Bump nixpkgs

New collaborators:

    8D0BB1659F9F9198F9D24406AFB2896A1FA1B827
        Charlie Graven <charlie@graven.se>

.EditorConfig

@@ -0,0 +1,4 @@
+root = true
+
+[*.nix]
+indent_style = "tab"

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "config/hosts/grondahl/services/ooye"]
+	path = config/hosts/grondahl/services/ooye
+	url = https://cgit.rory.gay/nix/OOYE-module.git

Makefile

@@ -0,0 +1,12 @@
+all: result
+	
+.PHONY: update result deploy
+
+result:
+	nix build -f deploy/default.nix
+
+update:
+	cd config/sources && niv update
+
+deploy:
+	./result

README.md

@@ -1 +1,27 @@
 NixOS deployments using [nixus](https://github.com/Infinisil/nixus).
+
+TL;DR:
+1. `make update`
+2. `make result`
+3. `make deploy`
+
+First make sure you have `niv` so you can upgrade dependency versions in `sources.json`.
+```sh
+nix-shell -p niv
+(cd config/sources && niv update)
+```
+Build with:
+```sh
+nix-build deploy/
+```
+Deploy by running the generated executable.
+```sh
+./result
+```
+
+## Switching nixpkgs branch
+```sh
+cd config/sources
+niv modify nixpkgs -b nixos-xx.yy
+```
+

config/common/configuration/documentation.nix

@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+	# Some docs fail to build, so we need to disable some of it
+	documentation = {
+		enable = true;
+		man.enable = true;
+		doc.enable = true;
+		dev.enable = false;
+		nixos.enable = false;
+	};
+}

config/common/configuration/nix.nix

@@ -0,0 +1,12 @@
+{ ... }:
+
+# Configuration options for the nix package manager
+{
+	nix.gc = {
+		# Run garbage collection automatically
+		automatic = true;
+		# Run it once a week
+		dates = "weekly";
+		options = "--delete-older-than 30d";
+	};
+}

config/common/data/pubkeys/backup_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4C5OgZpxoF42L5rPqwejs+Q1ViN9TM9o/fEbpnPFtA

config/common/data/pubkeys/despondos_host_ed25519_key.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7

config/common/services/nginx.nix

@@ -20,26 +20,26 @@
       map $scheme $hsts_header {
           https   "max-age=31536000; includeSubdomains; preload";
       }
-      add_header Strict-Transport-Security $hsts_header;
+      #add_header Strict-Transport-Security $hsts_header;
 
       # Enable CSP for your services.
       #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 
       # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'same-origin';
+      #add_header 'Referrer-Policy' 'same-origin';
 
       # Disable embedding as a frame
-      add_header X-Frame-Options DENY;
+      #add_header X-Frame-Options DENY;
 
       # Prevent injection of code in other mime types (XSS Attacks)
-      add_header X-Content-Type-Options nosniff;
+      #add_header X-Content-Type-Options nosniff;
 
       # Enable XSS protection of the browser.
       # May be unnecessary when CSP is configured properly (see above)
-      add_header X-XSS-Protection "1; mode=block";
+      #add_header X-XSS-Protection "1; mode=block";
 
       # This might create errors
-      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+      #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
     '';
   };
 }

config/common/services/ssh.nix

@@ -2,19 +2,21 @@
 {
   services.openssh = {
     enable = true;
-    permitRootLogin = "no";
-    passwordAuthentication = false;
-    challengeResponseAuthentication = false;
     hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ];
-    kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+    settings = {
-    macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+      KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+      Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+      PermitRootLogin = "no";
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
 
     };
+  };
 
   programs.ssh.knownHosts = {
-    despondos = {
+    backup = {
-      hostNames = [ "despondos.nao.sh" ];
+      hostNames = [ "backup.graven.dev" ];
-      publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+      publicKeyFile = ../data/pubkeys/backup_host_ed25519_key.pub;
     };
   };
 

config/common/services/tailscale.nix

@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+{
+environment.systemPackages = [ pkgs.tailscale ];
+
+services.tailscale.enable = false;
+
+  # ...
+
+  # create a oneshot job to authenticate to Tailscale
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey CHANGEME
+    '';
+  };
+
+}

config/common/users.nix

@@ -5,8 +5,7 @@
 			isNormalUser = true;
 			extraGroups = [ "wheel" ];
 			openssh.authorizedKeys.keys = [
-              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAn9xV1GA/hMkCFoP7DWzYyGmbeiri823fHMRz0ZVoxq emelie-personal-bw"
-							"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed"
 
 			];
 		};
@@ -17,6 +16,10 @@
 				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwmREgBmckocQerEfO4XhB+dbKDsZopok37ePWHwCEj id_ed25519"
 				"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILrZWS1PBVRbdmPh8IJdIPHhK0+ZuSnQCR10a8Bl11VZAAAABHNzaDo= amanda@sharpy"
 				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6v5D/aJuIhuIVcnzFA7ocxPMI8JgHEnxSPuD+SaLHX amanda@sharpy"
+				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+0x2uHcuXpFQdeXeUWeLGPefWo6Sd7yy2FJlyZy8V+ amanda@tappy"
+				"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKWhc20jOFF+pVVT/Mf1ACYOtppkYWkP7NkY0/fPvjPAAAAFHNzaDphMy1uazNhLXBlcnNvbmFs ssh:a3-nk3a-personal"
+				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMLbLay9KARrdb8QM4OLzmqWIN48rZMX6wCddBwYT/U amanda@gpg"
+				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGMWTQc7A3W/LI4AgFWy/Uw/+oMucmSziuJKxC2rleo amanda@bitwarden"
 			];
 		};
 	};

config/hosts/grondahl/configuration.nix

@@ -5,23 +5,26 @@
     [ # Include the results of the hardware scan.
     ./hardware-configuration.nix
     ./data/secrets/secrets.nix
+    ../../common/configuration/nix.nix
+    ../../common/configuration/documentation.nix
     ../../common/services/ssh.nix
+    ../../common/services/tailscale.nix
     ../../common/users.nix
     ./services/acme.nix
+    ./services/borg.nix
     ./services/coturn.nix
     ./services/nginx.nix
-    ./services/restic.nix
     ./services/synapse.nix
     ./services/postgres.nix
+    ./services/ooye.nix
 		#./services/mail.nix
 		#./services/containers.nix
 		#./services/redis.nix
     ];
 
   boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
   boot.loader.grub.device = "/dev/vda";
-  boot.kernelPackages = pkgs.linuxPackages_5_10;
+  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
   networking = {
     hostName = "grondahl";
     useDHCP = false;
@@ -49,9 +52,9 @@
 
   security.sudo.wheelNeedsPassword = false;
 
-  nix = {
+  nix.settings = {
-    autoOptimiseStore = true;
+    auto-optimise-store = true;
-    trustedUsers = [
+    trusted-users = [
       "root"
       "@wheel"
     ];
@@ -72,9 +75,15 @@
     dig
   ];
 
-  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  networking.firewall = {
-  networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
+    enable = true;
-  networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
+    checkReversePath = "loose";
+    trustedInterfaces = [ "tailscale0" ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+    allowedTCPPorts = [ 22 80 443 ];
+    allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
+    allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
+  };
 
   system.stateVersion = "21.05";
 

config/hosts/grondahl/hardware-configuration.nix

@@ -2,7 +2,7 @@
 {
   imports =
     [ (modulesPath + "/profiles/qemu-guest.nix")
-      (modulesPath + "/profiles/minimal.nix")
+      #(modulesPath + "/profiles/minimal.nix")
     ];
 
   boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];

config/hosts/grondahl/services/acme.nix

@@ -3,12 +3,7 @@
 {
   security.acme = {
     acceptTerms = true;
-    email = "admin+certs@anarkafem.dev";
+    defaults.email = "admin+certs@anarkafem.dev";
-    certs."anarkafem.dev" = {
-      extraDomainNames = [ "*.anarkafem.dev" ];
-      dnsProvider = "hurricane";
-      credentialsFile = config.secrets.files.acme_anarkafem_dev.file;
-    };
   };
 }
 

config/hosts/grondahl/services/borg.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+
+{
+	services.borgbackup.jobs = {
+		postgres = {
+			paths = "/var/lib/postgresql/backup";
+			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/postgres";
+			encryption.mode = "repokey";
+			encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
+			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
+			compression = "auto,zstd";
+			startAt = "*-*-* 03:15:00";
+			user = "postgres";
+		};
+		synapse = {
+			paths = "/var/lib/matrix-synapse";
+			repo =  "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/synapse";
+			encryption.mode = "repokey";
+			encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
+			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
+			compression = "auto,zstd";
+			startAt = "*-*-* 03:45:00";
+			user = "matrix-synapse";
+		};
+	};
+}

config/hosts/grondahl/services/nginx.nix

@@ -1,8 +1,13 @@
 {
   imports = [ ../../../common/services/nginx.nix ];
   services.nginx.virtualHosts = {
+    "ooye.anarkafem.dev" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:6693/";
+    };
     "anarkafem.dev" = {
-      useACMEHost = "anarkafem.dev";
+      enableACME = true;
       forceSSL = true;
       locations."/".root = "/var/www/anarkafem.dev/public";
       locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
@@ -21,14 +26,21 @@
       };
     };
 		"cal.anarkafem.dev" = {
-			useACMEHost = "anarkafem.dev";
+			enableACME = true;
 			forceSSL = true;
 			locations."/".proxyPass = "http://127.0.0.1:4000";
 		};
 		"auth.anarkafem.dev" = {
-			useACMEHost = "anarkafem.dev";
+			enableACME = true;
 			forceSSL = true;
 			locations."/".proxyPass = "http://127.0.0.1:9000";
 		};
+    "beanz.one" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        root = "/var/www/beanz.one/public";
+      };
+    };
   };
 }

config/hosts/grondahl/services/ooye

@@ -0,0 +1 @@
+Subproject commit 11cc65efa2909bdc7e3e978bf1f56f6d141bf82a

config/hosts/grondahl/services/ooye.nix

@@ -0,0 +1,16 @@
+# Out of your Element prerequisites
+{ config, ... }:
+{
+  imports = [
+	./ooye/module.nix
+  ];
+  services.matrix-ooye = {
+	enable = true;
+	homeserver = "http://localhost:8008";
+	namespace = "_discord_";
+	discordClientSecretPath = builtins.toString config.secrets.files.ooye_client_secret.file;
+	discordTokenPath = builtins.toString config.secrets.files.ooye_token.file;
+	bridgeOrigin = "https://ooye.anarkafem.dev";
+	enableSynapseIntegration = true;
+  };
+}

config/hosts/grondahl/services/postgres.nix

@@ -2,8 +2,8 @@
 {
   services.postgresql = {
     enable = true;
-    package = pkgs.postgresql_13;
+    package = pkgs.postgresql_16;
-		extraPlugins = with config.services.postgresql.package.pkgs; [
+		extensions = with config.services.postgresql.package.pkgs; [
 			postgis
 		];
     ensureDatabases = [ 
@@ -14,15 +14,15 @@
     ensureUsers = [
     	{
 				name = "matrix-synapse";
-      	ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+				ensureDBOwnership = true;
     	}
 			{
 				name = "mobilizon";
-      	ensurePermissions."DATABASE mobilizon" = "ALL PRIVILEGES";
+				ensureDBOwnership = true;
   		}
 			{ 
 				name = "authentik";
-				ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES";
+				ensureDBOwnership = true;
 			}
     ];
     initialScript = pkgs.writeText "synapse-init.sql" ''

config/hosts/grondahl/services/redis.nix

@@ -1,11 +1,13 @@
 { config, ...  }:
 {
   services.redis = {
+    vmOverCommit = true;
+    servers."" = {
       enable = true;
       unixSocket = "/run/redis/redis.sock";
-    vmOverCommit = true;
       unixSocketPerm = 770;
       #requirePassfile = config.secrets.files.redis_pass.file;
     };
+  }; 
 }
 

config/hosts/grondahl/services/restic.nix

@@ -1,26 +0,0 @@
-{ config, ... }:
-{
-  services.restic.backups = {
-    "postgres" = {
-      paths = [ "/var/lib/postgresql/backup" ];
-      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/postgres";
-      initialize = true;
-      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
-      timerConfig = { "OnCalendar" = "03:15"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
-      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
-      user = "postgres";
-    };
-    "synapse" = {
-      paths = [ "/var/lib/matrix-synapse" ];
-      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/synapse";
-      initialize = true;
-      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
-      timerConfig = { "OnCalendar" = "03:45"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
-      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
-      user = "matrix-synapse";
-    };
-  };
-}
-

config/hosts/grondahl/services/synapse.nix

@@ -3,15 +3,19 @@
 {
   services.matrix-synapse = {
     enable = true;
+    withJemalloc = true;
+    settings = {
+      database = {
+        name = "psycopg2";
+        args.user = "matrix-synapse";
+        args.database = "matrix-synapse";
+      };
+
       server_name = "anarkafem.dev";
       enable_registration = false;
       registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
       turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
       max_upload_size = "100M";
-    database_type = "psycopg2";
-		database_args = { 
-			password = builtins.toString config.secrets.files.synapse_db_password.file;
-		};
       turn_uris = [
         "turn:turn.anarkafem.dev:3478?transport=udp"
         "turn:turn.anarkafem.dev:3478?transport=tcp"
@@ -23,7 +27,6 @@
         "turns:turn.anarkafem.dev:5350?transport=tcp"
       ];
       report_stats = false;
-    withJemalloc = true;
       servers = { "anarkafem.dev" = {}; };
       extraConfig = ''
         default_room_version: "9"
@@ -57,7 +60,7 @@
       listeners = [
         {
           port = 8008;
-        bind_address = "127.0.0.1";
+          bind_addresses = ["127.0.0.1"];
           type = "http";
           tls = false;
           x_forwarded = true;
@@ -70,5 +73,6 @@
         }
       ];
     };
+  };
 }
     

config/hosts/rudiger/configuration.nix

@@ -1,13 +1,16 @@
 { config, pkgs, ... }:
 
 {
-  imports =
+	imports = [
-    [
 		./hardware-configuration.nix
 		./data/secrets/secrets.nix
+		../../common/configuration/nix.nix
+		../../common/configuration/documentation.nix
 		../../common/services/ssh.nix
+		../../common/services/tailscale.nix
 		../../common/users.nix
 		./services/acme.nix
+		./services/immich.nix
 		./services/nextcloud.nix
 		./services/nginx.nix
 		./services/postgres.nix
@@ -16,11 +19,11 @@
 	];
 
 	boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
 	boot.loader.grub.device = "/dev/sda";
+	boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 
 	boot.supportedFilesystems = ["zfs"];
-  services.zfs.autoSnapshot.enable = true;
+	services.zfs.autoSnapshot.enable = false;
 	services.zfs.autoScrub.enable = true;
 
 	time.timeZone = "Europe/Copenhagen";
@@ -51,9 +54,9 @@
 	};
 
 
-  nix = {
+	nix.settings = {
-    autoOptimiseStore = true;
+		auto-optimise-store = true;
-    trustedUsers = [
+		trusted-users = [
 			"root"
 			"@wheel"
 		];
@@ -65,6 +68,7 @@
 		htop
 		iotop
 		dig
+		tailscale
 	];
 	security.sudo.wheelNeedsPassword = false;
 
@@ -76,7 +80,13 @@
 	users.groups.redis.members = [ "nextcloud" ];
 	users.groups.backup.members = [ "nextcloud" "postgres" ];
 
-  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+	networking.firewall = {
+		allowedTCPPorts = [ 22 80 443 ];
+		allowedUDPPorts = [ config.services.tailscale.port ];
+		trustedInterfaces = [ "tailscale0" ];
+		enable = true;
+		checkReversePath = "loose";
+	};
 	# networking.firewall.allowedUDPPorts = [ ... ];
 	system.stateVersion = "21.05";
 

config/hosts/rudiger/hardware-configuration.nix

@@ -3,7 +3,7 @@
 {
   imports =
     [ (modulesPath + "/profiles/qemu-guest.nix")
-      (modulesPath + "/profiles/minimal.nix")
+      #(modulesPath + "/profiles/minimal.nix")
     ];
 
   boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];

config/hosts/rudiger/services/acme.nix

@@ -3,7 +3,7 @@
 {
   security.acme = {
     acceptTerms = true;
-    email = "admin+certs@graven.dev";
+    defaults.email = "admin+certs@graven.dev";
   };
 }
 

config/hosts/rudiger/services/borg.nix

@@ -0,0 +1,27 @@
+
+{ config, ... }:
+
+{
+	services.borgbackup.jobs = {
+		postgres = {
+			paths = "/var/lib/postgresql/backup";
+			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/postgres";
+			encryption.mode = "repokey";
+			encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
+			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
+			compression = "auto,zstd";
+			startAt = "*-*-* 03:15:00";
+			user = "postgres";
+		};
+		synapse = {
+			paths = "/var/lib/nextcloud/data";
+			repo =  "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/nextcloud";
+			encryption.mode = "repokey";
+			encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
+			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
+			compression = "auto,zstd";
+			startAt = "*-*-* 03:45:00";
+			user = "nextcloud";
+		};
+	};
+}

config/hosts/rudiger/services/immich.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+	services.immich = {
+		enable = true;
+		port = 2283;
+		settings.server.externalDomain = "https://immich.graven.dev";
+	};
+}

config/hosts/rudiger/services/nextcloud.nix

@@ -4,7 +4,7 @@
 		enable = true;
 		hostName = "cloud.graven.dev";
 		https = true;
-    package = pkgs.nextcloud22;
+		package = pkgs.nextcloud32;
 		autoUpdateApps.enable = true;
 		maxUploadSize = "10G";
 		webfinger = true;
@@ -14,9 +14,12 @@
 			dbuser = "nextcloud";
 			dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
 			dbname = "nextcloud";
-      defaultPhoneRegion = "DK";
 			adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
 			adminuser = "root";
 		};
+		settings = {
+			default_phone_region = "DK";
+		};
+		phpOptions."opcache.interned_strings_buffer" = "23";
 	};
 }

config/hosts/rudiger/services/nginx.nix

@@ -1,8 +1,25 @@
-{ ... }:
+{ config, ... }:
 {
   imports = [ ../../../common/services/nginx.nix ];
   services.nginx.virtualHosts."cloud.graven.dev" = {
     enableACME = true;
     forceSSL = true;
   };
+  services.nginx.virtualHosts."immich.graven.dev" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://[::1]:${toString config.services.immich.port}";      
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+      extraConfig = ''
+        client_max_body_size      50000M;
+        proxy_read_timeout        600s;
+        proxy_send_timeout        600s;
+        send_timeout              600s;
+        proxy_max_temp_file_size  0;
+        proxy_buffering           off;
+      '';
+    };
+  };
 }

config/hosts/rudiger/services/postgres.nix

@@ -1,14 +1,15 @@
-{ ... }:
+{ pkgs, ... }:
 {
   services.postgresql = {
     enable = true;
+    package = pkgs.postgresql_15;
     ensureDatabases = [ 
 			"nextcloud"
 		];
     ensureUsers = [
     	{
 				name = "nextcloud";
-      	ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+      	ensureDBOwnership = true;
     	}
     ];
   };

config/hosts/rudiger/services/redis.nix

@@ -1,10 +1,12 @@
 { config, ...  }:
 {
   services.redis = {
+    vmOverCommit = true;
+    servers."" = {
       enable = true;
       unixSocket = "/run/redis/redis.sock";
-    vmOverCommit = true;
       unixSocketPerm = 770;
       #requirePassfile = config.secrets.files.redis_pass.file;
     };
+  };
 }

config/hosts/rudiger/services/restic.nix

@@ -3,21 +3,21 @@
   services.restic.backups = {
     "postgres" = {
       paths = [ "/var/lib/postgresql/backup" ];
-      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/postgres";
+      repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/postgres";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "04:15"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "postgres";
     };
     "nextcloud" = {
       paths = [ "/var/lib/nextcloud/data" ];
-      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/nextcloud";
+      repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/nextcloud";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "04:30"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "nextcloud";
     };

config/hosts/wind/configuration.nix

@@ -1,11 +1,15 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
 
 {
 	imports = [
 		./hardware-configuration.nix
+		../../common/configuration/nix.nix
+		../../common/configuration/documentation.nix
 		../../common/services/ssh.nix
+		../../common/services/tailscale.nix
 		../../common/users.nix
 		./services/acme.nix
+		./services/borg.nix
 		./services/coturn.nix
 		./services/nginx.nix
 		./services/postgres.nix
@@ -15,15 +19,15 @@
 		./services/restic.nix
 		./services/vaultwarden.nix
 		./services/wireguard.nix
+		./services/akkoma.nix
 		./data/secrets/secrets.nix
 		];
 
 	boot.loader.grub.enable = true;
-	boot.loader.grub.version = 2;
 	boot.loader.grub.device = "/dev/sda";
-	boot.kernelPackages = pkgs.linuxPackages_5_10;
+	boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 	boot.supportedFilesystems = ["zfs"];
-	services.zfs.autoSnapshot.enable = true;
+	services.zfs.autoSnapshot.enable = false;
 	services.zfs.autoScrub.enable = true;
 
 	networking.hostName = "wind";
@@ -49,11 +53,12 @@
 		htop
 		iotop
 		dig
+		tailscale
 	];
 
-	nix = {
+	nix.settings = {
-		autoOptimiseStore = true;
+		auto-optimise-store = true;
-		trustedUsers = [
+		trusted-users = [
 			"root"
 			"@wheel"
 		];

config/hosts/wind/hardware-configuration.nix

@@ -6,7 +6,7 @@
 {
   imports =
     [ (modulesPath + "/profiles/qemu-guest.nix")
-      (modulesPath + "/profiles/minimal.nix")
+      #(modulesPath + "/profiles/minimal.nix")
       #(modulesPath + "/profiles/hardened.nix")
     ];
 

config/hosts/wind/services/acme.nix

@@ -3,19 +3,7 @@
 {
   security.acme = {
     acceptTerms = true;
-    email = "admin+certs@graven.dev";
+    defaults.email = "admin+certs@graven.dev";
-		certs = {
-			"graven.dev" = {
-				extraDomainNames = [ "*.graven.dev" ];
-				dnsProvider = "hurricane";
-				credentialsFile = config.secrets.files.acme_graven_dev.file;
-			};
-			"graven.se" = {
-				extraDomainNames = [ "*.graven.se" ];
-				dnsProvider = "hurricane";
-				credentialsFile = config.secrets.files.acme_graven_se.file;
-			};
-		};
   };
 }
 

config/hosts/wind/services/akkoma.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+{
+
+  services.akkoma = {
+    enable = true;
+      config = {
+      ":pleroma" = {
+        ":instance" = {
+          name = "graven.se";
+          description = "Graven Fedi";
+          email = "charlie@graven.se";
+          registration_open = false;
+        };
+
+        "Pleroma.Web.Endpoint" = {
+          url.host = "fedi.graven.se";
+        };
+        "Pleroma.Web.Webfinger" = {
+          domain = "graven.se";
+        };
+        "Pleroma.Upload".filters =
+          map (pkgs.formats.elixirConf { }).lib.mkRaw
+            [
+              "Pleroma.Upload.Filter.Exiftool"
+              "Pleroma.Upload.Filter.Dedupe"
+              "Pleroma.Upload.Filter.AnonymizeFilename"
+            ];
+      };
+    };
+    nginx = {
+      enableACME = true;
+      forceSSL = true;
+      serverName = "fedi.graven.se";
+    };
+  };
+}

config/hosts/wind/services/borg.nix

@@ -0,0 +1,36 @@
+{ config, ... }:
+
+{
+	services.borgbackup.jobs = {
+		gitea = {
+			paths = "/var/lib/gitea";
+			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/gitea";
+			encryption.mode = "repokey";
+			encryption.passCommand = "cat ${config.secrets.files.borg_pass_gitea.file}";
+			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_gitea.file}";
+			compression = "auto,zstd";
+			startAt = "*-*-* 02:15:00";
+			user = "gitea";
+		};
+		postgres = {
+			paths = "/var/lib/postgresql/backup";
+			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/postgres";
+			encryption.mode = "repokey";
+			encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
+			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
+			compression = "auto,zstd";
+			startAt = "*-*-* 03:15:00";
+			user = "postgres";
+		};
+		synapse = {
+			paths = "/var/lib/matrix-synapse";
+			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/synapse";
+			encryption.mode = "repokey";
+			encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
+			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
+			compression = "auto,zstd";
+			startAt = "*-*-* 03:15:00";
+			user = "matrix-synapse";
+		};
+	};
+}

config/hosts/wind/services/coturn.nix

@@ -1,7 +1,7 @@
 { config, ... }:
 {
   services.coturn = {
-    enable = true;
+    enable = false;
     lt-cred-mech = true;
     use-auth-secret = true;
     static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;

config/hosts/wind/services/gitea.nix

@@ -1,16 +1,32 @@
 { ... }:
 
 {
-  services.gitea = {
+  services.forgejo = {
     enable = true;
-    domain = "git.graven.dev";
+    user = "gitea";
-    rootUrl = "https://git.graven.dev";
+    group = "gitea";
-    enableUnixSocket = true;
+    stateDir = "/var/lib/gitea";
-    cookieSecure = true;
-    appName = "Graven Gitea";
-    settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; };
     database = {
       type = "postgres";
+      name = "gitea";
+      user = "gitea";
+    };
+    settings = {
+      DEFAULT.APP_NAME = "Graven Gitea";
+      service.DISABLE_REGISTRATION = true;
+      session.COOKIE_SECURE = true;
+      server.DOMAIN = "git.graven.dev";
+      server.ROOT_URL = "https://git.graven.dev";
+      server.PROTOCOL = "http+unix";
     };
   };
+
+  users.users.gitea = {
+    home = "/var/lib/gitea";
+    useDefaultShell = true;
+    group = "gitea";
+    isSystemUser = true;
+  };
+
+  users.groups.gitea = {};
 }

config/hosts/wind/services/nginx.nix

@@ -2,11 +2,13 @@
 	imports = [ ../../../common/services/nginx.nix ];
 	services.nginx.virtualHosts = {
 		"graven.dev" = {
-			useACMEHost = "graven.dev";
+			enableACME = true;
 			forceSSL = true;
 			locations."/".root = "/var/www/graven.dev/public";
-			locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+			locations."~ ^(\\/_matrix|\\/_synapse\\/client)" = {
-			locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
+				proxyPass = "http://127.0.0.1:8008";
+				priority = 1000;
+			};
 			locations."/.well-known/matrix/" = {
 				root = "/var/www/matrix/public";
 				extraConfig = ''
@@ -14,24 +16,34 @@
 					add_header Access-Control-Allow-Origin "*";
 					add_header Strict-Transport-Security $hsts_header;
 					add_header Referrer-Policy "same-origin";
-					add_header X-Frame-Options "DENY";
 					add_header X-Content-Type-Options "nosniff";
 					add_header X-XSS-Protection "1; mode=block";
 				'';
 			};
 		};
+		# Fedi webfinger
+		"graven.se" = {
+			enableACME = true;
+			forceSSL = true;
+			locations."/.well-known/host-meta".return = "301 https://fedi.graven.se$request_uri";
+		};
+		"amanda.graven.dev" = {
+			enableACME = true;
+			forceSSL = true;
+			locations."/".root = "/var/www/amanda.graven.dev/public";
+		};
 		"rss.graven.dev" = {
-			useACMEHost = "graven.dev";
+			enableACME = true;
 			forceSSL = true;
 		};
 		"git.graven.dev" = {
-			useACMEHost = "graven.dev";
+			enableACME = true;
 			forceSSL = true;
-			locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
+			locations."/".proxyPass = "http://unix:/run/forgejo/forgejo.sock:";
 		};
 		"vault.graven.dev" = {
 			forceSSL = true;
-			useACMEHost = "graven.dev";
+			enableACME = true;
 			locations."/" = {
 				proxyPass = "http://localhost:8812";
 				proxyWebsockets = true;
@@ -47,7 +59,7 @@
 		};
 		"openpgpkey.graven.dev" = {
 			forceSSL = true;
-			useACMEHost = "graven.dev";
+			enableACME = true;
 			locations."/" = {
 				root = "/var/www/openpgpkey";
 				extraConfig = ''
@@ -63,7 +75,7 @@
 		};
 		"openpgpkey.graven.se" = {
 			forceSSL = true;
-			useACMEHost = "graven.se";
+			enableACME = true;
 			locations."/" = {
 				root = "/var/www/openpgpkey";
 				extraConfig = ''
@@ -79,7 +91,7 @@
 		};
 		"tor.graven.dev" = {
 			forceSSL = true;
-			useACMEHost = "graven.dev";
+			enableACME = true;
 			locations."/" = {
 				root = "/var/www/tor";
 				extraConfig = ''

config/hosts/wind/services/postgres.nix

@@ -2,7 +2,7 @@
 {
   services.postgresql = {
     enable = true;
-    package = pkgs.postgresql_13;
+    package = pkgs.postgresql_16;
     initialScript = pkgs.writeText "synapse-init.sql" ''
                       CREATE ROLE synapse;
                       CREATE DATABASE synapse WITH OWNER synapse

config/hosts/wind/services/restic.nix

@@ -5,41 +5,41 @@
   services.restic.backups = {
     "gitea" = {
       paths = [ "/var/lib/gitea" ];
-      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/gitea";
+      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/gitea";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "02:15"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "gitea";
     };
     "postgres" = {
       paths = [ "/var/lib/postgresql/backup" ];
-      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/postgres";
+      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/postgres";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "03:00"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "postgres";
     };
     "synapse" = {
       paths = [ "/var/lib/matrix-synapse" ];
-      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/synapse";
+      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/synapse";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "03:30"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "matrix-synapse";
     };
     "vaultwarden" = {
       paths = [ "/var/lib/bitwarden_rs" ];
-      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
+      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/vaultwarden";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "23:45"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "vaultwarden";
     };

config/hosts/wind/services/synapse.nix

@@ -3,14 +3,17 @@
 {
   services.matrix-synapse = {
     enable = true;
+    withJemalloc = true;
+    extraConfigFiles = [ config.secrets.files.synapse_extra_config.file ];
+    settings = {
       server_name = "graven.dev";
       enable_registration = false;
       registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
       turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
       max_upload_size = "100M";
-    database_type = "psycopg2";
+      database.name = "psycopg2";
-    database_user = "synapse";
+      database.args.user = "synapse";
-    database_name = "synapse";
+      database.args.database = "synapse";
       turn_uris = [
         "turn:turn.graven.dev:3478?transport=udp"
         "turn:turn.graven.dev:3478?transport=tcp"
@@ -22,29 +25,6 @@
         "turns:turn.graven.dev:5350?transport=tcp"
       ];
       report_stats = true;
-    withJemalloc = true;
-
-    extraConfig = ''
-password_config:
-  enabled: false
-oidc_providers:
-  - idp_id: authentik
-    idp_name: authentik
-    discover: true
-    issuer: "https://auth.graven.dev/application/o/synapse/"
-    client_id: "7a77036d3b360265895f2ab5a51264ba586c93d5"
-    client_secret: "a9f9146fd13338230481a71c824d122bfb5e8a2118f2cdaf882746ad6726aeecd50ef522338acec89d3f8ccb8014124e022a6af6769807ea4271931f219a3f55"
-    allow_existing_users: true
-    scopes:
-      - "openid"
-      - "profile"
-      - "email"
-    user_mapping_provider:
-      config:
-        localpart_template: "{{ user.name }}"
-        display_name_template: "{{ user.name|capitalize }}"
-    '';
-
       logConfig = ''
   version: 1
 
@@ -72,7 +52,7 @@ disable_existing_loggers: false
       listeners = [
         {
           port = 8008;
-        bind_address = "127.0.0.1";
+          bind_addresses = ["127.0.0.1"];
           type = "http";
           tls = false;
           x_forwarded = true;
@@ -85,5 +65,6 @@ disable_existing_loggers: false
         }
       ];
     };
+  };
 }
     

config/hosts/wind/services/ttrss-plugins/fever.nix

@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, tt-rss, ... }:
+
+stdenv.mkDerivation rec {
+	pname = "tt-rss-fever-api";
+	version = "2.3.0";
+
+	src = fetchFromGitHub {
+		owner = "DigitalDJ";
+		repo = "tinytinyrss-fever-plugin";
+		rev = "${version}";
+		sha256 = "fKHnF7pXMD04sWygoRnPH5hLUyWW4Dv/e4JWtfobX/g=";
+	};
+
+	installPhase = ''
+		mkdir -p $out/fever
+		cp -r fever_api.php index.php init.php $out/fever/
+	'';
+
+	meta = {
+		description = "Fever API for Tiny Tiny RSS";
+		longDescription = ''
+			This is a plugin for Tiny Tiny RSS (tt-rss).
+
+			It lets you use feed reader programs which interface with the Fever feed
+			reader API together with Tiny Tiny RSS
+		'';
+		license = lib.licenses.gpl3Only;
+		homepage = "https://github.com/DigitalDJ/tinytinyrss-fever-plugin";
+		maintainers = [ {
+			email = "amanda@graven.dev";
+			name = "Amanda Graven";
+			github = "agraven";
+			githubId = 23525639;
+		} ];
+		inherit (tt-rss.meta) platforms;
+	};
+}

config/hosts/wind/services/ttrss.nix

@@ -1,10 +1,13 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 
 {
 	services.tt-rss = {
 		enable = true;
-    registration.enable = true;
+		registration.enable = false;
 		virtualHost = "rss.graven.dev";
 		selfUrlPath = "https://rss.graven.dev";
+		pluginPackages = [
+			(pkgs.callPackage ./ttrss-plugins/fever.nix {})
+		];
 	};
 }

config/hosts/wind/services/vaultwarden.nix

@@ -3,7 +3,7 @@
   services.vaultwarden = {
     enable = true;
     environmentFile = config.secrets.files.vaultwarden_env.file;
-    backupDir = "/var/lib/bitwarden_rs/backup";
+    backupDir = "/var/backup/vaultwarden";
     config = {
       domain = "https://vault.graven.dev";
       signupsAllowed = false;

config/sources/nix/sources.json

@@ -5,10 +5,10 @@
         "homepage": "https://github.com/nmattia/niv",
         "owner": "nmattia",
         "repo": "niv",
-        "rev": "df49d53b71ad5b6b5847b32e5254924d60703c46",
+        "rev": "368268e45dee0c94d1cf898381a384856379ad76",
-        "sha256": "1j5p8mi1wi3pdcq0lfb881p97i232si07nb605dl92cjwnira88c",
+        "sha256": "1k03n7qmaz6yf2r8i5sng4kii3rr1y36g8k70sg7piqz3npxisy3",
         "type": "tarball",
-        "url": "https://github.com/nmattia/niv/archive/df49d53b71ad5b6b5847b32e5254924d60703c46.tar.gz",
+        "url": "https://github.com/nmattia/niv/archive/368268e45dee0c94d1cf898381a384856379ad76.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixos-hardware": {
@@ -17,22 +17,22 @@
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "feceb4d24f582817d8f6e737cd40af9e162dee05",
+        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
-        "sha256": "1q92jq6xf5b1pshai9j72cj17r0ah3fhrx669h3vc58rj7xvgiw7",
+        "sha256": "1al72rhlaa6g725syx72klpismv8xygdd55smqfwa9xglhv35r34",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixos-hardware/archive/feceb4d24f582817d8f6e737cd40af9e162dee05.tar.gz",
+        "url": "https://github.com/NixOS/nixos-hardware/archive/2096f3f411ce46e88a79ae4eafcfc9df8ed41c61.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs": {
-        "branch": "nixos-21.11",
+        "branch": "nixos-25.11",
         "description": "Nix Packages collection",
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ccb90fb9e11459aeaf83cc28d5f8910816d90dd0",
+        "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160",
-        "sha256": "1jlyhw5nf7pcxg22k1bwkv13vm02p86d7jf6znihl3hczz1yfgi0",
+        "sha256": "0vma331213djanwmb7ibgmi5290952h6ri123xwb66mg58k8r200",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/ccb90fb9e11459aeaf83cc28d5f8910816d90dd0.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/a4bf06618f0b5ee50f14ed8f0da77d34ecc19160.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixus": {
@@ -41,10 +41,10 @@
         "homepage": "",
         "owner": "Infinisil",
         "repo": "nixus",
-        "rev": "d1e1057a31f16a75d9f871e311c4aaaf664561b9",
+        "rev": "b12665bc80134ac167eef1fff2f4e41e1f8925cb",
-        "sha256": "0d4576dssr6l4vdpi86rbf6dyn3jfl3csvmn9csd4n6dj53f5pqm",
+        "sha256": "11894412807mhg0kgkrn4bjbdk9b2a89b0plh0bpdn06c8pfg11g",
         "type": "tarball",
-        "url": "https://github.com/Infinisil/nixus/archive/d1e1057a31f16a75d9f871e311c4aaaf664561b9.tar.gz",
+        "url": "https://github.com/Infinisil/nixus/archive/b12665bc80134ac167eef1fff2f4e41e1f8925cb.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }

config/sources/nix/sources.nix

@@ -27,12 +27,33 @@ let
   fetch_git = name: spec:
     let
       ref =
-        if spec ? ref then spec.ref else
+        spec.ref or (
           if spec ? branch then "refs/heads/${spec.branch}" else
           if spec ? tag then "refs/tags/${spec.tag}" else
-              abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
+          abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"
+        );
+      submodules = spec.submodules or false;
+      submoduleArg =
+        let
+          nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
+          emptyArgWithWarning =
+            if submodules
+            then
+              builtins.trace
+                (
+                  "The niv input \"${name}\" uses submodules "
+                  + "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
+                  + "does not support them"
+                )
+                { }
+            else { };
         in
-      builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
+        if nixSupportsSubmodules
+        then { inherit submodules; }
+        else emptyArgWithWarning;
+    in
+    builtins.fetchGit
+      ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
 
   fetch_local = spec: spec.path;
 
@@ -95,7 +116,7 @@ let
   # the path directly as opposed to the fetched source.
   replace = name: drv:
     let
-      saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
+      saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
       ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
     in
     if ersatz == "" then drv else
@@ -131,7 +152,7 @@ let
       inherit (builtins) lessThan nixVersion fetchTarball;
     in
     if lessThan nixVersion "1.12" then
-        fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
     else
       fetchTarball attrs;
 
@@ -141,25 +162,28 @@ let
       inherit (builtins) lessThan nixVersion fetchurl;
     in
     if lessThan nixVersion "1.12" then
-        fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
     else
       fetchurl attrs;
 
   # Create the final "sources" from the config
   mkSources = config:
-    mapAttrs (
+    mapAttrs
+      (
         name: spec:
           if builtins.hasAttr "outPath" spec
-        then abort
+          then
+            abort
               "The values in sources.json should not have an 'outPath' attribute"
           else
             spec // { outPath = replace name (fetch config.pkgs name spec); }
-    ) config.sources;
+      )
+      config.sources;
 
   # The "config" used by the fetchers
   mkConfig =
     { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
-    , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
+    , sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile)
     , system ? builtins.currentSystem
     , pkgs ? mkPkgs sources system
     }: rec {

deploy/default.nix

@@ -13,21 +13,21 @@ in import "${sources.nixus}" {} ({ config, ... }: {
 
   nodes = {
     wind = { lib, config, ... }: {
-      host = "emelie@graven.dev";
+      host = "graven.dev";
       configuration = ../config/hosts/wind/configuration.nix;
       switchTimeout = 300;
       successTimeout = 300;
       ignoreFailingSystemdUnits = true;
     };
     grondahl = { lib, config, ... }: {
-      host = "emelie@anarkafem.dev";
+      host = "anarkafem.dev";
       configuration = ../config/hosts/grondahl/configuration.nix;
       successTimeout = 300;
       switchTimeout = 300;
       ignoreFailingSystemdUnits = true;
     };
     rudiger = { lib, config, ... }: {
-      host = "emelie@cloud.graven.dev";
+      host = "cloud.graven.dev";
       configuration = ../config/hosts/rudiger/configuration.nix;
       switchTimeout = 300;
       successTimeout = 300;

shell.nix

@@ -0,0 +1,7 @@
+{ pkgs ? import <nixpkgs> {} }:
+
+pkgs.mkShell {
+	packages = with pkgs; [
+		niv
+	];
+}