Add incomplete grocy configuration

.EditorConfig

@@ -1,4 +0,0 @@
-root = true
-
-[*.nix]
-indent_style = "tab"

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "config/hosts/grondahl/services/ooye"]
-	path = config/hosts/grondahl/services/ooye
-	url = https://cgit.rory.gay/nix/OOYE-module.git

Makefile

@@ -1,12 +0,0 @@
-all: result
-	
-.PHONY: update result deploy
-
-result:
-	nix build -f deploy/default.nix
-
-update:
-	cd config/sources && niv update
-
-deploy:
-	./result

README.md

@@ -1,27 +1 @@
 NixOS deployments using [nixus](https://github.com/Infinisil/nixus).
-
-TL;DR:
-1. `make update`
-2. `make result`
-3. `make deploy`
-
-First make sure you have `niv` so you can upgrade dependency versions in `sources.json`.
-```sh
-nix-shell -p niv
-(cd config/sources && niv update)
-```
-Build with:
-```sh
-nix-build deploy/
-```
-Deploy by running the generated executable.
-```sh
-./result
-```
-
-## Switching nixpkgs branch
-```sh
-cd config/sources
-niv modify nixpkgs -b nixos-xx.yy
-```
-

config/common/configuration/documentation.nix

@@ -1,12 +0,0 @@
-{ ... }:
-
-{
-	# Some docs fail to build, so we need to disable some of it
-	documentation = {
-		enable = true;
-		man.enable = true;
-		doc.enable = true;
-		dev.enable = false;
-		nixos.enable = false;
-	};
-}

config/common/configuration/nix.nix

@@ -1,12 +0,0 @@
-{ ... }:
-
-# Configuration options for the nix package manager
-{
-	nix.gc = {
-		# Run garbage collection automatically
-		automatic = true;
-		# Run it once a week
-		dates = "weekly";
-		options = "--delete-older-than 30d";
-	};
-}

config/common/data/pubkeys/backup_host_ed25519_key.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4C5OgZpxoF42L5rPqwejs+Q1ViN9TM9o/fEbpnPFtA

config/common/data/pubkeys/despondos_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7

config/common/services/nginx.nix

@@ -20,26 +20,26 @@
       map $scheme $hsts_header {
           https   "max-age=31536000; includeSubdomains; preload";
       }
-      #add_header Strict-Transport-Security $hsts_header;
+      add_header Strict-Transport-Security $hsts_header;
 
       # Enable CSP for your services.
       #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 
       # Minimize information leaked to other domains
-      #add_header 'Referrer-Policy' 'same-origin';
+      add_header 'Referrer-Policy' 'same-origin';
 
       # Disable embedding as a frame
-      #add_header X-Frame-Options DENY;
+      add_header X-Frame-Options DENY;
 
       # Prevent injection of code in other mime types (XSS Attacks)
-      #add_header X-Content-Type-Options nosniff;
+      add_header X-Content-Type-Options nosniff;
 
       # Enable XSS protection of the browser.
       # May be unnecessary when CSP is configured properly (see above)
-      #add_header X-XSS-Protection "1; mode=block";
+      add_header X-XSS-Protection "1; mode=block";
 
       # This might create errors
-      #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
     '';
   };
 }

config/common/services/ssh.nix

@@ -2,21 +2,19 @@
 {
   services.openssh = {
     enable = true;
+    permitRootLogin = "no";
+    passwordAuthentication = false;
+    challengeResponseAuthentication = false;
     hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ];
-    settings = {
+    kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
-      KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+    macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
-      Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
-      PermitRootLogin = "no";
-      KbdInteractiveAuthentication = false;
-      PasswordAuthentication = false;
 
-    };
   };
 
   programs.ssh.knownHosts = {
-    backup = {
+    despondos = {
-      hostNames = [ "backup.graven.dev" ];
+      hostNames = [ "despondos.nao.sh" ];
-      publicKeyFile = ../data/pubkeys/backup_host_ed25519_key.pub;
+      publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
     };
   };
 

config/common/services/tailscale.nix

@@ -1,37 +0,0 @@
-{ config, pkgs, ... }:
-{
-environment.systemPackages = [ pkgs.tailscale ];
-
-services.tailscale.enable = false;
-
-  # ...
-
-  # create a oneshot job to authenticate to Tailscale
-  systemd.services.tailscale-autoconnect = {
-    description = "Automatic connection to Tailscale";
-
-    # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
-
-    # have the job run this shell script
-    script = with pkgs; ''
-      # wait for tailscaled to settle
-      sleep 2
-
-      # check if we are already authenticated to tailscale
-      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
-      if [ $status = "Running" ]; then # if so, then do nothing
-        exit 0
-      fi
-
-      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey CHANGEME
-    '';
-  };
-
-}

config/common/users.nix

@@ -5,7 +5,8 @@
 			isNormalUser = true;
 			extraGroups = [ "wheel" ];
 			openssh.authorizedKeys.keys = [
-				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAn9xV1GA/hMkCFoP7DWzYyGmbeiri823fHMRz0ZVoxq emelie-personal-bw"
+              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+							"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed"
 
 			];
 		};
@@ -16,10 +17,6 @@
 				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwmREgBmckocQerEfO4XhB+dbKDsZopok37ePWHwCEj id_ed25519"
 				"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILrZWS1PBVRbdmPh8IJdIPHhK0+ZuSnQCR10a8Bl11VZAAAABHNzaDo= amanda@sharpy"
 				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6v5D/aJuIhuIVcnzFA7ocxPMI8JgHEnxSPuD+SaLHX amanda@sharpy"
-				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+0x2uHcuXpFQdeXeUWeLGPefWo6Sd7yy2FJlyZy8V+ amanda@tappy"
-				"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKWhc20jOFF+pVVT/Mf1ACYOtppkYWkP7NkY0/fPvjPAAAAFHNzaDphMy1uazNhLXBlcnNvbmFs ssh:a3-nk3a-personal"
-				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMLbLay9KARrdb8QM4OLzmqWIN48rZMX6wCddBwYT/U amanda@gpg"
-				"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGMWTQc7A3W/LI4AgFWy/Uw/+oMucmSziuJKxC2rleo amanda@bitwarden"
 			];
 		};
 	};

config/hosts/grondahl/configuration.nix

@@ -5,26 +5,23 @@
     [ # Include the results of the hardware scan.
     ./hardware-configuration.nix
     ./data/secrets/secrets.nix
-    ../../common/configuration/nix.nix
-    ../../common/configuration/documentation.nix
     ../../common/services/ssh.nix
-    ../../common/services/tailscale.nix
+		../../common/users.nix
-    ../../common/users.nix
     ./services/acme.nix
-    ./services/borg.nix
     ./services/coturn.nix
     ./services/nginx.nix
+    ./services/restic.nix
     ./services/synapse.nix
     ./services/postgres.nix
-    ./services/ooye.nix
 		#./services/mail.nix
 		#./services/containers.nix
 		#./services/redis.nix
     ];
 
   boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
   boot.loader.grub.device = "/dev/vda";
-  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  boot.kernelPackages = pkgs.linuxPackages_5_10;
   networking = {
     hostName = "grondahl";
     useDHCP = false;
@@ -52,9 +49,9 @@
 
   security.sudo.wheelNeedsPassword = false;
 
-  nix.settings = {
+  nix = {
-    auto-optimise-store = true;
+    autoOptimiseStore = true;
-    trusted-users = [
+    trustedUsers = [
       "root"
       "@wheel"
     ];
@@ -75,15 +72,9 @@
     dig
   ];
 
-  networking.firewall = {
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
-    enable = true;
+  networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
-    checkReversePath = "loose";
+  networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
-    trustedInterfaces = [ "tailscale0" ];
-    allowedUDPPorts = [ config.services.tailscale.port ];
-    allowedTCPPorts = [ 22 80 443 ];
-    allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
-    allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
-  };
 
   system.stateVersion = "21.05";
 

config/hosts/grondahl/hardware-configuration.nix

@@ -2,7 +2,7 @@
 {
   imports =
     [ (modulesPath + "/profiles/qemu-guest.nix")
-      #(modulesPath + "/profiles/minimal.nix")
+      (modulesPath + "/profiles/minimal.nix")
     ];
 
   boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];

config/hosts/grondahl/services/acme.nix

@@ -3,7 +3,12 @@
 {
   security.acme = {
     acceptTerms = true;
-    defaults.email = "admin+certs@anarkafem.dev";
+    email = "admin+certs@anarkafem.dev";
+    certs."anarkafem.dev" = {
+      extraDomainNames = [ "*.anarkafem.dev" ];
+      dnsProvider = "hurricane";
+      credentialsFile = config.secrets.files.acme_anarkafem_dev.file;
+    };
   };
 }
 

config/hosts/grondahl/services/borg.nix

@@ -1,26 +0,0 @@
-{ config, ... }:
-
-{
-	services.borgbackup.jobs = {
-		postgres = {
-			paths = "/var/lib/postgresql/backup";
-			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/postgres";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:15:00";
-			user = "postgres";
-		};
-		synapse = {
-			paths = "/var/lib/matrix-synapse";
-			repo =  "ssh://borg@backup.graven.dev//mnt/slab/backup/grondahl/synapse";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:45:00";
-			user = "matrix-synapse";
-		};
-	};
-}

config/hosts/grondahl/services/nginx.nix

@@ -1,13 +1,8 @@
 {
   imports = [ ../../../common/services/nginx.nix ];
   services.nginx.virtualHosts = {
-    "ooye.anarkafem.dev" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/".proxyPass = "http://127.0.0.1:6693/";
-    };
     "anarkafem.dev" = {
-      enableACME = true;
+      useACMEHost = "anarkafem.dev";
       forceSSL = true;
       locations."/".root = "/var/www/anarkafem.dev/public";
       locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
@@ -26,21 +21,14 @@
       };
     };
 		"cal.anarkafem.dev" = {
-			enableACME = true;
+			useACMEHost = "anarkafem.dev";
 			forceSSL = true;
 			locations."/".proxyPass = "http://127.0.0.1:4000";
 		};
 		"auth.anarkafem.dev" = {
-			enableACME = true;
+			useACMEHost = "anarkafem.dev";
 			forceSSL = true;
 			locations."/".proxyPass = "http://127.0.0.1:9000";
 		};
-    "beanz.one" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        root = "/var/www/beanz.one/public";
-      };
-    };
   };
 }

config/hosts/grondahl/services/ooye

@@ -1 +0,0 @@
-Subproject commit 11cc65efa2909bdc7e3e978bf1f56f6d141bf82a

config/hosts/grondahl/services/ooye.nix

@@ -1,16 +0,0 @@
-# Out of your Element prerequisites
-{ config, ... }:
-{
-  imports = [
-	./ooye/module.nix
-  ];
-  services.matrix-ooye = {
-	enable = true;
-	homeserver = "http://localhost:8008";
-	namespace = "_discord_";
-	discordClientSecretPath = builtins.toString config.secrets.files.ooye_client_secret.file;
-	discordTokenPath = builtins.toString config.secrets.files.ooye_token.file;
-	bridgeOrigin = "https://ooye.anarkafem.dev";
-	enableSynapseIntegration = true;
-  };
-}

config/hosts/grondahl/services/postgres.nix

@@ -2,8 +2,8 @@
 {
   services.postgresql = {
     enable = true;
-    package = pkgs.postgresql_16;
+    package = pkgs.postgresql_13;
-		extensions = with config.services.postgresql.package.pkgs; [
+		extraPlugins = with config.services.postgresql.package.pkgs; [
 			postgis
 		];
     ensureDatabases = [ 
@@ -14,15 +14,15 @@
     ensureUsers = [
     	{
 				name = "matrix-synapse";
-				ensureDBOwnership = true;
+      	ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
     	}
 			{
 				name = "mobilizon";
-				ensureDBOwnership = true;
+      	ensurePermissions."DATABASE mobilizon" = "ALL PRIVILEGES";
   		}
 			{ 
 				name = "authentik";
-				ensureDBOwnership = true;
+				ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES";
 			}
     ];
     initialScript = pkgs.writeText "synapse-init.sql" ''

config/hosts/grondahl/services/redis.nix

@@ -1,13 +1,11 @@
 { config, ...  }:
 {
   services.redis = {
+    enable = true;
+    unixSocket = "/run/redis/redis.sock";
     vmOverCommit = true;
-    servers."" = {
+    unixSocketPerm = 770;
-      enable = true;
+    #requirePassfile = config.secrets.files.redis_pass.file;
-      unixSocket = "/run/redis/redis.sock";
-      unixSocketPerm = 770;
-      #requirePassfile = config.secrets.files.redis_pass.file;
-    };
   }; 
 }
 

config/hosts/grondahl/services/restic.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  services.restic.backups = {
+    "postgres" = {
+      paths = [ "/var/lib/postgresql/backup" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/postgres";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:15"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "postgres";
+    };
+    "synapse" = {
+      paths = [ "/var/lib/matrix-synapse" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/synapse";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:45"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "matrix-synapse";
+    };
+  };
+}
+

config/hosts/grondahl/services/synapse.nix

@@ -3,76 +3,72 @@
 {
   services.matrix-synapse = {
     enable = true;
+    server_name = "anarkafem.dev";
+    enable_registration = false;
+    registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    max_upload_size = "100M";
+    database_type = "psycopg2";
+		database_args = { 
+			password = builtins.toString config.secrets.files.synapse_db_password.file;
+		};
+    turn_uris = [
+      "turn:turn.anarkafem.dev:3478?transport=udp"
+      "turn:turn.anarkafem.dev:3478?transport=tcp"
+      "turn:turn.anarkafem.dev:3479?transport=udp"
+      "turn:turn.anarkafem.dev:3479?transport=tcp"
+      "turns:turn.anarkafem.dev:5349?transport=udp"
+      "turns:turn.anarkafem.dev:5349?transport=tcp"
+      "turns:turn.anarkafem.dev:5350?transport=udp"
+      "turns:turn.anarkafem.dev:5350?transport=tcp"
+    ];
+    report_stats = false;
     withJemalloc = true;
-    settings = {
+    servers = { "anarkafem.dev" = {}; };
-      database = {
+    extraConfig = ''
-        name = "psycopg2";
+      default_room_version: "9"
-        args.user = "matrix-synapse";
+      auto_join_rooms:
-        args.database = "matrix-synapse";
+        - "#suf-aalborg:anarkafem.dev"
-      };
+    '';
+    logConfig = ''
+      version: 1
 
-      server_name = "anarkafem.dev";
+      formatters:
-      enable_registration = false;
+          precise:
-      registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+              format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
-      turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
-      max_upload_size = "100M";
-      turn_uris = [
-        "turn:turn.anarkafem.dev:3478?transport=udp"
-        "turn:turn.anarkafem.dev:3478?transport=tcp"
-        "turn:turn.anarkafem.dev:3479?transport=udp"
-        "turn:turn.anarkafem.dev:3479?transport=tcp"
-        "turns:turn.anarkafem.dev:5349?transport=udp"
-        "turns:turn.anarkafem.dev:5349?transport=tcp"
-        "turns:turn.anarkafem.dev:5350?transport=udp"
-        "turns:turn.anarkafem.dev:5350?transport=tcp"
-      ];
-      report_stats = false;
-      servers = { "anarkafem.dev" = {}; };
-      extraConfig = ''
-        default_room_version: "9"
-        auto_join_rooms:
-          - "#suf-aalborg:anarkafem.dev"
-      '';
-      logConfig = ''
-        version: 1
 
-        formatters:
+      handlers:
-            precise:
+          console:
-                format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+              class: logging.StreamHandler
+              formatter: precise
 
-        handlers:
+      loggers:
-            console:
+          synapse.storage.SQL:
-                class: logging.StreamHandler
+              # beware: increasing this to DEBUG will make synapse log sensitive
-                formatter: precise
+              # information such as access tokens.
+              level: INFO
 
-        loggers:
+      root:
-            synapse.storage.SQL:
+          level: INFO
-                # beware: increasing this to DEBUG will make synapse log sensitive
+          handlers: [console]
-                # information such as access tokens.
-                level: INFO
 
-        root:
+      disable_existing_loggers: false
-            level: INFO
+    '';
-            handlers: [console]
+    listeners = [
-
+      {
-        disable_existing_loggers: false
+        port = 8008;
-      '';
+        bind_address = "127.0.0.1";
-      listeners = [
+        type = "http";
-        {
+        tls = false;
-          port = 8008;
+        x_forwarded = true;
-          bind_addresses = ["127.0.0.1"];
+        resources = [
-          type = "http";
+          { 
-          tls = false;
+            names = [ "client" "federation" ];
-          x_forwarded = true;
+            compress = false;
-          resources = [
+          }
-            { 
+        ];
-              names = [ "client" "federation" ];
+      }
-              compress = false;
+    ];
-            }
-          ];
-        }
-      ];
-    };
   };
 }
     

config/hosts/rudiger/configuration.nix

@@ -1,93 +1,83 @@
 { config, pkgs, ... }:
 
 {
-	imports = [
+  imports =
-		./hardware-configuration.nix
+    [
-		./data/secrets/secrets.nix
+      ./hardware-configuration.nix
-		../../common/configuration/nix.nix
+      ./data/secrets/secrets.nix
-		../../common/configuration/documentation.nix
+      ../../common/services/ssh.nix
-		../../common/services/ssh.nix
+			../../common/users.nix
-		../../common/services/tailscale.nix
+      ./services/acme.nix
-		../../common/users.nix
+      ./services/nextcloud.nix
-		./services/acme.nix
+      ./services/nginx.nix
-		./services/immich.nix
+      ./services/postgres.nix
-		./services/nextcloud.nix
+      ./services/redis.nix
-		./services/nginx.nix
+      ./services/restic.nix
-		./services/postgres.nix
+    ];
-		./services/redis.nix
-		./services/restic.nix
-	];
 
-	boot.loader.grub.enable = true;
+  boot.loader.grub.enable = true;
-	boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.version = 2;
-	boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  boot.loader.grub.device = "/dev/sda";
 
-	boot.supportedFilesystems = ["zfs"];
+  boot.supportedFilesystems = ["zfs"];
-	services.zfs.autoSnapshot.enable = false;
+  services.zfs.autoSnapshot.enable = true;
-	services.zfs.autoScrub.enable = true;
+  services.zfs.autoScrub.enable = true;
 
-	time.timeZone = "Europe/Copenhagen";
+  time.timeZone = "Europe/Copenhagen";
 
-	networking = {
+  networking = {
-		hostName = "rudiger";
+    hostName = "rudiger";
-		hostId = "8c7b66a4";
+    hostId = "8c7b66a4";
-		useDHCP = false;
+    useDHCP = false;
-		tempAddresses = "disabled";
+    tempAddresses = "disabled";
-		interfaces = {
+    interfaces = {
-			"ens3" = {
+      "ens3" = {
-				ipv4.addresses = [ {
+        ipv4.addresses = [ {
-					address = "202.61.202.170";
+          address = "202.61.202.170";
-					prefixLength = 22;
+          prefixLength = 22;
-				} ];
+        } ];
-				ipv6.addresses = [ {
+        ipv6.addresses = [ {
-					address = "2a03:4000:5a:c61::1";
+          address = "2a03:4000:5a:c61::1";
-					prefixLength = 64;
+          prefixLength = 64;
-				} ];
+        } ];
-			};
+      };
-		};
+    };
-		defaultGateway = "202.61.200.1";
+    defaultGateway = "202.61.200.1";
-		defaultGateway6 = {
+    defaultGateway6 = {
-			address = "fe80::1";
+      address = "fe80::1";
-			interface = "ens3";
+      interface = "ens3";
-		};
+    };
-		nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+    nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
-	};
+  };
 
 
-	nix.settings = {
+  nix = {
-		auto-optimise-store = true;
+    autoOptimiseStore = true;
-		trusted-users = [
+    trustedUsers = [
-			"root"
+      "root"
-			"@wheel"
+      "@wheel"
-		];
+    ];
-	};
+  };
 
-	environment.systemPackages = with pkgs; [
+  environment.systemPackages = with pkgs; [
-		vim
+    vim
-		wget
+    wget
-		htop
+    htop
-		iotop
+    iotop
-		dig
+    dig
-		tailscale
+  ];
-	];
+  security.sudo.wheelNeedsPassword = false;
-	security.sudo.wheelNeedsPassword = false;
 
-	systemd.services."nextcloud-setup" = {
+  systemd.services."nextcloud-setup" = {
-		requires = [ "postgresql.service" "redis.service" ];
+    requires = [ "postgresql.service" "redis.service" ];
-		after = [ "postgresql.service" "redis.service" ];
+    after = [ "postgresql.service" "redis.service" ];
-	};
+  };
 
-	users.groups.redis.members = [ "nextcloud" ];
+  users.groups.redis.members = [ "nextcloud" ];
-	users.groups.backup.members = [ "nextcloud" "postgres" ];
+  users.groups.backup.members = [ "nextcloud" "postgres" ];
 
-	networking.firewall = {
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
-		allowedTCPPorts = [ 22 80 443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
-		allowedUDPPorts = [ config.services.tailscale.port ];
+  system.stateVersion = "21.05";
-		trustedInterfaces = [ "tailscale0" ];
-		enable = true;
-		checkReversePath = "loose";
-	};
-	# networking.firewall.allowedUDPPorts = [ ... ];
-	system.stateVersion = "21.05";
 
 }

config/hosts/rudiger/hardware-configuration.nix

@@ -3,7 +3,7 @@
 {
   imports =
     [ (modulesPath + "/profiles/qemu-guest.nix")
-      #(modulesPath + "/profiles/minimal.nix")
+      (modulesPath + "/profiles/minimal.nix")
     ];
 
   boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];

config/hosts/rudiger/services/acme.nix

@@ -3,7 +3,7 @@
 {
   security.acme = {
     acceptTerms = true;
-    defaults.email = "admin+certs@graven.dev";
+    email = "admin+certs@graven.dev";
   };
 }
 

config/hosts/rudiger/services/borg.nix

@@ -1,27 +0,0 @@
-
-{ config, ... }:
-
-{
-	services.borgbackup.jobs = {
-		postgres = {
-			paths = "/var/lib/postgresql/backup";
-			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/postgres";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:15:00";
-			user = "postgres";
-		};
-		synapse = {
-			paths = "/var/lib/nextcloud/data";
-			repo =  "ssh://borg@backup.graven.dev//mnt/slab/backup/rudiger/nextcloud";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:45:00";
-			user = "nextcloud";
-		};
-	};
-}

config/hosts/rudiger/services/immich.nix

@@ -1,9 +0,0 @@
-{ ... }:
-
-{
-	services.immich = {
-		enable = true;
-		port = 2283;
-		settings.server.externalDomain = "https://immich.graven.dev";
-	};
-}

config/hosts/rudiger/services/nextcloud.nix

@@ -1,25 +1,22 @@
 { config, pkgs, ... }:
 {
-	services.nextcloud = {
+  services.nextcloud = {
-		enable = true;
+    enable = true;
-		hostName = "cloud.graven.dev";
+    hostName = "cloud.graven.dev";
-		https = true;
+    https = true;
-		package = pkgs.nextcloud32;
+    package = pkgs.nextcloud22;
-		autoUpdateApps.enable = true;
+    autoUpdateApps.enable = true;
-		maxUploadSize = "10G";
+    maxUploadSize = "10G";
-		webfinger = true;
+    webfinger = true;
-		caching.redis = true;
+    caching.redis = true;
-		config = {
+    config = {
-			dbtype = "pgsql";
+      dbtype = "pgsql";
-			dbuser = "nextcloud";
+      dbuser = "nextcloud";
-			dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
-			dbname = "nextcloud";
+      dbname = "nextcloud";
-			adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
+      defaultPhoneRegion = "DK";
-			adminuser = "root";
+      adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
-		};
+      adminuser = "root";
-		settings = {
+    };
-			default_phone_region = "DK";
+  };
-		};
-		phpOptions."opcache.interned_strings_buffer" = "23";
-	};
 }

config/hosts/rudiger/services/nginx.nix

@@ -1,25 +1,8 @@
-{ config, ... }:
+{ ... }:
 {
   imports = [ ../../../common/services/nginx.nix ];
   services.nginx.virtualHosts."cloud.graven.dev" = {
     enableACME = true;
     forceSSL = true;
   };
-  services.nginx.virtualHosts."immich.graven.dev" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://[::1]:${toString config.services.immich.port}";      
-      proxyWebsockets = true;
-      recommendedProxySettings = true;
-      extraConfig = ''
-        client_max_body_size      50000M;
-        proxy_read_timeout        600s;
-        proxy_send_timeout        600s;
-        send_timeout              600s;
-        proxy_max_temp_file_size  0;
-        proxy_buffering           off;
-      '';
-    };
-  };
 }

config/hosts/rudiger/services/postgres.nix

@@ -1,15 +1,14 @@
-{ pkgs, ... }:
+{ ... }:
 {
   services.postgresql = {
     enable = true;
-    package = pkgs.postgresql_15;
     ensureDatabases = [ 
 			"nextcloud"
 		];
     ensureUsers = [
     	{
 				name = "nextcloud";
-      	ensureDBOwnership = true;
+      	ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
     	}
     ];
   };

config/hosts/rudiger/services/redis.nix

@@ -1,12 +1,10 @@
 { config, ...  }:
 {
   services.redis = {
+    enable = true;
+    unixSocket = "/run/redis/redis.sock";
     vmOverCommit = true;
-    servers."" = {
+    unixSocketPerm = 770;
-      enable = true;
+    #requirePassfile = config.secrets.files.redis_pass.file;
-      unixSocket = "/run/redis/redis.sock";
+  }; 
-      unixSocketPerm = 770;
-      #requirePassfile = config.secrets.files.redis_pass.file;
-    };
-  };
 }

config/hosts/rudiger/services/restic.nix

@@ -3,21 +3,21 @@
   services.restic.backups = {
     "postgres" = {
       paths = [ "/var/lib/postgresql/backup" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/postgres";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/postgres";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "04:15"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "postgres";
     };
     "nextcloud" = {
       paths = [ "/var/lib/nextcloud/data" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/rudiger/nextcloud";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/nextcloud";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "04:30"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "nextcloud";
     };

config/hosts/wind/configuration.nix

@@ -1,16 +1,13 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
-	imports = [
+	imports = [ 
-		./hardware-configuration.nix
+		./hardware-configuration.nix 
-		../../common/configuration/nix.nix
-		../../common/configuration/documentation.nix
 		../../common/services/ssh.nix
-		../../common/services/tailscale.nix
 		../../common/users.nix
 		./services/acme.nix
-		./services/borg.nix
 		./services/coturn.nix
+		#./services/grocy.nix
 		./services/nginx.nix
 		./services/postgres.nix
 		./services/synapse.nix
@@ -19,15 +16,15 @@
 		./services/restic.nix
 		./services/vaultwarden.nix
 		./services/wireguard.nix
-		./services/akkoma.nix
 		./data/secrets/secrets.nix
 		];
 
 	boot.loader.grub.enable = true;
+	boot.loader.grub.version = 2;
 	boot.loader.grub.device = "/dev/sda";
-	boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+	boot.kernelPackages = pkgs.linuxPackages_5_10;
 	boot.supportedFilesystems = ["zfs"];
-	services.zfs.autoSnapshot.enable = false;
+	services.zfs.autoSnapshot.enable = true;
 	services.zfs.autoScrub.enable = true;
 
 	networking.hostName = "wind";
@@ -41,7 +38,7 @@
 	users.users.deploy-web = {
 		isNormalUser = true;
 		extraGroups = [ "nginx" ];
-		openssh.authorizedKeys.keys = [
+		openssh.authorizedKeys.keys = [ 
 			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
 		];
 	};
@@ -53,12 +50,11 @@
 		htop
 		iotop
 		dig
-		tailscale
 	];
 
-	nix.settings = {
+	nix = {
-		auto-optimise-store = true;
+		autoOptimiseStore = true;
-		trusted-users = [
+		trustedUsers = [
 			"root"
 			"@wheel"
 		];

config/hosts/wind/hardware-configuration.nix

@@ -6,7 +6,7 @@
 {
   imports =
     [ (modulesPath + "/profiles/qemu-guest.nix")
-      #(modulesPath + "/profiles/minimal.nix")
+      (modulesPath + "/profiles/minimal.nix")
       #(modulesPath + "/profiles/hardened.nix")
     ];
 

config/hosts/wind/services/acme.nix

@@ -3,7 +3,19 @@
 {
   security.acme = {
     acceptTerms = true;
-    defaults.email = "admin+certs@graven.dev";
+    email = "admin+certs@graven.dev";
+		certs = {
+			"graven.dev" = {
+				extraDomainNames = [ "*.graven.dev" ];
+				dnsProvider = "hurricane";
+				credentialsFile = config.secrets.files.acme_graven_dev.file;
+			};
+			"graven.se" = {
+				extraDomainNames = [ "*.graven.se" ];
+				dnsProvider = "hurricane";
+				credentialsFile = config.secrets.files.acme_graven_se.file;
+			};
+		};
   };
 }
 

config/hosts/wind/services/akkoma.nix

@@ -1,36 +0,0 @@
-{ config, pkgs, ... }:
-{
-
-  services.akkoma = {
-    enable = true;
-      config = {
-      ":pleroma" = {
-        ":instance" = {
-          name = "graven.se";
-          description = "Graven Fedi";
-          email = "charlie@graven.se";
-          registration_open = false;
-        };
-
-        "Pleroma.Web.Endpoint" = {
-          url.host = "fedi.graven.se";
-        };
-        "Pleroma.Web.Webfinger" = {
-          domain = "graven.se";
-        };
-        "Pleroma.Upload".filters =
-          map (pkgs.formats.elixirConf { }).lib.mkRaw
-            [
-              "Pleroma.Upload.Filter.Exiftool"
-              "Pleroma.Upload.Filter.Dedupe"
-              "Pleroma.Upload.Filter.AnonymizeFilename"
-            ];
-      };
-    };
-    nginx = {
-      enableACME = true;
-      forceSSL = true;
-      serverName = "fedi.graven.se";
-    };
-  };
-}

config/hosts/wind/services/borg.nix

@@ -1,36 +0,0 @@
-{ config, ... }:
-
-{
-	services.borgbackup.jobs = {
-		gitea = {
-			paths = "/var/lib/gitea";
-			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/gitea";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_gitea.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_gitea.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 02:15:00";
-			user = "gitea";
-		};
-		postgres = {
-			paths = "/var/lib/postgresql/backup";
-			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/postgres";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_postgres.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_postgres.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:15:00";
-			user = "postgres";
-		};
-		synapse = {
-			paths = "/var/lib/matrix-synapse";
-			repo = "ssh://borg@backup.graven.dev//mnt/slab/backup/wind/synapse";
-			encryption.mode = "repokey";
-			encryption.passCommand = "cat ${config.secrets.files.borg_pass_synapse.file}";
-			environment.BORG_RSH = "ssh -i ${config.secrets.files.ssh_key_synapse.file}";
-			compression = "auto,zstd";
-			startAt = "*-*-* 03:15:00";
-			user = "matrix-synapse";
-		};
-	};
-}

config/hosts/wind/services/coturn.nix

@@ -1,7 +1,7 @@
 { config, ... }:
 {
   services.coturn = {
-    enable = false;
+    enable = true;
     lt-cred-mech = true;
     use-auth-secret = true;
     static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;

config/hosts/wind/services/gitea.nix

@@ -1,32 +1,16 @@
 { ... }:
 
 {
-  services.forgejo = {
+  services.gitea = {
     enable = true;
-    user = "gitea";
+    domain = "git.graven.dev";
-    group = "gitea";
+    rootUrl = "https://git.graven.dev";
-    stateDir = "/var/lib/gitea";
+    enableUnixSocket = true;
+    cookieSecure = true;
+    appName = "Graven Gitea";
+    settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; };
     database = {
       type = "postgres";
-      name = "gitea";
-      user = "gitea";
-    };
-    settings = {
-      DEFAULT.APP_NAME = "Graven Gitea";
-      service.DISABLE_REGISTRATION = true;
-      session.COOKIE_SECURE = true;
-      server.DOMAIN = "git.graven.dev";
-      server.ROOT_URL = "https://git.graven.dev";
-      server.PROTOCOL = "http+unix";
     };
   };
-
-  users.users.gitea = {
-    home = "/var/lib/gitea";
-    useDefaultShell = true;
-    group = "gitea";
-    isSystemUser = true;
-  };
-
-  users.groups.gitea = {};
 }

config/hosts/wind/services/grocy.nix

@@ -0,0 +1,10 @@
+{
+	services.grocy = {
+		enable = true;
+		hostName = "grocy.graven.dev";
+		settings = {
+			currency = "DKK";
+			calendar.firstDayOfWeek = 1;
+		};
+	};
+}

config/hosts/wind/services/nginx.nix

@@ -2,13 +2,11 @@
 	imports = [ ../../../common/services/nginx.nix ];
 	services.nginx.virtualHosts = {
 		"graven.dev" = {
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			forceSSL = true;
 			locations."/".root = "/var/www/graven.dev/public";
-			locations."~ ^(\\/_matrix|\\/_synapse\\/client)" = {
+			locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
-				proxyPass = "http://127.0.0.1:8008";
+			locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
-				priority = 1000;
-			};
 			locations."/.well-known/matrix/" = {
 				root = "/var/www/matrix/public";
 				extraConfig = ''
@@ -16,34 +14,24 @@
 					add_header Access-Control-Allow-Origin "*";
 					add_header Strict-Transport-Security $hsts_header;
 					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
 					add_header X-Content-Type-Options "nosniff";
 					add_header X-XSS-Protection "1; mode=block";
 				'';
 			};
 		};
-		# Fedi webfinger
-		"graven.se" = {
-			enableACME = true;
-			forceSSL = true;
-			locations."/.well-known/host-meta".return = "301 https://fedi.graven.se$request_uri";
-		};
-		"amanda.graven.dev" = {
-			enableACME = true;
-			forceSSL = true;
-			locations."/".root = "/var/www/amanda.graven.dev/public";
-		};
 		"rss.graven.dev" = {
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			forceSSL = true;
 		};
 		"git.graven.dev" = {
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			forceSSL = true;
-			locations."/".proxyPass = "http://unix:/run/forgejo/forgejo.sock:";
+			locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
 		};
 		"vault.graven.dev" = {
 			forceSSL = true;
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			locations."/" = {
 				proxyPass = "http://localhost:8812";
 				proxyWebsockets = true;
@@ -59,7 +47,7 @@
 		};
 		"openpgpkey.graven.dev" = {
 			forceSSL = true;
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			locations."/" = {
 				root = "/var/www/openpgpkey";
 				extraConfig = ''
@@ -75,7 +63,7 @@
 		};
 		"openpgpkey.graven.se" = {
 			forceSSL = true;
-			enableACME = true;
+			useACMEHost = "graven.se";
 			locations."/" = {
 				root = "/var/www/openpgpkey";
 				extraConfig = ''
@@ -91,7 +79,7 @@
 		};
 		"tor.graven.dev" = {
 			forceSSL = true;
-			enableACME = true;
+			useACMEHost = "graven.dev";
 			locations."/" = {
 				root = "/var/www/tor";
 				extraConfig = ''

config/hosts/wind/services/postgres.nix

@@ -2,7 +2,7 @@
 {
   services.postgresql = {
     enable = true;
-    package = pkgs.postgresql_16;
+    package = pkgs.postgresql_13;
     initialScript = pkgs.writeText "synapse-init.sql" ''
                       CREATE ROLE synapse;
                       CREATE DATABASE synapse WITH OWNER synapse

config/hosts/wind/services/restic.nix

@@ -5,41 +5,41 @@
   services.restic.backups = {
     "gitea" = {
       paths = [ "/var/lib/gitea" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/gitea";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/gitea";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "02:15"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "gitea";
     };
     "postgres" = {
       paths = [ "/var/lib/postgresql/backup" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/postgres";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/postgres";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "03:00"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "postgres";
     };
     "synapse" = {
       paths = [ "/var/lib/matrix-synapse" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/synapse";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/synapse";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "03:30"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "matrix-synapse";
     };
     "vaultwarden" = {
       paths = [ "/var/lib/bitwarden_rs" ];
-      repository = "sftp:restic@backup.graven.dev:/etheria/backup/wind/vaultwarden";
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "23:45"; };
-      extraOptions = [ "sftp.command='ssh restic@backup.graven.dev -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
       user = "vaultwarden";
     };

config/hosts/wind/services/synapse.nix

@@ -3,68 +3,87 @@
 {
   services.matrix-synapse = {
     enable = true;
+    server_name = "graven.dev";
+    enable_registration = false;
+    registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    max_upload_size = "100M";
+    database_type = "psycopg2";
+    database_user = "synapse";
+    database_name = "synapse";
+    turn_uris = [
+      "turn:turn.graven.dev:3478?transport=udp"
+      "turn:turn.graven.dev:3478?transport=tcp"
+      "turn:turn.graven.dev:3479?transport=udp"
+      "turn:turn.graven.dev:3479?transport=tcp"
+      "turns:turn.graven.dev:5349?transport=udp"
+      "turns:turn.graven.dev:5349?transport=tcp"
+      "turns:turn.graven.dev:5350?transport=udp"
+      "turns:turn.graven.dev:5350?transport=tcp"
+    ];
+    report_stats = true;
     withJemalloc = true;
-    extraConfigFiles = [ config.secrets.files.synapse_extra_config.file ];
-    settings = {
-      server_name = "graven.dev";
-      enable_registration = false;
-      registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
-      turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
-      max_upload_size = "100M";
-      database.name = "psycopg2";
-      database.args.user = "synapse";
-      database.args.database = "synapse";
-      turn_uris = [
-        "turn:turn.graven.dev:3478?transport=udp"
-        "turn:turn.graven.dev:3478?transport=tcp"
-        "turn:turn.graven.dev:3479?transport=udp"
-        "turn:turn.graven.dev:3479?transport=tcp"
-        "turns:turn.graven.dev:5349?transport=udp"
-        "turns:turn.graven.dev:5349?transport=tcp"
-        "turns:turn.graven.dev:5350?transport=udp"
-        "turns:turn.graven.dev:5350?transport=tcp"
-      ];
-      report_stats = true;
-      logConfig = ''
-  version: 1
 
-  formatters:
+    extraConfig = ''
-      precise:
+password_config:
-          format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+  enabled: false
+oidc_providers:
+  - idp_id: authentik
+    idp_name: authentik
+    discover: true
+    issuer: "https://auth.graven.dev/application/o/synapse/"
+    client_id: "7a77036d3b360265895f2ab5a51264ba586c93d5"
+    client_secret: "a9f9146fd13338230481a71c824d122bfb5e8a2118f2cdaf882746ad6726aeecd50ef522338acec89d3f8ccb8014124e022a6af6769807ea4271931f219a3f55"
+    allow_existing_users: true
+    scopes:
+      - "openid"
+      - "profile"
+      - "email"
+    user_mapping_provider:
+      config:
+        localpart_template: "{{ user.name }}"
+        display_name_template: "{{ user.name|capitalize }}"
+    '';
 
-  handlers:
+    logConfig = ''
-      console:
+version: 1
-          class: logging.StreamHandler
-          formatter: precise
 
-  loggers:
+formatters:
-      synapse.storage.SQL:
+    precise:
-          # beware: increasing this to DEBUG will make synapse log sensitive
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
-          # information such as access tokens.
-          level: WARN
 
-  root:
+handlers:
-      level: WARN
+    console:
-      handlers: [console]
+        class: logging.StreamHandler
+        formatter: precise
 
-  disable_existing_loggers: false
+loggers:
-      '';
+    synapse.storage.SQL:
-      listeners = [
+        # beware: increasing this to DEBUG will make synapse log sensitive
-        {
+        # information such as access tokens.
-          port = 8008;
+        level: WARN
-          bind_addresses = ["127.0.0.1"];
+
-          type = "http";
+root:
-          tls = false;
+    level: WARN
-          x_forwarded = true;
+    handlers: [console]
-          resources = [
+
-            { 
+disable_existing_loggers: false
-              names = [ "client" "federation" ];
+    '';
-              compress = false;
+    listeners = [
-            }
+      {
-          ];
+        port = 8008;
-        }
+        bind_address = "127.0.0.1";
-      ];
+        type = "http";
-    };
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          { 
+            names = [ "client" "federation" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
   };
 }
     

config/hosts/wind/services/ttrss-plugins/fever.nix

@@ -1,37 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, tt-rss, ... }:
-
-stdenv.mkDerivation rec {
-	pname = "tt-rss-fever-api";
-	version = "2.3.0";
-
-	src = fetchFromGitHub {
-		owner = "DigitalDJ";
-		repo = "tinytinyrss-fever-plugin";
-		rev = "${version}";
-		sha256 = "fKHnF7pXMD04sWygoRnPH5hLUyWW4Dv/e4JWtfobX/g=";
-	};
-
-	installPhase = ''
-		mkdir -p $out/fever
-		cp -r fever_api.php index.php init.php $out/fever/
-	'';
-
-	meta = {
-		description = "Fever API for Tiny Tiny RSS";
-		longDescription = ''
-			This is a plugin for Tiny Tiny RSS (tt-rss).
-
-			It lets you use feed reader programs which interface with the Fever feed
-			reader API together with Tiny Tiny RSS
-		'';
-		license = lib.licenses.gpl3Only;
-		homepage = "https://github.com/DigitalDJ/tinytinyrss-fever-plugin";
-		maintainers = [ {
-			email = "amanda@graven.dev";
-			name = "Amanda Graven";
-			github = "agraven";
-			githubId = 23525639;
-		} ];
-		inherit (tt-rss.meta) platforms;
-	};
-}

config/hosts/wind/services/ttrss.nix

@@ -1,13 +1,10 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 
 {
-	services.tt-rss = {
+  services.tt-rss = {
-		enable = true;
+    enable = true;
-		registration.enable = false;
+    registration.enable = true;
-		virtualHost = "rss.graven.dev";
+    virtualHost = "rss.graven.dev";
-		selfUrlPath = "https://rss.graven.dev";
+    selfUrlPath = "https://rss.graven.dev";
-		pluginPackages = [
+  };
-			(pkgs.callPackage ./ttrss-plugins/fever.nix {})
-		];
-	};
 }

config/hosts/wind/services/vaultwarden.nix

@@ -3,7 +3,7 @@
   services.vaultwarden = {
     enable = true;
     environmentFile = config.secrets.files.vaultwarden_env.file;
-    backupDir = "/var/backup/vaultwarden";
+    backupDir = "/var/lib/bitwarden_rs/backup";
     config = {
       domain = "https://vault.graven.dev";
       signupsAllowed = false;

config/sources/nix/sources.json

@@ -5,10 +5,10 @@
         "homepage": "https://github.com/nmattia/niv",
         "owner": "nmattia",
         "repo": "niv",
-        "rev": "368268e45dee0c94d1cf898381a384856379ad76",
+        "rev": "df49d53b71ad5b6b5847b32e5254924d60703c46",
-        "sha256": "1k03n7qmaz6yf2r8i5sng4kii3rr1y36g8k70sg7piqz3npxisy3",
+        "sha256": "1j5p8mi1wi3pdcq0lfb881p97i232si07nb605dl92cjwnira88c",
         "type": "tarball",
-        "url": "https://github.com/nmattia/niv/archive/368268e45dee0c94d1cf898381a384856379ad76.tar.gz",
+        "url": "https://github.com/nmattia/niv/archive/df49d53b71ad5b6b5847b32e5254924d60703c46.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixos-hardware": {
@@ -17,22 +17,22 @@
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
+        "rev": "feceb4d24f582817d8f6e737cd40af9e162dee05",
-        "sha256": "1al72rhlaa6g725syx72klpismv8xygdd55smqfwa9xglhv35r34",
+        "sha256": "1q92jq6xf5b1pshai9j72cj17r0ah3fhrx669h3vc58rj7xvgiw7",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixos-hardware/archive/2096f3f411ce46e88a79ae4eafcfc9df8ed41c61.tar.gz",
+        "url": "https://github.com/NixOS/nixos-hardware/archive/feceb4d24f582817d8f6e737cd40af9e162dee05.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs": {
-        "branch": "nixos-25.11",
+        "branch": "nixos-21.11",
         "description": "Nix Packages collection",
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160",
+        "rev": "ccb90fb9e11459aeaf83cc28d5f8910816d90dd0",
-        "sha256": "0vma331213djanwmb7ibgmi5290952h6ri123xwb66mg58k8r200",
+        "sha256": "1jlyhw5nf7pcxg22k1bwkv13vm02p86d7jf6znihl3hczz1yfgi0",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/a4bf06618f0b5ee50f14ed8f0da77d34ecc19160.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/ccb90fb9e11459aeaf83cc28d5f8910816d90dd0.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixus": {
@@ -41,10 +41,10 @@
         "homepage": "",
         "owner": "Infinisil",
         "repo": "nixus",
-        "rev": "b12665bc80134ac167eef1fff2f4e41e1f8925cb",
+        "rev": "d1e1057a31f16a75d9f871e311c4aaaf664561b9",
-        "sha256": "11894412807mhg0kgkrn4bjbdk9b2a89b0plh0bpdn06c8pfg11g",
+        "sha256": "0d4576dssr6l4vdpi86rbf6dyn3jfl3csvmn9csd4n6dj53f5pqm",
         "type": "tarball",
-        "url": "https://github.com/Infinisil/nixus/archive/b12665bc80134ac167eef1fff2f4e41e1f8925cb.tar.gz",
+        "url": "https://github.com/Infinisil/nixus/archive/d1e1057a31f16a75d9f871e311c4aaaf664561b9.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }

config/sources/nix/sources.nix

@@ -10,50 +10,29 @@ let
     let
       name' = sanitizeName name + "-src";
     in
-    if spec.builtin or true then
+      if spec.builtin or true then
-      builtins_fetchurl { inherit (spec) url sha256; name = name'; }
+        builtins_fetchurl { inherit (spec) url sha256; name = name'; }
-    else
+      else
-      pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
+        pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
 
   fetch_tarball = pkgs: name: spec:
     let
       name' = sanitizeName name + "-src";
     in
-    if spec.builtin or true then
+      if spec.builtin or true then
-      builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
+        builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
-    else
+      else
-      pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
+        pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
 
   fetch_git = name: spec:
     let
       ref =
-        spec.ref or (
+        if spec ? ref then spec.ref else
           if spec ? branch then "refs/heads/${spec.branch}" else
-          if spec ? tag then "refs/tags/${spec.tag}" else
+            if spec ? tag then "refs/tags/${spec.tag}" else
-          abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"
+              abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
-        );
-      submodules = spec.submodules or false;
-      submoduleArg =
-        let
-          nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
-          emptyArgWithWarning =
-            if submodules
-            then
-              builtins.trace
-                (
-                  "The niv input \"${name}\" uses submodules "
-                  + "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
-                  + "does not support them"
-                )
-                { }
-            else { };
-        in
-        if nixSupportsSubmodules
-        then { inherit submodules; }
-        else emptyArgWithWarning;
     in
-    builtins.fetchGit
+      builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
-      ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
 
   fetch_local = spec: spec.path;
 
@@ -87,16 +66,16 @@ let
       hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
       hasThisAsNixpkgsPath = <nixpkgs> == ./.;
     in
-    if builtins.hasAttr "nixpkgs" sources
+      if builtins.hasAttr "nixpkgs" sources
-    then sourcesNixpkgs
+      then sourcesNixpkgs
-    else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
+      else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
-      import <nixpkgs> { }
+        import <nixpkgs> {}
-    else
+      else
-      abort
+        abort
-        ''
+          ''
-          Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
+            Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
-          add a package called "nixpkgs" to your sources.json.
+            add a package called "nixpkgs" to your sources.json.
-        '';
+          '';
 
   # The actual fetching function.
   fetch = pkgs: name: spec:
@@ -116,13 +95,13 @@ let
   # the path directly as opposed to the fetched source.
   replace = name: drv:
     let
-      saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
+      saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
       ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
     in
-    if ersatz == "" then drv else
+      if ersatz == "" then drv else
-      # this turns the string into an actual Nix path (for both absolute and
+        # this turns the string into an actual Nix path (for both absolute and
-      # relative paths)
+        # relative paths)
-    if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
+        if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
 
   # Ports of functions for older nix versions
 
@@ -133,7 +112,7 @@ let
   );
 
   # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
-  range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
+  range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
 
   # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
   stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
@@ -144,46 +123,43 @@ let
   concatStrings = builtins.concatStringsSep "";
 
   # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
-  optionalAttrs = cond: as: if cond then as else { };
+  optionalAttrs = cond: as: if cond then as else {};
 
   # fetchTarball version that is compatible between all the versions of Nix
   builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
     let
       inherit (builtins) lessThan nixVersion fetchTarball;
     in
-    if lessThan nixVersion "1.12" then
+      if lessThan nixVersion "1.12" then
-      fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
+        fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
-    else
+      else
-      fetchTarball attrs;
+        fetchTarball attrs;
 
   # fetchurl version that is compatible between all the versions of Nix
   builtins_fetchurl = { url, name ? null, sha256 }@attrs:
     let
       inherit (builtins) lessThan nixVersion fetchurl;
     in
-    if lessThan nixVersion "1.12" then
+      if lessThan nixVersion "1.12" then
-      fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
+        fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
-    else
+      else
-      fetchurl attrs;
+        fetchurl attrs;
 
   # Create the final "sources" from the config
   mkSources = config:
-    mapAttrs
+    mapAttrs (
-      (
+      name: spec:
-        name: spec:
+        if builtins.hasAttr "outPath" spec
-          if builtins.hasAttr "outPath" spec
+        then abort
-          then
+          "The values in sources.json should not have an 'outPath' attribute"
-            abort
+        else
-              "The values in sources.json should not have an 'outPath' attribute"
+          spec // { outPath = replace name (fetch config.pkgs name spec); }
-          else
+    ) config.sources;
-            spec // { outPath = replace name (fetch config.pkgs name spec); }
-      )
-      config.sources;
 
   # The "config" used by the fetchers
   mkConfig =
     { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
-    , sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile)
+    , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
     , system ? builtins.currentSystem
     , pkgs ? mkPkgs sources system
     }: rec {
@@ -195,4 +171,4 @@ let
     };
 
 in
-mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); }
+mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }

deploy/default.nix

@@ -13,21 +13,21 @@ in import "${sources.nixus}" {} ({ config, ... }: {
 
   nodes = {
     wind = { lib, config, ... }: {
-      host = "graven.dev";
+      host = "emelie@graven.dev";
       configuration = ../config/hosts/wind/configuration.nix;
       switchTimeout = 300;
       successTimeout = 300;
       ignoreFailingSystemdUnits = true;
     };
     grondahl = { lib, config, ... }: {
-      host = "anarkafem.dev";
+      host = "emelie@anarkafem.dev";
       configuration = ../config/hosts/grondahl/configuration.nix;
       successTimeout = 300;
       switchTimeout = 300;
       ignoreFailingSystemdUnits = true;
     };
     rudiger = { lib, config, ... }: {
-      host = "cloud.graven.dev";
+      host = "emelie@cloud.graven.dev";
       configuration = ../config/hosts/rudiger/configuration.nix;
       switchTimeout = 300;
       successTimeout = 300;

shell.nix

@@ -1,7 +0,0 @@
-{ pkgs ? import <nixpkgs> {} }:
-
-pkgs.mkShell {
-	packages = with pkgs; [
-		niv
-	];
-}