diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix
index a454669..60dceee 100644
--- a/config/common/services/ssh.nix
+++ b/config/common/services/ssh.nix
@@ -4,7 +4,7 @@
 enable = true;
 permitRootLogin = "no";
 passwordAuthentication = false;
- challengeResponseAuthentication = false;
+ kbdInteractiveAuthentication = false;
 hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ];
 kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
 macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
diff --git a/config/common/users.nix b/config/common/users.nix
index e39133d..8d92c93 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -5,8 +5,9 @@
 isNormalUser = true;
 extraGroups = [ "wheel" ];
 openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBkWK8PsRh8tOz4800XFN3V2IUm2u95qOaVnuHnMknjiAAAABHNzaDo= emelie@em-work"
 ];
 };
diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix
index 249edb2..b79d57c 100644
Binary files a/config/hosts/grondahl/data/secrets/secrets.nix and b/config/hosts/grondahl/data/secrets/secrets.nix differ
diff --git a/config/hosts/grondahl/data/secrets/synapse_db_password b/config/hosts/grondahl/data/secrets/synapse_db_password
deleted file mode 100644
index c2cd71a..0000000
Binary files a/config/hosts/grondahl/data/secrets/synapse_db_password and /dev/null differ
diff --git a/config/hosts/grondahl/data/secrets/synapse_extra_config b/config/hosts/grondahl/data/secrets/synapse_extra_config
new file mode 100644
index 0000000..c33b2c0
Binary files /dev/null and b/config/hosts/grondahl/data/secrets/synapse_extra_config differ
diff --git a/config/hosts/grondahl/services/acme.nix b/config/hosts/grondahl/services/acme.nix
index 076f91c..687ea2a 100644
--- a/config/hosts/grondahl/services/acme.nix
+++ b/config/hosts/grondahl/services/acme.nix
@@ -3,7 +3,7 @@
 {
 security.acme = {
 acceptTerms = true;
- email = "admin+certs@anarkafem.dev";
+ defaults.email = "admin+certs@anarkafem.dev";
 };
 }
diff --git a/config/hosts/grondahl/services/redis.nix b/config/hosts/grondahl/services/redis.nix
index 6a001e1..94a915e 100644
--- a/config/hosts/grondahl/services/redis.nix
+++ b/config/hosts/grondahl/services/redis.nix
@@ -1,11 +1,13 @@
 { config, ... }:
 {
 services.redis = {
- enable = true;
- unixSocket = "/run/redis/redis.sock";
 vmOverCommit = true;
- unixSocketPerm = 770;
- #requirePassfile = config.secrets.files.redis_pass.file;
+ servers."" = {
+ enable = true;
+ unixSocket = "/run/redis/redis.sock";
+ unixSocketPerm = 770;
+ #requirePassfile = config.secrets.files.redis_pass.file;
+ };
 };
 }
diff --git a/config/hosts/grondahl/services/synapse.nix b/config/hosts/grondahl/services/synapse.nix
index 210914f..3155a21 100644
--- a/config/hosts/grondahl/services/synapse.nix
+++ b/config/hosts/grondahl/services/synapse.nix
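Review bot: The new `servers."" = { … }` block still runs Redis with no authentication — `#requirePassfile` stays commented out — while `unixSocketPerm = 770` lets every member of the socket's group issue any command, including `CONFIG` and `FLUSHALL`, with no further check. If only the intended clients are in that group this is acceptable, but it should be a deliberate, documented decision, e.g. `# no AUTH: access is gated solely by membership in the redis group`, or the password file should be enabled. As far as I can tell the NixOS option is spelled `requirePassFile`, so uncommenting the line as written would probably fail evaluation rather than enable authentication.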
@@ -3,72 +3,72 @@
 {
 services.matrix-synapse = {
 enable = true;
- server_name = "anarkafem.dev";
- enable_registration = false;
- registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
- turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
- max_upload_size = "100M";
- database_type = "psycopg2";
- database_args = {
- password = builtins.toString config.secrets.files.synapse_db_password.file;
- };
- turn_uris = [
- "turn:turn.anarkafem.dev:3478?transport=udp"
- "turn:turn.anarkafem.dev:3478?transport=tcp"
- "turn:turn.anarkafem.dev:3479?transport=udp"
- "turn:turn.anarkafem.dev:3479?transport=tcp"
- "turns:turn.anarkafem.dev:5349?transport=udp"
- "turns:turn.anarkafem.dev:5349?transport=tcp"
- "turns:turn.anarkafem.dev:5350?transport=udp"
- "turns:turn.anarkafem.dev:5350?transport=tcp"
- ];
- report_stats = false;
- withJemalloc = true;
- servers = { "anarkafem.dev" = {}; };
- extraConfig = ''
- default_room_version: "9"
- auto_join_rooms:
- - "#suf-aalborg:anarkafem.dev"
- '';
- logConfig = ''
- version: 1
+ extraConfigFiles = [ config.secrets.files.synapse_extra_config.file ];
+ settings = {
- formatters:
- precise:
- format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+ server_name = "anarkafem.dev";
+ enable_registration = false;
+ registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+ turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+ max_upload_size = "100M";
+ turn_uris = [
+ "turn:turn.anarkafem.dev:3478?transport=udp"
+ "turn:turn.anarkafem.dev:3478?transport=tcp"
+ "turn:turn.anarkafem.dev:3479?transport=udp"
+ "turn:turn.anarkafem.dev:3479?transport=tcp"
+ "turns:turn.anarkafem.dev:5349?transport=udp"
+ "turns:turn.anarkafem.dev:5349?transport=tcp"
+ "turns:turn.anarkafem.dev:5350?transport=udp"
+ "turns:turn.anarkafem.dev:5350?transport=tcp"
+ ];
+ report_stats = false;
+ withJemalloc = true;
+ servers = { "anarkafem.dev" = {}; };
+ extraConfig = ''
+ default_room_version: "9"
+ auto_join_rooms:
+ - "#suf-aalborg:anarkafem.dev"
+ '';
+ logConfig = ''
+ version: 1
- handlers:
- console:
- class: logging.StreamHandler
- formatter: precise
+ formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
- loggers:
- synapse.storage.SQL:
- # beware: increasing this to DEBUG will make synapse log sensitive
- # information such as access tokens.
- level: INFO
+ handlers:
+ console:
+ class: logging.StreamHandler
+ formatter: precise
- root:
- level: INFO
- handlers: [console]
+ loggers:
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: INFO
- disable_existing_loggers: false
- '';
- listeners = [
- {
- port = 8008;
- bind_address = "127.0.0.1";
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = [ "client" "federation" ];
- compress = false;
- }
- ];
- }
- ];
+ root:
+ level: INFO
+ handlers: [console]
+
+ disable_existing_loggers: false
+ '';
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = ["127.0.0.1"];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ };
 };
 }
diff --git a/config/hosts/rudiger/services/acme.nix b/config/hosts/rudiger/services/acme.nix
index 62ae467..693e006 100644
--- a/config/hosts/rudiger/services/acme.nix
+++ b/config/hosts/rudiger/services/acme.nix
@@ -3,7 +3,7 @@
 {
 security.acme = {
 acceptTerms = true;
- email = "admin+certs@graven.dev";
+ defaults.email = "admin+certs@graven.dev";
 };
 }
diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix
index fd2a274..b81b53e 100644
--- a/config/hosts/rudiger/services/nextcloud.nix
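Review bot: `withJemalloc`, `servers`, `extraConfig` and `logConfig` have been moved inside `settings = { … }`, and if `settings` is the freeform attrset that the 22.05 module serializes into homeserver.yaml, they are no longer module options but unknown YAML keys — so `default_room_version: "9"` and the `auto_join_rooms` entry are silently dropped and jemalloc is no longer enabled. Keep `withJemalloc = true;` next to `enable = true;` and express the extra config natively, `default_room_version = "9"; auto_join_rooms = [ "#suf-aalborg:anarkafem.dev" ];`, leaving logging to the module's default `settings.log_config` (verify that option name against the module you are on). The `registration_shared_secret` and `turn_shared_secret` values are also suspect: `builtins.toString` on a path yields the path string rather than the file contents, and everything in `settings` ends up in the world-readable Nix store either way, so both belong in the secret-backed `synapse_extra_config` file this hunk already wires in via `extraConfigFiles`. The `services.matrix-synapse` attrset closes inside the hunk.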
+++ b/config/hosts/rudiger/services/nextcloud.nix
@@ -4,7 +4,7 @@
 enable = true;
 hostName = "cloud.graven.dev";
 https = true;
- package = pkgs.nextcloud22;
+ package = pkgs.nextcloud24;
 autoUpdateApps.enable = true;
 maxUploadSize = "10G";
 webfinger = true;
diff --git a/config/hosts/rudiger/services/redis.nix b/config/hosts/rudiger/services/redis.nix
index 2db61e7..87b2587 100644
--- a/config/hosts/rudiger/services/redis.nix
+++ b/config/hosts/rudiger/services/redis.nix
@@ -1,10 +1,12 @@
 { config, ... }:
 {
 services.redis = {
- enable = true;
- unixSocket = "/run/redis/redis.sock";
 vmOverCommit = true;
- unixSocketPerm = 770;
- #requirePassfile = config.secrets.files.redis_pass.file;
- };
+ servers."" = {
+ enable = true;
+ unixSocket = "/run/redis/redis.sock";
+ unixSocketPerm = 770;
+ #requirePassfile = config.secrets.files.redis_pass.file;
+ };
+ };
 }
diff --git a/config/hosts/wind/services/acme.nix b/config/hosts/wind/services/acme.nix
index 62ae467..693e006 100644
--- a/config/hosts/wind/services/acme.nix
+++ b/config/hosts/wind/services/acme.nix
@@ -3,7 +3,7 @@
 {
 security.acme = {
 acceptTerms = true;
- email = "admin+certs@graven.dev";
+ defaults.email = "admin+certs@graven.dev";
 };
 }
diff --git a/config/hosts/wind/services/synapse.nix b/config/hosts/wind/services/synapse.nix
index e88e79e..7d9feb2 100644
--- a/config/hosts/wind/services/synapse.nix
+++ b/config/hosts/wind/services/synapse.nix
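Review bot: `package = pkgs.nextcloud24` jumps two major versions from `nextcloud22`; Nextcloud upstream only supports upgrading one major version at a time, so the first `occ upgrade` after this switch is likely to refuse or leave the instance half-migrated (I believe the NixOS module also warns about skipped majors). Step through `pkgs.nextcloud23` first, deploy and let that upgrade complete, then bump to `pkgs.nextcloud24`. Take a database and data-directory backup before each step, since `autoUpdateApps.enable = true` will pull app updates during the same activation.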
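Review bot: This new `services.redis` block is identical to the one added to `config/hosts/grondahl/services/redis.nix` in this commit; a shared module under `config/common/services/` imported by both hosts would keep the two from drifting. The unauthenticated, group-gated socket (`unixSocketPerm = 770` with `#requirePassfile` still commented out) is carried over unchanged, so anyone in the socket's group has full command access; if that is intended, say so in a comment such as `# no AUTH: access is gated solely by membership in the redis group`. The commented option also appears to be misspelled — the NixOS option is `requirePassFile` as far as I can tell — so it would not evaluate if simply uncommented.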
@@ -3,87 +3,89 @@
 {
 services.matrix-synapse = {
 enable = true;
- server_name = "graven.dev";
- enable_registration = false;
- registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
- turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
- max_upload_size = "100M";
- database_type = "psycopg2";
- database_user = "synapse";
- database_name = "synapse";
- turn_uris = [
- "turn:turn.graven.dev:3478?transport=udp"
- "turn:turn.graven.dev:3478?transport=tcp"
- "turn:turn.graven.dev:3479?transport=udp"
- "turn:turn.graven.dev:3479?transport=tcp"
- "turns:turn.graven.dev:5349?transport=udp"
- "turns:turn.graven.dev:5349?transport=tcp"
- "turns:turn.graven.dev:5350?transport=udp"
- "turns:turn.graven.dev:5350?transport=tcp"
- ];
- report_stats = true;
 withJemalloc = true;
+ settings = {
+ server_name = "graven.dev";
+ enable_registration = false;
+ registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+ turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+ max_upload_size = "100M";
+ database.name = "psycopg2";
+ database.args.user = "synapse";
+ database.args.database = "synapse";
+ turn_uris = [
+ "turn:turn.graven.dev:3478?transport=udp"
+ "turn:turn.graven.dev:3478?transport=tcp"
+ "turn:turn.graven.dev:3479?transport=udp"
+ "turn:turn.graven.dev:3479?transport=tcp"
+ "turns:turn.graven.dev:5349?transport=udp"
+ "turns:turn.graven.dev:5349?transport=tcp"
+ "turns:turn.graven.dev:5350?transport=udp"
+ "turns:turn.graven.dev:5350?transport=tcp"
+ ];
+ report_stats = true;
- extraConfig = ''
-password_config:
- enabled: false
-oidc_providers:
- - idp_id: authentik
- idp_name: authentik
- discover: true
- issuer: "https://auth.graven.dev/application/o/synapse/"
- client_id: "7a77036d3b360265895f2ab5a51264ba586c93d5"
- client_secret: "a9f9146fd13338230481a71c824d122bfb5e8a2118f2cdaf882746ad6726aeecd50ef522338acec89d3f8ccb8014124e022a6af6769807ea4271931f219a3f55"
- allow_existing_users: true
- scopes:
- - "openid"
- - "profile"
- - "email"
- user_mapping_provider:
- config:
- localpart_template: "{{ user.name }}"
- display_name_template: "{{ user.name|capitalize }}"
- '';
+ extraConfig = ''
+ password_config:
+ enabled: false
+ oidc_providers:
+ - idp_id: authentik
+ idp_name: authentik
+ discover: true
+ issuer: "https://auth.graven.dev/application/o/synapse/"
+ client_id: "7a77036d3b360265895f2ab5a51264ba586c93d5"
+ client_secret: "a9f9146fd13338230481a71c824d122bfb5e8a2118f2cdaf882746ad6726aeecd50ef522338acec89d3f8ccb8014124e022a6af6769807ea4271931f219a3f55"
+ allow_existing_users: true
+ scopes:
+ - "openid"
+ - "profile"
+ - "email"
+ user_mapping_provider:
+ config:
+ localpart_template: "{{ user.name }}"
+ display_name_template: "{{ user.name|capitalize }}"
+ '';
- logConfig = ''
-version: 1
+ logConfig = ''
+ version: 1
-formatters:
- precise:
- format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+ formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
-handlers:
- console:
- class: logging.StreamHandler
- formatter: precise
+ handlers:
+ console:
+ class: logging.StreamHandler
+ formatter: precise
-loggers:
- synapse.storage.SQL:
- # beware: increasing this to DEBUG will make synapse log sensitive
- # information such as access tokens.
- level: WARN
+ loggers:
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: WARN
-root:
- level: WARN
- handlers: [console]
+ root:
+ level: WARN
+ handlers: [console]
-disable_existing_loggers: false
- '';
- listeners = [
- {
- port = 8008;
- bind_address = "127.0.0.1";
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = [ "client" "federation" ];
- compress = false;
- }
- ];
- }
- ];
+ disable_existing_loggers: false
+ '';
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = ["127.0.0.1"];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ };
 };
 }
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json
index e5d4f86..b49671b 100644
--- a/config/sources/nix/sources.json
+++ b/config/sources/nix/sources.json
@@ -5,10 +5,10 @@
 "homepage": "https://github.com/nmattia/niv",
 "owner": "nmattia",
 "repo": "niv",
- "rev": "df49d53b71ad5b6b5847b32e5254924d60703c46",
- "sha256": "1j5p8mi1wi3pdcq0lfb881p97i232si07nb605dl92cjwnira88c",
+ "rev": "82e5cd1ad3c387863f0545d7591512e76ab0fc41",
+ "sha256": "090l219mzc0gi33i3psgph6s2pwsc8qy4lyrqjdj4qzkvmaj65a7",
 "type": "tarball",
- "url": "https://github.com/nmattia/niv/archive/df49d53b71ad5b6b5847b32e5254924d60703c46.tar.gz",
+ "url": "https://github.com/nmattia/niv/archive/82e5cd1ad3c387863f0545d7591512e76ab0fc41.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixos-hardware": {
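Review bot: `extraConfig` and `logConfig` are now nested inside `settings = { … }`, so — if `settings` is the freeform attrset the 22.05 module serializes into homeserver.yaml — they become unknown top-level keys holding a string rather than merged YAML, and the `password_config.enabled: false` and `oidc_providers` block are silently dropped, which would leave password login enabled on graven.dev. The OIDC `client_secret` is also committed in plaintext and, like `registration_shared_secret` and `turn_shared_secret` (where `builtins.toString` on a path yields the path string, not the secret), would land in the world-readable Nix store; put `password_config.enabled = false;` into `settings` and move the whole `oidc_providers` list plus the two shared secrets into a secret-backed file wired in via `extraConfigFiles = [ config.secrets.files.synapse_extra_config.file ];`, as the grondahl host does in this same commit. Because the secret is already in git history it should be rotated in authentik regardless. Dropping `logConfig` falls back to the module's default log config, which I believe logs at INFO rather than the WARN set here, so confirm that is acceptable. The `services.matrix-synapse` attrset closes inside the hunk.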
@@ -17,22 +17,22 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "f4160a629bac3538939a3005c8b5c7fb320bcf59",
- "sha256": "0w4k1fis534iafc72cjmig72697pz4s3fjj211fhzf443zh49in7",
+ "rev": "ea3efc80f8ab83cb73aec39f4e76fe87afb15a08",
+ "sha256": "0h87y6z42ch128j6yslydvdzajqcrqzhihi4nrpwida4js2pl1ak",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixos-hardware/archive/f4160a629bac3538939a3005c8b5c7fb320bcf59.tar.gz",
+ "url": "https://github.com/NixOS/nixos-hardware/archive/ea3efc80f8ab83cb73aec39f4e76fe87afb15a08.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
- "branch": "release-21.11",
+ "branch": "release-22.05",
 "description": "Nix Packages collection",
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "838eefb4f93f2306d4614aafb9b2375f315d917f",
- "sha256": "1bm8cmh1wx4h8b4fhbs75hjci3gcrpi7k1m1pmiy3nc0gjim9vkg",
+ "rev": "c55096e021c6ab0be3945be2535b3b4324e4f571",
+ "sha256": "0smvw72cv80zq1y1y5vjfjbz0bv6mg8iznhv779s2vn5dz1s3kwx",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/838eefb4f93f2306d4614aafb9b2375f315d917f.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/c55096e021c6ab0be3945be2535b3b4324e4f571.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {
@@ -41,10 +41,10 @@
 "homepage": "",
 "owner": "Infinisil",
 "repo": "nixus",
- "rev": "d1e1057a31f16a75d9f871e311c4aaaf664561b9",
- "sha256": "0d4576dssr6l4vdpi86rbf6dyn3jfl3csvmn9csd4n6dj53f5pqm",
+ "rev": "a7b742f2f4c9d37cd84b8f0ab7ee57c4b3d9f393",
+ "sha256": "0pyplivs96vxnnnj3w8drd806xxzhrxcn969hh1bhbds4h4s5k16",
 "type": "tarball",
- "url": "https://github.com/Infinisil/nixus/archive/d1e1057a31f16a75d9f871e311c4aaaf664561b9.tar.gz",
+ "url": "https://github.com/Infinisil/nixus/archive/a7b742f2f4c9d37cd84b8f0ab7ee57c4b3d9f393.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }