Bk8?RfD(Nb*u}ugBMlB-43C>ix$VxFxt99xw51sry!CCMWFUa#&tEAddakDxWrE z-=rm9x9xtMB`>k+&7`~ByM^i|#! 
zFSPB&3xzLS{8pOz<=2f~3Bl_1J3GH8UHdA_wrcOI=+5JZ`*y5uW1g^{IZ-!Cv0M4n zHIFkJ_(jBni+;!Mls=Yt?9^$Csgld(IP1A3?oMF)dvd9SmzH-^=%Y5P$k6SJq}KYc zJCVclUYdE<6}I}I{Vz{H?d-XJPVH;Ra?Qi-&p(Ly%jq0#;L(dn(5h5?^7|r#=9?L+ z+bZW&`7`C)v%9;0y;7|3yvugU@tA|=QT#6wG}fHDdpD}9vd@NZOR26|Rk-Q9CwgX5 zFk_dDIG^Db8{J02s#a>ar_?8MaV z5iG*%rioYk?Ny2uf6o{pB{%uTB?Y%cvBv>ks}|z14fFwocrqKju|KNRv+71(*$P<#6?_8BZEwuEy2Y1V$hnVpkdbVYJg?PuR}XFQaY1=p+>En!RgvGm&A z<2LRK&hFHHwX>%y81TDKUN6btZg%Wv z(u!F9o94S;&tl|Pi83*?+bUiW7Oyn(f0sbm;X5UM=M0@+mPZE*L@Fy4@a#Pu-P0@o zcI(^g0$c6l3O=j|5&x#wAAH8yocUdUfu^?G%0GsZ1y#mtu9#KU?@|crSu4yCQSj&N z*16v%7nzmpi2n5A_Vj~3J_Q|e3$i|Mo?se&@qajT*uoD*vpYUV39mSMLt?taef^JK z5vzmlu3wXRYxNC%5vR3$=>k_m`Z$Vy@p=muC!LEGWn;ZmdcXccTK{rSbGznnwq0O$QliHYa`Ex2)1 zd5=2(v-=&tj(#w$vYG7U+pw+u@dx#{g<8ovQ*3sxZ>V{Bm+^#=;ajPoCr?kTXNcM; zD!YC6DTR!$965jQ#l>`AStx(Xvp@Q}Q>^LQiiUXAw{Ax+$ynBTGZc7CKl%AXM8_d5 z*`51;YUrKHj@+-zmC>7e;Ap|Iw8nWEPr5t`bUS*V>g?S5>@LNTW|V|NgRvb3ZFKT(3{ek$$Mncxt$GG?Vs|Od}!at=P715A^cI=x^-ry=VzFx zG~1{Pmu^fE@3_J5x2wVaIxFkth>wSbHg-N|3oz5Y)w0^I$z)|)a$@NM9>E8TdrHD> zw1ZA0oaAm2?vpIFDVdai=IzboKP%3$>B?Xi$Np}vL@}KMzUPDL()M=grCPVSp6$7QJ@rf* wZ^1Tm#plj!>E$o4?UAc+{af($pYnlSE6ZM{{WtBO-7?uWn%UyZe1q9V0M>p?&;S4c literal 0 HcmV?d00001 diff --git a/config/hosts/wind/services/synapse.nix b/config/hosts/wind/services/synapse.nix index 7d9feb2..c5899eb 100644 --- a/config/hosts/wind/services/synapse.nix +++ b/config/hosts/wind/services/synapse.nix @@ -4,6 +4,7 @@ services.matrix-synapse = { enable = true; withJemalloc = true; + extraConfigFiles = [ config.secrets.files.synapse_extra_config.file ]; settings = { server_name = "graven.dev"; enable_registration = false; 
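Review bot: Adding `extraConfigFiles = [ config.secrets.files.synapse_extra_config.file ];` moves the OIDC provider settings into an encrypted file, but the `client_secret` it replaces is still readable in the removed lines of the following synapse.nix hunk and in every earlier revision of the repository. Treat that value as disclosed: issue a new client secret at the identity provider and store only the new one in the encrypted file; nothing in this patch shows whether that was done. A comment above the new line would also help the next reader, e.g. `# password_config and oidc_providers live here (holds the OIDC client secret)`. The `services.matrix-synapse` set continues outside the hunk.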
@@ -24,28 +25,6 @@ "turns:turn.graven.dev:5350?transport=tcp" ]; report_stats = true; - - extraConfig = '' - password_config: - enabled: false - oidc_providers: - - idp_id: authentik - idp_name: authentik - discover: true - issuer: "https://auth.graven.dev/application/o/synapse/" - client_id: "7a77036d3b360265895f2ab5a51264ba586c93d5" - client_secret: "a9f9146fd13338230481a71c824d122bfb5e8a2118f2cdaf882746ad6726aeecd50ef522338acec89d3f8ccb8014124e022a6af6769807ea4271931f219a3f55" - allow_existing_users: true - scopes: - - "openid" - - "profile" - - "email" - user_mapping_provider: - config: - localpart_template: "{{ user.name }}" - display_name_template: "{{ user.name|capitalize }}" - ''; - logConfig = '' version: 1 diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index b49671b..a544f32 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "ea3efc80f8ab83cb73aec39f4e76fe87afb15a08", - "sha256": "0h87y6z42ch128j6yslydvdzajqcrqzhihi4nrpwida4js2pl1ak", + "rev": "12620020f76b1b5d2b0e6fbbda831ed4f5fe56e1", + "sha256": "061bvqikx69rz6kz4ya8ksnk226gfdjvzy6j2lbi0vj398xmd2fk", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/ea3efc80f8ab83cb73aec39f4e76fe87afb15a08.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/12620020f76b1b5d2b0e6fbbda831ed4f5fe56e1.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { 
@@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c55096e021c6ab0be3945be2535b3b4324e4f571", - "sha256": "0smvw72cv80zq1y1y5vjfjbz0bv6mg8iznhv779s2vn5dz1s3kwx", + "rev": "22b6dc7dbd0fed58f41c117123494c6ed691fdb8", + "sha256": "1p88904pshasnivgw44m3vv14gwrq6cf25301spx3vpw89f48d2a", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/c55096e021c6ab0be3945be2535b3b4324e4f571.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/22b6dc7dbd0fed58f41c117123494c6ed691fdb8.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { @@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "a7b742f2f4c9d37cd84b8f0ab7ee57c4b3d9f393", - "sha256": "0pyplivs96vxnnnj3w8drd806xxzhrxcn969hh1bhbds4h4s5k16", + "rev": "bc40879a51c0739b83e3a0bd6381fe0bf51b0649", + "sha256": "0ky0dgrfpsgcgzk1jfzqzfa7f4pjrpqijjqbg97mpibwmxzj5qr4", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/a7b742f2f4c9d37cd84b8f0ab7ee57c4b3d9f393.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/bc40879a51c0739b83e3a0bd6381fe0bf51b0649.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From 4ee143230e8e5ef85d37f4826d074c8115626d3d Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Tue, 23 Aug 2022 20:42:25 +0200 Subject: [PATCH 14/83] fix perms --- config/hosts/wind/data/secrets/secrets.nix | Bin 963 -> 977 bytes config/sources/nix/sources.json | 6 +++--- config/sources/nix/sources.nix | 22 ++++++++++++++++++++- 3 files changed, 24 insertions(+), 4 deletions(-) 
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/config/hosts/wind/data/secrets/secrets.nix index 063fd3a8371eadd236eca8f600bca97aa6f28686..b00061f2e447a3f121aedda3a1f0048dad8d45e4 100644 GIT binary patch literal 977 zcmZQ@_Y83kiVO&0DAE?V-18x*!Ryz|;-Hl5H@f#kf0ngwa9Vk&!SLOx_qWXb7zA#$ z%zM8-e{WSfcfQ5G*IW|{3J)gSI6Y&oTUih1#swZt7k}o5*ydLA&RUpz26ApLmwfxHRdkV4Xt<)DU=)9soZlkUR3R>6lHv5@RcX9!QztH^>dRsp0{>t39Z&X+obZp{GyT=VlM;^$DmfO{+}-}|NcHOJwhKMB8QeZMDcWP%mB%{; z{UldhV}Gx>bhY13-V4Q+DLLDB@4CN=tKI7_SAf+G{tsfWoHrzu>*r1_uYRz>FGb7h z7wdev$5U6zwBNm+c}DuPLXG17Er(uAes%n3!+Il*?S8i}m;7EBrR}M~k^lSJ=1&iW zEw~I9x!6zA68dx^>E!#Q#XroiuAZWy@$l!IoT(>Uy5xo4EUK7#W3~A2G|lN@XZ&RZ zcD8x8RCQPyzuCdP=>5S-WgG7~=tu>3y-8a>Rh8whaK{{p8m3V0TmP0-PTneQ-!`Lg z%>{Xf)NWNS$?e-0Sn)4Rkng_p$$R;dZ@0hxSheKyOV3%Kv$;6Fn19?;9Li#9{Yf}c zU)}A2LUgKC`ld%$#5ONB%RMg1yzfwkBJ0s==PgW}Z)BIx@vojVS$wa-+r}?R+Ui?2 zxLWkFBuw-?X2q=YTE@a%FGH@+s0+8E;L`&}Lu1bMMtd4pIANWJ>m@d^mDW zaBDATiu$kn23J1|vwU6lYq_}0w}%PglfL*o{l90WJA-15#0`f}tM^{{QgP-@4x{xP9t+CAl&3Ecv=Na2eemYtk^>ae3mgQV`!^G0spzU8Y zwm2>nt}2#(Y_~y9YRat>@og8{yT2y|9Ok<{=huynuI!yVZ*SDAdH8yxl*s(EE?2ZP zvez(3x}3@QXKtu|-8!?wUDYFK^^?bkZfWUlKmWN{C19`1(QNUf>=8Ll0bAo=t&p4H z?fg@GiuLY|`Pu&S7qbe!&bxA0bymij-Cfi7-W6ioQ+D|7>5l)M&ObMCe~B$WWI6A4 z+4_&u{~eq=#c^j~is;F(6aVHa{4`56a@Zkcyz;iHj_rzfb@~T3d*&-KeV(z(uSS~b z-n%u90u_wg9?Lkz7;zYR$TpmdhT%n$`%i{W|rC*|6&7 zbz!yacdwsFhkuZl=X}jo@~L9#yoc;6Dlrq*&YinFBgd=ue&afsnO;gyYegsc+MUQx zi*9e>dbGl4;)WXn*~XeBS`S{zvQ)BP=Pq0=%sOQ@~4UagH2xrtoJnTG;ZS)NSb`uu;#;A zwMo}(e(yDzzvpG-3tqLeY;m$l7cQUVzkkZNpQB1^>FTt?>B=4c<=cD}*2Xpz>tB)O zV3#aScgZu{x&Ld@`(vkOi7pQ1k1ey>Vt2^?W0SPUXU9vubq*gVN-&)~S0W_C`)>Bn zZtX*sPW#u*oitHZB~kr8Z>w{3YUkpri{EGb{`^<8P;7E*XXp&BM>b)K`8!LNF6GO( z<}P5*)1cJ*vBpPpamw=~F{fE~*CO)Ohl5F2ag!M2!3kWnmSr_u*& z6~QvM)1Kx`M?@l96;ijDHb4IpvuN@R&VQJ83%4JfWL>}8@%_?|71b<9AA2S+P4(T>(?50P=8LNhtwk#SFWK;j zW5G7gQirfoYmJf@|JJH2JlgcHLNx8S=7;c?1{)gdIV(F4z01=6`7}{QYK_AagLro5 zX0y5mg&BYT-t@>VKA#`Cr#a4h+Oq{0{s^(&7xiD-vE*z6zsWq|3(I~t_Wvr)+NDr! 
z$YH(huFLz)F(MXcW8Am$-fjBk@adE4^8kmBZY~WRHrmYUe^;(Gc;D;7{QTe1?n};# f-mE*RZ6;;4u2^A3lIhi)i3d&Mezv//archive/.tar.gz" }, "nixus": { diff --git a/config/sources/nix/sources.nix b/config/sources/nix/sources.nix index 1938409..9a01c8a 100644 --- a/config/sources/nix/sources.nix +++ b/config/sources/nix/sources.nix @@ -31,8 +31,28 @@ let if spec ? branch then "refs/heads/${spec.branch}" else if spec ? tag then "refs/tags/${spec.tag}" else abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + submodules = if spec ? submodules then spec.submodules else false; + submoduleArg = + let + nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; + emptyArgWithWarning = + if submodules == true + then + builtins.trace + ( + "The niv input \"${name}\" uses submodules " + + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " + + "does not support them" + ) + {} + else {}; + in + if nixSupportsSubmodules + then { inherit submodules; } + else emptyArgWithWarning; in - builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + builtins.fetchGit + ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); fetch_local = spec: spec.path; From 5557db3a54f10854a1840f5ef793b760375e486e Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Tue, 13 Sep 2022 10:13:23 +0200 Subject: [PATCH 15/83] Bump nixpkgs, add ssh key --- config/common/users.nix | 1 + config/sources/nix/sources.json | 18 +++++++++--------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/config/common/users.nix b/config/common/users.nix index 8d92c93..99f0c5e 100644 --- a/config/common/users.nix +++ b/config/common/users.nix 
@@ -18,6 +18,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwmREgBmckocQerEfO4XhB+dbKDsZopok37ePWHwCEj id_ed25519" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILrZWS1PBVRbdmPh8IJdIPHhK0+ZuSnQCR10a8Bl11VZAAAABHNzaDo= amanda@sharpy" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6v5D/aJuIhuIVcnzFA7ocxPMI8JgHEnxSPuD+SaLHX amanda@sharpy" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH0o3EApXEP3vZMP9sVG9CQZ122KemUQuT6BZF2uhZnHAAAABHNzaDo= amanda@ed25519_resident_nk3" ]; }; }; diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index bef4006..5ada689 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "12620020f76b1b5d2b0e6fbbda831ed4f5fe56e1", - "sha256": "061bvqikx69rz6kz4ya8ksnk226gfdjvzy6j2lbi0vj398xmd2fk", + "rev": "1fec8fda86dac5701146c77d5f8a414b14ed1ff6", + "sha256": "18z2v5id3sad22f4nk8yjpablk9c693nwl5vix2n06h6s3kfmr10", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/12620020f76b1b5d2b0e6fbbda831ed4f5fe56e1.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/1fec8fda86dac5701146c77d5f8a414b14ed1ff6.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "580d1ea22a647908f159fb6b138083dfe5c8c7b0", - "sha256": "1gsrpc7gg6844sncryx3rbaly0rfd2bkwrrzyvl03b7g29mwvdvb", + "rev": "ccafeb2aff99ec505d35fcfafd212c424c5359fd", + "sha256": "0q9kxp7n7394f8s7nqm8852gmwka0xn973q2vf3qh5qrwkv441qj", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/580d1ea22a647908f159fb6b138083dfe5c8c7b0.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/ccafeb2aff99ec505d35fcfafd212c424c5359fd.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { 
@@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "bc40879a51c0739b83e3a0bd6381fe0bf51b0649", - "sha256": "0ky0dgrfpsgcgzk1jfzqzfa7f4pjrpqijjqbg97mpibwmxzj5qr4", + "rev": "aa276744ba7dcebeac40da37d7bf4d9d5409f17e", + "sha256": "1wfx055h1765zq7s1zzy06im8f715ydvp8qbhfcn6bpg44qr591b", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/bc40879a51c0739b83e3a0bd6381fe0bf51b0649.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/aa276744ba7dcebeac40da37d7bf4d9d5409f17e.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From 1c508735c0aebef748a1db8f0e013b24de655b20 Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Sat, 17 Sep 2022 13:42:25 +0200 Subject: [PATCH 16/83] forgot to push last time oops --- config/common/users.nix | 4 +++- config/hosts/grondahl/configuration.nix | 6 +++--- config/hosts/rudiger/configuration.nix | 6 +++--- config/hosts/wind/configuration.nix | 6 +++--- 4 files changed, 12 insertions(+), 10 deletions(-) diff --git a/config/common/users.nix b/config/common/users.nix index 99f0c5e..d435718 100644 --- a/config/common/users.nix +++ b/config/common/users.nix 
@@ -6,8 +6,10 @@ extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBkWK8PsRh8tOz4800XFN3V2IUm2u95qOaVnuHnMknjiAAAABHNzaDo= emelie@em-work" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAII25n47g35go0CaKcCaqZemuT3GiqtomYeqAQYYnRhEaAAAADHNzaDpwZXJzb25hbA==" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINEZQucbj2M15Zs5uXlcMztn/QjOAKEeqL5PCnm4Xrv5AAAADHNzaDpwZXJzb25hbA==" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIP4MsGRUg7DOHZ5AHbFrZJYJ2VeulOWmu8O7H/y/6GTdAAAADHNzaDpwZXJzb25hbA==" ]; }; diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix index 6d317be..9303bed 100644 --- a/config/hosts/grondahl/configuration.nix +++ b/config/hosts/grondahl/configuration.nix @@ -49,9 +49,9 @@ security.sudo.wheelNeedsPassword = false; - nix = { - autoOptimiseStore = true; - trustedUsers = [ + nix.settings = { + auto-optimise-store = true; + trusted-users = [ "root" "@wheel" ]; diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix index 0dabc0d..cede05c 100644 --- a/config/hosts/rudiger/configuration.nix +++ b/config/hosts/rudiger/configuration.nix @@ -51,9 +51,9 @@ }; - nix = { - autoOptimiseStore = true; - trustedUsers = [ + nix.settings = { + auto-optimise-store = true; + trusted-users = [ "root" "@wheel" ]; diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index 9df6c08..2242ae7 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix 
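Review bot: The three `sk-ssh-ed25519@openssh.com` keys added in the users.nix hunk have no trailing comment, unlike the neighbouring entries (`emelie@flap`, `emelie@em-work`), so the file no longer shows which hardware token each line belongs to. That makes revoking a single lost token error-prone. Add a label after each key, in the form `"sk-ssh-ed25519@openssh.com AAAA… emelie@<token-name>"` (placeholder label), so that every authorized key can be traced to a device.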
@@ -52,9 +52,9 @@ dig ]; - nix = { - autoOptimiseStore = true; - trustedUsers = [ + nix.settings = { + auto-optimise-store = true; + trusted-users = [ "root" "@wheel" ]; From 487523ce555b6887a47edaf97fdb459cbf144b95 Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Wed, 12 Oct 2022 05:21:22 +0200 Subject: [PATCH 17/83] Add resident ssh keys --- config/common/users.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/common/users.nix b/config/common/users.nix index d435718..58ed82f 100644 --- a/config/common/users.nix +++ b/config/common/users.nix @@ -7,6 +7,9 @@ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBkWK8PsRh8tOz4800XFN3V2IUm2u95qOaVnuHnMknjiAAAABHNzaDo= emelie@em-work" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMo8Ki0Udte248BGhPGNueWI/aVL4YXDwyPMeI31TmXOAAAAEXNzaDpuazNhLXBlcnNvbmFs ssh:nk3a-personal" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIG7CWaPat3WhohFYhwfH7YxZm2mXGd4q9DKiLTl8QebcAAAAEHNzaDp5NWEtcGVyc29uYWw= ssh:y5a-personal" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIOogMO9/nl7nWFzJYrLlbeFrYLzzBnyKTqYFnn9TZtZAAAAEHNzaDp5NWMtcGVyc29uYWw= ssh:y5c-personal" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAII25n47g35go0CaKcCaqZemuT3GiqtomYeqAQYYnRhEaAAAADHNzaDpwZXJzb25hbA==" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINEZQucbj2M15Zs5uXlcMztn/QjOAKEeqL5PCnm4Xrv5AAAADHNzaDpwZXJzb25hbA==" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIP4MsGRUg7DOHZ5AHbFrZJYJ2VeulOWmu8O7H/y/6GTdAAAADHNzaDpwZXJzb25hbA==" From b738c1451faf69400d737529379bc6a38c70a631 Mon Sep 17 00:00:00 2001 
From: Emelie Graven Date: Wed, 12 Oct 2022 05:25:46 +0200 Subject: [PATCH 18/83] Add grocy service --- config/hosts/wind/configuration.nix | 1 + config/hosts/wind/services/grocy.nix | 10 ++++++++++ 2 files changed, 11 insertions(+) create mode 100644 config/hosts/wind/services/grocy.nix diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index 2242ae7..1698b1e 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix @@ -13,6 +13,7 @@ ./services/synapse.nix ./services/ttrss.nix ./services/gitea.nix + ./services/grocy.nix ./services/restic.nix ./services/vaultwarden.nix ./services/wireguard.nix diff --git a/config/hosts/wind/services/grocy.nix b/config/hosts/wind/services/grocy.nix new file mode 100644 index 0000000..6a296be --- /dev/null +++ b/config/hosts/wind/services/grocy.nix @@ -0,0 +1,10 @@ +{ config, ... }: +{ + services.grocy = { + enable = true; + hostName = grocy.graven.dev; + settings = { + currency = "DKK"; + calendar.firstDayOfWeek = 1 + } + } From 25fb72c8ecb4feb3e94fe03d864648ab15adf787 Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Mon, 24 Oct 2022 11:13:11 +0200 Subject: [PATCH 19/83] Add tailscale --- ] | 88 +++++++++++++++++++++++++ config/common/services/nginx.nix | 2 +- config/common/services/tailscale.nix | 37 +++++++++++ config/hosts/grondahl/configuration.nix | 15 +++-- config/hosts/rudiger/configuration.nix | 12 +++- config/hosts/wind/configuration.nix | 2 + config/hosts/wind/services/grocy.nix | 9 +-- config/hosts/wind/services/nginx.nix | 1 - config/sources/nix/sources.json | 24 +++---- 9 files changed, 166 insertions(+), 24 deletions(-) create mode 100644 ] create mode 100644 config/common/services/tailscale.nix diff --git a/] b/] new file mode 100644 index 0000000..683e050 --- /dev/null +++ b/] 
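Review bot: The new grocy.nix does not parse, so importing it from wind/configuration.nix in the same commit breaks evaluation of the whole host. `hostName = grocy.graven.dev;` is an unquoted expression and should be `hostName = "grocy.graven.dev";`, `calendar.firstDayOfWeek = 1` and the two closing braces after it lack their `;`, and the file's outer `{` is never closed. Evaluating the deployment before committing, using the `nix-build deploy/` step from the README, would have caught this.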
@@ -0,0 +1,88 @@ +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ./data/secrets/secrets.nix + ../../common/services/ssh.nix + ../../common/services/tailscale.nix + ../../common/users.nix + ./services/acme.nix + ./services/coturn.nix + ./services/nginx.nix + ./services/restic.nix + ./services/synapse.nix + ./services/postgres.nix + #./services/mail.nix + #./services/containers.nix + #./services/redis.nix + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/vda"; + boot.kernelPackages = pkgs.linuxPackages_5_10; + networking = { + hostName = "grondahl"; + useDHCP = false; + interfaces = { + "ens3" = { + ipv4.addresses = [ { + address = "107.189.30.157"; + prefixLength = 24; + } ]; + ipv6.addresses = [ { + address = "2605:6400:30:ef32::1"; + prefixLength = 48; + } ]; + }; + }; + defaultGateway = "107.189.30.1"; + defaultGateway6 = { + address = "2605:6400:30::1"; + interface = "ens3"; + }; + nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; + }; + + time.timeZone = "Europe/Copenhagen"; + + security.sudo.wheelNeedsPassword = false; + + nix.settings = { + auto-optimise-store = true; + trusted-users = [ + "root" + "@wheel" + ]; + }; + + + + users.groups.acme.members = [ "nginx" "turnserver" ]; + users.groups.backup.members = [ "matrix-synapse" "postgres" ]; + + # List packages installed in system profile. 
To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + htop + iotop + dig + ]; + + networking.firewall = { + enable = true; + checkReversePaths = "loose"; + trustedInterfaces = [ "tailscale0" ]; + allowedUDPPorts = [ config.services.tailscale.port ]; + allowedTCPPorts = [ 22 80 443 ]; + allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ]; + allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ]; + }; + + system.stateVersion = "21.05"; + +} diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix index 6c375a6..ece567c 100644 --- a/config/common/services/nginx.nix +++ b/config/common/services/nginx.nix @@ -29,7 +29,7 @@ add_header 'Referrer-Policy' 'same-origin'; # Disable embedding as a frame - add_header X-Frame-Options DENY; + #add_header X-Frame-Options DENY; # Prevent injection of code in other mime types (XSS Attacks) add_header X-Content-Type-Options nosniff; diff --git a/config/common/services/tailscale.nix b/config/common/services/tailscale.nix new file mode 100644 index 0000000..c5bd6d5 --- /dev/null +++ b/config/common/services/tailscale.nix 
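Review bot: The new top-level file named `]` looks like an accidental editor write rather than intended configuration: its content mirrors the grondahl host configuration, including the host's addresses and firewall rules, and nothing visible imports it. It also differs from the real file in at least one place, `checkReversePaths = "loose";` here against `checkReversePath` in config/hosts/grondahl/configuration.nix. It should be dropped from the commit so that there is one authoritative copy of the host's network and firewall settings.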
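Review bot: Commenting out `add_header X-Frame-Options DENY;` in the shared nginx config removes framing protection from every virtual host that uses this snippet, and the same header is deleted from config/hosts/wind/services/nginx.nix later in this commit, with no replacement visible in either place. If one application needs to be framed by its own origin, relax the header instead of dropping it, `add_header X-Frame-Options SAMEORIGIN;`, or keep `DENY` globally and override it only in that application's virtual host. The surrounding config string starts and ends outside the hunk, so other framing controls such as a CSP `frame-ancestors` directive may exist there; if not, one should be added.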
@@ -0,0 +1,37 @@ +{ config, pkgs, ... }: +{ +environment.systemPackages = [ pkgs.tailscale ]; + +services.tailscale.enable = true; + + # ... + + # create a oneshot job to authenticate to Tailscale + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = [ "network-pre.target" "tailscale.service" ]; + wants = [ "network-pre.target" "tailscale.service" ]; + wantedBy = [ "multi-user.target" ]; + + # set this service as a oneshot job + serviceConfig.Type = "oneshot"; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up -authkey CHANGEME + ''; + }; + +} diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix index 9303bed..c693a9f 100644 --- a/config/hosts/grondahl/configuration.nix +++ b/config/hosts/grondahl/configuration.nix @@ -6,7 +6,8 @@ ./hardware-configuration.nix ./data/secrets/secrets.nix ../../common/services/ssh.nix - ../../common/users.nix + ../../common/services/tailscale.nix + ../../common/users.nix ./services/acme.nix ./services/coturn.nix ./services/nginx.nix 
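Review bot: The auth key is written literally into the unit's script (`tailscale up -authkey CHANGEME`), so once the placeholder is replaced the key ends up in git and in the world-readable Nix store. Read it from the secrets mechanism this repository already uses for other services, for example `${tailscale}/bin/tailscale up -authkey "file:${config.secrets.files.TAILSCALE_AUTHKEY_PLACEHOLDER.file}"` (placeholder secret name; the `file:` prefix needs a Tailscale version that supports it). Separately, `[ $status = "Running" ]` should quote the variable, `[ "$status" = "Running" ]`, since an empty result from `jq` otherwise makes the test itself fail. The fixed `sleep 2` is only a guess at when tailscaled is ready, so the first run can still race.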
@@ -72,9 +73,15 @@ dig ]; - networking.firewall.allowedTCPPorts = [ 22 80 443 ]; - networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ]; - networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ]; + networking.firewall = { + enable = true; + checkReversePath = "loose"; + trustedInterfaces = [ "tailscale0" ]; + allowedUDPPorts = [ config.services.tailscale.port ]; + allowedTCPPorts = [ 22 80 443 ]; + allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ]; + allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ]; + }; system.stateVersion = "21.05"; diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix index cede05c..0b7f6f5 100644 --- a/config/hosts/rudiger/configuration.nix +++ b/config/hosts/rudiger/configuration.nix @@ -6,7 +6,8 @@ ./hardware-configuration.nix ./data/secrets/secrets.nix ../../common/services/ssh.nix - ../../common/users.nix + ../../common/services/tailscale.nix + ../../common/users.nix ./services/acme.nix ./services/nextcloud.nix ./services/nginx.nix @@ -65,6 +66,7 @@ htop iotop dig + tailscale ]; security.sudo.wheelNeedsPassword = false; @@ -76,7 +78,13 @@ users.groups.redis.members = [ "nextcloud" ]; users.groups.backup.members = [ "nextcloud" "postgres" ]; - networking.firewall.allowedTCPPorts = [ 22 80 443 ]; + networking.firewall = { + allowedTCPPorts = [ 22 80 443 ]; + allowedUDPPorts = [ config.services.tailscale.port ]; + trustedInterfaces = [ "tailscale0" ]; + enable = true; + checkReversePath = "loose"; + }; # networking.firewall.allowedUDPPorts = [ ... ]; system.stateVersion = "21.05"; diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index 1698b1e..a7c83f7 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix 
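Review bot: `trustedInterfaces = [ "tailscale0" ];` accepts all traffic arriving on the tailnet interface, so on grondahl, and on rudiger in the later hunk of this commit, the `allowedTCPPorts` and range lists no longer limit what other tailnet nodes can reach. Every listening service on these hosts then depends solely on Tailscale ACLs for access control. If only a few ports are needed over the tailnet, a per-interface allow-list is narrower, for example `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 22 ];` (port chosen for illustration). Otherwise a comment should state that the tailnet ACL is the intended control, for instance `# all ports open to the tailnet; access is restricted by Tailscale ACLs`.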
@@ -4,6 +4,7 @@ imports = [ ./hardware-configuration.nix ../../common/services/ssh.nix + ../../common/services/tailscale.nix ../../common/users.nix ./services/acme.nix ./services/coturn.nix @@ -51,6 +52,7 @@ htop iotop dig + tailscale ]; nix.settings = { diff --git a/config/hosts/wind/services/grocy.nix b/config/hosts/wind/services/grocy.nix index 6a296be..d6c31ef 100644 --- a/config/hosts/wind/services/grocy.nix +++ b/config/hosts/wind/services/grocy.nix @@ -2,9 +2,10 @@ { services.grocy = { enable = true; - hostName = grocy.graven.dev; + hostName = "grocy.graven.dev"; settings = { currency = "DKK"; - calendar.firstDayOfWeek = 1 - } - } + calendar.firstDayOfWeek = 1; + }; + }; +} diff --git a/config/hosts/wind/services/nginx.nix b/config/hosts/wind/services/nginx.nix index a440332..f9253bb 100644 --- a/config/hosts/wind/services/nginx.nix +++ b/config/hosts/wind/services/nginx.nix @@ -14,7 +14,6 @@ add_header Access-Control-Allow-Origin "*"; add_header Strict-Transport-Security $hsts_header; add_header Referrer-Policy "same-origin"; - add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options "nosniff"; add_header X-XSS-Protection "1; mode=block"; ''; diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 5ada689..098e2b1 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
@@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "82e5cd1ad3c387863f0545d7591512e76ab0fc41", - "sha256": "090l219mzc0gi33i3psgph6s2pwsc8qy4lyrqjdj4qzkvmaj65a7", + "rev": "351d8bc316bf901a81885bab5f52687ec8ccab6e", + "sha256": "1yzhz7ihkh6p2sxhp3amqfbmm2yqzaadqqii1xijymvl8alw5rrr", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/82e5cd1ad3c387863f0545d7591512e76ab0fc41.tar.gz", + "url": "https://github.com/nmattia/niv/archive/351d8bc316bf901a81885bab5f52687ec8ccab6e.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "1fec8fda86dac5701146c77d5f8a414b14ed1ff6", - "sha256": "18z2v5id3sad22f4nk8yjpablk9c693nwl5vix2n06h6s3kfmr10", + "rev": "0e6593630071440eb89cd97a52921497482b22c6", + "sha256": "01rnzb4qv53q7rf0vw2mxybryl5xgad26ww73fgsg2nihhhmmy9j", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/1fec8fda86dac5701146c77d5f8a414b14ed1ff6.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/0e6593630071440eb89cd97a52921497482b22c6.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ccafeb2aff99ec505d35fcfafd212c424c5359fd", - "sha256": "0q9kxp7n7394f8s7nqm8852gmwka0xn973q2vf3qh5qrwkv441qj", + "rev": "6b8ce46f34a9b3db1267f615463cd27548889ec2", + "sha256": "1minhg4q7vgbf69lf85blmamjxl1r7c1j26n7f80as9b0dn4aj7a", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/ccafeb2aff99ec505d35fcfafd212c424c5359fd.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/6b8ce46f34a9b3db1267f615463cd27548889ec2.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { 
@@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "aa276744ba7dcebeac40da37d7bf4d9d5409f17e", - "sha256": "1wfx055h1765zq7s1zzy06im8f715ydvp8qbhfcn6bpg44qr591b", + "rev": "329bf6bae94f54d5e4cac35253b1359f7b4f997a", + "sha256": "0g6k2r446a8vcqzab76qzvfw5k1kzk6i8m4032jmkdr1w5rhlg4b", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/aa276744ba7dcebeac40da37d7bf4d9d5409f17e.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/329bf6bae94f54d5e4cac35253b1359f7b4f997a.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From 965c43679ae884d1ad07c798bc2ed2650f140103 Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Thu, 19 Jan 2023 19:52:00 +0100 Subject: [PATCH 20/83] Update to nixos 22.11 --- ] | 88 --------------------- config/hosts/rudiger/services/nextcloud.nix | 2 +- config/sources/nix/sources.json | 26 +++--- 3 files changed, 14 insertions(+), 102 deletions(-) delete mode 100644 ] diff --git a/] b/] deleted file mode 100644 index 683e050..0000000 --- a/] +++ /dev/null 
@@ -1,88 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./data/secrets/secrets.nix - ../../common/services/ssh.nix - ../../common/services/tailscale.nix - ../../common/users.nix - ./services/acme.nix - ./services/coturn.nix - ./services/nginx.nix - ./services/restic.nix - ./services/synapse.nix - ./services/postgres.nix - #./services/mail.nix - #./services/containers.nix - #./services/redis.nix - ]; - - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/vda"; - boot.kernelPackages = pkgs.linuxPackages_5_10; - networking = { - hostName = "grondahl"; - useDHCP = false; - interfaces = { - "ens3" = { - ipv4.addresses = [ { - address = "107.189.30.157"; - prefixLength = 24; - } ]; - ipv6.addresses = [ { - address = "2605:6400:30:ef32::1"; - prefixLength = 48; - } ]; - }; - }; - defaultGateway = "107.189.30.1"; - defaultGateway6 = { - address = "2605:6400:30::1"; - interface = "ens3"; - }; - nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; - }; - - time.timeZone = "Europe/Copenhagen"; - - security.sudo.wheelNeedsPassword = false; - - nix.settings = { - auto-optimise-store = true; - trusted-users = [ - "root" - "@wheel" - ]; - }; - - - - users.groups.acme.members = [ "nginx" "turnserver" ]; - users.groups.backup.members = [ "matrix-synapse" "postgres" ]; - - # List packages installed in system profile. 
To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - vim - wget - htop - iotop - dig - ]; - - networking.firewall = { - enable = true; - checkReversePaths = "loose"; - trustedInterfaces = [ "tailscale0" ]; - allowedUDPPorts = [ config.services.tailscale.port ]; - allowedTCPPorts = [ 22 80 443 ]; - allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ]; - allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ]; - }; - - system.stateVersion = "21.05"; - -} diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix index b81b53e..07a1b93 100644 --- a/config/hosts/rudiger/services/nextcloud.nix +++ b/config/hosts/rudiger/services/nextcloud.nix @@ -4,7 +4,7 @@ enable = true; hostName = "cloud.graven.dev"; https = true; - package = pkgs.nextcloud24; + package = pkgs.nextcloud25; autoUpdateApps.enable = true; maxUploadSize = "10G"; webfinger = true; diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 098e2b1..0450f1e 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "351d8bc316bf901a81885bab5f52687ec8ccab6e", - "sha256": "1yzhz7ihkh6p2sxhp3amqfbmm2yqzaadqqii1xijymvl8alw5rrr", + "rev": "689d0e5539eddd0b0f566aee7bb18629eee7df74", + "sha256": "1rld3lk42l6b01f2gcrhq8qm9vry1awmfl29zmpiqda9dy89vbx0", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/351d8bc316bf901a81885bab5f52687ec8ccab6e.tar.gz", + "url": "https://github.com/nmattia/niv/archive/689d0e5539eddd0b0f566aee7bb18629eee7df74.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { 
@@ -17,22 +17,22 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "0e6593630071440eb89cd97a52921497482b22c6", - "sha256": "01rnzb4qv53q7rf0vw2mxybryl5xgad26ww73fgsg2nihhhmmy9j", + "rev": "7bd6b87b3712e68007823e8dd5c37ee9b114fee3", + "sha256": "0yz1xzwdq72avic7s6569i23xwbha75788jb57w08yspf6a478nd", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/0e6593630071440eb89cd97a52921497482b22c6.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/7bd6b87b3712e68007823e8dd5c37ee9b114fee3.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "release-22.05", + "branch": "release-22.11", "description": "Nix Packages collection", "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6b8ce46f34a9b3db1267f615463cd27548889ec2", - "sha256": "1minhg4q7vgbf69lf85blmamjxl1r7c1j26n7f80as9b0dn4aj7a", + "rev": "fc5b90fd72177d9bcf435b10c12bb943549748c6", + "sha256": "1nhfvc1d4dk4pp4i5f5ivjsnqkdq7kc1g1cpqmwjrmj5x8l4pf3q", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/6b8ce46f34a9b3db1267f615463cd27548889ec2.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/fc5b90fd72177d9bcf435b10c12bb943549748c6.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { @@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "329bf6bae94f54d5e4cac35253b1359f7b4f997a", - "sha256": "0g6k2r446a8vcqzab76qzvfw5k1kzk6i8m4032jmkdr1w5rhlg4b", + "rev": "16be55591873689dd9422143d3cc456b4bb97dfc", + "sha256": "0zfj4kr92bz0dajgqi3hy477jx58qr26qwdy1f76w5gk9y4kas4f", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/329bf6bae94f54d5e4cac35253b1359f7b4f997a.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/16be55591873689dd9422143d3cc456b4bb97dfc.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From 6b93088039a22208cab59ecc3ff94afc5e2c0925 Mon Sep 17 00:00:00 2001 
From: Amanda Graven Date: Sun, 22 Jan 2023 16:28:47 +0100 Subject: [PATCH 21/83] Tiny Tiny RSS: Disable registration --- config/hosts/wind/services/ttrss.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/hosts/wind/services/ttrss.nix b/config/hosts/wind/services/ttrss.nix index 3a30bee..3997afe 100644 --- a/config/hosts/wind/services/ttrss.nix +++ b/config/hosts/wind/services/ttrss.nix @@ -1,10 +1,10 @@ { config, ... }: { - services.tt-rss = { - enable = true; - registration.enable = true; - virtualHost = "rss.graven.dev"; - selfUrlPath = "https://rss.graven.dev"; - }; + services.tt-rss = { + enable = true; + registration.enable = false; + virtualHost = "rss.graven.dev"; + selfUrlPath = "https://rss.graven.dev"; + }; } From 708014dbdc15f6587f230b07c6d6e482b1954c15 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 22 Jan 2023 16:33:20 +0100 Subject: [PATCH 22/83] Update sources.json --- config/sources/nix/sources.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 0450f1e..d2a75b5 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fc5b90fd72177d9bcf435b10c12bb943549748c6", - "sha256": "1nhfvc1d4dk4pp4i5f5ivjsnqkdq7kc1g1cpqmwjrmj5x8l4pf3q", + "rev": "32b9320b43c15e743c9bc6b790d353330edf2419", + "sha256": "057ll5i95v90h6vgsbrw0f43wiynq8mzyh5ix1g2d5g4blym27va", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fc5b90fd72177d9bcf435b10c12bb943549748c6.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/32b9320b43c15e743c9bc6b790d353330edf2419.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 03650c11c034109873ca2d5d46f329215d7d840b Mon Sep 17 00:00:00 2001 
From: Amanda Graven Date: Sun, 22 Jan 2023 19:29:10 +0100 Subject: [PATCH 23/83] Nextcloud: Disable at rest encryption for better SSL --- config/hosts/rudiger/services/nextcloud.nix | 40 +++++++++++---------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix index 07a1b93..f8e7e92 100644 --- a/config/hosts/rudiger/services/nextcloud.nix +++ b/config/hosts/rudiger/services/nextcloud.nix @@ -1,22 +1,24 @@ { config, pkgs, ... }: { - services.nextcloud = { - enable = true; - hostName = "cloud.graven.dev"; - https = true; - package = pkgs.nextcloud25; - autoUpdateApps.enable = true; - maxUploadSize = "10G"; - webfinger = true; - caching.redis = true; - config = { - dbtype = "pgsql"; - dbuser = "nextcloud"; - dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself - dbname = "nextcloud"; - defaultPhoneRegion = "DK"; - adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file; - adminuser = "root"; - }; - }; + services.nextcloud = { + enable = true; +# Disables server-side file encryption for stronger SSL + enableBrokenCiphersForSSE = false; + hostName = "cloud.graven.dev"; + https = true; + package = pkgs.nextcloud25; + autoUpdateApps.enable = true; + maxUploadSize = "10G"; + webfinger = true; + caching.redis = true; + config = { + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself + dbname = "nextcloud"; + defaultPhoneRegion = "DK"; + adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file; + adminuser = "root"; + }; + }; } From 7a784af41d812013c68c613e8a71539232878140 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Wed, 25 Jan 2023 19:34:07 +0100 Subject: [PATCH 24/83] gitea: Replace deprecated options --- config/hosts/wind/services/gitea.nix | 30 +++++++++++++++++----------- 1 file changed, 18 insertions(+), 12 deletions(-) 
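Review bot: The comment `# Disables server-side file encryption for stronger SSL` does not state the precondition that makes `enableBrokenCiphersForSSE = false;` safe, and it sits at column 0 while the block around it is indented. As far as I know the option controls whether PHP's OpenSSL keeps the legacy cipher support that Nextcloud's server-side encryption relies on, so turning it off on an instance that has ever encrypted files server-side can leave those files unreadable. A more precise comment would be `# Drop legacy cipher support from PHP's OpenSSL; only valid while Nextcloud server-side encryption is unused`. The commit message should also say whether that was verified on this instance.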
diff --git a/config/hosts/wind/services/gitea.nix b/config/hosts/wind/services/gitea.nix index 58fc760..4a488d8 100644 --- a/config/hosts/wind/services/gitea.nix +++ b/config/hosts/wind/services/gitea.nix @@ -1,16 +1,22 @@ { ... }: { - services.gitea = { - enable = true; - domain = "git.graven.dev"; - rootUrl = "https://git.graven.dev"; - enableUnixSocket = true; - cookieSecure = true; - appName = "Graven Gitea"; - settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; }; - database = { - type = "postgres"; - }; - }; + services.gitea = { + enable = true; + domain = "git.graven.dev"; + rootUrl = "https://git.graven.dev"; + enableUnixSocket = true; + appName = "Graven Gitea"; + settings = { + ui = { + "DEFAULT_THEME" = "arc-green"; + }; + session = { + "COOKIE_SECURE" = true; + }; + }; + database = { + type = "postgres"; + }; + }; } From 34df05f81a3e73d759f61989d81c357a51af0f9c Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 29 Jan 2023 18:47:19 +0100 Subject: [PATCH 25/83] Add and enable tinytinyrss fever api derivation --- .../wind/services/ttrss-plugins/fever.nix | 37 +++++++++++++++++++ config/hosts/wind/services/ttrss.nix | 5 ++- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 config/hosts/wind/services/ttrss-plugins/fever.nix diff --git a/config/hosts/wind/services/ttrss-plugins/fever.nix b/config/hosts/wind/services/ttrss-plugins/fever.nix new file mode 100644 index 0000000..e7e5080 --- /dev/null +++ b/config/hosts/wind/services/ttrss-plugins/fever.nix 
@@ -0,0 +1,37 @@ +{ lib, stdenv, fetchFromGitHub, tt-rss, ... }: + +stdenv.mkDerivation rec { + pname = "tt-rss-fever-api"; + version = "2.3.0"; + + src = fetchFromGitHub { + owner = "DigitalDJ"; + repo = "tinytinyrss-fever-plugin"; + rev = "${version}"; + sha256 = "fKHnF7pXMD04sWygoRnPH5hLUyWW4Dv/e4JWtfobX/g="; + }; + + installPhase = '' + mkdir -p $out/fever + cp -r fever_api.php index.php init.php $out/fever/ + ''; + + meta = { + description = "Fever API for Tiny Tiny RSS"; + longDescription = '' + This is a plugin for Tiny Tiny RSS (tt-rss). + + It lets you use feed reader programs which interface with the Fever feed + reader API together with Tiny Tiny RSS + ''; + license = lib.licenses.gpl3Only; + homepage = "https://github.com/DigitalDJ/tinytinyrss-fever-plugin"; + maintainers = [ { + email = "amanda@graven.dev"; + name = "Amanda Graven"; + github = "agraven"; + githubId = 23525639; + } ]; + inherit (tt-rss.meta) platforms; + }; +} diff --git a/config/hosts/wind/services/ttrss.nix b/config/hosts/wind/services/ttrss.nix index 3997afe..a93a1af 100644 --- a/config/hosts/wind/services/ttrss.nix +++ b/config/hosts/wind/services/ttrss.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: { services.tt-rss = { @@ -6,5 +6,8 @@ registration.enable = false; virtualHost = "rss.graven.dev"; selfUrlPath = "https://rss.graven.dev"; + pluginPackages = [ + (pkgs.callPackage ./ttrss-plugins/fever.nix {}) + ]; }; } From 32ac87ee41e470ce6cc03825cfb426bfb8bf9104 Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Tue, 21 Feb 2023 11:30:39 +0100 Subject: [PATCH 26/83] Add ssh keys, disable gitea reg --- config/common/users.nix | 3 ++- config/hosts/wind/services/gitea.nix | 32 ++++++++++++---------------- config/sources/nix/sources.json | 18 ++++++++-------- 3 files changed, 25 insertions(+), 28 deletions(-) diff --git a/config/common/users.nix b/config/common/users.nix index 58ed82f..b2e389c 100644 --- a/config/common/users.nix +++ b/config/common/users.nix 
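Review bot: The `pluginPackages` entry added in ttrss.nix gives `rss.graven.dev` a second authentication path, and nothing in the change documents how it should be used. As far as I know, Fever clients authenticate with an unsalted MD5 of the user name and a password, so that password should be one set only for the plugin and never the tt-rss login; whether this plugin enforces a separate password is not visible here. A comment next to the list entry would record that, for example `# Fever API key is an MD5 of user:password; set a Fever-only password in the plugin preferences`. On the derivation itself, `rev = "${version}";` can be written `rev = version;`, and the fixed `sha256` already guards against the upstream tag being moved.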
@@ -23,7 +23,8 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwmREgBmckocQerEfO4XhB+dbKDsZopok37ePWHwCEj id_ed25519" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILrZWS1PBVRbdmPh8IJdIPHhK0+ZuSnQCR10a8Bl11VZAAAABHNzaDo= amanda@sharpy" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6v5D/aJuIhuIVcnzFA7ocxPMI8JgHEnxSPuD+SaLHX amanda@sharpy" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH0o3EApXEP3vZMP9sVG9CQZ122KemUQuT6BZF2uhZnHAAAABHNzaDo= amanda@ed25519_resident_nk3" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+0x2uHcuXpFQdeXeUWeLGPefWo6Sd7yy2FJlyZy8V+ amanda@tappy" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKWhc20jOFF+pVVT/Mf1ACYOtppkYWkP7NkY0/fPvjPAAAAFHNzaDphMy1uazNhLXBlcnNvbmFs ssh:a3-nk3a-personal" ]; }; }; diff --git a/config/hosts/wind/services/gitea.nix b/config/hosts/wind/services/gitea.nix index 4a488d8..87d1a5c 100644 --- a/config/hosts/wind/services/gitea.nix +++ b/config/hosts/wind/services/gitea.nix @@ -1,22 +1,18 @@ { ... }: { - services.gitea = { - enable = true; - domain = "git.graven.dev"; - rootUrl = "https://git.graven.dev"; - enableUnixSocket = true; - appName = "Graven Gitea"; - settings = { - ui = { - "DEFAULT_THEME" = "arc-green"; - }; - session = { - "COOKIE_SECURE" = true; - }; - }; - database = { - type = "postgres"; - }; - }; + services.gitea = { + enable = true; + domain = "git.graven.dev"; + rootUrl = "https://git.graven.dev"; + enableUnixSocket = true; + cookieSecure = true; + appName = "Graven Gitea"; + settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; }; + database = { + type = "postgres"; + }; + settings.service.DISABLE_REGISTRATION = true; + settings.session.COOKIE_SECURE = true; + }; } diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index d2a75b5..440f106 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
@@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "7bd6b87b3712e68007823e8dd5c37ee9b114fee3", - "sha256": "0yz1xzwdq72avic7s6569i23xwbha75788jb57w08yspf6a478nd", + "rev": "d24ea777c57b69c6b143cf11d83184ef71b0dbbf", + "sha256": "0hzjm3jvaplm9vrsmnc7ir6jpnf1hnchmm7f2m8r5rwgxkqvpkgg", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/7bd6b87b3712e68007823e8dd5c37ee9b114fee3.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/d24ea777c57b69c6b143cf11d83184ef71b0dbbf.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "32b9320b43c15e743c9bc6b790d353330edf2419", - "sha256": "057ll5i95v90h6vgsbrw0f43wiynq8mzyh5ix1g2d5g4blym27va", + "rev": "a7af1abd95b89782e24fd7f7b0fb1f12972785cd", + "sha256": "0g8vwn18n9vr14jpv1kd0a8qqdmhx47arjcf196x0ki5rqgvkpb5", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/32b9320b43c15e743c9bc6b790d353330edf2419.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/a7af1abd95b89782e24fd7f7b0fb1f12972785cd.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { @@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "16be55591873689dd9422143d3cc456b4bb97dfc", - "sha256": "0zfj4kr92bz0dajgqi3hy477jx58qr26qwdy1f76w5gk9y4kas4f", + "rev": "9ff2a3923f733849100f99102b57a0d6c7240f2e", + "sha256": "1a2dhfrckhv94j4m3q42va1z5k21qk5s25s3m1qj3gkqyxvpilc5", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/16be55591873689dd9422143d3cc456b4bb97dfc.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/9ff2a3923f733849100f99102b57a0d6c7240f2e.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From c0e5c26ae9f3f991a009dd6f14b06e77731e7baa Mon Sep 17 00:00:00 2001 
From: Emelie Graven Date: Tue, 21 Feb 2023 14:33:54 +0100 Subject: [PATCH 27/83] remove old gitea conf flag --- config/hosts/wind/services/gitea.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/config/hosts/wind/services/gitea.nix b/config/hosts/wind/services/gitea.nix index 87d1a5c..b9a86a2 100644 --- a/config/hosts/wind/services/gitea.nix +++ b/config/hosts/wind/services/gitea.nix @@ -6,7 +6,6 @@ domain = "git.graven.dev"; rootUrl = "https://git.graven.dev"; enableUnixSocket = true; - cookieSecure = true; appName = "Graven Gitea"; settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; }; database = { From e21bba436331e08407375231c2238dd3a82e54e6 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sat, 17 Jun 2023 12:22:58 +0200 Subject: [PATCH 28/83] Upgrade to 23.05 --- config/common/services/ssh.nix | 12 ++- config/hosts/grondahl/configuration.nix | 3 +- config/hosts/rudiger/configuration.nix | 2 +- config/hosts/rudiger/services/nextcloud.nix | 2 +- config/hosts/wind/configuration.nix | 9 +- config/sources/nix/sources.json | 26 ++--- config/sources/nix/sources.nix | 114 ++++++++++---------- deploy/default.nix | 6 +- 8 files changed, 89 insertions(+), 85 deletions(-) diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix index 60dceee..6beb49c 100644 --- a/config/common/services/ssh.nix +++ b/config/common/services/ssh.nix 
@@ -2,13 +2,15 @@ { services.openssh = { enable = true; - permitRootLogin = "no"; - passwordAuthentication = false; - kbdInteractiveAuthentication = false; hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ]; - kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ]; - macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ]; + settings = { + KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ]; + Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ]; + PermitRootLogin = "no"; + KbdInteractiveAuthentication = false; + PasswordAuthentication = false; + }; }; programs.ssh.knownHosts = { diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix index c693a9f..d260eca 100644 --- a/config/hosts/grondahl/configuration.nix +++ b/config/hosts/grondahl/configuration.nix @@ -20,9 +20,8 @@ ]; boot.loader.grub.enable = true; - boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/vda"; - boot.kernelPackages = pkgs.linuxPackages_5_10; + boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; networking = { hostName = "grondahl"; useDHCP = false; diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix index 0b7f6f5..ba07653 100644 --- a/config/hosts/rudiger/configuration.nix +++ b/config/hosts/rudiger/configuration.nix @@ -17,8 +17,8 @@ ]; boot.loader.grub.enable = true; - boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/sda"; + boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; boot.supportedFilesystems = ["zfs"]; services.zfs.autoSnapshot.enable = false; diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix index f8e7e92..8c2a635 100644 --- a/config/hosts/rudiger/services/nextcloud.nix 
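Review bot: The `Macs` list moved into `settings` still names `hmac-sha2-512-etm@openssh.com` twice, so only two distinct MACs are offered. The duplicate was carried over from the old `macs` line and looks like a typo for the 256-bit variant; if so, the line should read `Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];`, otherwise drop the repeated entry. While the block is being touched, a short comment stating that key exchange and MACs are restricted on purpose would keep a later upgrade from silently loosening them. The attribute set continues past the end of the hunk (`programs.ssh.knownHosts`), so anything that depends on these settings there is not visible.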
+++ b/config/hosts/rudiger/services/nextcloud.nix @@ -6,7 +6,7 @@ enableBrokenCiphersForSSE = false; hostName = "cloud.graven.dev"; https = true; - package = pkgs.nextcloud25; + package = pkgs.nextcloud26; autoUpdateApps.enable = true; maxUploadSize = "10G"; webfinger = true; diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index a7c83f7..094c57d 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix @@ -1,8 +1,8 @@ { config, pkgs, lib, ... }: { - imports = [ - ./hardware-configuration.nix + imports = [ + ./hardware-configuration.nix ../../common/services/ssh.nix ../../common/services/tailscale.nix ../../common/users.nix @@ -22,9 +22,8 @@ ]; boot.loader.grub.enable = true; - boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/sda"; - boot.kernelPackages = pkgs.linuxPackages_5_10; + boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; boot.supportedFilesystems = ["zfs"]; services.zfs.autoSnapshot.enable = false; services.zfs.autoScrub.enable = true; @@ -40,7 +39,7 @@ users.users.deploy-web = { isNormalUser = true; extraGroups = [ "nginx" ]; - openssh.authorizedKeys.keys = [ + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop" ]; }; diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 440f106..fe11bbb 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
@@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "689d0e5539eddd0b0f566aee7bb18629eee7df74", - "sha256": "1rld3lk42l6b01f2gcrhq8qm9vry1awmfl29zmpiqda9dy89vbx0", + "rev": "0ebb80e003c26d5388a9b74645fbdcfca3bdd0ef", + "sha256": "0wpnk1n4vjyqwjjrm6dvkyh7xr7983rszfhfcg31v106qhfnh41c", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/689d0e5539eddd0b0f566aee7bb18629eee7df74.tar.gz", + "url": "https://github.com/nmattia/niv/archive/0ebb80e003c26d5388a9b74645fbdcfca3bdd0ef.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { @@ -17,22 +17,22 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "d24ea777c57b69c6b143cf11d83184ef71b0dbbf", - "sha256": "0hzjm3jvaplm9vrsmnc7ir6jpnf1hnchmm7f2m8r5rwgxkqvpkgg", + "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89", + "sha256": "05a5cfxy9qzb6qq5jrkb65zasa0cmvsym592amjx9sbn7m8858ka", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/d24ea777c57b69c6b143cf11d83184ef71b0dbbf.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/429f232fe1dc398c5afea19a51aad6931ee0fb89.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "release-22.11", + "branch": "release-23.05", "description": "Nix Packages collection", "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a7af1abd95b89782e24fd7f7b0fb1f12972785cd", - "sha256": "0g8vwn18n9vr14jpv1kd0a8qqdmhx47arjcf196x0ki5rqgvkpb5", + "rev": "083cb1a04d196e35b9c8293a379266c854e284c1", + "sha256": "0fl9cq9h8i0dc50b1h0snmmcb3vsxz4d14jzsjw4ixfd2bm4dl0n", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/a7af1abd95b89782e24fd7f7b0fb1f12972785cd.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/083cb1a04d196e35b9c8293a379266c854e284c1.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { 
@@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "9ff2a3923f733849100f99102b57a0d6c7240f2e", - "sha256": "1a2dhfrckhv94j4m3q42va1z5k21qk5s25s3m1qj3gkqyxvpilc5", + "rev": "d8c3e403978da7b11a5dea1d9e8fd4f918668fdd", + "sha256": "1k145w7yxiwg337hki4vwc398q94j7smhy7bs2j91jahcxy8fb2x", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/9ff2a3923f733849100f99102b57a0d6c7240f2e.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/d8c3e403978da7b11a5dea1d9e8fd4f918668fdd.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } diff --git a/config/sources/nix/sources.nix b/config/sources/nix/sources.nix index 9a01c8a..fe3dadf 100644 --- a/config/sources/nix/sources.nix +++ b/config/sources/nix/sources.nix 
@@ -10,33 +10,34 @@ let let name' = sanitizeName name + "-src"; in - if spec.builtin or true then - builtins_fetchurl { inherit (spec) url sha256; name = name'; } - else - pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; name = name'; } + else + pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; fetch_tarball = pkgs: name: spec: let name' = sanitizeName name + "-src"; in - if spec.builtin or true then - builtins_fetchTarball { name = name'; inherit (spec) url sha256; } - else - pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; + if spec.builtin or true then + builtins_fetchTarball { name = name'; inherit (spec) url sha256; } + else + pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; fetch_git = name: spec: let ref = - if spec ? ref then spec.ref else + spec.ref or ( if spec ? branch then "refs/heads/${spec.branch}" else - if spec ? tag then "refs/tags/${spec.tag}" else - abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; - submodules = if spec ? submodules then spec.submodules else false; + if spec ? tag then "refs/tags/${spec.tag}" else + abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!" + ); + submodules = spec.submodules or false; submoduleArg = let nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; emptyArgWithWarning = - if submodules == true + if submodules then builtins.trace ( 
@@ -44,15 +45,15 @@ let + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " + "does not support them" ) - {} - else {}; + { } + else { }; in - if nixSupportsSubmodules - then { inherit submodules; } - else emptyArgWithWarning; + if nixSupportsSubmodules + then { inherit submodules; } + else emptyArgWithWarning; in - builtins.fetchGit - ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); + builtins.fetchGit + ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); fetch_local = spec: spec.path; @@ -86,16 +87,16 @@ let hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; hasThisAsNixpkgsPath = == ./.; in - if builtins.hasAttr "nixpkgs" sources - then sourcesNixpkgs - else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then - import {} - else - abort - '' - Please specify either (through -I or NIX_PATH=nixpkgs=...) or - add a package called "nixpkgs" to your sources.json. - ''; + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import { } + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; # The actual fetching function. fetch = pkgs: name: spec: 
@@ -115,13 +116,13 @@ let # the path directly as opposed to the fetched source. replace = name: drv: let - saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; + saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name; ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; in - if ersatz == "" then drv else - # this turns the string into an actual Nix path (for both absolute and - # relative paths) - if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}"; + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}"; # Ports of functions for older nix versions @@ -132,7 +133,7 @@ let ); # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 - range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); + range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1); # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); 
@@ -143,43 +144,46 @@ let concatStrings = builtins.concatStringsSep ""; # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 - optionalAttrs = cond: as: if cond then as else {}; + optionalAttrs = cond: as: if cond then as else { }; # fetchTarball version that is compatible between all the versions of Nix builtins_fetchTarball = { url, name ? null, sha256 }@attrs: let inherit (builtins) lessThan nixVersion fetchTarball; in - if lessThan nixVersion "1.12" then - fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) - else - fetchTarball attrs; + if lessThan nixVersion "1.12" then + fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; })) + else + fetchTarball attrs; # fetchurl version that is compatible between all the versions of Nix builtins_fetchurl = { url, name ? null, sha256 }@attrs: let inherit (builtins) lessThan nixVersion fetchurl; in - if lessThan nixVersion "1.12" then - fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) - else - fetchurl attrs; + if lessThan nixVersion "1.12" then + fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; })) + else + fetchurl attrs; # Create the final "sources" from the config mkSources = config: - mapAttrs ( - name: spec: - if builtins.hasAttr "outPath" spec - then abort - "The values in sources.json should not have an 'outPath' attribute" - else - spec // { outPath = replace name (fetch config.pkgs name spec); } - ) config.sources; + mapAttrs + ( + name: spec: + if builtins.hasAttr "outPath" spec + then + abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = replace name (fetch config.pkgs name spec); } + ) + config.sources; # The "config" used by the fetchers mkConfig = { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null - , sources ? 
if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) + , sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile) , system ? builtins.currentSystem , pkgs ? mkPkgs sources system }: rec { @@ -191,4 +195,4 @@ let }; in -mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } +mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/deploy/default.nix b/deploy/default.nix index ee07e2e..023444f 100644 --- a/deploy/default.nix +++ b/deploy/default.nix @@ -13,21 +13,21 @@ in import "${sources.nixus}" {} ({ config, ... }: { nodes = { wind = { lib, config, ... }: { - host = "emelie@graven.dev"; + host = "graven.dev"; configuration = ../config/hosts/wind/configuration.nix; switchTimeout = 300; successTimeout = 300; ignoreFailingSystemdUnits = true; }; grondahl = { lib, config, ... }: { - host = "emelie@anarkafem.dev"; + host = "anarkafem.dev"; configuration = ../config/hosts/grondahl/configuration.nix; successTimeout = 300; switchTimeout = 300; ignoreFailingSystemdUnits = true; }; rudiger = { lib, config, ... }: { - host = "emelie@cloud.graven.dev"; + host = "cloud.graven.dev"; configuration = ../config/hosts/rudiger/configuration.nix; switchTimeout = 300; successTimeout = 300; From 69f780a9f26ed04f484cedd79ea2a5231da96126 Mon Sep 17 00:00:00 2001 
From: Amanda Graven Date: Sat, 17 Jun 2023 17:16:59 +0200 Subject: [PATCH 29/83] Configure borg backup for gitea --- .../pubkeys/despondos_host_ed25519_key.pub | 2 +- config/hosts/wind/configuration.nix | 1 + config/hosts/wind/data/secrets/borg_pass | Bin 0 -> 87 bytes config/hosts/wind/data/secrets/secrets.nix | Bin 977 -> 1206 bytes config/hosts/wind/data/secrets/ssh_key | Bin 421 -> 421 bytes config/hosts/wind/data/secrets/ssh_key.pub | Bin 115 -> 117 bytes config/hosts/wind/services/borg.nix | 16 ++++++++++++++++ config/hosts/wind/services/gitea.nix | 6 +++--- 8 files changed, 21 insertions(+), 4 deletions(-) create mode 100644 config/hosts/wind/data/secrets/borg_pass create mode 100644 config/hosts/wind/services/borg.nix diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/config/common/data/pubkeys/despondos_host_ed25519_key.pub index 6367ffa..6c326b4 100644 --- a/config/common/data/pubkeys/despondos_host_ed25519_key.pub +++ b/config/common/data/pubkeys/despondos_host_ed25519_key.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4C5OgZpxoF42L5rPqwejs+Q1ViN9TM9o/fEbpnPFtA diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index 094c57d..bb597df 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix @@ -7,6 +7,7 @@ ../../common/services/tailscale.nix ../../common/users.nix ./services/acme.nix + ./services/borg.nix ./services/coturn.nix ./services/nginx.nix ./services/nitter.nix diff --git a/config/hosts/wind/data/secrets/borg_pass b/config/hosts/wind/data/secrets/borg_pass new file mode 100644 index 0000000000000000000000000000000000000000..1d656217681bda45a8bf9c1de4d7cab1ab594aa5 GIT binary patch literal 87 zcmZQ@_Y83kiVO&0sClve%B=S2i`A<0DsSFM3s9ZM!{nsF5}C6_NSA4v{)Htk;)S&v uFI?DUdg)K2Tkpx!o6f|Y(Eap>|7d5|gVokIi=)p<@EyLP!?&-MEf)Zo>L||u literal 0 HcmV?d00001 
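Review bot: The pinned host key in `despondos_host_ed25519_key.pub` is replaced in a commit whose message only mentions configuring the borg backup, so the rotation is undocumented. This file presumably feeds `programs.ssh.knownHosts`, and the borg jobs added later in this patch connect to `despondos.nao.sh`, which makes this key the only thing authenticating the backup target. The commit message should say why the key changed, and the new fingerprint should be checked against the server out of band (for example with `ssh-keygen -lf` on the host's own key file) before this is deployed.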
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/config/hosts/wind/data/secrets/secrets.nix index b00061f2e447a3f121aedda3a1f0048dad8d45e4..7b552e07db4096a1ff3c56167436a11d6d78fd00 100644 GIT binary patch literal 1206 zcmZQ@_Y83kiVO&0SZOlh<0b{^u3sAu-rcYEJ&@Pfm(j{2{|n2l&-{5k(ZAiEgoKJd zYP#)q?ty%!j8WuWo2u6EtQV1=ll!#poM!L)TPO7LWz*3Jn_qRkap&5WGutNDzVyCu zeUHxtRU5VqlOngs)CXIY;=%OGLP zi5YSCbDJLJ)_&*tq$d^}`MTfrn^dMi?!9FTXYaJqbD8jG)?tC#tdw+@McXo)&6OYZ zPEpwGZ)Ee*zw`KBC7q5XZ?rgFIy4@BRQY|xIoUqGL@_>*=iwxWZPKp<4|`;&CTvwu zFDtyd_Hsnv~u7dA&GhrZH!^yXX3B$2}Bhf5BfR64J7@DJay19x(Nd**0) z&kI(230zXo2S!%yowFBa7bS%Hf_RW_bS$BfsX@O1iJ2q{ACJBoDr>d zy5y}4=)^XI&&o8W6=KmR~CnV8Mgz0zu{#g69nlM7bN zUoP?XqAxG~S8Yg5+0o`b<-cm;l8=X`I_>PUUi&s; zYdRm#H_y}ey_cL(X`B9q`+UluUd?F-&i_%JxXo>igu?A0t)Fqt7gmMWH)dSRaJs+G zs>4OqcTF3kh~ND9jLxau-HZ3uuf26<#SC7bAB-0_mWVcbo=yyzR=hzc{M%iT+Swe3 zzMPb}Hr?xm)2%Hw+h$a1x!-^M^6k;tO>^G7f1O;{WFE}??2hx2qe1_#On+H_#BdAC zMYa4rzjjqEXrDQcA?;_LUuQ#qf!=TN{f74fHcc)+omH_U{`BF4m6vALa7=3bTH;uK z&(<*NT_o@S`h|{m0Zr%Zx1=aa3;iy(CzPZHS;R%M zFGOy1 zHyamP-WI)ez4=elRqlkcl=#D!ePUkje`z_tg}rWFs?7Pr2iIL)th4l4m&c>J`=y|`IZUTl2-`P-5_!3i5}w*663u>H4C@x;|W%fsIVL!U4o=sCT0 zUh0Kq{`YdaScJAelGM3rF?CIAQ1Qa`TEd2PZpGcR{W}?! 
h&A9XN)9L7oUbP;=#q+oK^_r{Po;pEX!`(vv768rjY`y>h literal 977 zcmZQ@_Y83kiVO&0DAE?V-18x*!Ryz|;-Hl5H@f#kf0ngwa9Vk&!SLOx_qWXb7zA#$ z%zM8-e{WSfcfQ5G*IW|{3J)gSI6Y&oTUih1#swZt7k}o5*ydLA&RUpz26ApLmwfxHRdkV4Xt<)DU=)9soZlkUR3R>6lHv5@RcX9!QztH^>dRsp0{>t39Z&X+obZp{GyT=VlM;^$DmfO{+}-}|NcHOJwhKMB8QeZMDcWP%mB%{; z{UldhV}Gx>bhY13-V4Q+DLLDB@4CN=tKI7_SAf+G{tsfWoHrzu>*r1_uYRz>FGb7h z7wdev$5U6zwBNm+c}DuPLXG17Er(uAes%n3!+Il*?S8i}m;7EBrR}M~k^lSJ=1&iW zEw~I9x!6zA68dx^>E!#Q#XroiuAZWy@$l!IoT(>Uy5xo4EUK7#W3~A2G|lN@XZ&RZ zcD8x8RCQPyzuCdP=>5S-WgG7~=tu>3y-8a>Rh8whaK{{p8m3V0TmP0-PTneQ-!`Lg z%>{Xf)NWNS$?e-0Sn)4Rkng_p$$R;dZ@0hxSheKyOV3%Kv$;6Fn19?;9Li#9{Yf}c zU)}A2LUgKC`ld%$#5ONB%RMg1yzfwkBJ0s==PgW}Z)BIx@vojVS$wa-+r}?R+Ui?2 zxLWkFBuw-?X2q=YTE@a%FGH@+s0+8E;L`&}Lu1bMMtd4pIANWJ>m@d^mDW zaBDATiu$kn23J1|vwU6lYq_}0w}%PglfL*o{l90WJA-15#0`f}tM^{{QgP-@4x{fIW9ieT-8KhH)@S_s zGTbWOx#o+=tIh1GmVL(3P4brNH`m22IKSj|d8SuJyll}%^Y0g4OiDX+wz1U4d;646 zFJ|u5Hn;q*Gf$`g-1CH{g$?W$(Lbz=EpiJG^6=LAnP*ci0+ z&~e3?YO8U*lM2>l5^#) zY%*VUK`iH8@2iSSV`si7@LqCy{-!?Xn=(tXyDrz|K3%uyB!k{{;ctp_q!t(FZJU~Q i^6h=Qpi3%04b^8%z1=&hV@ZsrPTJnjZ|5a-{R99Pn9M)` literal 421 zcmZQ@_Y83kiVO&0_+pv7JbUJ*S*-7?t0vA~_UM6l{^PliwlZ`idah3-0zz*rRnymmhHX2CW*yIEPTY>xrkeE znbQippm%FsI_Eu`c5=Qx&*PRLACa&(oX&!wH})7#+i_X%L)(lek@~k^MAiIp@{x{u zp(t>0w(`+*G2Qd&qIUw%?62er+*jCL68%Gp`Ep&ywP(xMUv80`GQaOoZo1c+%l-$~ zm%UsVAl&=eSZtS`?bs4#C%;H zIwv>v$EQE{mb+?b#j)iWdgN_sQkt~WYx&+ip8q}g?{@Uab#;D9%QZEU5&bjulBk5< zm+X^|rW*b_#PcPWbNQwBVnOG;F0$_wxqM03gH!^pMr%}o9Awp|9MR2r)rPU zgRX-%tbga47ThfJ*^(!DSnPIQ#-Cx^+LN%6*Gecw1UMY`z(*ReD7u}qxa{0gkp5=AL zaj8={gerWEIuyFUPJcCdN$T}Q%{sjAQf&8haW*|mxF?`vccOw|7?mMHKES6h2_ySlkURL>j$U!OIo diff --git a/config/hosts/wind/services/borg.nix b/config/hosts/wind/services/borg.nix new file mode 100644 index 0000000..9c22666 --- /dev/null +++ b/config/hosts/wind/services/borg.nix 
@@ -0,0 +1,16 @@ +{ config, ... }: + +{ + services.borgbackup.jobs = { + gitea = { + paths = "/var/lib/gitea"; + repo = "ssh://borg@despondos.nao.sh//mnt/slab/backup/wind/gitea"; + encryption.mode = "repokey"; + encryption.passCommand = "cat ${config.secrets.files.borg_pass_gitea.file}"; + environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_gitea.file}"; + compression = "auto,zstd"; + startAt = "*-*-* 02:15:00"; + user = "gitea"; + }; + }; +} diff --git a/config/hosts/wind/services/gitea.nix b/config/hosts/wind/services/gitea.nix index b9a86a2..ec0d191 100644 --- a/config/hosts/wind/services/gitea.nix +++ b/config/hosts/wind/services/gitea.nix @@ -3,9 +3,6 @@ { services.gitea = { enable = true; - domain = "git.graven.dev"; - rootUrl = "https://git.graven.dev"; - enableUnixSocket = true; appName = "Graven Gitea"; settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; }; database = { @@ -13,5 +10,8 @@ }; settings.service.DISABLE_REGISTRATION = true; settings.session.COOKIE_SECURE = true; + settings.server.DOMAIN = "git.graven.dev"; + settings.server.ROOT_URL = "https://git.graven.dev"; + settings.server.PROTOCOL = "http+unix"; }; } From 8c1c1e864b78c5a5a8d30be72c4bdc2e03a0c186 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Wed, 21 Jun 2023 17:35:12 +0200 Subject: [PATCH 30/83] Remaining backup jobs for wind --- config/hosts/wind/data/secrets/secrets.nix | Bin 1206 -> 1548 bytes config/hosts/wind/services/borg.nix | 20 ++++++++++++++++++++ config/sources/nix/sources.json | 12 ++++++------ 3 files changed, 26 insertions(+), 6 deletions(-) 
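Review bot: The `gitea` job in the new borg.nix has no retention policy, so the repository on `despondos.nao.sh` grows without bound and old archives are never expired. Adding `prune.keep = { daily = 7; weekly = 4; monthly = 6; };` to the job would fix that; the numbers are only an example. The `postgres` and `synapse` jobs added to the same file in patch 30 have the same gap. Two things this hunk cannot show are worth confirming: that the files behind `borg_pass_gitea` and `ssh_key_gitea` are readable by `user = "gitea"` and by nobody else, and that the key is restricted on the server to `borg serve` for this one repository path, so a compromise of this host cannot read or delete other backups.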
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/config/hosts/wind/data/secrets/secrets.nix index 7b552e07db4096a1ff3c56167436a11d6d78fd00..d95a37cdb202d2b8128269925995f2641737b549 100644 GIT binary patch literal 1548 zcmZQ@_Y83kiVO&0ct4}$lXr_?i^i#ywr8u8k8a#8^fO0nx4d@NCfWS+b_S1T2u9A@ zzo$~&r7|P$tgG(KN^bfPx$KdC2YH0WKyF6OOA#(HEz;{c_^6y@E^GnHbL>7J5B@@9qz=!Z)mp zFIkp6NI$Q9@`YJKf`wYq3Z-UstF&Tm$JueM^D_wno2r_1_m zYxZXbJb9t+Wn9YK{sT*PUPCWAM2)`@+J~_o*lKHpS&7r|k4&{2iZUcUe$C zW|Fh#QdtWlyMRL))@#=|-S};O=l9taO)FLRygqvH^*z^}MhmXC)c^Lhi+z2aE%Dj4 z$UmJKhvXQ(*z`80O<5uFcF*+5-Gy7vvR%99+Eb&+#mksKJ2rd0yKK&)Z+H$OOkv!8$O z*43<{5w=HXbJWr=M|Zg2cK)lkU4Lqba)@+9NX5-d+iRj6PPofPukq8+n8N#B@~Mzo zg3y{(-XHG#Q3z74zdJwT;+zE<%9Xnkl(LG-d!i$`Qv%D@p5g5~7HYUG{4^PV(kOFE4rSNuh@lip3i=l;cc@1M8o@kJt1t* z3gn7J;)UamuDz_DQ$z*WBXHs7Nz)+<&*}S3kc}hsVJ(PM)VN zQSMgaDSpK}9zKXLu+fhH@@3|C@#z~9A5ADdT9tK9b(S<& z_N1>3$9yLoX6JEF+_bWF*Rgc%qcZoV|9M)QYqBoFF6d6+?$|{N8{3}#N~j2756_%c zy7`mC;k!birwjiI)~tKGfAc3bwt(Vk+|^a#AG`d5xPw$!qjDZIyq#jc$@{;il#TG+ z$=h}NgxQJ?n}-$kC$?!W*{>1*kh50I`@w z@5oD4O~wp|z8L0p2w-B*_*RXkxFR#y}j&RIkzIag!kq= z=cy|;vMb#-n-lVQ@v+G3>QN?_*|bf1a(8T>KYRTqC&`7+d?F<>%92mtigV46iO~|i zx9F|h?B8bLH+P<0zcg;g%mo3{Z#1UIP0?Lg>1O3LWxMa^T@0(!oia);ort`;Z_e~< zO3xhLuJbh6IW=i%XRveyTNj_;B(^kBy#-}|XGneI6S+SBwc2arl)=2rF$%4B)#FjTP005|0^3VVP literal 1206 zcmZQ@_Y83kiVO&0SZOlh<0b{^u3sAu-rcYEJ&@Pfm(j{2{|n2l&-{5k(ZAiEgoKJd zYP#)q?ty%!j8WuWo2u6EtQV1=ll!#poM!L)TPO7LWz*3Jn_qRkap&5WGutNDzVyCu zeUHxtRU5VqlOngs)CXIY;=%OGLP zi5YSCbDJLJ)_&*tq$d^}`MTfrn^dMi?!9FTXYaJqbD8jG)?tC#tdw+@McXo)&6OYZ zPEpwGZ)Ee*zw`KBC7q5XZ?rgFIy4@BRQY|xIoUqGL@_>*=iwxWZPKp<4|`;&CTvwu zFDtyd_Hsnv~u7dA&GhrZH!^yXX3B$2}Bhf5BfR64J7@DJay19x(Nd**0) z&kI(230zXo2S!%yowFBa7bS%Hf_RW_bS$BfsX@O1iJ2q{ACJBoDr>d zy5y}4=)^XI&&o8W6=KmR~CnV8Mgz0zu{#g69nlM7bN zUoP?XqAxG~S8Yg5+0o`b<-cm;l8=X`I_>PUUi&s; zYdRm#H_y}ey_cL(X`B9q`+UluUd?F-&i_%JxXo>igu?A0t)Fqt7gmMWH)dSRaJs+G zs>4OqcTF3kh~ND9jLxau-HZ3uuf26<#SC7bAB-0_mWVcbo=yyzR=hzc{M%iT+Swe3 
zzMPb}Hr?xm)2%Hw+h$a1x!-^M^6k;tO>^G7f1O;{WFE}??2hx2qe1_#On+H_#BdAC zMYa4rzjjqEXrDQcA?;_LUuQ#qf!=TN{f74fHcc)+omH_U{`BF4m6vALa7=3bTH;uK z&(<*NT_o@S`h|{m0Zr%Zx1=aa3;iy(CzPZHS;R%M zFGOy1 zHyamP-WI)ez4=elRqlkcl=#D!ePUkje`z_tg}rWFs?7Pr2iIL)th4l4m&c>J`=y|`IZUTl2-`P-5_!3i5}w*663u>H4C@x;|W%fsIVL!U4o=sCT0 zUh0Kq{`YdaScJAelGM3rF?CIAQ1Qa`TEd2PZpGcR{W}?! h&A9XN)9L7oUbP;=#q+oK^_r{Po;pEX!`(vv768rjY`y>h diff --git a/config/hosts/wind/services/borg.nix b/config/hosts/wind/services/borg.nix index 9c22666..7b8822e 100644 --- a/config/hosts/wind/services/borg.nix +++ b/config/hosts/wind/services/borg.nix @@ -12,5 +12,25 @@ startAt = "*-*-* 02:15:00"; user = "gitea"; }; + postgres = { + paths = "/var/lib/postgresql/backup"; + repo = "ssh://borg@despondos.nao.sh//mnt/slab/backup/wind/postgres"; + encryption.mode = "repokey"; + encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}"; + environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}"; + compression = "auto,zstd"; + startAt = "*-*-* 03:15:00"; + user = "postgres"; + }; + synapse = { + paths = "/var/lib/matrix-synapse"; + repo = "ssh://borg@despondos.nao.sh//mnt/slab/backup/wind/synapse"; + encryption.mode = "repokey"; + encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}"; + environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}"; + compression = "auto,zstd"; + startAt = "*-*-* 03:15:00"; + user = "matrix-synapse"; + }; }; } diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index fe11bbb..73f29b7 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
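Review bot: The `postgres` job archives `/var/lib/postgresql/backup`, but nothing in this series shows what writes dumps into that directory. If `services.postgresqlBackup` or an equivalent dump is not enabled on this host, the job will archive an empty or stale directory every night and still report success. I would add a comment on `paths` naming the producer, such as `# filled by services.postgresqlBackup, which must finish before 03:15`, and check that the dump's schedule really precedes `startAt`. The `postgres` and `synapse` jobs also both start at `03:15:00` against the same server; staggering them, as the `02:15:00` gitea job already does, would avoid two uploads competing. The enclosing `services.borgbackup.jobs` set starts above this hunk.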
@@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "0ebb80e003c26d5388a9b74645fbdcfca3bdd0ef", - "sha256": "0wpnk1n4vjyqwjjrm6dvkyh7xr7983rszfhfcg31v106qhfnh41c", + "rev": "914aba08a26cb10538b84d00d6cfb01c9776d80c", + "sha256": "0gx316gc7prjay5b0cr13x4zc2pdbiwxkfkpjvrlb2rml80lm4pm", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/0ebb80e003c26d5388a9b74645fbdcfca3bdd0ef.tar.gz", + "url": "https://github.com/nmattia/niv/archive/914aba08a26cb10538b84d00d6cfb01c9776d80c.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "083cb1a04d196e35b9c8293a379266c854e284c1", - "sha256": "0fl9cq9h8i0dc50b1h0snmmcb3vsxz4d14jzsjw4ixfd2bm4dl0n", + "rev": "c38961c681b546eb4bedc6ea6e5fb19b012a1612", + "sha256": "1xvf4q67k3wvq1y9wbm0mnmxpixm6ljniqagn5rbwmh0vd5gggrx", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/083cb1a04d196e35b9c8293a379266c854e284c1.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/c38961c681b546eb4bedc6ea6e5fb19b012a1612.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 33ba5078e7d7285014519ab2b834856d91f39aee Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Tue, 3 Oct 2023 17:03:44 +0200 Subject: [PATCH 31/83] Run nix gc weekly --- config/common/configuration/nix.nix | 12 ++++++++++++ config/hosts/grondahl/configuration.nix | 1 + config/hosts/rudiger/configuration.nix | 1 + config/hosts/wind/configuration.nix | 1 + 4 files changed, 15 insertions(+) create mode 100644 config/common/configuration/nix.nix diff --git a/config/common/configuration/nix.nix b/config/common/configuration/nix.nix new file mode 100644 index 0000000..8540329 --- /dev/null +++ b/config/common/configuration/nix.nix 
@@ -0,0 +1,12 @@ +{ ... }: + +# Configuration options for the nix package manager +{ + nix.gc = { + # Run garbage collection automatically + automatic = true; + # Run it once a week + dates = "weekly"; + options = "--delete-older-than 30d"; + }; +} diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix index d260eca..1545408 100644 --- a/config/hosts/grondahl/configuration.nix +++ b/config/hosts/grondahl/configuration.nix @@ -5,6 +5,7 @@ [ # Include the results of the hardware scan. ./hardware-configuration.nix ./data/secrets/secrets.nix + ../../common/configuration/nix.nix ../../common/services/ssh.nix ../../common/services/tailscale.nix ../../common/users.nix diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix index ba07653..212a48c 100644 --- a/config/hosts/rudiger/configuration.nix +++ b/config/hosts/rudiger/configuration.nix @@ -5,6 +5,7 @@ [ ./hardware-configuration.nix ./data/secrets/secrets.nix + ../../common/configuration/nix.nix ../../common/services/ssh.nix ../../common/services/tailscale.nix ../../common/users.nix diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index bb597df..01ce383 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix @@ -3,6 +3,7 @@ { imports = [ ./hardware-configuration.nix + ../../common/configuration/nix.nix ../../common/services/ssh.nix ../../common/services/tailscale.nix ../../common/users.nix From 1c537e6c1bd04858ee1d5ffd3e82d3f1fa0e447c Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Mon, 9 Oct 2023 21:13:28 +0200 Subject: [PATCH 32/83] change from release to nixos branch --- config/sources/nix/sources.json | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 73f29b7..6c4cb37 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
@@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "914aba08a26cb10538b84d00d6cfb01c9776d80c", - "sha256": "0gx316gc7prjay5b0cr13x4zc2pdbiwxkfkpjvrlb2rml80lm4pm", + "rev": "9341b1027da2c2f95f8e808a3cb4b403e0a62c77", + "sha256": "1l996s518iv7bcfzzhxlsn35ahbslpbvhl3ds1zpnama7la23y9b", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/914aba08a26cb10538b84d00d6cfb01c9776d80c.tar.gz", + "url": "https://github.com/nmattia/niv/archive/9341b1027da2c2f95f8e808a3cb4b403e0a62c77.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { @@ -17,22 +17,22 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89", - "sha256": "05a5cfxy9qzb6qq5jrkb65zasa0cmvsym592amjx9sbn7m8858ka", + "rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0", + "sha256": "0cv2aivvw83j1x0wafhjcnpwcnglrrz3z726i9nvs2nkxs29h34w", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/429f232fe1dc398c5afea19a51aad6931ee0fb89.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/bb2db418b616fea536b1be7f6ee72fb45c11afe0.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "release-23.05", + "branch": "nixos-23.05", "description": "Nix Packages collection", "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c38961c681b546eb4bedc6ea6e5fb19b012a1612", - "sha256": "1xvf4q67k3wvq1y9wbm0mnmxpixm6ljniqagn5rbwmh0vd5gggrx", + "rev": "5a237aecb57296f67276ac9ab296a41c23981f56", + "sha256": "166yxg4ff2jxvl9mbngd90dr1k3rdj6xmiccga41xynhh2zr0vmb", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/c38961c681b546eb4bedc6ea6e5fb19b012a1612.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/5a237aecb57296f67276ac9ab296a41c23981f56.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { 
@@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "d8c3e403978da7b11a5dea1d9e8fd4f918668fdd", - "sha256": "1k145w7yxiwg337hki4vwc398q94j7smhy7bs2j91jahcxy8fb2x", + "rev": "b54dc6b332d4f26df1bed34c18ccec3d41e1ac40", + "sha256": "120ip3549sm1z79p7fvm0kv6gn0v7yb6nr530q25xdz537gq3a3p", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/d8c3e403978da7b11a5dea1d9e8fd4f918668fdd.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/b54dc6b332d4f26df1bed34c18ccec3d41e1ac40.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From b2bd89105d18e5120cf840c1776370a73c48a2df Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Fri, 13 Oct 2023 13:32:53 +0200 Subject: [PATCH 33/83] feat: Add sliding sync proxy --- config/hosts/wind/services/nginx.nix | 5 +++-- config/hosts/wind/services/synapse.nix | 4 ++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/config/hosts/wind/services/nginx.nix b/config/hosts/wind/services/nginx.nix index f9253bb..875a586 100644 --- a/config/hosts/wind/services/nginx.nix +++ b/config/hosts/wind/services/nginx.nix @@ -5,8 +5,9 @@ enableACME = true; forceSSL = true; locations."/".root = "/var/www/graven.dev/public"; - locations."/_matrix".proxyPass = "http://127.0.0.1:8008"; - locations."/_synapse".proxyPass = "http://127.0.0.1:8008"; + locations."~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = "http://127.0.0.1:8008"; + locations."~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = "http://127.0.0.1:8008"; + locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)".proxyPass = "http://127.0.0.1:8009"; locations."/.well-known/matrix/" = { root = "/var/www/matrix/public"; extraConfig = '' diff --git a/config/hosts/wind/services/synapse.nix b/config/hosts/wind/services/synapse.nix index c5899eb..8e236e2 100644 --- a/config/hosts/wind/services/synapse.nix +++ b/config/hosts/wind/services/synapse.nix 
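Review bot: The line `locations."~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = "http://127.0.0.1:8008";` is added twice in the nginx.nix hunk, and Nix rejects a repeated attribute path with an "already defined" error, so the file should not evaluate until one copy is dropped. The sliding-sync path `_matrix/client/unstable/org.matrix.msc3575/sync` is also matched by that first regex, so which upstream receives it depends on the order in which the regex locations are emitted; setting an explicit `priority` on the sliding-sync location would remove the ambiguity. The dots in `org.matrix.msc3575` are unescaped and match any character. Narrowing `/_synapse` to `/_synapse/client` stops proxying the rest of that tree from this vhost, which looks intentional and deserves a one-line comment. The virtual host's attribute set begins and ends outside the hunk.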
@@ -5,6 +5,10 @@ enable = true; withJemalloc = true; extraConfigFiles = [ config.secrets.files.synapse_extra_config.file ]; + sliding-sync = { + enable = true; + settings.SYNCV3_SERVER = "https://graven.dev"; + }; settings = { server_name = "graven.dev"; enable_registration = false; From 86fef3990ed32d5cdd2e4b6825ec3ca94df3c99f Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Mon, 16 Oct 2023 07:56:23 +0200 Subject: [PATCH 34/83] Finish configuring sliding sync --- config/hosts/wind/data/secrets/secrets.nix | Bin 1548 -> 1660 bytes .../wind/data/secrets/synapse_extra_config | Bin 683 -> 22 bytes .../data/secrets/synapse_sliding_sync_env | Bin 0 -> 103 bytes config/hosts/wind/services/nginx.nix | 11 ++++++++--- config/hosts/wind/services/synapse.nix | 1 + 5 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 config/hosts/wind/data/secrets/synapse_sliding_sync_env 
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/config/hosts/wind/data/secrets/secrets.nix index d95a37cdb202d2b8128269925995f2641737b549..47c5c6e576357d396caf46ad06a23932484a0caf 100644 GIT binary patch literal 1660 zcmZQ@_Y83kiVO&05G+t`V4JD(`i$7=J5OSGo^stcvYnSafv2RTu>0w}P?aklFR!Nw zGP?O?UD_GTFJh%~a^1^|=l@)KCieHr{@8>4Kld|6Z@9cfP~r0wuUgSpw;mY9v2Z>w zv}W3D84|Uz>`WKPcDZLBIMg1j;jFzd zp5?08sX1Mj&V?4U7VHbwQv77#nYij*vdT60)xS=OampTf7&}|zpG>}I{H_HLf4+P^ z-SGNp8B5Ptm(5%BCMP?Rf1ae4b&M#H5ZTMz``+eE$Vs zog0=Wl6*4aV)1%DE|=@?XL#Spm0iU0BinB#$27fZ(a(-lh84*J-e-r`!}FK^_0>9u^<%<~hPbp`pF z-a4gJEYid>OaHQz%2XVGvGr6n;v`)NvaC6^ovn?9wX|fCdJ^pvSO3qyP$FJno zK7z;2nehE{vX?sasI%N?{(ZhHKko6XNd5QA7i7Gn?-RCi+Qs~f*Cug(`fQr8=HcoC z6FkJr_CGm0?^;3eTlt(RciCD!HgL^68LXf4$hGP4n-@A7S9Z<)-SyVumhRqn|JPr_4#-`C6_jzqu*B=V}8+JlN zX?3U70r%re&R6;^7W%kPGbeJ#u0I}UTPCXnzYcJF-*)G1(Avbi|D?`2x`r?Q(fZ6~ z_X*|TZI(YPuP;A(>PB5=QDaoj&a8IV8pSAf=BzK5&-JQ3RJ`)+>8Y73{L3s8KQP7y zcm3WQo^3FJIbha|4C9syEj5Z^nY^pMG}`3^wTZ;*E&q{G$L&A!v)kRu6XrkO?lG=t ztvgn9iof3AJ>N5{yPw!Mc>4S5e$;OBIvdWGJWk6p3ZaPZxer%WCIm%h}_6QEtBBTU+kqa>Amv>-}8q z-qfxX?Al- z1|c^WFqRAE+crO%F&8-LvHIYFF!I_w)#lx-(lk@7vv%Ircm@tNv3k{OeOq)cnb*+-MG+>R{bm~*w8#BYe4~_Gu9uAGE zb`$^jc*C5WP0rVYpUOJ%%?X+DvRyY^a+}$*e%8fI=2DLus@VKBITz-tgG(KN^bfPx$KdC2YH0WKyF6OOA#(HEz;{c_^6y@E^GnHbL>7J5B@@9qz=!Z)mp zFIkp6NI$Q9@`YJKf`wYq3Z-UstF&Tm$JueM^D_wno2r_1_m zYxZXbJb9t+Wn9YK{sT*PUPCWAM2)`@+J~_o*lKHpS&7r|k4&{2iZUcUe$C zW|Fh#QdtWlyMRL))@#=|-S};O=l9taO)FLRygqvH^*z^}MhmXC)c^Lhi+z2aE%Dj4 z$UmJKhvXQ(*z`80O<5uFcF*+5-Gy7vvR%99+Eb&+#mksKJ2rd0yKK&)Z+H$OOkv!8$O z*43<{5w=HXbJWr=M|Zg2cK)lkU4Lqba)@+9NX5-d+iRj6PPofPukq8+n8N#B@~Mzo zg3y{(-XHG#Q3z74zdJwT;+zE<%9Xnkl(LG-d!i$`Qv%D@p5g5~7HYUG{4^PV(kOFE4rSNuh@lip3i=l;cc@1M8o@kJt1t* z3gn7J;)UamuDz_DQ$z*WBXHs7Nz)+<&*}S3kc}hsVJ(PM)VN zQSMgaDSpK}9zKXLu+fhH@@3|C@#z~9A5ADdT9tK9b(S<& z_N1>3$9yLoX6JEF+_bWF*Rgc%qcZoV|9M)QYqBoFF6d6+?$|{N8{3}#N~j2756_%c zy7`mC;k!birwjiI)~tKGfAc3bwt(Vk+|^a#AG`d5xPw$!qjDZIyq#jc$@{;il#TG+ z$=h}NgxQJ?n}-$kC$?!W*{>1*kh50I`@w 
z@5oD4O~wp|z8L0p2w-B*_*RXkxFR#y}j&RIkzIag!kq= z=cy|;vMb#-n-lVQ@v+G3>QN?_*|bf1a(8T>KYRTqC&`7+d?F<>%92mtigV46iO~|i zx9F|h?B8bLH+P<0zcg;g%mo3{Z#1UIP0?Lg>1O3LWxMa^T@0(!oia);ort`;Z_e~< zO3xhLuJbh6IW=i%XRveyTNj_;B(^kBy#-}|XGneI6S+SBwc2arl)=2rF$%4B)#FjTP005|0^3VVP diff --git a/config/hosts/wind/data/secrets/synapse_extra_config b/config/hosts/wind/data/secrets/synapse_extra_config index 2b6eb7afca09f78437ed30d99c076e2d4022988d..34083055a5f57ba626f8ddbd0c9175d78597da85 100644 GIT binary patch literal 22 dcmZQ@_Y83kiVO&02z~#2Peppn)D1$S3jtUk2&Mo4 literal 683 zcmZQ@_Y83kiVO&0xNt%I|Bn+jlf4&eZDMh~X?^0)(*3$G{rSbGznnwq0O$QliHYa`Ex2)1 zd5=2(v-=&tj(#w$vYG7U+pw+u@dx#{g<8ovQ*3sxZ>V{Bm+^#=;ajPoCr?kTXNcM; zD!YC6DTR!$965jQ#l>`AStx(Xvp@Q}Q>^LQiiUXAw{Ax+$ynBTGZc7CKl%AXM8_d5 z*`51;YUrKHj@+-zmC>7e;Ap|Iw8nWEPr5t`bUS*V>g?S5>@LNTW|V|NgRvb3ZFKT(3{ek$$Mncxt$GG?Vs|Od}!at=P715A^cI=x^-ry=VzFx zG~1{Pmu^fE@3_J5x2wVaIxFkth>wSbHg-N|3oz5Y)w0^I$z)|)a$@NM9>E8TdrHD> zw1ZA0oaAm2?vpIFDVdai=IzboKP%3$>B?Xi$Np}vL@}KMzUPDL()M=grCPVSp6$7QJ@rf* wZ^1Tm#plj!>E$o4?UAc+{af($pYnlSE6ZM{{WtBO-7?uWn%UyZe1q9V0M>p?&;S4c diff --git a/config/hosts/wind/data/secrets/synapse_sliding_sync_env b/config/hosts/wind/data/secrets/synapse_sliding_sync_env new file mode 100644 index 0000000000000000000000000000000000000000..b5b3eecbae3ada7fab4564adfb6cc539d87f10a3 GIT binary patch literal 103 zcmZQ@_Y83kiVO&0IGw#;S%Iw~@!@GXe%)n!C3*+lwlG<%&F1V|SRVa+%I?%0|Dxcg zSua1mPdlO^xnPIanGCxE9Y$td-U!>$)O795b6(qK-ECTw9CM4k;= Date: Sun, 22 Oct 2023 14:17:15 +0200 Subject: [PATCH 35/83] Remove grocy --- config/hosts/wind/configuration.nix | 1 - config/hosts/wind/services/grocy.nix | 11 ----------- 2 files changed, 12 deletions(-) delete mode 100644 config/hosts/wind/services/grocy.nix diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index 01ce383..c8c80b7 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix 
@@ -16,7 +16,6 @@ ./services/synapse.nix ./services/ttrss.nix ./services/gitea.nix - ./services/grocy.nix ./services/restic.nix ./services/vaultwarden.nix ./services/wireguard.nix diff --git a/config/hosts/wind/services/grocy.nix b/config/hosts/wind/services/grocy.nix deleted file mode 100644 index d6c31ef..0000000 --- a/config/hosts/wind/services/grocy.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, ... }: -{ - services.grocy = { - enable = true; - hostName = "grocy.graven.dev"; - settings = { - currency = "DKK"; - calendar.firstDayOfWeek = 1; - }; - }; -} From 8d718be3213c6b435c28f3124057295a3b65767d Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 22 Oct 2023 14:18:29 +0200 Subject: [PATCH 36/83] Update nixpkgs --- config/hosts/wind/configuration.nix | 2 +- config/sources/nix/sources.json | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index c8c80b7..bbc8dea 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, ... }: { imports = [ diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 6c4cb37..ff4d63c 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "9341b1027da2c2f95f8e808a3cb4b403e0a62c77", - "sha256": "1l996s518iv7bcfzzhxlsn35ahbslpbvhl3ds1zpnama7la23y9b", + "rev": "723f0eeb969a730db3c30f977c2b66b9dce9fe4a", + "sha256": "0016l7230gd2kdh0g2w573r9a2krqb7x4ifcjhhsn4h1bwap7qr0", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/9341b1027da2c2f95f8e808a3cb4b403e0a62c77.tar.gz", + "url": "https://github.com/nmattia/niv/archive/723f0eeb969a730db3c30f977c2b66b9dce9fe4a.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { 
@@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0", - "sha256": "0cv2aivvw83j1x0wafhjcnpwcnglrrz3z726i9nvs2nkxs29h34w", + "rev": "72d53d51704295f1645d20384cd13aecc182f624", + "sha256": "0amvmkxp2x3sf1ya066wrsjn57q8vdhqi6fbsmyyvz04fpmq2m75", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/bb2db418b616fea536b1be7f6ee72fb45c11afe0.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/72d53d51704295f1645d20384cd13aecc182f624.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5a237aecb57296f67276ac9ab296a41c23981f56", - "sha256": "166yxg4ff2jxvl9mbngd90dr1k3rdj6xmiccga41xynhh2zr0vmb", + "rev": "679cadfdfed2b90311a247b2d6ef6dfd3d6cab73", + "sha256": "05iybhlry8sg6qdgf7qx1d8rvq43ph32qgpar53g8yja300x0swz", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5a237aecb57296f67276ac9ab296a41c23981f56.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/679cadfdfed2b90311a247b2d6ef6dfd3d6cab73.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From b43a55bb9f6b1ee45eb5274cf588384de51ad5fc Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Thu, 26 Oct 2023 16:56:34 +0200 Subject: [PATCH 37/83] Configure borg for grondahl --- config/hosts/grondahl/configuration.nix | 2 +- config/hosts/grondahl/data/secrets/borg_pass | Bin 0 -> 87 bytes .../hosts/grondahl/data/secrets/secrets.nix | Bin 957 -> 1259 bytes config/hosts/grondahl/services/borg.nix | 26 ++++++++++++++++++ config/hosts/grondahl/services/restic.nix | 26 ------------------ 5 files changed, 27 insertions(+), 27 deletions(-) create mode 100644 config/hosts/grondahl/data/secrets/borg_pass create mode 100644 config/hosts/grondahl/services/borg.nix delete mode 100644 config/hosts/grondahl/services/restic.nix 
diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix index 1545408..a79f9c8 100644 --- a/config/hosts/grondahl/configuration.nix +++ b/config/hosts/grondahl/configuration.nix @@ -10,9 +10,9 @@ ../../common/services/tailscale.nix ../../common/users.nix ./services/acme.nix + ./services/borg.nix ./services/coturn.nix ./services/nginx.nix - ./services/restic.nix ./services/synapse.nix ./services/postgres.nix #./services/mail.nix diff --git a/config/hosts/grondahl/data/secrets/borg_pass b/config/hosts/grondahl/data/secrets/borg_pass new file mode 100644 index 0000000000000000000000000000000000000000..1d656217681bda45a8bf9c1de4d7cab1ab594aa5 GIT binary patch literal 87 zcmZQ@_Y83kiVO&0sClve%B=S2i`A<0DsSFM3s9ZM!{nsF5}C6_NSA4v{)Htk;)S&v uFI?DUdg)K2Tkpx!o6f|Y(Eap>|7d5|gVokIi=)p<@EyLP!?&-MEf)Zo>L||u literal 0 HcmV?d00001 
diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix index b79d57c072b44ce1ff1701aea03cdf0e5201cd67..1c37a019a94c1abab2e91d4a5b12b3aaee580246 100644 GIT binary patch literal 1259 zcmZQ@_Y83kiVO&0I9{;$ng4>odvnd(;ZNvwwv>Z})zj{f{l*Wy%aT_NV8pg0^y8mDF)oeZ9QoUfA_6 zosv`aWpatf8YfkzGwn&%+HZKEbBez1)6H87in>1NN$@vqn3B^!OV>m5H?#EOCdt`% ze=Td1^N&mVFiRp!u=B@mNB{I4d{1C$WFN z#@5jL^7~^0mL-FV* z$W?{hjt{dv?)jwJmqxW*deI=vdDqfL{fOM}h~+QY4)hyL=DzUyXPUWCR_jY9!!J^& z@A!5t6qixhkh8wv+g1fJ%gPOHyl;dj6{+2GQIu!pJ-F`d!%@$^%!my{T*~T-TSq9`6f(R zZnwDddM)$5?Tp=ll|tN;rzcM1OkhdelD&9l=Ff)wS-aLYerwwB_FJ(7&$;&JTWVz* z?kcR1)~<>&Os+J^&zjfvi1pd81;66BxUaT{_xE3YS=L!_Wb(EZCyVkkPoI44eRk8K zr4rUwZ(e`+>&N!m{+XX9cd%3R>J3S1t~E;{F79S#y=<{>t#=Qkkq9=&Xba|aP>nE?S=btUFk3HvPC~iM?acSz?o~L_w50i>$>wAW}W_c(fZww9kMH=)(a)^y$xEh?Z_s(8P7QRC@2x9Kxf3t1|@ zv~Im|bwch!^`}KXckh_&)~f$@WuA~s&zJ3|6OSx57ZP#2aW+))=3TKq=9+zu?r%Eh z=RK%P^>w`x|94wJ5sOJ=xBepTQW>|4slI|*t5@!uQr$9n`mWRYyqDHaFTE{TaJ=f0 z`JHqop5uxq=h&zye}1tushrQrOVQ?1smaWo$uk^MJZ?@d7CxfMx}adgi927;@7!VV z!SVg-zz?r%4~8i6HZ(fNIozLnEdNAv;1#1pRjaEaewt@wPE5C1an4W4w`)ydh_qT% z{vA|sWXX{#@T1%|%W$V51hEdtTmm^Zs{f}%x#qKMMcdM{Z zkNxrg=pT)mx=E3fkIuN}+8ed{x@)rLkvB)(&tzY|p5P=HvR3pHdxG%McQf|v-nRR) iY(rw59 literal 957 zcmZQ@_Y83kiVO&0$iHQ`McZnB%QWTI;vACzlG9QnYi=|xnxA@Vk_=Vf2E1X`vqBu}@ zOHqv6gY^t$Q<}Z6O78g?HE;LPe*dtIY#dQv)ZKg*njilnwK##Z=gxL6q3|n7^W9I0 z>#fLjG@2!_Zw}L%v`^dW7dmGZ#pxe7lH+~z=9jt3lYcJU<@o001oa&;oO|W&+URPY zew4c7u*x4JuWd15%kRIAy!hzcHSgF@b4^6q>?bUED(&-zInS`#Kws$p#-%$sHdk4_ zn6L6$a!q}k+|h(5?tWfhGAzFu=g2^Aq7ThwbF>Ru3ZvyK(s6L*^}p=;-AE5zcpLL*}eT- z%CC^lVHZyrQ&l2P96Ro~ES9jH}!Yl5cZqhQ%>b8}$SR#K;VV?SFbIKJjjThyq ziHX0;vRX9aZ^u7Lxz4f6#Uiow$b}^;M+1_oVjWjZx@kQ(exqP0f8?}Ple#)wKb0-I z7N$P6(qTs8KQUj${`k3n?lS6pVRKbA;z{)k)-2t9Yehh|_;K0ip?=$r2t}1dr`}?_ zT_LY5ef90Dl!a_PH3w}n)lOxrZZ-dR_I>`1Eh47np*!}lM}6P?DZASzuYAW_bycy| zj4ku#aHLEYdZ>0r!BOt}v79-Nvc*1Gwj1Y4SZ!N(MebL&S4H>78DeLSwycz`uq`$| 
z&-MD(l76q0V=Aqkm(C?T+Mh2`R^_=S_QM_Po&~lJ&koG`n0D!7(zO`@Q~kf7sots(bF95O4L0E}QVq{@ohuO^YVy-{BICIebBWEm!7_lgl^9$;2#V ze51EPSbfi#DW&K99I~(Mk#acMpv6!){h~$ZmXa4oQY|)~G>H1S%(F@0jn4JfInjHT ztyeteWEfTZ@{MDZbxyUyA*UKHN40)+(Tu(QOEY-0%tgv&-heyzN!=a)*nB1_q1l9iQAnQ z+3&AQ`J}x#nw`G%^lXQJ?wfwC*{=3#f&8n&3ug}hne;}yS@UdwVoKQRvs1Urn4afK cP?~VGhS|(wb###L>-4hd)Hw$uI9t~P0DrpI>i_@% diff --git a/config/hosts/grondahl/services/borg.nix b/config/hosts/grondahl/services/borg.nix new file mode 100644 index 0000000..6134c7f --- /dev/null +++ b/config/hosts/grondahl/services/borg.nix @@ -0,0 +1,26 @@ +{ config, ... }: + +{ + services.borgbackup.jobs = { + postgres = { + paths = "/var/lib/postgresql/backup"; + repo = "ssh://borg@despondos.nao.sh//mnt/slab/backup/grondahl/postgres"; + encryption.mode = "repokey"; + encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}"; + environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}"; + compression = "auto,zstd"; + startAt = "*-*-* 03:15:00"; + user = "postgres"; + }; + synapse = { + paths = "/var/lib/matrix-synapse"; + repo = "ssh://borg@despondos.nao.sh//mnt/slab/backup/grondahl/synapse"; + encryption.mode = "repokey"; + encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}"; + environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}"; + compression = "auto,zstd"; + startAt = "*-*-* 03:45:00"; + user = "matrix-synapse"; + }; + }; +} diff --git a/config/hosts/grondahl/services/restic.nix b/config/hosts/grondahl/services/restic.nix deleted file mode 100644 index f92203e..0000000 --- a/config/hosts/grondahl/services/restic.nix +++ /dev/null 
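Review bot: Neither borg job in the new config/hosts/grondahl/services/borg.nix sets a retention policy, whereas the restic jobs this commit removes pruned with `--keep-daily 7`, `--keep-weekly 5`, `--keep-monthly 12` and `--keep-yearly 75`. As written the repositories grow without bound unless pruning is done on the backup host. If the old policy should carry over, add `prune.keep = { daily = 7; weekly = 5; monthly = 12; yearly = 75; };` to both jobs. With `encryption.mode = "repokey"` the key is stored inside the repository and only the passphrase is held on this host, so a comment noting where an exported copy of the key is kept would help recovery.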
@@ -1,26 +0,0 @@ -{ config, ... }: -{ - services.restic.backups = { - "postgres" = { - paths = [ "/var/lib/postgresql/backup" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/postgres"; - initialize = true; - pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; - timerConfig = { "OnCalendar" = "03:15"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; - passwordFile = builtins.toString config.secrets.files.restic_pass.file; - user = "postgres"; - }; - "synapse" = { - paths = [ "/var/lib/matrix-synapse" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/synapse"; - initialize = true; - pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; - timerConfig = { "OnCalendar" = "03:45"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; - passwordFile = builtins.toString config.secrets.files.restic_pass.file; - user = "matrix-synapse"; - }; - }; -} - From ed2a33f3a66b2b45c50d3650dd314aa9ced1850b Mon Sep 17 00:00:00 2001 
From: Amanda Graven Date: Wed, 29 Nov 2023 15:09:10 +0100 Subject: [PATCH 38/83] Disable minimal profile --- .EditorConfig | 4 + Makefile | 12 ++ config/common/configuration/documentation.nix | 12 ++ config/hosts/grondahl/configuration.nix | 1 + .../hosts/grondahl/hardware-configuration.nix | 2 +- config/hosts/rudiger/configuration.nix | 154 +++++++++--------- .../hosts/rudiger/hardware-configuration.nix | 2 +- config/hosts/rudiger/services/nextcloud.nix | 4 +- config/hosts/wind/configuration.nix | 1 + config/hosts/wind/hardware-configuration.nix | 2 +- config/sources/nix/sources.json | 24 +-- shell.nix | 7 + 12 files changed, 131 insertions(+), 94 deletions(-) create mode 100644 .EditorConfig create mode 100644 Makefile create mode 100644 config/common/configuration/documentation.nix create mode 100644 shell.nix diff --git a/.EditorConfig b/.EditorConfig new file mode 100644 index 0000000..24f2e16 --- /dev/null +++ b/.EditorConfig @@ -0,0 +1,4 @@ +root = true + +[*.nix] +indent_style = "tab" diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..af79aff --- /dev/null +++ b/Makefile @@ -0,0 +1,12 @@ +all: result + +.PHONY: update result deploy + +result: + nix build -f deploy/default.nix + +update: + cd config/sources && niv update + +deploy: + ./result diff --git a/config/common/configuration/documentation.nix b/config/common/configuration/documentation.nix new file mode 100644 index 0000000..bc47744 --- /dev/null +++ b/config/common/configuration/documentation.nix @@ -0,0 +1,12 @@ +{ ... }: + +{ + # Some docs fail to build, so we need to disable some of it + documentation = { + enable = true; + man.enable = true; + doc.enable = true; + dev.enable = false; + nixos.enable = false; + }; +} diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix index a79f9c8..a7ac181 100644 --- a/config/hosts/grondahl/configuration.nix +++ b/config/hosts/grondahl/configuration.nix 
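Review bot: The file is created as `.EditorConfig`, but EditorConfig looks for a file named `.editorconfig`, so on a case-sensitive filesystem these settings are presumably never picked up. The value is also quoted; EditorConfig values are bare words, so the line should read `indent_style = tab`.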
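Review bot: The `deploy` target has no prerequisite, so `make deploy` runs whatever `./result` an earlier build left behind, or fails if there is none; after a `make update` a stale closure can be deployed without anyone noticing. Declaring `deploy: result` ties the deployment to the current tree. `result` is already listed under `.PHONY`, so it is rebuilt on every invocation.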
@@ -6,6 +6,7 @@ ./hardware-configuration.nix ./data/secrets/secrets.nix ../../common/configuration/nix.nix + ../../common/configuration/documentation.nix ../../common/services/ssh.nix ../../common/services/tailscale.nix ../../common/users.nix diff --git a/config/hosts/grondahl/hardware-configuration.nix b/config/hosts/grondahl/hardware-configuration.nix index 1460245..47e53af 100644 --- a/config/hosts/grondahl/hardware-configuration.nix +++ b/config/hosts/grondahl/hardware-configuration.nix @@ -2,7 +2,7 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/minimal.nix") + #(modulesPath + "/profiles/minimal.nix") ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ]; diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix index 212a48c..632a8fe 100644 --- a/config/hosts/rudiger/configuration.nix +++ b/config/hosts/rudiger/configuration.nix 
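Review bot: The minimal profile is disabled in config/hosts/grondahl/hardware-configuration.nix by commenting the import out as `#(modulesPath + "/profiles/minimal.nix")`, with nothing in the file saying why; the same edit is made in the rudiger and wind hardware-configuration.nix hunks of this commit. Either delete the line or put the reason next to it, e.g. `# minimal.nix disabled: <reason>`, so a later reader does not re-enable it blindly. Dropping the profile presumably enlarges what gets installed on these hosts, so the commit message should say which of the profile's settings are being given up on purpose. The rest of the file lies outside the hunk.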
@@ -1,92 +1,92 @@ { config, pkgs, ... }: { - imports = - [ - ./hardware-configuration.nix - ./data/secrets/secrets.nix - ../../common/configuration/nix.nix - ../../common/services/ssh.nix - ../../common/services/tailscale.nix - ../../common/users.nix - ./services/acme.nix - ./services/nextcloud.nix - ./services/nginx.nix - ./services/postgres.nix - ./services/redis.nix - ./services/restic.nix - ]; + imports = [ + ./hardware-configuration.nix + ./data/secrets/secrets.nix + ../../common/configuration/nix.nix + ../../common/configuration/documentation.nix + ../../common/services/ssh.nix + ../../common/services/tailscale.nix + ../../common/users.nix + ./services/acme.nix + ./services/nextcloud.nix + ./services/nginx.nix + ./services/postgres.nix + ./services/redis.nix + ./services/restic.nix + ]; - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/sda"; - boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; - boot.supportedFilesystems = ["zfs"]; - services.zfs.autoSnapshot.enable = false; - services.zfs.autoScrub.enable = true; + boot.supportedFilesystems = ["zfs"]; + services.zfs.autoSnapshot.enable = false; + services.zfs.autoScrub.enable = true; - time.timeZone = "Europe/Copenhagen"; + time.timeZone = "Europe/Copenhagen"; - networking = { - hostName = "rudiger"; - hostId = "8c7b66a4"; - useDHCP = false; - tempAddresses = "disabled"; - interfaces = { - "ens3" = { - ipv4.addresses = [ { - address = "202.61.202.170"; - prefixLength = 22; - } ]; - ipv6.addresses = [ { - address = "2a03:4000:5a:c61::1"; - prefixLength = 64; - } ]; - }; - }; - defaultGateway = "202.61.200.1"; - defaultGateway6 = { - address = "fe80::1"; - interface = "ens3"; - }; - nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; - }; + networking = { + hostName = "rudiger"; + 
hostId = "8c7b66a4"; + useDHCP = false; + tempAddresses = "disabled"; + interfaces = { + "ens3" = { + ipv4.addresses = [ { + address = "202.61.202.170"; + prefixLength = 22; + } ]; + ipv6.addresses = [ { + address = "2a03:4000:5a:c61::1"; + prefixLength = 64; + } ]; + }; + }; + defaultGateway = "202.61.200.1"; + defaultGateway6 = { + address = "fe80::1"; + interface = "ens3"; + }; + nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; + }; - nix.settings = { - auto-optimise-store = true; - trusted-users = [ - "root" - "@wheel" - ]; - }; + nix.settings = { + auto-optimise-store = true; + trusted-users = [ + "root" + "@wheel" + ]; + }; - environment.systemPackages = with pkgs; [ - vim - wget - htop - iotop - dig - tailscale - ]; - security.sudo.wheelNeedsPassword = false; + environment.systemPackages = with pkgs; [ + vim + wget + htop + iotop + dig + tailscale + ]; + security.sudo.wheelNeedsPassword = false; - systemd.services."nextcloud-setup" = { - requires = [ "postgresql.service" "redis.service" ]; - after = [ "postgresql.service" "redis.service" ]; - }; + systemd.services."nextcloud-setup" = { + requires = [ "postgresql.service" "redis.service" ]; + after = [ "postgresql.service" "redis.service" ]; + }; - users.groups.redis.members = [ "nextcloud" ]; - users.groups.backup.members = [ "nextcloud" "postgres" ]; + users.groups.redis.members = [ "nextcloud" ]; + users.groups.backup.members = [ "nextcloud" "postgres" ]; - networking.firewall = { - allowedTCPPorts = [ 22 80 443 ]; - allowedUDPPorts = [ config.services.tailscale.port ]; - trustedInterfaces = [ "tailscale0" ]; - enable = true; - checkReversePath = "loose"; - }; - # networking.firewall.allowedUDPPorts = [ ... 
]; - system.stateVersion = "21.05"; + networking.firewall = { + allowedTCPPorts = [ 22 80 443 ]; + allowedUDPPorts = [ config.services.tailscale.port ]; + trustedInterfaces = [ "tailscale0" ]; + enable = true; + checkReversePath = "loose"; + }; + # networking.firewall.allowedUDPPorts = [ ... ]; + system.stateVersion = "21.05"; } diff --git a/config/hosts/rudiger/hardware-configuration.nix b/config/hosts/rudiger/hardware-configuration.nix index 1e82882..283b86a 100644 --- a/config/hosts/rudiger/hardware-configuration.nix +++ b/config/hosts/rudiger/hardware-configuration.nix @@ -3,7 +3,7 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/minimal.nix") + #(modulesPath + "/profiles/minimal.nix") ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix index 8c2a635..f2c442f 100644 --- a/config/hosts/rudiger/services/nextcloud.nix +++ b/config/hosts/rudiger/services/nextcloud.nix @@ -2,7 +2,7 @@ { services.nextcloud = { enable = true; -# Disables server-side file encryption for stronger SSL + # Disable server-side file encryption for stronger SSL enableBrokenCiphersForSSE = false; hostName = "cloud.graven.dev"; https = true; @@ -15,7 +15,7 @@ dbtype = "pgsql"; dbuser = "nextcloud"; dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself - dbname = "nextcloud"; + dbname = "nextcloud"; defaultPhoneRegion = "DK"; adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file; adminuser = "root"; diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index bbc8dea..fc12055 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix 
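Review bot: The one functional change in config/hosts/rudiger/configuration.nix, the added `../../common/configuration/documentation.nix` import, is buried in a reindent of all 92 lines. The file carries the firewall rules, `security.sudo.wheelNeedsPassword` and the `trusted-users` list, so a reviewer has to compare every line to confirm none of those values changed. Splitting the reindent into its own commit keeps such files checkable; until then `git diff -w` shows the real delta.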
@@ -4,6 +4,7 @@ imports = [ ./hardware-configuration.nix ../../common/configuration/nix.nix + ../../common/configuration/documentation.nix ../../common/services/ssh.nix ../../common/services/tailscale.nix ../../common/users.nix diff --git a/config/hosts/wind/hardware-configuration.nix b/config/hosts/wind/hardware-configuration.nix index 50c7560..ee338a2 100644 --- a/config/hosts/wind/hardware-configuration.nix +++ b/config/hosts/wind/hardware-configuration.nix @@ -6,7 +6,7 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/minimal.nix") + #(modulesPath + "/profiles/minimal.nix") #(modulesPath + "/profiles/hardened.nix") ]; diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index ff4d63c..6b04181 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "723f0eeb969a730db3c30f977c2b66b9dce9fe4a", - "sha256": "0016l7230gd2kdh0g2w573r9a2krqb7x4ifcjhhsn4h1bwap7qr0", + "rev": "7b76374b2b44152bfbf41fcb60162c2ce9182e7a", + "sha256": "1ql11hzgxdahj9x0b20b70izcmayb22rinrg82kgp5z19bvpsgrp", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/723f0eeb969a730db3c30f977c2b66b9dce9fe4a.tar.gz", + "url": "https://github.com/nmattia/niv/archive/7b76374b2b44152bfbf41fcb60162c2ce9182e7a.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { 
@@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "72d53d51704295f1645d20384cd13aecc182f624", - "sha256": "0amvmkxp2x3sf1ya066wrsjn57q8vdhqi6fbsmyyvz04fpmq2m75", + "rev": "8772491ed75f150f02552c60694e1beff9f46013", + "sha256": "07m3i4g10ka2klmqfpqfxjfsnidk3cw53andqr33lxhy7rrvf6x2", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/72d53d51704295f1645d20384cd13aecc182f624.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/8772491ed75f150f02552c60694e1beff9f46013.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "679cadfdfed2b90311a247b2d6ef6dfd3d6cab73", - "sha256": "05iybhlry8sg6qdgf7qx1d8rvq43ph32qgpar53g8yja300x0swz", + "rev": "5b528f99f73c4fad127118a8c1126b5e003b01a9", + "sha256": "0pchhv9rrki70j0rrpj8pgj29cl7a595s6msh05ah5naasn3n17i", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/679cadfdfed2b90311a247b2d6ef6dfd3d6cab73.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/5b528f99f73c4fad127118a8c1126b5e003b01a9.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { @@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "b54dc6b332d4f26df1bed34c18ccec3d41e1ac40", - "sha256": "120ip3549sm1z79p7fvm0kv6gn0v7yb6nr530q25xdz537gq3a3p", + "rev": "3d829c74b3dff74f211ef21d64def233532e9e5d", + "sha256": "1vwg567jafcwaikkbdgckyirhnb0hd7r8x25j5wsb5a5563bpi65", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/b54dc6b332d4f26df1bed34c18ccec3d41e1ac40.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/3d829c74b3dff74f211ef21d64def233532e9e5d.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..d11b0d4 --- /dev/null +++ b/shell.nix 
@@ -0,0 +1,7 @@ +{ pkgs ? import {} }: + +pkgs.mkShell { + packages = with pkgs; [ + niv + ]; +} From bdd876cdfdb59e1bb298634547ceac6dba415ab6 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Fri, 8 Dec 2023 13:33:57 +0100 Subject: [PATCH 39/83] Upgrade rudiger to postgres 15 --- config/hosts/rudiger/services/postgres.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/hosts/rudiger/services/postgres.nix b/config/hosts/rudiger/services/postgres.nix index af4cc48..12f6dad 100644 --- a/config/hosts/rudiger/services/postgres.nix +++ b/config/hosts/rudiger/services/postgres.nix @@ -1,7 +1,8 @@ -{ ... }: +{ pkgs, ... }: { services.postgresql = { enable = true; + package = pkgs.postgresql_15; ensureDatabases = [ "nextcloud" ]; From 2895a51862f1c5edc7fec60bca49b7309171b1b0 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Fri, 8 Dec 2023 14:05:12 +0100 Subject: [PATCH 40/83] Upgrade nixpkgs to 23.11 --- config/hosts/grondahl/services/postgres.nix | 6 +++--- config/hosts/rudiger/services/nextcloud.nix | 2 -- config/hosts/rudiger/services/postgres.nix | 2 +- config/sources/nix/sources.json | 20 ++++++++++---------- 4 files changed, 14 insertions(+), 16 deletions(-) diff --git a/config/hosts/grondahl/services/postgres.nix b/config/hosts/grondahl/services/postgres.nix index 950c67a..30f4f83 100644 --- a/config/hosts/grondahl/services/postgres.nix +++ b/config/hosts/grondahl/services/postgres.nix @@ -14,15 +14,15 @@ ensureUsers = [ { name = "matrix-synapse"; - ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES"; + ensureDBOwnership = true; } { name = "mobilizon"; - ensurePermissions."DATABASE mobilizon" = "ALL PRIVILEGES"; + ensureDBOwnership = true; } { name = "authentik"; - ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES"; + ensureDBOwnership = true; } ]; initialScript = pkgs.writeText "synapse-init.sql" '' 
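Review bot: The default `pkgs ? import {}` in the new shell.nix does not use the revisions pinned in config/sources/nix/sources.json; as rendered here the import has no path at all, which most likely means an angle-bracket channel lookup was lost in extraction. With a channel lookup, the `niv` binary that rewrites every pin and hash in this repository is built from whatever nixpkgs the operator's NIX_PATH points at. Assuming niv's generated `sources.nix` sits next to `sources.json`, the header could read `{ pkgs ? import (import ./config/sources/nix/sources.nix).nixpkgs {} }:`, so the tool that updates the lock file is itself taken from a locked revision.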
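Review bot: The added `package = pkgs.postgresql_15;` in rudiger's postgres.nix changes the PostgreSQL major version, and nothing in the hunk records how the existing cluster is carried over. The NixOS module's default data directory is keyed to the major version, so unless `dataDir` is set outside this hunk the service starts on a new, empty cluster and the nextcloud data stays in the old directory until it is migrated with pg_upgrade or a dump and restore. I would add a comment above the line, e.g. `# major-version bump: migrate the old cluster (pg_upgrade or dump/restore) before deploying`. The same applies to the `postgresql_13` to `postgresql_16` hunks for grondahl and wind in patches 41 and 42.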
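Review bot: `ensureDBOwnership = true` in grondahl's `ensureUsers` only applies to a database named exactly like the role, and the NixOS module asserts that this name is listed in `ensureDatabases`, which lies outside this hunk. That is worth checking for `matrix-synapse` in particular, since the trailing context suggests that database is created by `initialScript`. The option changes the owner of the database itself; tables created earlier under a different role are, as far as I know, not reassigned, so a one-off `REASSIGN OWNED` may be needed on hosts that already hold data. The rudiger postgres.nix hunk later in this patch makes the same switch for `nextcloud`.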
diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix index f2c442f..54cf8ab 100644 --- a/config/hosts/rudiger/services/nextcloud.nix +++ b/config/hosts/rudiger/services/nextcloud.nix @@ -2,8 +2,6 @@ { services.nextcloud = { enable = true; - # Disable server-side file encryption for stronger SSL - enableBrokenCiphersForSSE = false; hostName = "cloud.graven.dev"; https = true; package = pkgs.nextcloud26; diff --git a/config/hosts/rudiger/services/postgres.nix b/config/hosts/rudiger/services/postgres.nix index 12f6dad..cee84a2 100644 --- a/config/hosts/rudiger/services/postgres.nix +++ b/config/hosts/rudiger/services/postgres.nix @@ -9,7 +9,7 @@ ensureUsers = [ { name = "nextcloud"; - ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + ensureDBOwnership = true; } ]; }; diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 6b04181..da19c15 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "7b76374b2b44152bfbf41fcb60162c2ce9182e7a", - "sha256": "1ql11hzgxdahj9x0b20b70izcmayb22rinrg82kgp5z19bvpsgrp", + "rev": "6bd7cd686220bf3db0e212481faf9578e8c8ff0f", + "sha256": "15claxlj6y15db67qc7kb4vzyn6sv7r13z4q502vq7a4z2488z94", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/7b76374b2b44152bfbf41fcb60162c2ce9182e7a.tar.gz", + "url": "https://github.com/nmattia/niv/archive/6bd7cd686220bf3db0e212481faf9578e8c8ff0f.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { 
@@ -17,22 +17,22 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "8772491ed75f150f02552c60694e1beff9f46013", - "sha256": "07m3i4g10ka2klmqfpqfxjfsnidk3cw53andqr33lxhy7rrvf6x2", + "rev": "fa194fc484fd7270ab324bb985593f71102e84d1", + "sha256": "06yn179lbhql3vkk4cjca4mdwr6lfdh6n1vqma3a4266dap6hcf4", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/8772491ed75f150f02552c60694e1beff9f46013.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/fa194fc484fd7270ab324bb985593f71102e84d1.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "nixos-23.05", + "branch": "nixos-23.11", "description": "Nix Packages collection", "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5b528f99f73c4fad127118a8c1126b5e003b01a9", - "sha256": "0pchhv9rrki70j0rrpj8pgj29cl7a595s6msh05ah5naasn3n17i", + "rev": "b4372c4924d9182034066c823df76d6eaf1f4ec4", + "sha256": "03daj0laqlqdp053wr2fznwjfbkkyh12qq1wa87zdsgdnnrgd6sc", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5b528f99f73c4fad127118a8c1126b5e003b01a9.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/b4372c4924d9182034066c823df76d6eaf1f4ec4.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 71c97ab7a54f9a51939fd53088da3c8bc6fef212 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Fri, 8 Dec 2023 14:41:08 +0100 Subject: [PATCH 41/83] Upgrade grondahl to postgres 16 --- config/hosts/grondahl/services/postgres.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/grondahl/services/postgres.nix b/config/hosts/grondahl/services/postgres.nix index 30f4f83..7b0e3ee 100644 --- a/config/hosts/grondahl/services/postgres.nix +++ b/config/hosts/grondahl/services/postgres.nix 
@@ -2,7 +2,7 @@ { services.postgresql = { enable = true; - package = pkgs.postgresql_13; + package = pkgs.postgresql_16; extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ]; From fec23849d3fbcaee406254d5055b17dd8ced3a10 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Fri, 8 Dec 2023 14:58:35 +0100 Subject: [PATCH 42/83] Upgrade wind to postgres 16 --- config/hosts/wind/services/postgres.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/wind/services/postgres.nix b/config/hosts/wind/services/postgres.nix index 79cf378..e7712e4 100644 --- a/config/hosts/wind/services/postgres.nix +++ b/config/hosts/wind/services/postgres.nix @@ -2,7 +2,7 @@ { services.postgresql = { enable = true; - package = pkgs.postgresql_13; + package = pkgs.postgresql_16; initialScript = pkgs.writeText "synapse-init.sql" '' CREATE ROLE synapse; CREATE DATABASE synapse WITH OWNER synapse From d3c8c253f2be859080e8a6ab669d13f143dd959f Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Fri, 8 Dec 2023 17:38:51 +0100 Subject: [PATCH 43/83] Upgrade to nextcloud 27 --- config/hosts/rudiger/services/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix index 54cf8ab..96ecc98 100644 --- a/config/hosts/rudiger/services/nextcloud.nix +++ b/config/hosts/rudiger/services/nextcloud.nix @@ -4,7 +4,7 @@ enable = true; hostName = "cloud.graven.dev"; https = true; - package = pkgs.nextcloud26; + package = pkgs.nextcloud27; autoUpdateApps.enable = true; maxUploadSize = "10G"; webfinger = true; From 5b36b4089dac4be53110ad7494eb149997f2a888 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Wed, 13 Dec 2023 20:27:13 +0100 Subject: [PATCH 44/83] Replace gitea with forgejo --- config/hosts/wind/services/gitea.nix | 32 +++++++++++++++++++++------- config/hosts/wind/services/nginx.nix | 2 +- 2 files changed, 25 insertions(+), 9 deletions(-) 
diff --git a/config/hosts/wind/services/gitea.nix b/config/hosts/wind/services/gitea.nix index ec0d191..cb40734 100644 --- a/config/hosts/wind/services/gitea.nix +++ b/config/hosts/wind/services/gitea.nix @@ -1,17 +1,33 @@ { ... }: { - services.gitea = { + services.forgejo = { enable = true; - appName = "Graven Gitea"; - settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; }; + user = "gitea"; + group = "gitea"; + stateDir = "/var/lib/gitea"; database = { type = "postgres"; + name = "gitea"; + user = "gitea"; + }; + settings = { + DEFAULT.APP_NAME = "Graven Gitea"; + service.DISABLE_REGISTRATION = true; + session.COOKIE_SECURE = true; + server.DOMAIN = "git.graven.dev"; + server.ROOT_URL = "https://git.graven.dev"; + server.PROTOCOL = "http+unix"; + ui.DEFAULT_THEME = "arc-green"; }; - settings.service.DISABLE_REGISTRATION = true; - settings.session.COOKIE_SECURE = true; - settings.server.DOMAIN = "git.graven.dev"; - settings.server.ROOT_URL = "https://git.graven.dev"; - settings.server.PROTOCOL = "http+unix"; }; + + users.users.gitea = { + home = "/var/lib/gitea"; + useDefaultShell = true; + group = "gitea"; + isSystemUser = true; + }; + + users.groups.gitea = {}; } diff --git a/config/hosts/wind/services/nginx.nix b/config/hosts/wind/services/nginx.nix index f6e97e6..ebafed1 100644 --- a/config/hosts/wind/services/nginx.nix +++ b/config/hosts/wind/services/nginx.nix @@ -32,7 +32,7 @@ "git.graven.dev" = { enableACME = true; forceSSL = true; - locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:"; + locations."/".proxyPass = "http://unix:/run/forgejo/forgejo.sock:"; }; "vault.graven.dev" = { forceSSL = true; From 840bcd4cea078d81b1970d5273571486a2cfb76d Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sat, 6 Jan 2024 09:32:52 +0100 Subject: [PATCH 45/83] nixpkgs update --- README.md | 7 ++++++- config/sources/nix/sources.json | 12 ++++++------ 2 files changed, 12 insertions(+), 7 deletions(-) 
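Review bot: The new `users.users.gitea` block in gitea.nix gives a system account a login shell through `useDefaultShell = true` without saying why. A shell on the service user is normally only needed for git over SSH; if this instance is reached only through the nginx proxy on `git.graven.dev`, the line can be dropped, otherwise a comment such as `# login shell is required for git-over-SSH` makes the exception explicit. The `user`, `group`, `stateDir` and `database` overrides would also benefit from one comment, e.g. `# keep the pre-migration gitea account, state dir and database so forgejo reuses the existing data`, because the file now configures `services.forgejo` under gitea names throughout.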
diff --git a/README.md b/README.md index fbd43da..b9a9709 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,10 @@ NixOS deployments using [nixus](https://github.com/Infinisil/nixus). +TL;DR: +1. `make update` +2. `make result` +3. `make deploy` + First make sure you have `niv` so you can upgrade dependency versions in `sources.json`. ```sh $ nix-shell -p niv @@ -11,5 +16,5 @@ $ nix-build deploy/ ``` Deploy by running the generated executable. ```sh -$ ./results +$ ./result ``` diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index da19c15..baf5556 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "fa194fc484fd7270ab324bb985593f71102e84d1", - "sha256": "06yn179lbhql3vkk4cjca4mdwr6lfdh6n1vqma3a4266dap6hcf4", + "rev": "172385318068519900a7d71c1024242fa6af75f0", + "sha256": "189sxqrr2g9da1jfz15pvvlhknamymgrpzczx3nbm79aw895i83z", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/fa194fc484fd7270ab324bb985593f71102e84d1.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/172385318068519900a7d71c1024242fa6af75f0.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b4372c4924d9182034066c823df76d6eaf1f4ec4", - "sha256": "03daj0laqlqdp053wr2fznwjfbkkyh12qq1wa87zdsgdnnrgd6sc", + "rev": "b0b2c5445c64191fd8d0b31f2b1a34e45a64547d", + "sha256": "1kvscvl8in723440i0w0sv2j2pawdxjkbiqgx85jda2cz92l6rpm", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/b4372c4924d9182034066c823df76d6eaf1f4ec4.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/b0b2c5445c64191fd8d0b31f2b1a34e45a64547d.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From d3f12d97e983d41c77a4e1bac35ca49af41b7f16 Mon Sep 17 00:00:00 2001 
From: Amanda Graven Date: Sun, 3 Mar 2024 13:03:12 +0100 Subject: [PATCH 46/83] Update --- config/sources/nix/sources.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index baf5556..eb09bb1 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "6bd7cd686220bf3db0e212481faf9578e8c8ff0f", - "sha256": "15claxlj6y15db67qc7kb4vzyn6sv7r13z4q502vq7a4z2488z94", + "rev": "d67c25f29716fd2087e71352783fcce194303a9a", + "sha256": "1813r42sz4pmv1syn38s281lmg2l7h779q4r33nn5azm7wy45yrh", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/6bd7cd686220bf3db0e212481faf9578e8c8ff0f.tar.gz", + "url": "https://github.com/nmattia/niv/archive/d67c25f29716fd2087e71352783fcce194303a9a.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "172385318068519900a7d71c1024242fa6af75f0", - "sha256": "189sxqrr2g9da1jfz15pvvlhknamymgrpzczx3nbm79aw895i83z", + "rev": "33a97b5814d36ddd65ad678ad07ce43b1a67f159", + "sha256": "1m7nv1ky9ikrcqr728mc2ks0c5268bkjbb2qxq4wdd42hrdcr5dy", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/172385318068519900a7d71c1024242fa6af75f0.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/33a97b5814d36ddd65ad678ad07ce43b1a67f159.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { 
@@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b0b2c5445c64191fd8d0b31f2b1a34e45a64547d", - "sha256": "1kvscvl8in723440i0w0sv2j2pawdxjkbiqgx85jda2cz92l6rpm", + "rev": "c8e74c2f83fe12b4e5a8bd1abbc090575b0f7611", + "sha256": "1b6953zxrbvvy2x4qw5v4s1350jljlngr27pwd36i040mzsyyshr", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/b0b2c5445c64191fd8d0b31f2b1a34e45a64547d.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/c8e74c2f83fe12b4e5a8bd1abbc090575b0f7611.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From cfd54d3f7ffe05f9bb6038a4cc4b46524fe2f2e7 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 10 Mar 2024 21:57:17 +0100 Subject: [PATCH 47/83] Version update --- config/sources/nix/sources.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index eb09bb1..b2ccbcc 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "d67c25f29716fd2087e71352783fcce194303a9a", - "sha256": "1813r42sz4pmv1syn38s281lmg2l7h779q4r33nn5azm7wy45yrh", + "rev": "6f6529db3a69cf3c4dd81eebcb5b46f1d34170e5", + "sha256": "1qbyprn08917cszfm5syppi4r5p467qii4fzb2v1s0lrqqn0das4", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/d67c25f29716fd2087e71352783fcce194303a9a.tar.gz", + "url": "https://github.com/nmattia/niv/archive/6f6529db3a69cf3c4dd81eebcb5b46f1d34170e5.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { 
@@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "33a97b5814d36ddd65ad678ad07ce43b1a67f159", - "sha256": "1m7nv1ky9ikrcqr728mc2ks0c5268bkjbb2qxq4wdd42hrdcr5dy", + "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", + "sha256": "1z4nzv6nzy5gfsx893h802xikizcnm16p7n4f9qbk69vhi995hvs", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/33a97b5814d36ddd65ad678ad07ce43b1a67f159.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/59e37017b9ed31dee303dbbd4531c594df95cfbc.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c8e74c2f83fe12b4e5a8bd1abbc090575b0f7611", - "sha256": "1b6953zxrbvvy2x4qw5v4s1350jljlngr27pwd36i040mzsyyshr", + "rev": "b94a96839afcc56de3551aa7472b8d9a3e77e05d", + "sha256": "1j5vs24bgy2arl342lrh3znc1pdz68kcjp2rpgy3sccpd9sibqqn", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/c8e74c2f83fe12b4e5a8bd1abbc090575b0f7611.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/b94a96839afcc56de3551aa7472b8d9a3e77e05d.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 8ffde247cf9e484d0aef82ec926b330d2944ce9d Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Mon, 1 Apr 2024 18:23:02 +0200 Subject: [PATCH 48/83] Update nixpkgs --- config/sources/nix/sources.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index b2ccbcc..0f76857 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
@@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", - "sha256": "1z4nzv6nzy5gfsx893h802xikizcnm16p7n4f9qbk69vhi995hvs", + "rev": "9a763a7acc4cfbb8603bb0231fec3eda864f81c0", + "sha256": "1dfpr7aq5avrsagfdxj8rh8jy25sg806dl5m17pp9p529y5fmswn", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/59e37017b9ed31dee303dbbd4531c594df95cfbc.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/9a763a7acc4cfbb8603bb0231fec3eda864f81c0.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b94a96839afcc56de3551aa7472b8d9a3e77e05d", - "sha256": "1j5vs24bgy2arl342lrh3znc1pdz68kcjp2rpgy3sccpd9sibqqn", + "rev": "219951b495fc2eac67b1456824cc1ec1fd2ee659", + "sha256": "065jy7qivlbdqmbvd7r9h97b23f21axmc4r7sqmq2h0j82rmymxv", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/b94a96839afcc56de3551aa7472b8d9a3e77e05d.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/219951b495fc2eac67b1456824cc1ec1fd2ee659.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { @@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "3d829c74b3dff74f211ef21d64def233532e9e5d", - "sha256": "1vwg567jafcwaikkbdgckyirhnb0hd7r8x25j5wsb5a5563bpi65", + "rev": "5257be6a58e6093d0ef7540cee1bf764194e72af", + "sha256": "0lc8d69mjw3swxmvsiyri08f68x3yqh3fzpg0j6jzib8z3bbj659", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/3d829c74b3dff74f211ef21d64def233532e9e5d.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/5257be6a58e6093d0ef7540cee1bf764194e72af.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From 57b2d2f051399c4c2bc6adf7bce05f1fea5bcbd0 Mon Sep 17 00:00:00 2001 
From: Amanda Graven Date: Thu, 25 Apr 2024 20:26:20 +0200 Subject: [PATCH 49/83] Update nixpkgs --- config/sources/nix/sources.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 0f76857..72e8ebf 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "9a763a7acc4cfbb8603bb0231fec3eda864f81c0", - "sha256": "1dfpr7aq5avrsagfdxj8rh8jy25sg806dl5m17pp9p529y5fmswn", + "rev": "797f8d8082c7cc3259cba7275c699d4991b09ecc", + "sha256": "0l3m2jhy1xqr5ijz311cb371wp6z4qf5l47b2i0c3bi4j4qc64zw", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/9a763a7acc4cfbb8603bb0231fec3eda864f81c0.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/797f8d8082c7cc3259cba7275c699d4991b09ecc.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "219951b495fc2eac67b1456824cc1ec1fd2ee659", - "sha256": "065jy7qivlbdqmbvd7r9h97b23f21axmc4r7sqmq2h0j82rmymxv", + "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8", + "sha256": "1nxd4dqci8rs94a7cypx30axgj778p2wydkx16q298n29crkflbw", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/219951b495fc2eac67b1456824cc1ec1fd2ee659.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/dd37924974b9202f8226ed5d74a252a9785aedf8.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From b38af9cce32f8f2d641a2d096b54011d98981093 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Wed, 15 May 2024 22:01:00 +0200 Subject: [PATCH 50/83] Update nixpkgs --- config/sources/nix/sources.json | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) 
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 72e8ebf..ead3f42 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "6f6529db3a69cf3c4dd81eebcb5b46f1d34170e5", - "sha256": "1qbyprn08917cszfm5syppi4r5p467qii4fzb2v1s0lrqqn0das4", + "rev": "04c1cec14801d2b18fc1a771cf40cec249cb8670", + "sha256": "1xl4mni4az9wiwq3ygk0f53gwkjw5pnfgrl69r5vwji2jqc96a11", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/6f6529db3a69cf3c4dd81eebcb5b46f1d34170e5.tar.gz", + "url": "https://github.com/nmattia/niv/archive/04c1cec14801d2b18fc1a771cf40cec249cb8670.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "797f8d8082c7cc3259cba7275c699d4991b09ecc", - "sha256": "0l3m2jhy1xqr5ijz311cb371wp6z4qf5l47b2i0c3bi4j4qc64zw", + "rev": "a4e2b7909fc1bdf30c30ef21d388fde0b5cdde4a", + "sha256": "188r4q1sv19paa85spwcb634g9mllxd7bmn8335lvmrp2r7n674m", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/797f8d8082c7cc3259cba7275c699d4991b09ecc.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/a4e2b7909fc1bdf30c30ef21d388fde0b5cdde4a.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { 
@@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8", - "sha256": "1nxd4dqci8rs94a7cypx30axgj778p2wydkx16q298n29crkflbw", + "rev": "9ddcaffecdf098822d944d4147dd8da30b4e6843", + "sha256": "1w1r95a2zw5y64gwpy4jncap8c6syjhlm5ffa76l0vb48hxbd7n6", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/dd37924974b9202f8226ed5d74a252a9785aedf8.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/9ddcaffecdf098822d944d4147dd8da30b4e6843.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { @@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "5257be6a58e6093d0ef7540cee1bf764194e72af", - "sha256": "0lc8d69mjw3swxmvsiyri08f68x3yqh3fzpg0j6jzib8z3bbj659", + "rev": "9becb43c79661b3f407c2fdb90e2ae1bc64b8c95", + "sha256": "1q34x4wsrd4g1h6vikrj1pqzv0gq2yr2kqiqvdy6bqr4pqffvdxj", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/5257be6a58e6093d0ef7540cee1bf764194e72af.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/9becb43c79661b3f407c2fdb90e2ae1bc64b8c95.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From aa404c2de63735c632f9e9c02d2c2a75fb157e3f Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sat, 1 Jun 2024 22:56:32 +0200 Subject: [PATCH 51/83] Version update --- config/sources/nix/sources.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index ead3f42..546d71b 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
@@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "04c1cec14801d2b18fc1a771cf40cec249cb8670", - "sha256": "1xl4mni4az9wiwq3ygk0f53gwkjw5pnfgrl69r5vwji2jqc96a11", + "rev": "f7c538837892dd2eb83567c9f380a11efb59b53f", + "sha256": "0xl33k24vfc29cg9lnp95kvcq69qbq5fzb7jk9ig4lgrhaarh651", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/04c1cec14801d2b18fc1a771cf40cec249cb8670.tar.gz", + "url": "https://github.com/nmattia/niv/archive/f7c538837892dd2eb83567c9f380a11efb59b53f.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "a4e2b7909fc1bdf30c30ef21d388fde0b5cdde4a", - "sha256": "188r4q1sv19paa85spwcb634g9mllxd7bmn8335lvmrp2r7n674m", + "rev": "7b49d3967613d9aacac5b340ef158d493906ba79", + "sha256": "1v8lddagjyjy4xm9l103qbqplh13hblkf030yc9r8760d1wzdibv", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/a4e2b7909fc1bdf30c30ef21d388fde0b5cdde4a.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/7b49d3967613d9aacac5b340ef158d493906ba79.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9ddcaffecdf098822d944d4147dd8da30b4e6843", - "sha256": "1w1r95a2zw5y64gwpy4jncap8c6syjhlm5ffa76l0vb48hxbd7n6", + "rev": "25cf937a30bf0801447f6bf544fc7486c6309234", + "sha256": "1j5vs24bgy2arl342lrh3znc1pdz68kcjp2rpgy3sccpd9sibqqn", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/9ddcaffecdf098822d944d4147dd8da30b4e6843.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/25cf937a30bf0801447f6bf544fc7486c6309234.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From b1ff58b3d999f12cf126927cf5c95e2d1c8e4d3d Mon Sep 17 00:00:00 2001 
From: Amanda Graven Date: Sat, 3 Aug 2024 20:40:14 +0200 Subject: [PATCH 52/83] Upgrade nixpkgs to 24.05 --- README.md | 7 +++++++ config/hosts/rudiger/services/nextcloud.nix | 7 +++++-- config/hosts/wind/services/synapse.nix | 10 +++++----- config/sources/nix/sources.json | 20 ++++++++++---------- 4 files changed, 27 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index b9a9709..0388c24 100644 --- a/README.md +++ b/README.md @@ -18,3 +18,10 @@ Deploy by running the generated executable. ```sh $ ./result ``` + +## Switching nixpkgs branch +```sh +cd config/sources +niv modify nixpkgs -b nixos-xx.yy +``` + diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix index 96ecc98..940166a 100644 --- a/config/hosts/rudiger/services/nextcloud.nix +++ b/config/hosts/rudiger/services/nextcloud.nix @@ -4,7 +4,7 @@ enable = true; hostName = "cloud.graven.dev"; https = true; - package = pkgs.nextcloud27; + package = pkgs.nextcloud29; autoUpdateApps.enable = true; maxUploadSize = "10G"; webfinger = true; @@ -14,9 +14,12 @@ dbuser = "nextcloud"; dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself dbname = "nextcloud"; - defaultPhoneRegion = "DK"; adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file; adminuser = "root"; }; + settings = { + default_phone_region = "DK"; + }; + phpOptions."opcache.interned_strings_buffer" = "23"; }; } diff --git a/config/hosts/wind/services/synapse.nix b/config/hosts/wind/services/synapse.nix index 48cb0b0..8d4ab4d 100644 --- a/config/hosts/wind/services/synapse.nix +++ b/config/hosts/wind/services/synapse.nix 
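Review bot: The nextcloud.nix hunk moves `package` from `pkgs.nextcloud27` straight to `pkgs.nextcloud29`, which skips a major release. Nextcloud only supports upgrading one major version at a time, so unless version 28 was deployed on rudiger between patches 43 and 52 the upgrade step will refuse to run or leave the instance in maintenance mode. I would deploy once with `package = pkgs.nextcloud28;`, let the migration finish, and only then switch to `pkgs.nextcloud29`. A short comment next to the line recording the last version actually deployed would make the next bump safer.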
@@ -5,11 +5,6 @@ enable = true; withJemalloc = true; extraConfigFiles = [ config.secrets.files.synapse_extra_config.file ]; - sliding-sync = { - enable = true; - settings.SYNCV3_SERVER = "https://graven.dev"; - environmentFile = builtins.toString config.secrets.files.synapse_sliding_sync_env.file; - }; settings = { server_name = "graven.dev"; enable_registration = false; @@ -71,5 +66,10 @@ ]; }; }; + services.matrix-sliding-sync = { + enable = true; + settings.SYNCV3_SERVER = "https://graven.dev"; + environmentFile = builtins.toString config.secrets.files.synapse_sliding_sync_env.file; + }; } diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 546d71b..af306ef 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
@@ -17,22 +17,22 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "7b49d3967613d9aacac5b340ef158d493906ba79", - "sha256": "1v8lddagjyjy4xm9l103qbqplh13hblkf030yc9r8760d1wzdibv", + "rev": "14c333162ba53c02853add87a0000cbd7aa230c2", + "sha256": "0598kqgr03zk3i6bzqsphs7l2vav83901h2gs7i1fh1rqzicq4nv", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/7b49d3967613d9aacac5b340ef158d493906ba79.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/14c333162ba53c02853add87a0000cbd7aa230c2.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "nixos-23.11", + "branch": "nixos-24.05", "description": "Nix Packages collection", "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "25cf937a30bf0801447f6bf544fc7486c6309234", - "sha256": "1j5vs24bgy2arl342lrh3znc1pdz68kcjp2rpgy3sccpd9sibqqn", + "rev": "05405724efa137a0b899cce5ab4dde463b4fd30b", + "sha256": "06490pn22x9xl4chfx12iwdgx7nlbn14v8x05rnv2y1nancljisl", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/25cf937a30bf0801447f6bf544fc7486c6309234.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/05405724efa137a0b899cce5ab4dde463b4fd30b.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { @@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "9becb43c79661b3f407c2fdb90e2ae1bc64b8c95", - "sha256": "1q34x4wsrd4g1h6vikrj1pqzv0gq2yr2kqiqvdy6bqr4pqffvdxj", + "rev": "0aa59229988b741006743de6a64952bda85a3905", + "sha256": "129pvwr38vadwnd70mzp2lyavr7h1yh8jjk347lqqchsl4107zjb", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/9becb43c79661b3f407c2fdb90e2ae1bc64b8c95.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/0aa59229988b741006743de6a64952bda85a3905.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From da1928e8ca9b4a19baa06d34f5f8157299f78513 Mon Sep 17 00:00:00 2001 
From: Amanda Graven Date: Sat, 19 Oct 2024 18:03:34 +0200 Subject: [PATCH 53/83] Update nixpkgs, remove nitter --- config/hosts/wind/configuration.nix | 1 - .../wind/data/secrets/synapse_extra_config | Bin 22 -> 55 bytes config/hosts/wind/services/nitter.nix | 12 ------------ config/sources/nix/sources.json | 18 +++++++++--------- 4 files changed, 9 insertions(+), 22 deletions(-) delete mode 100644 config/hosts/wind/services/nitter.nix diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index fc12055..d375d2a 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix @@ -12,7 +12,6 @@ ./services/borg.nix ./services/coturn.nix ./services/nginx.nix - ./services/nitter.nix ./services/postgres.nix ./services/synapse.nix ./services/ttrss.nix diff --git a/config/hosts/wind/data/secrets/synapse_extra_config b/config/hosts/wind/data/secrets/synapse_extra_config index 34083055a5f57ba626f8ddbd0c9175d78597da85..7307817e1f30144f7fc48c5520add59518437e16 100644 GIT binary patch literal 55 zcmZQ@_Y83kiVO&0xUzR)%KkHXYuSy&_DQdFT_kyXXZqo|FOK&QEIqdLZWQackg4n3 N*n@I}O{Zip1puN58AJd8 literal 22 dcmZQ@_Y83kiVO&02z~#2Peppn)D1$S3jtUk2&Mo4 diff --git a/config/hosts/wind/services/nitter.nix b/config/hosts/wind/services/nitter.nix deleted file mode 100644 index 2755b18..0000000 --- a/config/hosts/wind/services/nitter.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, ... }: -{ - services.nitter = { - enable = true; - server = { - port = 4992; - # Only save cookies on HTTPS - address = "127.0.0.1"; - - }; - }; -} diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index af306ef..07bd927 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
@@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "f7c538837892dd2eb83567c9f380a11efb59b53f", - "sha256": "0xl33k24vfc29cg9lnp95kvcq69qbq5fzb7jk9ig4lgrhaarh651", + "rev": "e80fc8fae87cc91f449533fca6b9cadf8be69e6c", + "sha256": "024hnxvqk8z5n2n54rj05l91q38g9y8nwvrj46xml13kjmg4shb3", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/f7c538837892dd2eb83567c9f380a11efb59b53f.tar.gz", + "url": "https://github.com/nmattia/niv/archive/e80fc8fae87cc91f449533fca6b9cadf8be69e6c.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "14c333162ba53c02853add87a0000cbd7aa230c2", - "sha256": "0598kqgr03zk3i6bzqsphs7l2vav83901h2gs7i1fh1rqzicq4nv", + "rev": "38279034170b1e2929b2be33bdaedbf14a57bfeb", + "sha256": "1grc0z1s4imnfy0xn17qg50lsy27d856l48zlk6k0nyhxmhsskrm", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/14c333162ba53c02853add87a0000cbd7aa230c2.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/38279034170b1e2929b2be33bdaedbf14a57bfeb.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "05405724efa137a0b899cce5ab4dde463b4fd30b", - "sha256": "06490pn22x9xl4chfx12iwdgx7nlbn14v8x05rnv2y1nancljisl", + "rev": "4eb33fe664af7b41a4c446f87d20c9a0a6321fa3", + "sha256": "0wmz8y0ac88r53jd61m83bp55h36hdxvdk848iiz1yg51n2qyf1c", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/05405724efa137a0b899cce5ab4dde463b4fd30b.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/4eb33fe664af7b41a4c446f87d20c9a0a6321fa3.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From c7d5cf033bb9678a5c20e77b6556d816a6e8e318 Mon Sep 17 00:00:00 2001 
From: Amanda Graven Date: Wed, 6 Nov 2024 17:44:06 +0100 Subject: [PATCH 54/83] Disable sliding sync proxy --- config/hosts/wind/data/secrets/secrets.nix | Bin 1660 -> 1548 bytes config/hosts/wind/services/nginx.nix | 4 ---- config/hosts/wind/services/synapse.nix | 5 ----- 3 files changed, 9 deletions(-) 
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/config/hosts/wind/data/secrets/secrets.nix index 47c5c6e576357d396caf46ad06a23932484a0caf..d95a37cdb202d2b8128269925995f2641737b549 100644 GIT binary patch literal 1548 zcmZQ@_Y83kiVO&0ct4}$lXr_?i^i#ywr8u8k8a#8^fO0nx4d@NCfWS+b_S1T2u9A@ zzo$~&r7|P$tgG(KN^bfPx$KdC2YH0WKyF6OOA#(HEz;{c_^6y@E^GnHbL>7J5B@@9qz=!Z)mp zFIkp6NI$Q9@`YJKf`wYq3Z-UstF&Tm$JueM^D_wno2r_1_m zYxZXbJb9t+Wn9YK{sT*PUPCWAM2)`@+J~_o*lKHpS&7r|k4&{2iZUcUe$C zW|Fh#QdtWlyMRL))@#=|-S};O=l9taO)FLRygqvH^*z^}MhmXC)c^Lhi+z2aE%Dj4 z$UmJKhvXQ(*z`80O<5uFcF*+5-Gy7vvR%99+Eb&+#mksKJ2rd0yKK&)Z+H$OOkv!8$O z*43<{5w=HXbJWr=M|Zg2cK)lkU4Lqba)@+9NX5-d+iRj6PPofPukq8+n8N#B@~Mzo zg3y{(-XHG#Q3z74zdJwT;+zE<%9Xnkl(LG-d!i$`Qv%D@p5g5~7HYUG{4^PV(kOFE4rSNuh@lip3i=l;cc@1M8o@kJt1t* z3gn7J;)UamuDz_DQ$z*WBXHs7Nz)+<&*}S3kc}hsVJ(PM)VN zQSMgaDSpK}9zKXLu+fhH@@3|C@#z~9A5ADdT9tK9b(S<& z_N1>3$9yLoX6JEF+_bWF*Rgc%qcZoV|9M)QYqBoFF6d6+?$|{N8{3}#N~j2756_%c zy7`mC;k!birwjiI)~tKGfAc3bwt(Vk+|^a#AG`d5xPw$!qjDZIyq#jc$@{;il#TG+ z$=h}NgxQJ?n}-$kC$?!W*{>1*kh50I`@w z@5oD4O~wp|z8L0p2w-B*_*RXkxFR#y}j&RIkzIag!kq= z=cy|;vMb#-n-lVQ@v+G3>QN?_*|bf1a(8T>KYRTqC&`7+d?F<>%92mtigV46iO~|i zx9F|h?B8bLH+P<0zcg;g%mo3{Z#1UIP0?Lg>1O3LWxMa^T@0(!oia);ort`;Z_e~< zO3xhLuJbh6IW=i%XRveyTNj_;B(^kBy#-}|XGneI6S+SBwc2arl)=2rF$%4B)#FjTP005|0^3VVP literal 1660 zcmZQ@_Y83kiVO&05G+t`V4JD(`i$7=J5OSGo^stcvYnSafv2RTu>0w}P?aklFR!Nw zGP?O?UD_GTFJh%~a^1^|=l@)KCieHr{@8>4Kld|6Z@9cfP~r0wuUgSpw;mY9v2Z>w zv}W3D84|Uz>`WKPcDZLBIMg1j;jFzd zp5?08sX1Mj&V?4U7VHbwQv77#nYij*vdT60)xS=OampTf7&}|zpG>}I{H_HLf4+P^ z-SGNp8B5Ptm(5%BCMP?Rf1ae4b&M#H5ZTMz``+eE$Vs zog0=Wl6*4aV)1%DE|=@?XL#Spm0iU0BinB#$27fZ(a(-lh84*J-e-r`!}FK^_0>9u^<%<~hPbp`pF z-a4gJEYid>OaHQz%2XVGvGr6n;v`)NvaC6^ovn?9wX|fCdJ^pvSO3qyP$FJno zK7z;2nehE{vX?sasI%N?{(ZhHKko6XNd5QA7i7Gn?-RCi+Qs~f*Cug(`fQr8=HcoC z6FkJr_CGm0?^;3eTlt(RciCD!HgL^68LXf4$hGP4n-@A7S9Z<)-SyVumhRqn|JPr_4#-`C6_jzqu*B=V}8+JlN zX?3U70r%re&R6;^7W%kPGbeJ#u0I}UTPCXnzYcJF-*)G1(Avbi|D?`2x`r?Q(fZ6~ 
z_X*|TZI(YPuP;A(>PB5=QDaoj&a8IV8pSAf=BzK5&-JQ3RJ`)+>8Y73{L3s8KQP7y zcm3WQo^3FJIbha|4C9syEj5Z^nY^pMG}`3^wTZ;*E&q{G$L&A!v)kRu6XrkO?lG=t ztvgn9iof3AJ>N5{yPw!Mc>4S5e$;OBIvdWGJWk6p3ZaPZxer%WCIm%h}_6QEtBBTU+kqa>Amv>-}8q z-qfxX?Al- z1|c^WFqRAE+crO%F&8-LvHIYFF!I_w)#lx-(lk@7vv%Ircm@tNv3k{OeOq)cnb*+-MG+>R{bm~*w8#BYe4~_Gu9uAGE zb`$^jc*C5WP0rVYpUOJ%%?X+DvRyY^a+}$*e%8fI=2DLus@VKBITz- Date: Wed, 6 Nov 2024 17:44:33 +0100 Subject: [PATCH 55/83] Bump nixpkgs --- config/sources/nix/sources.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 07bd927..c961849 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "e80fc8fae87cc91f449533fca6b9cadf8be69e6c", - "sha256": "024hnxvqk8z5n2n54rj05l91q38g9y8nwvrj46xml13kjmg4shb3", + "rev": "55422d6f2618cd2195eeafa3f16ae63fde723c15", + "sha256": "1s6m41hhsydf3lw6ihksc904vcpyd5agwiqq8hb8plyqvsyn74ba", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/e80fc8fae87cc91f449533fca6b9cadf8be69e6c.tar.gz", + "url": "https://github.com/nmattia/niv/archive/55422d6f2618cd2195eeafa3f16ae63fde723c15.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { 
@@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "38279034170b1e2929b2be33bdaedbf14a57bfeb", - "sha256": "1grc0z1s4imnfy0xn17qg50lsy27d856l48zlk6k0nyhxmhsskrm", + "rev": "90642a0deae927fa911d49d4f7c5616257105141", + "sha256": "0y2vp5jvjn0bldnram5nw5rbiiky6crzkf2ix5m6qd1mcd26s9n0", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/38279034170b1e2929b2be33bdaedbf14a57bfeb.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/90642a0deae927fa911d49d4f7c5616257105141.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4eb33fe664af7b41a4c446f87d20c9a0a6321fa3", - "sha256": "0wmz8y0ac88r53jd61m83bp55h36hdxvdk848iiz1yg51n2qyf1c", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "sha256": "0nh2q19pcw3nccdsr3318zsbsdanfs6ckapi4wrnm4bxdmcbrnbr", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/4eb33fe664af7b41a4c446f87d20c9a0a6321fa3.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/d063c1dd113c91ab27959ba540c0d9753409edf3.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 43f898a7c5b0883259f6370e89846723dc033405 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Tue, 10 Dec 2024 21:06:11 +0100 Subject: [PATCH 56/83] Bump nixpkgs --- config/sources/nix/sources.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index c961849..94d3284 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
@@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "90642a0deae927fa911d49d4f7c5616257105141", - "sha256": "0y2vp5jvjn0bldnram5nw5rbiiky6crzkf2ix5m6qd1mcd26s9n0", + "rev": "e563803af3526852b6b1d77107a81908c66a9fcf", + "sha256": "12z4iq20kwrv1150k81pqiwijx008kwfmkvzhw957m8dmv2xnb91", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/90642a0deae927fa911d49d4f7c5616257105141.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/e563803af3526852b6b1d77107a81908c66a9fcf.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", - "sha256": "0nh2q19pcw3nccdsr3318zsbsdanfs6ckapi4wrnm4bxdmcbrnbr", + "rev": "7109b680d161993918b0a126f38bc39763e5a709", + "sha256": "16rv6mbq4bd0xlpm4fshx5mnx6rk01s19hby3ijjc4w5rngvnlkn", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/d063c1dd113c91ab27959ba540c0d9753409edf3.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/7109b680d161993918b0a126f38bc39763e5a709.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From beb429d72d8813199c654bb28a8fef6ddb60aa57 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Wed, 8 Jan 2025 19:45:36 +0100 Subject: [PATCH 57/83] Upgrade to nixos-24.11 --- config/hosts/rudiger/services/nextcloud.nix | 2 +- config/hosts/wind/services/vaultwarden.nix | 2 +- config/sources/nix/sources.json | 20 ++++++++++---------- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix index 940166a..9dcccc2 100644 --- a/config/hosts/rudiger/services/nextcloud.nix +++ b/config/hosts/rudiger/services/nextcloud.nix 
@@ -4,7 +4,7 @@ enable = true; hostName = "cloud.graven.dev"; https = true; - package = pkgs.nextcloud29; + package = pkgs.nextcloud30; autoUpdateApps.enable = true; maxUploadSize = "10G"; webfinger = true; diff --git a/config/hosts/wind/services/vaultwarden.nix b/config/hosts/wind/services/vaultwarden.nix index bf6c7d3..987466a 100644 --- a/config/hosts/wind/services/vaultwarden.nix +++ b/config/hosts/wind/services/vaultwarden.nix @@ -3,7 +3,7 @@ services.vaultwarden = { enable = true; environmentFile = config.secrets.files.vaultwarden_env.file; - backupDir = "/var/lib/bitwarden_rs/backup"; + backupDir = "/var/backup/vaultwarden"; config = { domain = "https://vault.graven.dev"; signupsAllowed = false; diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 94d3284..3295cd2 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
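Review bot: In vaultwarden.nix the new `backupDir = "/var/backup/vaultwarden";` moves the vault's database copies out of the service's state directory, and nothing in this commit shows who owns the new path or which off-host job picks it up. That directory holds a full copy of the stored credentials, so it should be accessible to the vaultwarden user only and appear in the `paths` of one of wind's backup jobs; the restic and borg definitions are outside this hunk, so that part cannot be confirmed from here. A comment above the line would record both requirements, e.g. `# vault DB backups; keep vaultwarden-only and make sure an off-host backup job covers this path`. The `services.vaultwarden` block continues past the end of the hunk.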
@@ -17,22 +17,22 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "e563803af3526852b6b1d77107a81908c66a9fcf", - "sha256": "12z4iq20kwrv1150k81pqiwijx008kwfmkvzhw957m8dmv2xnb91", + "rev": "4f339f6be2b61662f957c2ee9eda0fa597d8a6d6", + "sha256": "0hyq5q31asx6f48p88yzqc47mi1cj0v64qcmrdnh65xi6xylav84", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/e563803af3526852b6b1d77107a81908c66a9fcf.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/4f339f6be2b61662f957c2ee9eda0fa597d8a6d6.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "nixos-24.05", + "branch": "nixos-24.11", "description": "Nix Packages collection", "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7109b680d161993918b0a126f38bc39763e5a709", - "sha256": "16rv6mbq4bd0xlpm4fshx5mnx6rk01s19hby3ijjc4w5rngvnlkn", + "rev": "3f0a8ac25fb674611b98089ca3a5dd6480175751", + "sha256": "10i7fllqjzq171afzhdf2d9r1pk9irvmq5n55h92rc47vlaabvr4", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/7109b680d161993918b0a126f38bc39763e5a709.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/3f0a8ac25fb674611b98089ca3a5dd6480175751.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { @@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "0aa59229988b741006743de6a64952bda85a3905", - "sha256": "129pvwr38vadwnd70mzp2lyavr7h1yh8jjk347lqqchsl4107zjb", + "rev": "f3010b72d15520cd9a9e87cc0e7a1f1f2727a5cf", + "sha256": "0cydhq2zh3bxnlj1cp18wnlhniz8z3nnjjjnwdm6936al4a9jy3b", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/0aa59229988b741006743de6a64952bda85a3905.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/f3010b72d15520cd9a9e87cc0e7a1f1f2727a5cf.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } From 997aa93cdc342607c438d5ab9ce9b77a330d0f1f Mon Sep 17 00:00:00 2001 
From: Amanda Graven Date: Sat, 8 Feb 2025 09:44:57 +0100 Subject: [PATCH 58/83] Bump nixpkgs --- config/sources/nix/sources.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 3295cd2..e5d8530 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "55422d6f2618cd2195eeafa3f16ae63fde723c15", - "sha256": "1s6m41hhsydf3lw6ihksc904vcpyd5agwiqq8hb8plyqvsyn74ba", + "rev": "e2f66fe558481d6b569358d27db06f7e972ed71b", + "sha256": "1xn822jajags6bigdr1ssxvfiyd7d3adhnmmrr9x3maphchkr0x0", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/55422d6f2618cd2195eeafa3f16ae63fde723c15.tar.gz", + "url": "https://github.com/nmattia/niv/archive/e2f66fe558481d6b569358d27db06f7e972ed71b.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "4f339f6be2b61662f957c2ee9eda0fa597d8a6d6", - "sha256": "0hyq5q31asx6f48p88yzqc47mi1cj0v64qcmrdnh65xi6xylav84", + "rev": "2eccff41bab80839b1d25b303b53d339fbb07087", + "sha256": "18mvkhlzlws28brxmjw2igwmxsrh8v3plixywlbrg6hpiy1na977", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/4f339f6be2b61662f957c2ee9eda0fa597d8a6d6.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/2eccff41bab80839b1d25b303b53d339fbb07087.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { 
@@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3f0a8ac25fb674611b98089ca3a5dd6480175751", - "sha256": "10i7fllqjzq171afzhdf2d9r1pk9irvmq5n55h92rc47vlaabvr4", + "rev": "f5a32fa27df91dfc4b762671a0e0a859a8a0058f", + "sha256": "0w84lcpxxqzpab7qrdrf4szpij27q906kgckclqxb3q533ir07zg", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/3f0a8ac25fb674611b98089ca3a5dd6480175751.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/f5a32fa27df91dfc4b762671a0e0a859a8a0058f.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 2210d8eecf88f9a6686441c08f1f91e9efc811e8 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 23 Mar 2025 18:10:23 +0100 Subject: [PATCH 59/83] Bump nixpkgs --- config/sources/nix/sources.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index e5d8530..11c32e7 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "e2f66fe558481d6b569358d27db06f7e972ed71b", - "sha256": "1xn822jajags6bigdr1ssxvfiyd7d3adhnmmrr9x3maphchkr0x0", + "rev": "dd678782cae74508d6b4824580d2b0935308011e", + "sha256": "0dk8dhh9vla2s409anmrfkva6h3r32xmz3cm8ha09wyk8iyf1f87", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/e2f66fe558481d6b569358d27db06f7e972ed71b.tar.gz", + "url": "https://github.com/nmattia/niv/archive/dd678782cae74508d6b4824580d2b0935308011e.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { 
@@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "2eccff41bab80839b1d25b303b53d339fbb07087", - "sha256": "18mvkhlzlws28brxmjw2igwmxsrh8v3plixywlbrg6hpiy1na977", + "rev": "380ed15bcd6440606c6856db44a99140d422b46f", + "sha256": "1gry924avdpja2hmxycjsii09ryz56jrils6jx90q65c14wcx7f8", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/2eccff41bab80839b1d25b303b53d339fbb07087.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/380ed15bcd6440606c6856db44a99140d422b46f.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f5a32fa27df91dfc4b762671a0e0a859a8a0058f", - "sha256": "0w84lcpxxqzpab7qrdrf4szpij27q906kgckclqxb3q533ir07zg", + "rev": "7105ae3957700a9646cc4b766f5815b23ed0c682", + "sha256": "0j3jd82iyyck4hpmz7pkak1v27l7pydl0c3vvyz6wfpi612x8xzi", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/f5a32fa27df91dfc4b762671a0e0a859a8a0058f.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/7105ae3957700a9646cc4b766f5815b23ed0c682.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 68bd97fe3a25299559305a4977728ff1ba91b92c Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 23 Mar 2025 18:10:55 +0100 Subject: [PATCH 60/83] Add immich --- config/hosts/rudiger/configuration.nix | 1 + config/hosts/rudiger/services/immich.nix | 8 ++++++++ config/hosts/rudiger/services/nginx.nix | 17 ++++++++++++++++- 3 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 config/hosts/rudiger/services/immich.nix diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix index 632a8fe..b096665 100644 --- a/config/hosts/rudiger/configuration.nix +++ b/config/hosts/rudiger/configuration.nix 
@@ -10,6 +10,7 @@ ../../common/services/tailscale.nix ../../common/users.nix ./services/acme.nix + ./services/immich.nix ./services/nextcloud.nix ./services/nginx.nix ./services/postgres.nix diff --git a/config/hosts/rudiger/services/immich.nix b/config/hosts/rudiger/services/immich.nix new file mode 100644 index 0000000..1825eda --- /dev/null +++ b/config/hosts/rudiger/services/immich.nix @@ -0,0 +1,8 @@ +{ ... }: + +{ + services.immich = { + enable = true; + port = 2283; + }; +} diff --git a/config/hosts/rudiger/services/nginx.nix b/config/hosts/rudiger/services/nginx.nix index d896bab..0440b9d 100644 --- a/config/hosts/rudiger/services/nginx.nix +++ b/config/hosts/rudiger/services/nginx.nix @@ -1,8 +1,23 @@ -{ ... }: +{ config, ... }: { imports = [ ../../../common/services/nginx.nix ]; services.nginx.virtualHosts."cloud.graven.dev" = { enableACME = true; forceSSL = true; }; + services.nginx.virtualHosts."immich.graven.dev" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://[::1]:${toString config.services.immich.port}"; + proxyWebsockets = true; + recommendedProxySettings = true; + extraConfig = '' + client_max_body_size 50000M; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + send_timeout 600s; + ''; + }; + }; } From 0a01c859abe7bc7f4c0e3d270a7d29c10d332403 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sat, 29 Mar 2025 15:05:09 +0100 Subject: [PATCH 61/83] Route amanda.graven.dev to wind --- config/hosts/wind/services/nginx.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/hosts/wind/services/nginx.nix b/config/hosts/wind/services/nginx.nix index 48176d7..81b3086 100644 --- a/config/hosts/wind/services/nginx.nix +++ b/config/hosts/wind/services/nginx.nix @@ -21,6 +21,11 @@ ''; }; }; + "amanda.graven.dev" = { + enableACME = true; + forceSSL = true; + locations."/".root = "/var/www/amanda.graven.dev/public"; + }; "rss.graven.dev" = { enableACME = true; forceSSL = true; 
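Review bot: The new immich.nix pins `port = 2283;` but leaves the listen address to the module default, while the nginx location added in the same commit proxies to `http://[::1]:…`. The proxy therefore only works if that default ends up bound to the IPv6 loopback, which this file does not guarantee. Setting `host = "::1";` next to the port makes the bind address explicit, keeps the service on loopback by declaration rather than by default, and keeps it in step with the proxy target.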
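Review bot: The `extraConfig` of the new `immich.graven.dev` location sets `client_max_body_size 50000M;` together with 600-second read and send timeouts, and these apply to every request that reaches `/`, before immich has had a chance to authenticate it. With nginx's default request buffering the whole body is spooled to disk on the proxy first, so the limit is effectively a bound on how much temporary disk a single request may consume. Consider adding `proxy_request_buffering off;` so uploads stream straight to the backend, and add a comment saying why 50000M was chosen, e.g. `# largest expected single video upload`. If the upload endpoints have a known path prefix, the large limit could be confined to a dedicated `locations` entry, but that prefix is not visible in this hunk.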
From b41fbbe6f8298117a2a1698f77969e7e645924a7 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sat, 5 Apr 2025 16:04:10 +0200 Subject: [PATCH 62/83] Update ssh keys --- config/common/users.nix | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/config/common/users.nix b/config/common/users.nix index b2e389c..1f7b321 100644 --- a/config/common/users.nix +++ b/config/common/users.nix @@ -5,14 +5,7 @@ isNormalUser = true; extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBkWK8PsRh8tOz4800XFN3V2IUm2u95qOaVnuHnMknjiAAAABHNzaDo= emelie@em-work" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMo8Ki0Udte248BGhPGNueWI/aVL4YXDwyPMeI31TmXOAAAAEXNzaDpuazNhLXBlcnNvbmFs ssh:nk3a-personal" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIG7CWaPat3WhohFYhwfH7YxZm2mXGd4q9DKiLTl8QebcAAAAEHNzaDp5NWEtcGVyc29uYWw= ssh:y5a-personal" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIOogMO9/nl7nWFzJYrLlbeFrYLzzBnyKTqYFnn9TZtZAAAAEHNzaDp5NWMtcGVyc29uYWw= ssh:y5c-personal" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAII25n47g35go0CaKcCaqZemuT3GiqtomYeqAQYYnRhEaAAAADHNzaDpwZXJzb25hbA==" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINEZQucbj2M15Zs5uXlcMztn/QjOAKEeqL5PCnm4Xrv5AAAADHNzaDpwZXJzb25hbA==" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIP4MsGRUg7DOHZ5AHbFrZJYJ2VeulOWmu8O7H/y/6GTdAAAADHNzaDpwZXJzb25hbA==" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAn9xV1GA/hMkCFoP7DWzYyGmbeiri823fHMRz0ZVoxq emelie-personal-bw" ]; }; 
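Review bot: The first hunk of users.nix removes every `sk-ssh-ed25519@openssh.com` entry for this account and leaves a single plain `ssh-ed25519` key, so a member of `wheel` goes from hardware-backed keys to one key whose private half can be copied. If the `emelie-personal-bw` comment means the key lives in a password manager (an inference from the name only), that trade-off deserves a line in the file, e.g. `# software key kept in password manager; FIDO2 keys retired 2025-04`. Keeping at least one `sk-` entry alongside it would preserve the stronger factor and avoid a lockout if the single key is lost. The second hunk adds `amanda@gpg` the same way but keeps that account's existing `sk-` key, so it does not have the same problem. The user definition itself starts outside the hunk.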
@@ -25,6 +18,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6v5D/aJuIhuIVcnzFA7ocxPMI8JgHEnxSPuD+SaLHX amanda@sharpy" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+0x2uHcuXpFQdeXeUWeLGPefWo6Sd7yy2FJlyZy8V+ amanda@tappy" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKWhc20jOFF+pVVT/Mf1ACYOtppkYWkP7NkY0/fPvjPAAAAFHNzaDphMy1uazNhLXBlcnNvbmFs ssh:a3-nk3a-personal" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMLbLay9KARrdb8QM4OLzmqWIN48rZMX6wCddBwYT/U amanda@gpg" ]; }; }; From 25391e326135a26baceaacb108a4685d0283f9c4 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sat, 5 Apr 2025 16:05:09 +0200 Subject: [PATCH 63/83] Add Out of Your Element --- .gitmodules | 3 +++ config/hosts/grondahl/configuration.nix | 1 + .../grondahl/data/secrets/ooye_client_secret | Bin 0 -> 55 bytes config/hosts/grondahl/data/secrets/ooye_token | Bin 0 -> 95 bytes .../hosts/grondahl/data/secrets/secrets.nix | Bin 1259 -> 1403 bytes config/hosts/grondahl/services/nginx.nix | 5 +++++ config/hosts/grondahl/services/ooye | 1 + config/hosts/grondahl/services/ooye.nix | 16 ++++++++++++++++ 8 files changed, 26 insertions(+) create mode 100644 .gitmodules create mode 100644 config/hosts/grondahl/data/secrets/ooye_client_secret create mode 100644 config/hosts/grondahl/data/secrets/ooye_token create mode 160000 config/hosts/grondahl/services/ooye create mode 100644 config/hosts/grondahl/services/ooye.nix diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..b988793 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "config/hosts/grondahl/services/ooye"] + path = config/hosts/grondahl/services/ooye + url = https://cgit.rory.gay/nix/OOYE-module.git diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix index a7ac181..a4bb6cf 100644 --- a/config/hosts/grondahl/configuration.nix +++ b/config/hosts/grondahl/configuration.nix 
@@ -16,6 +16,7 @@ ./services/nginx.nix ./services/synapse.nix ./services/postgres.nix + ./services/ooye.nix #./services/mail.nix #./services/containers.nix #./services/redis.nix diff --git a/config/hosts/grondahl/data/secrets/ooye_client_secret b/config/hosts/grondahl/data/secrets/ooye_client_secret new file mode 100644 index 0000000000000000000000000000000000000000..719fb6ee2bebc3e59a11b31ce0daddb3f9451225 GIT binary patch literal 55 zcmZQ@_Y83kiVO&0;ASq*IQg_tuvS!b=hN?6&z7b9Uij>7;)C8#za6=jq->q1_q4dj M@AHgY3DL(Q0GOp3HUIzs literal 0 HcmV?d00001 
diff --git a/config/hosts/grondahl/data/secrets/ooye_token b/config/hosts/grondahl/data/secrets/ooye_token new file mode 100644 index 0000000000000000000000000000000000000000..99de1112cf2d08f6b8b4bd35be3e97aee5595b71 GIT binary patch literal 95 zcmZQ@_Y83kiVO&0xL0AN#Fcq`^ZwA)pWL?f{Ns|D*1ak9ZpPP@+w!OQuVwFySpPFU zsv^5%j_Z>ThLwwW#U@PLCM@&cSm2zH$FjLE!kv|`a=p3my8WWfq@d@_Zw!e@K zxpHhye1eCTZ|eEP)|;nAA7|aQ>esv!aQ|Ap)rEU?ukW7L z|H^PYJM-$hMIpV8azUzn+KiWu$@>PCM{Si$D@@sc%B%LnqWRlDXi6P2SIt|Lc=bvr z)9U4%51hjHxz193`_yIM$@ZX`@A*xW1*ZRy*cQhvq#xGny8Zj-1;T%Yvkv|$(vn$v z-?TBCfBuc*$IOIIouA1mcA2N~XfNaD_VvsBvR2yIefs6RL?k%%(VNpZe>p#2x-yS* zo${e@pQ9{izgryX_Prrt)-rG*CEBL;*%2R!n;;Zn>{Iz9? z7vFB!z^|)+ftU5a3ClUtMIvec3$3|0Tr(Ck7R~)9@GnQ}XexWYWBSG`Hx2GKovB@4 zRsAWq+i^p+z`u8#lHdLPbQRxdTOG*jIim5cW8cXee*2p5IXwE>UoodMKZ@79dF7P( z9=12y-B(+d#5t$k$de68Rhj2spU!hUf7XvZ4<5e0w9M4j=HEO9&2Li@^4>=YPdMs! zT_g6z^&k1RFOGJIO`Un!)Y#hLryrKe)|uHEl(U= z>a%T96L(DMtZdorP$juj4lQLTTQ9G=tsHVQ_}XoM-``6%X*R!#+V#A^jZLoNicbcQ z)9m%em&6W#tD3FWY1Eo#AjpGaBSUE zzR<7kkFxSqW+;>%6T6@q|3UYYkS|-!w)y$bzN@TLeIs?hYDQwwv>nbTHtW1~?&W#w zaDI!`Tsh{8Pvp}%lmvJ*?(E$Ee%n>suM@LM{{7qCA?DCl{NbWzd(0|qG`>ZvTS$mIQ|neJtLB%?#$R-S+VkGaevb1 z6E+`fgTB?wXWCnKO>uZF*%18y>P-HxXQuf*++LeB z>GMAIPmBC>9lIv)Z=SF6#;|Mh5v9v_YPJ_$<(0laFUC`@Q|HpM&0*>pDMhY*K^_Tf zN)Cqqm%aQ}<@?w)RoWa{|6Uu4Wjic0YVCh|Qshx%W%3xi9FDAx&F(K&Id)lqHF?7U=@|+S8{^u`PO3a; z;!#Knk^h&ZK1Qgt^LD_#<_3Ez3a~prntFUi;P2~m@YtYt^`?p{D_sj2BseJBwz0C@hd9J>5>rp?+sIuzFukC zf9C&|OZC|oOw?wqDyY8DuXx>3EcM;(eO6Cr-{yL)$JD~C|Nj_k=~GS}v(2pR?(R)2 zmKNI042$oC&rH^rWvsB(627mrW~-6Thi{kGGq3$w_wKl;NW`*lfpeA{@@sxyRN;Qg eP2z9;|J8a0%`4>3lq*)U&*FX7d++68tsVee1ix4S literal 1259 zcmZQ@_Y83kiVO&0I9{;$ng4>odvnd(;ZNvwwv>Z})zj{f{l*Wy%aT_NV8pg0^y8mDF)oeZ9QoUfA_6 zosv`aWpatf8YfkzGwn&%+HZKEbBez1)6H87in>1NN$@vqn3B^!OV>m5H?#EOCdt`% ze=Td1^N&mVFiRp!u=B@mNB{I4d{1C$WFN z#@5jL^7~^0mL-FV* z$W?{hjt{dv?)jwJmqxW*deI=vdDqfL{fOM}h~+QY4)hyL=DzUyXPUWCR_jY9!!J^& z@A!5t6qixhkh8wv+g1fJ%gPOHyl;dj6{+2GQIu!pJ-F`d!%@$^%!my{T*~T-TSq9`6f(R 
zZnwDddM)$5?Tp=ll|tN;rzcM1OkhdelD&9l=Ff)wS-aLYerwwB_FJ(7&$;&JTWVz* z?kcR1)~<>&Os+J^&zjfvi1pd81;66BxUaT{_xE3YS=L!_Wb(EZCyVkkPoI44eRk8K zr4rUwZ(e`+>&N!m{+XX9cd%3R>J3S1t~E;{F79S#y=<{>t#=Qkkq9=&Xba|aP>nE?S=btUFk3HvPC~iM?acSz?o~L_w50i>$>wAW}W_c(fZww9kMH=)(a)^y$xEh?Z_s(8P7QRC@2x9Kxf3t1|@ zv~Im|bwch!^`}KXckh_&)~f$@WuA~s&zJ3|6OSx57ZP#2aW+))=3TKq=9+zu?r%Eh z=RK%P^>w`x|94wJ5sOJ=xBepTQW>|4slI|*t5@!uQr$9n`mWRYyqDHaFTE{TaJ=f0 z`JHqop5uxq=h&zye}1tushrQrOVQ?1smaWo$uk^MJZ?@d7CxfMx}adgi927;@7!VV z!SVg-zz?r%4~8i6HZ(fNIozLnEdNAv;1#1pRjaEaewt@wPE5C1an4W4w`)ydh_qT% z{vA|sWXX{#@T1%|%W$V51hEdtTmm^Zs{f}%x#qKMMcdM{Z zkNxrg=pT)mx=E3fkIuN}+8ed{x@)rLkvB)(&tzY|p5P=HvR3pHdxG%McQf|v-nRR) iY(rw59 diff --git a/config/hosts/grondahl/services/nginx.nix b/config/hosts/grondahl/services/nginx.nix index 2195ebe..7b5d306 100644 --- a/config/hosts/grondahl/services/nginx.nix +++ b/config/hosts/grondahl/services/nginx.nix @@ -1,6 +1,11 @@ { imports = [ ../../../common/services/nginx.nix ]; services.nginx.virtualHosts = { + "ooye.anarkafem.dev" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://127.0.0.1:6693/"; + }; "anarkafem.dev" = { enableACME = true; forceSSL = true; diff --git a/config/hosts/grondahl/services/ooye b/config/hosts/grondahl/services/ooye new file mode 160000 index 0000000..11cc65e --- /dev/null +++ b/config/hosts/grondahl/services/ooye @@ -0,0 +1 @@ +Subproject commit 11cc65efa2909bdc7e3e978bf1f56f6d141bf82a diff --git a/config/hosts/grondahl/services/ooye.nix b/config/hosts/grondahl/services/ooye.nix new file mode 100644 index 0000000..f739cf3 --- /dev/null +++ b/config/hosts/grondahl/services/ooye.nix 
@@ -0,0 +1,16 @@ +# Out of your Element prerequisites +{ config, ... }: +{ + imports = [ + ./ooye/module.nix + ]; + services.matrix-ooye = { + enable = true; + homeserver = "http://localhost:8008"; + namespace = "_discord_"; + discordClientSecretPath = builtins.toString config.secrets.files.ooye_client_secret.file; + discordTokenPath = builtins.toString config.secrets.files.ooye_token.file; + bridgeOrigin = "https://ooye.anarkafem.dev"; + enableSynapseIntegration = true; + }; +} From f444c9a9ea5d10904a173c6d389cc4b7c52b863c Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sat, 5 Apr 2025 16:05:32 +0200 Subject: [PATCH 64/83] Accommodate postgres renaming extraPlugins to extensions --- config/hosts/grondahl/services/postgres.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/grondahl/services/postgres.nix b/config/hosts/grondahl/services/postgres.nix index 7b0e3ee..8a1c392 100644 --- a/config/hosts/grondahl/services/postgres.nix +++ b/config/hosts/grondahl/services/postgres.nix @@ -3,7 +3,7 @@ services.postgresql = { enable = true; package = pkgs.postgresql_16; - extraPlugins = with config.services.postgresql.package.pkgs; [ + extensions = with config.services.postgresql.package.pkgs; [ postgis ]; ensureDatabases = [ From 4ebfb8274611ca7d7d09d4415a2c810e7f0394df Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sat, 5 Apr 2025 16:46:52 +0200 Subject: [PATCH 65/83] Update nixpkgs --- config/sources/nix/sources.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 11c32e7..b5b996b 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
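Review bot: `imports = [ ./ooye/module.nix ];` in the new ooye.nix evaluates a NixOS module taken from the git submodule this commit adds, which is fetched from a host outside the niv-managed `sources.json`, where the other inputs carry both a `rev` and a `sha256`. The gitlink does pin a commit, but a routine submodule update moves it without any content hash being checked by Nix, and the module's code becomes part of grondahl's system configuration. Consider tracking the module through `sources.json` like the other inputs, or at least expand the header comment to say so, e.g. `# Out of Your Element bridge; module vendored as a submodule, review its diff before bumping the gitlink`. It would also help to note in a comment that `discordTokenPath` and `discordClientSecretPath` must point at files readable by the bridge's service user, since that is not visible here.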
@@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "380ed15bcd6440606c6856db44a99140d422b46f", - "sha256": "1gry924avdpja2hmxycjsii09ryz56jrils6jx90q65c14wcx7f8", + "rev": "de6fc5551121c59c01e2a3d45b277a6d05077bc4", + "sha256": "0yi5jb00zrlads7p00cp9cg74bxa6x1006wqcl6n2bhj6h6b3xvg", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/380ed15bcd6440606c6856db44a99140d422b46f.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/de6fc5551121c59c01e2a3d45b277a6d05077bc4.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7105ae3957700a9646cc4b766f5815b23ed0c682", - "sha256": "0j3jd82iyyck4hpmz7pkak1v27l7pydl0c3vvyz6wfpi612x8xzi", + "rev": "bdb91860de2f719b57eef819b5617762f7120c70", + "sha256": "16qxwcv06kimml219dp69dj83nf7wdfskvysnszaqyn40868nlmk", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/7105ae3957700a9646cc4b766f5815b23ed0c682.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/bdb91860de2f719b57eef819b5617762f7120c70.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 1ad4f3a59871540e1198da4a7d60ec7a37236f22 Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Sat, 5 Apr 2025 19:07:51 +0200 Subject: [PATCH 66/83] update to new domain --- ...19_key.pub => backup_host_ed25519_key.pub} | 0 config/common/services/ssh.nix | 6 ++--- config/hosts/grondahl/services/borg.nix | 4 +-- config/hosts/rudiger/services/borg.nix | 27 +++++++++++++++++++ config/hosts/rudiger/services/restic.nix | 8 +++--- config/hosts/wind/services/borg.nix | 6 ++--- config/hosts/wind/services/restic.nix | 16 +++++------ 7 files changed, 47 insertions(+), 20 deletions(-) rename config/common/data/pubkeys/{despondos_host_ed25519_key.pub => backup_host_ed25519_key.pub} (100%) create mode 100644 config/hosts/rudiger/services/borg.nix 
diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/config/common/data/pubkeys/backup_host_ed25519_key.pub similarity index 100% rename from config/common/data/pubkeys/despondos_host_ed25519_key.pub rename to config/common/data/pubkeys/backup_host_ed25519_key.pub diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix index 6beb49c..c7d5528 100644 --- a/config/common/services/ssh.nix +++ b/config/common/services/ssh.nix @@ -14,9 +14,9 @@ }; programs.ssh.knownHosts = { - despondos = { - hostNames = [ "despondos.nao.sh" ]; - publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub; + backup = { + hostNames = [ "backup.graven.dev" ]; + publicKeyFile = ../data/pubkeys/backup_host_ed25519_key.pub; }; }; diff --git a/config/hosts/grondahl/services/borg.nix b/config/hosts/grondahl/services/borg.nix index 6134c7f..bb86d9d 100644 --- a/config/hosts/grondahl/services/borg.nix +++ b/config/hosts/grondahl/services/borg.nix @@ -4,7 +4,7 @@ services.borgbackup.jobs = { postgres = { paths = "/var/lib/postgresql/backup"; - repo = "ssh://borg@despondos.nao.sh//mnt/slab/backup/grondahl/postgres"; + repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/postgres"; encryption.mode = "repokey"; encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}"; environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}"; @@ -14,7 +14,7 @@ }; synapse = { paths = "/var/lib/matrix-synapse"; - repo = "ssh://borg@despondos.nao.sh//mnt/slab/backup/grondahl/synapse"; + repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/synapse"; encryption.mode = "repokey"; encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}"; environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}"; diff --git a/config/hosts/rudiger/services/borg.nix b/config/hosts/rudiger/services/borg.nix new file mode 100644 index 0000000..28f5790 --- /dev/null 
+++ b/config/hosts/rudiger/services/borg.nix @@ -0,0 +1,27 @@ + +{ config, ... }: + +{ + services.borgbackup.jobs = { + postgres = { + paths = "/var/lib/postgresql/backup"; + repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/postgres"; + encryption.mode = "repokey"; + encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}"; + environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}"; + compression = "auto,zstd"; + startAt = "*-*-* 03:15:00"; + user = "postgres"; + }; + synapse = { + paths = "/var/lib/nextcloud/data"; + repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/nextcloud"; + encryption.mode = "repokey"; + encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}"; + environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}"; + compression = "auto,zstd"; + startAt = "*-*-* 03:45:00"; + user = "nextcloud"; + }; + }; +} diff --git a/config/hosts/rudiger/services/restic.nix b/config/hosts/rudiger/services/restic.nix index dc6ad4d..a639bd2 100644 --- a/config/hosts/rudiger/services/restic.nix +++ b/config/hosts/rudiger/services/restic.nix 
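Review bot: The second job in the new rudiger borg.nix is named `synapse` and reads `borg_pass_synapse` and `ssh_key_synapse`, yet it backs up `/var/lib/nextcloud/data` as user `nextcloud` into the `rudiger/nextcloud` repository, so it looks copied from another host's file. Rename it to `nextcloud = {` and give it a passphrase and SSH key entry of its own in rudiger's secrets, so the unit name in logs matches the data and the repository key is not tied to an unrelated name. Each job runs as `postgres` or `nextcloud`, so the referenced secret files must be readable by exactly that user, which this hunk does not show. The commit's file list does not include rudiger's configuration.nix, so it is worth confirming that this file is actually imported; otherwise the jobs never run.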
@@ -3,21 +3,21 @@ services.restic.backups = { "postgres" = { paths = [ "/var/lib/postgresql/backup" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/postgres"; + repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/postgres"; initialize = true; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "04:15"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; user = "postgres"; }; "nextcloud" = { paths = [ "/var/lib/nextcloud/data" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/nextcloud"; + repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/nextcloud"; initialize = true; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "04:30"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; user = "nextcloud"; }; diff --git a/config/hosts/wind/services/borg.nix b/config/hosts/wind/services/borg.nix index 7b8822e..776f91d 100644 --- a/config/hosts/wind/services/borg.nix +++ b/config/hosts/wind/services/borg.nix 
@@ -4,7 +4,7 @@ services.borgbackup.jobs = { gitea = { paths = "/var/lib/gitea"; - repo = "ssh://borg@despondos.nao.sh//mnt/slab/backup/wind/gitea"; + repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/gitea"; encryption.mode = "repokey"; encryption.passCommand = "cat ${config.secrets.files.borg_pass_gitea.file}"; environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_gitea.file}"; @@ -14,7 +14,7 @@ }; postgres = { paths = "/var/lib/postgresql/backup"; - repo = "ssh://borg@despondos.nao.sh//mnt/slab/backup/wind/postgres"; + repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/postgres"; encryption.mode = "repokey"; encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}"; environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}"; @@ -24,7 +24,7 @@ }; synapse = { paths = "/var/lib/matrix-synapse"; - repo = "ssh://borg@despondos.nao.sh//mnt/slab/backup/wind/synapse"; + repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/synapse"; encryption.mode = "repokey"; encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}"; environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}"; diff --git a/config/hosts/wind/services/restic.nix b/config/hosts/wind/services/restic.nix index 083e4cc..7f06514 100644 --- a/config/hosts/wind/services/restic.nix +++ b/config/hosts/wind/services/restic.nix 
@@ -5,41 +5,41 @@ services.restic.backups = { "gitea" = { paths = [ "/var/lib/gitea" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/gitea"; + repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/gitea"; initialize = true; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "02:15"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; user = "gitea"; }; "postgres" = { paths = [ "/var/lib/postgresql/backup" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/postgres"; + repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/postgres"; initialize = true; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "03:00"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; user = "postgres"; }; "synapse" = { paths = [ "/var/lib/matrix-synapse" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/synapse"; + repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/synapse"; initialize = true; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "03:30"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; 
passwordFile = builtins.toString config.secrets.files.restic_pass.file; user = "matrix-synapse"; }; "vaultwarden" = { paths = [ "/var/lib/bitwarden_rs" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden"; + repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/vaultwarden"; initialize = true; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "23:45"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; user = "vaultwarden"; }; From 17b279a41bd246b530f40d937f0657a0c7cb39ca Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Wed, 28 May 2025 19:14:04 +0200 Subject: [PATCH 67/83] Disable coturn --- config/hosts/wind/services/coturn.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/wind/services/coturn.nix b/config/hosts/wind/services/coturn.nix index 6481466..b2c61c8 100644 --- a/config/hosts/wind/services/coturn.nix +++ b/config/hosts/wind/services/coturn.nix @@ -1,7 +1,7 @@ { config, ... }: { services.coturn = { - enable = true; + enable = false; lt-cred-mech = true; use-auth-secret = true; static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file; From 68359e345d018e7d613717250811eeb6bd577579 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Wed, 28 May 2025 19:14:12 +0200 Subject: [PATCH 68/83] Bump nixpkgs --- config/sources/nix/sources.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index b5b996b..bd4a7fe 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
@@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "de6fc5551121c59c01e2a3d45b277a6d05077bc4", - "sha256": "0yi5jb00zrlads7p00cp9cg74bxa6x1006wqcl6n2bhj6h6b3xvg", + "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06", + "sha256": "166nv0i8p4lsmyjxx99ldy6srx5v5v8v66awdvil8b3i1wzbhzkn", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/de6fc5551121c59c01e2a3d45b277a6d05077bc4.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/11f2d9ea49c3e964315215d6baa73a8d42672f06.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bdb91860de2f719b57eef819b5617762f7120c70", - "sha256": "16qxwcv06kimml219dp69dj83nf7wdfskvysnszaqyn40868nlmk", + "rev": "f09dede81861f3a83f7f06641ead34f02f37597f", + "sha256": "1ybhmmb9ph8ki7yicsnnvav4hxlh771zg82y642drsbbjs3f4szp", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/bdb91860de2f719b57eef819b5617762f7120c70.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/f09dede81861f3a83f7f06641ead34f02f37597f.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 41f68392eb236d4f206d08ba2ec8758bd0aedb5c Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Fri, 15 Aug 2025 19:11:04 +0200 Subject: [PATCH 69/83] Upgrade to 25.05 --- config/common/services/tailscale.nix | 2 +- config/hosts/rudiger/services/nextcloud.nix | 2 +- config/sources/nix/sources.json | 14 +++++++------- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/config/common/services/tailscale.nix b/config/common/services/tailscale.nix index c5bd6d5..18afac7 100644 --- a/config/common/services/tailscale.nix +++ b/config/common/services/tailscale.nix @@ -2,7 +2,7 @@ { environment.systemPackages = [ pkgs.tailscale ]; -services.tailscale.enable = true; +services.tailscale.enable = false; # ... 
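Review bot: `services.tailscale.enable = false;` in `config/common/services/tailscale.nix` switches the tailnet off for, presumably, every host that imports the common config, and neither the line nor the commit title ("Upgrade to 25.05") says why. If any host is administered or reached by other services over Tailscale, that path disappears on the next deploy while `pkgs.tailscale` stays installed. I would add a comment on the line, e.g. `# disabled: <reason>; re-enable once <condition>`, or move the change into its own commit so it can be reverted separately from the release upgrade.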
diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix index 9dcccc2..c220250 100644 --- a/config/hosts/rudiger/services/nextcloud.nix +++ b/config/hosts/rudiger/services/nextcloud.nix @@ -4,7 +4,7 @@ enable = true; hostName = "cloud.graven.dev"; https = true; - package = pkgs.nextcloud30; + package = pkgs.nextcloud31; autoUpdateApps.enable = true; maxUploadSize = "10G"; webfinger = true; diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index bd4a7fe..8abde37 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -17,22 +17,22 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06", - "sha256": "166nv0i8p4lsmyjxx99ldy6srx5v5v8v66awdvil8b3i1wzbhzkn", + "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113", + "sha256": "0l2xkflhjyhppiqh4j6gvl3vw9f5pm2656pk73rnikdfy7gg8gbp", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/11f2d9ea49c3e964315215d6baa73a8d42672f06.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "nixos-24.11", + "branch": "nixos-25.05", "description": "Nix Packages collection", "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f09dede81861f3a83f7f06641ead34f02f37597f", - "sha256": "1ybhmmb9ph8ki7yicsnnvav4hxlh771zg82y642drsbbjs3f4szp", + "rev": "3385ca0cd7e14c1a1eb80401fe011705ff012323", + "sha256": "11hcc63hbjiq935ldi9sqp5qri5ss3qli2029jxfrqi2796f1vqy", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/f09dede81861f3a83f7f06641ead34f02f37597f.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/3385ca0cd7e14c1a1eb80401fe011705ff012323.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { 
From ca16e3af504c59d16c0eae037cbf884249a954fe Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 14 Dec 2025 19:52:00 +0100 Subject: [PATCH 70/83] Disable global headers to appease nginx linter --- config/common/services/nginx.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix index ece567c..95b1c60 100644 --- a/config/common/services/nginx.nix +++ b/config/common/services/nginx.nix @@ -20,23 +20,23 @@ map $scheme $hsts_header { https "max-age=31536000; includeSubdomains; preload"; } - add_header Strict-Transport-Security $hsts_header; + #add_header Strict-Transport-Security $hsts_header; # Enable CSP for your services. #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'same-origin'; + #add_header 'Referrer-Policy' 'same-origin'; # Disable embedding as a frame #add_header X-Frame-Options DENY; # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; + #add_header X-Content-Type-Options nosniff; # Enable XSS protection of the browser. # May be unnecessary when CSP is configured properly (see above) - add_header X-XSS-Protection "1; mode=block"; + #add_header X-XSS-Protection "1; mode=block"; # This might create errors proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; From 1844cb7ef3990eebe16ffec5e255ab33fa6d44f9 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 14 Dec 2025 19:52:17 +0100 Subject: [PATCH 71/83] Bump nixpkgs --- config/sources/nix/sources.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 8abde37..9897944 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
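Review bot: The four `add_header` lines in `config/common/services/nginx.nix` are commented out rather than moved, so the shared config no longer sends `Strict-Transport-Security`, `Referrer-Policy` or `X-Content-Type-Options` for any virtual host, and the `$hsts_header` map above them is left unused. If the linter complaint is about `add_header` inheritance (an assumption, the message is not shown), the usual fix is to set the headers in each vhost's `extraConfig`, for example `add_header Strict-Transport-Security $hsts_header always;` and `add_header X-Content-Type-Options nosniff always;`; dropping `X-XSS-Protection` is fine. Patch 82 in this series does the same to `proxy_cookie_path`, which removes the `secure; HttpOnly; SameSite=strict` cookie attributes for proxied services. The enclosing config string starts above the hunk.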
@@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113", - "sha256": "0l2xkflhjyhppiqh4j6gvl3vw9f5pm2656pk73rnikdfy7gg8gbp", + "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3", + "sha256": "1vmlcda7864ya2byxivnpzkqf41cavj9ms5hjh6i0h8anls56lk6", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/9154f4569b6cdfd3c595851a6ba51bfaa472d9f3.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3385ca0cd7e14c1a1eb80401fe011705ff012323", - "sha256": "11hcc63hbjiq935ldi9sqp5qri5ss3qli2029jxfrqi2796f1vqy", + "rev": "d2b1213bf5ec5e62d96b003ab4b5cbc42abfc0d0", + "sha256": "1z0hb7pxqpn142wxcznd31zm0zflbim0cmfcxvmrrn9zgxdg2bfw", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/3385ca0cd7e14c1a1eb80401fe011705ff012323.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/d2b1213bf5ec5e62d96b003ab4b5cbc42abfc0d0.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 317f1bfb0d10126f64a3223ee58b3fe50e1c1edf Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Fri, 9 Jan 2026 18:34:33 +0100 Subject: [PATCH 72/83] Remove $ prefix from shell code fences --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0388c24..6852b72 100644 --- a/README.md +++ b/README.md @@ -7,16 +7,16 @@ TL;DR: First make sure you have `niv` so you can upgrade dependency versions in `sources.json`. ```sh -$ nix-shell -p niv -$ (cd config/sources && niv update) +nix-shell -p niv +(cd config/sources && niv update) ``` Build with: ```sh -$ nix-build deploy/ +nix-build deploy/ ``` Deploy by running the generated executable. ```sh -$ ./result +./result ``` ## Switching nixpkgs branch 
From 2e2e7c13a62fa912c74c4ca2ea7d0da40dd797c2 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Fri, 9 Jan 2026 18:35:40 +0100 Subject: [PATCH 73/83] Add amanda@bitwarden ssh key --- config/common/users.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/config/common/users.nix b/config/common/users.nix index 1f7b321..ec351ab 100644 --- a/config/common/users.nix +++ b/config/common/users.nix @@ -19,6 +19,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+0x2uHcuXpFQdeXeUWeLGPefWo6Sd7yy2FJlyZy8V+ amanda@tappy" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKWhc20jOFF+pVVT/Mf1ACYOtppkYWkP7NkY0/fPvjPAAAAFHNzaDphMy1uazNhLXBlcnNvbmFs ssh:a3-nk3a-personal" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMLbLay9KARrdb8QM4OLzmqWIN48rZMX6wCddBwYT/U amanda@gpg" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGMWTQc7A3W/LI4AgFWy/Uw/+oMucmSziuJKxC2rleo amanda@bitwarden" ]; }; }; From a4968bffc173dbf8f5acd86ad38f13d4bda0bb7c Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Mon, 12 Jan 2026 20:37:27 +0100 Subject: [PATCH 74/83] Upgrade nixpkgs to 25.11 --- config/sources/nix/sources.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 9897944..1aad222 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
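Review bot: The added `amanda@bitwarden` entry in `config/common/users.nix` puts a fourth key on this account, next to a hardware-backed `sk-ssh-ed25519@openssh.com` key, and any one of them is enough to log in. Judging by its label the private key is held in a password-manager vault, so the account becomes as strong as that vault rather than the security key. If that is intended, a comment saying where each key lives and which ones are still in use would make later pruning possible. The key list and the user definition start above the hunk.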
@@ -17,22 +17,22 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3", - "sha256": "1vmlcda7864ya2byxivnpzkqf41cavj9ms5hjh6i0h8anls56lk6", + "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe", + "sha256": "197v6xxdq5j4w8kil6q21ij9x6ng8z6j72brkwwjim23798c2c4n", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/9154f4569b6cdfd3c595851a6ba51bfaa472d9f3.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/40b1a28dce561bea34858287fbb23052c3ee63fe.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { - "branch": "nixos-25.05", + "branch": "nixos-25.11", "description": "Nix Packages collection", "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d2b1213bf5ec5e62d96b003ab4b5cbc42abfc0d0", - "sha256": "1z0hb7pxqpn142wxcznd31zm0zflbim0cmfcxvmrrn9zgxdg2bfw", + "rev": "d03088749a110d52a4739348f39a63f84bb0be14", + "sha256": "0fn62pxa160krchzxj0pfzy79bin984cslvz5c5znbhyxwmq6ip7", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/d2b1213bf5ec5e62d96b003ab4b5cbc42abfc0d0.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/d03088749a110d52a4739348f39a63f84bb0be14.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 3fa70d15e119280f85a1c58cf9553f635ae3a32a Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Sun, 1 Feb 2026 12:32:17 +0100 Subject: [PATCH 75/83] Add akkoma --- config/hosts/wind/configuration.nix | 1 + config/hosts/wind/services/akkoma.nix | 33 +++++++++++++++++++++++++++ config/sources/nix/sources.json | 12 +++++----- 3 files changed, 40 insertions(+), 6 deletions(-) create mode 100644 config/hosts/wind/services/akkoma.nix diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index d375d2a..bf8aeb0 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix 
@@ -19,6 +19,7 @@ ./services/restic.nix ./services/vaultwarden.nix ./services/wireguard.nix + ./services/akkoma.nix ./data/secrets/secrets.nix ]; diff --git a/config/hosts/wind/services/akkoma.nix b/config/hosts/wind/services/akkoma.nix new file mode 100644 index 0000000..29eef63 --- /dev/null +++ b/config/hosts/wind/services/akkoma.nix @@ -0,0 +1,33 @@ +{ config, ... }: +{ + + services.akkoma = { + enable = true; + config = { + ":pleroma" = { + ":instance" = { + name = "graven.se"; + description = "Graven Fedi"; + email = "charlie@graven.se"; + registration_open = false; + }; + + "Pleroma.Web.Endpoint" = { + url.host = "fedi.graven.se"; + }; + "Pleroma.Upload".filters = + map (pkgs.formats.elixirConf { }).lib.mkRaw + [ + "Pleroma.Upload.Filter.Exiftool" + "Pleroma.Upload.Filter.Dedupe" + "Pleroma.Upload.Filter.AnonymizeFilename" + ]; + }; + }; + nginx = { + enableACME = true; + forceSSL = true; + serverName = "fedi.graven.se" + } + }; +} diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 1aad222..5347bd3 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe", - "sha256": "197v6xxdq5j4w8kil6q21ij9x6ng8z6j72brkwwjim23798c2c4n", + "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8", + "sha256": "1nyr1jrdy2bcm69s4zv2ifpsshrwma68fibrybqwcfi4s5rfsh20", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/40b1a28dce561bea34858287fbb23052c3ee63fe.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/a351494b0e35fd7c0b7a1aae82f0afddf4907aa8.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { 
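Review bot: The new `config/hosts/wind/services/akkoma.nix` does not evaluate as committed: it uses `pkgs.formats.elixirConf` while the function head is `{ config, ... }:`, and in the `nginx` block `serverName = "fedi.graven.se"` and the closing `}` lack their semicolons. Because `configuration.nix` imports the file in the same commit, wind cannot be built from this revision, which also blocks deploying the nixpkgs bump bundled with it. Patch 78 in this series corrects all three, so squashing that fix into this commit would keep every revision deployable.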
@@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d03088749a110d52a4739348f39a63f84bb0be14", - "sha256": "0fn62pxa160krchzxj0pfzy79bin984cslvz5c5znbhyxwmq6ip7", + "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", + "sha256": "1jig9kwjd52brwfm6n4pipqn1qfjlpasjhfsb8di70cb87z4xdbv", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/d03088749a110d52a4739348f39a63f84bb0be14.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/fa83fd837f3098e3e678e6cf017b2b36102c7211.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { From 0a05b244b9cd9e78b4dca09093c2d5e8216d525f Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Fri, 6 Feb 2026 20:21:47 +0100 Subject: [PATCH 76/83] Configure webfinger --- config/hosts/wind/services/akkoma.nix | 3 +++ config/hosts/wind/services/nginx.nix | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/config/hosts/wind/services/akkoma.nix b/config/hosts/wind/services/akkoma.nix index 29eef63..8e29bb2 100644 --- a/config/hosts/wind/services/akkoma.nix +++ b/config/hosts/wind/services/akkoma.nix @@ -15,6 +15,9 @@ "Pleroma.Web.Endpoint" = { url.host = "fedi.graven.se"; }; + "Pleroma.Web.Webfinger" = { + domain = "graven.se"; + }; "Pleroma.Upload".filters = map (pkgs.formats.elixirConf { }).lib.mkRaw [ diff --git a/config/hosts/wind/services/nginx.nix b/config/hosts/wind/services/nginx.nix index 81b3086..b7b7b77 100644 --- a/config/hosts/wind/services/nginx.nix +++ b/config/hosts/wind/services/nginx.nix @@ -21,6 +21,12 @@ ''; }; }; + # Fedi webfinger + "graven.se" = { + enableACME = true; + forceSSL = true; + locations."/.well-known/host-meta".return = "301 https://fedi.graven.se$request_uri"; + }; "amanda.graven.dev" = { enableACME = true; forceSSL = true; From 7d3a905a5b41196b733e6fc9bcd8ee61e22a5d3f Mon Sep 17 00:00:00 2001 
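Review bot: The key added in `akkoma.nix` is spelled `"Pleroma.Web.Webfinger"`, but the module Akkoma reads this setting from is, as far as I know, `Pleroma.Web.WebFinger` with a capital F. Elixir module names are case-sensitive, so with the current spelling the `domain` would most likely be ignored without an error and handles would stay on `fedi.graven.se`. I would write `"Pleroma.Web.WebFinger" = {` and check the rendered config after deploy. The surrounding `":pleroma"` attribute set starts above the hunk.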
From: Emelie Graven Date: Sun, 22 Feb 2026 13:05:43 +0100 Subject: [PATCH 77/83] fix: Attempt to fix immich --- config/hosts/rudiger/services/immich.nix | 1 + config/hosts/rudiger/services/nginx.nix | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/config/hosts/rudiger/services/immich.nix b/config/hosts/rudiger/services/immich.nix index 1825eda..a290263 100644 --- a/config/hosts/rudiger/services/immich.nix +++ b/config/hosts/rudiger/services/immich.nix @@ -4,5 +4,6 @@ services.immich = { enable = true; port = 2283; + host = "immich.graven.dev"; }; } diff --git a/config/hosts/rudiger/services/nginx.nix b/config/hosts/rudiger/services/nginx.nix index 0440b9d..6335fcb 100644 --- a/config/hosts/rudiger/services/nginx.nix +++ b/config/hosts/rudiger/services/nginx.nix @@ -13,10 +13,12 @@ proxyWebsockets = true; recommendedProxySettings = true; extraConfig = '' - client_max_body_size 50000M; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - send_timeout 600s; + client_max_body_size 50000M; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + send_timeout 600s; + proxy_max_temp_file_size 0; + proxy_buffering off; ''; }; }; From b2482bcd0ed13ac9935b61c7bb6f120d22662b5f Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 22 Feb 2026 14:48:03 +0100 Subject: [PATCH 78/83] Bump Nextcloud to 32 --- config/hosts/rudiger/services/nextcloud.nix | 2 +- config/hosts/wind/services/akkoma.nix | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix index c220250..4f1a9da 100644 --- a/config/hosts/rudiger/services/nextcloud.nix +++ b/config/hosts/rudiger/services/nextcloud.nix @@ -4,7 +4,7 @@ enable = true; hostName = "cloud.graven.dev"; https = true; - package = pkgs.nextcloud31; + package = pkgs.nextcloud32; autoUpdateApps.enable = true; maxUploadSize = "10G"; webfinger = true; 
diff --git a/config/hosts/wind/services/akkoma.nix b/config/hosts/wind/services/akkoma.nix index 8e29bb2..3dabcf5 100644 --- a/config/hosts/wind/services/akkoma.nix +++ b/config/hosts/wind/services/akkoma.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: { services.akkoma = { @@ -30,7 +30,7 @@ nginx = { enableACME = true; forceSSL = true; - serverName = "fedi.graven.se" - } + serverName = "fedi.graven.se"; + }; }; } From 932a0210a3f043a3c976f7fa44117c233c17c679 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 22 Feb 2026 14:52:38 +0100 Subject: [PATCH 79/83] Add 1 git-crypt collaborator New collaborators: 8D0BB1659F9F9198F9D24406AFB2896A1FA1B827 Charlie Graven --- .../8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg | Bin 0 -> 298 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .git-crypt/keys/default/0/8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg diff --git a/.git-crypt/keys/default/0/8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg b/.git-crypt/keys/default/0/8D0BB1659F9F9198F9D24406AFB2896A1FA1B827.gpg new file mode 100644 index 0000000000000000000000000000000000000000..802570779347c6651be1109c370c14932a33dcff GIT binary patch literal 298 zcmZpPV~+4Sq85>+-7Cb%?rJKmMuMzM;CiW3U<{S z{9%rMzdS48p$+G@o%Z{3&SyND@{Z?l)qAI7jF#KxMwqR*Uh}(;p-b%AyE(gMt+hHX z9bjiH@?UEH?bs@{J$pUUR6lr4SaX#*c0$4Dq~psOCPik|&rG%0HTBBBsUpR*8UESD zYF1UgoGfUY`^+`L@R_J=<-$(GU(pF#OYeD3zPt1C>2L|A6TX^npU(~W^NxWbukelC z;Uzs!-}~%HR928xIBb2$B{|{hvagdKhAeupOyuDVTj8l2e3I9&bY*&+5j9x#XVs+n zVWw(n+Gp54yft-Se8a6&D#J9S@A0!!D|X!|^IO(9tt+beP41OXS%Rq*>WA6H_Ej-< J`5Ml?3jogal8OKT literal 0 HcmV?d00001 From 74a073513b0bf16df17b37f0bb999473a3c53034 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 22 Feb 2026 15:04:44 +0100 Subject: [PATCH 80/83] Remove default gitea theme --- config/hosts/wind/services/gitea.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/config/hosts/wind/services/gitea.nix b/config/hosts/wind/services/gitea.nix index cb40734..3d3966e 100644 
--- a/config/hosts/wind/services/gitea.nix +++ b/config/hosts/wind/services/gitea.nix @@ -18,7 +18,6 @@ server.DOMAIN = "git.graven.dev"; server.ROOT_URL = "https://git.graven.dev"; server.PROTOCOL = "http+unix"; - ui.DEFAULT_THEME = "arc-green"; }; }; From 6b002df0c8ef509b2555620b3cdb98546c1ff81f Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Sun, 22 Feb 2026 15:09:13 +0100 Subject: [PATCH 81/83] fix: Attempt to fix immich again --- config/hosts/rudiger/services/immich.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/rudiger/services/immich.nix b/config/hosts/rudiger/services/immich.nix index a290263..fe71843 100644 --- a/config/hosts/rudiger/services/immich.nix +++ b/config/hosts/rudiger/services/immich.nix @@ -4,6 +4,6 @@ services.immich = { enable = true; port = 2283; - host = "immich.graven.dev"; + settings.server.externalDomain = "https://immich.graven.dev"; }; } From 6c9e6893b97aa0f2dbc219dbe072587ac4356951 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Sun, 22 Feb 2026 15:13:32 +0100 Subject: [PATCH 82/83] remove proxy_cookie_path nginx setting --- config/common/services/nginx.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix index 95b1c60..b6f3187 100644 --- a/config/common/services/nginx.nix +++ b/config/common/services/nginx.nix @@ -39,7 +39,7 @@ #add_header X-XSS-Protection "1; mode=block"; # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; }; } From c35695282933b9c52fb69eb58ac6806cbd927f90 Mon Sep 17 00:00:00 2001 From: Amanda Graven Date: Tue, 28 Apr 2026 21:12:34 +0200 Subject: [PATCH 83/83] Bump nixpkgs --- config/sources/nix/sources.json | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) 
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 5347bd3..349dfba 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "dd678782cae74508d6b4824580d2b0935308011e", - "sha256": "0dk8dhh9vla2s409anmrfkva6h3r32xmz3cm8ha09wyk8iyf1f87", + "rev": "368268e45dee0c94d1cf898381a384856379ad76", + "sha256": "1k03n7qmaz6yf2r8i5sng4kii3rr1y36g8k70sg7piqz3npxisy3", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/dd678782cae74508d6b4824580d2b0935308011e.tar.gz", + "url": "https://github.com/nmattia/niv/archive/368268e45dee0c94d1cf898381a384856379ad76.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8", - "sha256": "1nyr1jrdy2bcm69s4zv2ifpsshrwma68fibrybqwcfi4s5rfsh20", + "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61", + "sha256": "1al72rhlaa6g725syx72klpismv8xygdd55smqfwa9xglhv35r34", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/a351494b0e35fd7c0b7a1aae82f0afddf4907aa8.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/2096f3f411ce46e88a79ae4eafcfc9df8ed41c61.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { 
@@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", - "sha256": "1jig9kwjd52brwfm6n4pipqn1qfjlpasjhfsb8di70cb87z4xdbv", + "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160", + "sha256": "0vma331213djanwmb7ibgmi5290952h6ri123xwb66mg58k8r200", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fa83fd837f3098e3e678e6cf017b2b36102c7211.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/a4bf06618f0b5ee50f14ed8f0da77d34ecc19160.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { @@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "f3010b72d15520cd9a9e87cc0e7a1f1f2727a5cf", - "sha256": "0cydhq2zh3bxnlj1cp18wnlhniz8z3nnjjjnwdm6936al4a9jy3b", + "rev": "b12665bc80134ac167eef1fff2f4e41e1f8925cb", + "sha256": "11894412807mhg0kgkrn4bjbdk9b2a89b0plh0bpdn06c8pfg11g", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/f3010b72d15520cd9a9e87cc0e7a1f1f2727a5cf.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/b12665bc80134ac167eef1fff2f4e41e1f8925cb.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } }