Add testbench and rudiger

2021-09-27 14:55:55 +02:00 · 2021-09-27 14:55:55 +02:00 · 6d318bddaa
parent 0969b36564
commit 6d318bddaa
21 changed files with 415 additions and 173 deletions
--- a/config/common/data/pubkeys/despondos_host_ed25519_key.pub
+++ b/config/common/data/pubkeys/despondos_host_ed25519_key.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7
--- a/config/common/services/nginx.nix
+++ b/config/common/services/nginx.nix
@ -0,0 +1,43 @@
+{ ... }:
+{
+    services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Enable CSP for your services.
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}
--- a/config/common/services/openssh.nix
+++ b/config/common/services/openssh.nix
@ -9,4 +9,16 @@
    kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
    macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
  };
+
+  programs.ssh.knownHosts = {
+    despondos = {
+      hostNames = [ "despondos.nao.sh" ];
+      publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+    };
+  };
+
+  services.sshguard = {
+    enable = true;
+    blocktime = 300;
+  };
 }
--- a/config/hosts/grondahl/configuration.nix
+++ b/config/hosts/grondahl/configuration.nix
@ -5,12 +5,11 @@
    [ # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./data/secrets/secrets.nix
-    ../../common/services/openssh.nix
+    ../../common/services/ssh.nix
    ./services/acme.nix
    ./services/coturn.nix
    ./services/nginx.nix
    ./services/restic.nix
-    ./services/sshguard.nix
    ./services/synapse.nix
    ./services/postgres.nix
    ];
@ -18,7 +17,7 @@
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";
-
+  boot.kernelPackages = pkgs.linuxPackages_5_10;
  networking = {
    hostName = "grondahl";
    useDHCP = false;
@ -65,8 +64,7 @@
  };

  users.groups.acme.members = [ "nginx" "turnserver" ];
-  users.groups.postgres.members = [ "restic" ];
-  users.groups.matrix-synapse.members = [ "restic" ];
+  users.groups.backup.members = [ "matrix-synapse" "postgres" ];

  # List packages installed in system profile. To search, run:
  # $ nix search wget
--- a/config/hosts/grondahl/services/nginx.nix
+++ b/config/hosts/grondahl/services/nginx.nix
@ -1,64 +1,24 @@
 {
-  services.nginx = {
-    enable = true;
-
-    # Use recommended settings
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
-    # Only allow PFS-enabled ciphers with AES256
-    sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
-
-    commonHttpConfig = ''
-      # Add HSTS header with preloading to HTTPS requests.
-      # Adding this header to HTTP requests is discouraged
-      map $scheme $hsts_header {
-          https   "max-age=31536000; includeSubdomains; preload";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-
-      # Enable CSP for your services.
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
-      # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
-      # Disable embedding as a frame
-      add_header X-Frame-Options DENY;
-
-      # Prevent injection of code in other mime types (XSS Attacks)
-      add_header X-Content-Type-Options nosniff;
-
-      # Enable XSS protection of the browser.
-      # May be unnecessary when CSP is configured properly (see above)
-      add_header X-XSS-Protection "1; mode=block";
-
-      # This might create errors
-      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-    '';
-
-    virtualHosts = {
-      "anarkafem.dev" = {
-        useACMEHost = "anarkafem.dev";
-        forceSSL = true;
-        locations."/".root = "/var/www/anarkafem.dev/public";
-        locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
-        locations."/_matrix/federation".return = "403";
-        locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
-        locations."/.well-known/matrix/" = {
-          root = "/var/www/matrix/public";
-          extraConfig = ''
-            default_type application/json;
-            add_header Access-Control-Allow-Origin "*";
-            add_header Strict-Transport-Security $hsts_header;
-            add_header Referrer-Policy "origin-when-cross-origin";
-            add_header X-Frame-Options "DENY";
-            add_header X-Content-Type-Options "nosniff";
-            add_header X-XSS-Protection "1; mode=block";
-          '';
-        };
+  imports = [ ../../../common/services/nginx.nix ];
+  services.nginx.virtualHosts = {
+    "anarkafem.dev" = {
+      useACMEHost = "anarkafem.dev";
+      forceSSL = true;
+      locations."/".root = "/var/www/anarkafem.dev/public";
+      locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
+      locations."/_matrix/federation".return = "403";
+      locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+      locations."/.well-known/matrix/" = {
+        root = "/var/www/matrix/public";
+        extraConfig = ''
+          default_type application/json;
+          add_header Access-Control-Allow-Origin "*";
+          add_header Strict-Transport-Security $hsts_header;
+          add_header Referrer-Policy "origin-when-cross-origin";
+          add_header X-Frame-Options "DENY";
+          add_header X-Content-Type-Options "nosniff";
+          add_header X-XSS-Protection "1; mode=block";
+        '';
      };
    };
  };
--- a/config/hosts/grondahl/services/restic.nix
+++ b/config/hosts/grondahl/services/restic.nix
@ -9,6 +9,7 @@
      timerConfig = { "OnCalendar" = "03:15"; };
      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "postgres";
    };
    "synapse" = {
      paths = [ "/var/lib/matrix-synapse" ];
@ -18,6 +19,7 @@
      timerConfig = { "OnCalendar" = "03:45"; };
      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "matrix-synapse";
    };
  };
 }
--- a/config/hosts/grondahl/services/sshguard.nix
+++ b/config/hosts/grondahl/services/sshguard.nix
@ -1,7 +0,0 @@
-{ ... }:
-{
-  services.sshguard = {
-    enable = true;
-    blocktime = 300;
-  };
-}
--- a/config/hosts/nixos-testbed/configuration.nix
+++ b/config/hosts/nixos-testbed/configuration.nix
@ -0,0 +1,49 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../common/services/ssh.nix
+    ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+  networking.hostName = "nixos-testbed";
+  time.timeZone = "Europe/Copenhagen";
+  networking.useDHCP = false;
+  networking.interfaces.ens3.useDHCP = true;
+  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ];
+  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+  users.users.emelie = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+    ];
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  environment.systemPackages = with pkgs; [
+    vim
+    htop
+    iotop
+    dig
+  ];
+
+  nix = {
+    autoOptimiseStore = true;
+    trustedUsers = [
+      "root"
+      "@wheel"
+    ];
+  };
+
+  # Use hetzner firewall instead
+  networking.firewall.enable = false;
+
+  system.stateVersion = "21.05";
+
+}
--- a/config/hosts/nixos-testbed/hardware-configuration.nix
+++ b/config/hosts/nixos-testbed/hardware-configuration.nix
@ -0,0 +1,26 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+      (modulesPath + "/profiles/minimal.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/b5f08f96-c7aa-4c02-86a2-15cfe4134f4d";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/f36e61f8-337f-4b77-bd63-9b1d0146d73d"; }
+    ];
+
+}
--- a/config/hosts/nixos-testbed/services/nextcloud.nix
+++ b/config/hosts/nixos-testbed/services/nextcloud.nix
@ -0,0 +1,9 @@
+{ ... }: {
+  services.nextcloud = {
+    enable = true;
+    https = true;
+    webfinger = true;
+    hostname = "cloud-test.graven.dev";
+
+  };
+}
--- a/config/hosts/rudiger/configuration.nix
+++ b/config/hosts/rudiger/configuration.nix
@ -0,0 +1,81 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./data/secrets/secrets.nix
+      ../../common/services/ssh.nix
+      ./services/nextcloud.nix
+      ./services/nginx.nix
+      ./services/postgres.nix
+    ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+
+  boot.supportedFilesystems = ["zfs"];
+  services.zfs.autoSnapshot.enable = true;
+  services.zfs.autoScrub.enable = true;
+
+  time.timeZone = "Europe/Copenhagen";
+
+  networking = {
+    hostName = "rudiger";
+    hostId = "8c7b66a4";
+    useDHCP = false;
+    tempAddresses = "disabled";
+    interfaces = {
+      "ens3" = {
+        ipv4.addresses = [ {
+          address = "202.61.202.170";
+          prefixLength = 22;
+        } ];
+        ipv6.addresses = [ {
+          address = "2a03:4000:5a:c61::1";
+          prefixLength = 64;
+        } ];
+      };
+    };
+    defaultGateway = "202.61.200.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "ens3";
+    };
+    nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+  };
+
+  nix = {
+    autoOptimiseStore = true;
+    trustedUsers = [
+      "root"
+      "@wheel"
+    ];
+  };
+  users.users.emelie = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+    ];
+  };
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    iotop
+    dig
+  ];
+  security.sudo.wheelNeedsPassword = false;
+
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  system.stateVersion = "21.05";
+
+}
--- a/config/hosts/rudiger/hardware-configuration.nix
+++ b/config/hosts/rudiger/hardware-configuration.nix
@ -0,0 +1,42 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+      (modulesPath + "/profiles/minimal.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rpool/safe/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/F220-781F";
+      fsType = "vfat";
+    };
+
+  fileSystems."/home" =
+    { device = "rpool/safe/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "rpool/local/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/nextcloud" =
+    { device = "rpool/safe/nextcloud";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/52f7db16-b51b-4b8c-bfea-46184bb3099e"; }
+    ];
+}
--- a/config/hosts/rudiger/services/nextcloud.nix
+++ b/config/hosts/rudiger/services/nextcloud.nix
@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+{
+  services.nextcloud = {
+    enable = true;
+    hostName = "cloud.graven.dev";
+    #https = true;
+    package = pkgs.nextcloud22;
+    autoUpdateApps.enable = true;
+    maxUploadSize = "10G";
+    webfinger = true;
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+      dbname = "nextcloud";
+      adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
+      adminuser = "root";
+    };
+  };
+}
--- a/config/hosts/rudiger/services/nginx.nix
+++ b/config/hosts/rudiger/services/nginx.nix
@ -0,0 +1,4 @@
+{ ... }:
+{
+  imports = [ ../../../common/services/nginx.nix ];
+}
--- a/config/hosts/rudiger/services/postgres.nix
+++ b/config/hosts/rudiger/services/postgres.nix
@ -0,0 +1,12 @@
+{ ... }:
+{
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [
+     { name = "nextcloud";
+       ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+     }
+    ];
+  };
+}
--- a/config/hosts/wind/configuration.nix
+++ b/config/hosts/wind/configuration.nix
@ -3,7 +3,7 @@
 {
  imports = [ 
    ./hardware-configuration.nix 
-    ../../common/services/openssh.nix
+    ../../common/services/ssh.nix
    ./services/acme.nix
    ./services/coturn.nix
    ./services/nginx.nix
@ -12,7 +12,6 @@
    ./services/ttrss.nix
    ./services/gitea.nix
    ./services/restic.nix
-    ./services/sshguard.nix
    ./services/vaultwarden.nix
    ./data/secrets/secrets.nix
    ];
@ -20,6 +19,7 @@
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/sda";
+  boot.kernelPackages = pkgs.linuxPackages_5_10;
  boot.supportedFilesystems = ["zfs"];
  services.zfs.autoSnapshot.enable = true;
  services.zfs.autoScrub.enable = true;
@ -65,10 +65,7 @@
  # networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ];

  users.groups.acme.members = [ "nginx" "turnserver" "gitea" ];
-  users.groups.postgres.members = [ "restic" ];
-  users.groups.gitea.members = [ "restic" ];
-  users.groups.matrix-synapse.members = [ "restic" ];
-
+  users.groups.backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ];

  system.stateVersion = "21.05";

--- a/config/hosts/wind/services/nginx.nix
+++ b/config/hosts/wind/services/nginx.nix
@ -1,89 +1,79 @@
 {
-  services.nginx = {
-    enable = true;
-
-    # Use recommended settings
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
-    # Only allow PFS-enabled ciphers with AES256
-    sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
-
-    commonHttpConfig = ''
-      # Add HSTS header with preloading to HTTPS requests.
-      # Adding this header to HTTP requests is discouraged
-      map $scheme $hsts_header {
-          https   "max-age=31536000; includeSubdomains; preload";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-
-      # Enable CSP for your services.
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
-      # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
-      # Disable embedding as a frame
-      add_header X-Frame-Options DENY;
-
-      # Prevent injection of code in other mime types (XSS Attacks)
-      add_header X-Content-Type-Options nosniff;
-
-      # Enable XSS protection of the browser.
-      # May be unnecessary when CSP is configured properly (see above)
-      add_header X-XSS-Protection "1; mode=block";
-
-      # This might create errors
-      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-    '';
-
-    virtualHosts = {
-      "graven.dev" = {
-        useACMEHost = "graven.dev";
-        forceSSL = true;
-        locations."/".root = "/var/www/graven.dev/public";
-        locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
-        locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
-        locations."/.well-known/matrix/" = {
-          root = "/var/www/matrix/public";
-          extraConfig = ''
-            default_type application/json;
-            add_header Access-Control-Allow-Origin "*";
-            add_header Strict-Transport-Security $hsts_header;
-            add_header Referrer-Policy "origin-when-cross-origin";
-            add_header X-Frame-Options "DENY";
-            add_header X-Content-Type-Options "nosniff";
-            add_header X-XSS-Protection "1; mode=block";
-          '';
-        };
+  imports = [ ../../../common/services/nginx.nix ];
+  services.nginx.virtualHosts = {
+    "graven.dev" = {
+      useACMEHost = "graven.dev";
+      forceSSL = true;
+      locations."/".root = "/var/www/graven.dev/public";
+      locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+      locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
+      locations."/.well-known/matrix/" = {
+        root = "/var/www/matrix/public";
+        extraConfig = ''
+          default_type application/json;
+          add_header Access-Control-Allow-Origin "*";
+          add_header Strict-Transport-Security $hsts_header;
+          add_header Referrer-Policy "origin-when-cross-origin";
+          add_header X-Frame-Options "DENY";
+          add_header X-Content-Type-Options "nosniff";
+          add_header X-XSS-Protection "1; mode=block";
+        '';
      };
-      "rss.graven.dev" = {
-        useACMEHost = "graven.dev";
-        forceSSL = true;
+    };
+    "rss.graven.dev" = {
+      useACMEHost = "graven.dev";
+      forceSSL = true;
+    };
+    "git.graven.dev" = {
+      useACMEHost = "graven.dev";
+      forceSSL = true;
+      locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
+    };
+    "vault.graven.dev" = {
+      forceSSL = true;
+      useACMEHost = "graven.dev";
+      locations."/" = {
+        proxyPass = "http://localhost:8812";
+        proxyWebsockets = true;
      };
-      "git.graven.dev" = {
-        useACMEHost = "graven.dev";
-        forceSSL = true;
-        locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
+      locations."/notifications/hub" = {
+        proxyPass = "http://localhost:3012";
+        proxyWebsockets = true;
      };
-      "vault.graven.dev" = {
-        forceSSL = true;
-        useACMEHost = "graven.dev";
-        locations."/" = {
-          proxyPass = "http://localhost:8812";
-          proxyWebsockets = true;
-        };
-        locations."/notifications/hub" = {
-          proxyPass = "http://localhost:3012";
-          proxyWebsockets = true;
-        };
-        locations."/notifications/hub/negotiate" = {
-          proxyPass = "http://localhost:8812";
-          proxyWebsockets = true;
-        };
+      locations."/notifications/hub/negotiate" = {
+        proxyPass = "http://localhost:8812";
+        proxyWebsockets = true;
      };
    };
+    "mta-sts.graven.dev" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "/var/www/mta-sts/public";
+    };
+    "mta-sts.graven.se" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "/var/www/mta-sts/public";
+    };
+    "mta-sts.nao.sh" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "/var/www/mta-sts/public";
+    };
+    "mta-sts.amandag.net" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "/var/www/mta-sts/public";
+    };
+    "mta-sts.queersin.space" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "/var/www/mta-sts/public";
+    };
+    "mta-sts.anarkafem.dev" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "/var/www/mta-sts/public";
+    };
  };
 }
--- a/config/hosts/wind/services/restic.nix
+++ b/config/hosts/wind/services/restic.nix
@ -11,6 +11,7 @@
      timerConfig = { "OnCalendar" = "02:15"; };
      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "gitea";
    };
    "postgres" = {
      paths = [ "/var/lib/postgresql/backup" ];
@ -20,6 +21,7 @@
      timerConfig = { "OnCalendar" = "03:00"; };
      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "postgres";
    };
    "synapse" = {
      paths = [ "/var/lib/matrix-synapse" ];
@ -29,15 +31,17 @@
      timerConfig = { "OnCalendar" = "03:30"; };
      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "matrix-synapse";
    };
    "vaultwarden" = {
-      paths = [ "/var/lib/vaultwarden" ];
+      paths = [ "/var/lib/bitwarden_rs" ];
      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
      initialize = true;
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
      timerConfig = { "OnCalendar" = "23:45"; };
      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "vaultwarden";
    };
  };
 }
--- a/config/hosts/wind/services/sshguard.nix
+++ b/config/hosts/wind/services/sshguard.nix
@ -1,7 +0,0 @@
-{ ... }:
-{
-  services.sshguard = {
-    enable = true;
-    blocktime = 300;
-  };
-}
--- a/config/sources/nix/sources.json
+++ b/config/sources/nix/sources.json
@ -17,10 +17,10 @@
        "homepage": "",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "16fca9df230408608846940981b4037762420b1b",
-        "sha256": "0nvak6dmlcgc4m5s6di82c06c95cmc4iys1ky14y5di27r7qnrma",
+        "rev": "3cc8c47af31798040ea62499090540413279f832",
+        "sha256": "0l4pflis99q0095rrmxahp1w8jz38znq5pyni4x8n7cgcrv5gwq2",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixos-hardware/archive/16fca9df230408608846940981b4037762420b1b.tar.gz",
+        "url": "https://github.com/NixOS/nixos-hardware/archive/3cc8c47af31798040ea62499090540413279f832.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs": {
@ -29,10 +29,10 @@
        "homepage": "",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d6b683c0527a7f777b5f2b4db2555891cd5a85f5",
-        "sha256": "0mkinbg2s4mg1ngh773h7rqc898siyigwy2wfz8jaai8k9srpx1n",
+        "rev": "d0220562772b787d58c48df3434f36da1f552bdc",
+        "sha256": "1nhh4afidrq7crb82ax3f5gqn17scxi7rl6zlxnzcplnwr0waczq",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/d6b683c0527a7f777b5f2b4db2555891cd5a85f5.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/d0220562772b787d58c48df3434f36da1f552bdc.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixus": {
--- a/deploy/default.nix
+++ b/deploy/default.nix
@ -24,6 +24,12 @@ in import "${sources.nixus}" {} ({ config, ... }: {
      switchTimeout = 300;
      successTimeout = 300;
    };
+    rudiger = { lib, config, ... }: {
+      host = "emelie@cloud.graven.dev";
+      configuration = ../config/hosts/rudiger/configuration.nix;
+      switchTimeout = 300;
+      successTimeout = 300;
+    };
  };
 })
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7`