From 8f8da2a071d5247179df32c21761e61647d7441c Mon Sep 17 00:00:00 2001
From: Emelie Graven <emelie@graven.dev>
Date: Mon, 14 Feb 2022 12:29:36 +0100
Subject: [PATCH] Restructure DB config, add ssh keys

---
 config/common/users.nix                       |   3 +-
 config/hosts/grondahl/configuration.nix       |   3 +
 .../hosts/grondahl/data/secrets/authentik_env | Bin 0 -> 907 bytes
 .../hosts/grondahl/data/secrets/email_noreply | Bin 83 -> 83 bytes
 .../hosts/grondahl/data/secrets/mobilizon_env | Bin 0 -> 1041 bytes
 .../hosts/grondahl/data/secrets/secrets.nix   | Bin 716 -> 961 bytes
 .../grondahl/data/secrets/synapse_db_password | Bin 0 -> 87 bytes
 config/hosts/grondahl/services/containers.nix |  53 ++++++++++++++++++
 config/hosts/grondahl/services/mail.nix       |  29 ++++++++++
 config/hosts/grondahl/services/nginx.nix      |  10 ++++
 config/hosts/grondahl/services/postgres.nix   |  45 ++++++++++++---
 config/hosts/grondahl/services/redis.nix      |  11 ++++
 config/hosts/grondahl/services/synapse.nix    |   5 +-
 config/hosts/rudiger/services/postgres.nix    |  13 +++--
 14 files changed, 155 insertions(+), 17 deletions(-)
 create mode 100644 config/hosts/grondahl/data/secrets/authentik_env
 create mode 100644 config/hosts/grondahl/data/secrets/mobilizon_env
 create mode 100644 config/hosts/grondahl/data/secrets/synapse_db_password
 create mode 100644 config/hosts/grondahl/services/containers.nix
 create mode 100644 config/hosts/grondahl/services/mail.nix
 create mode 100644 config/hosts/grondahl/services/redis.nix

diff --git a/config/common/users.nix b/config/common/users.nix
index 1f17e6b..6bc7138 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -6,8 +6,7 @@
 			extraGroups = [ "wheel" ];
 			openssh.authorizedKeys.keys = [
               "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
-              "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKHlANxRo9NEU6GHMCiAhv3Kxbxd6mOrOiMBw3bGohOAAAABHNzaDo= emelie@flap-fed"
-							"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE7/U/Mk1jGofcommKmPfG+qwybiFH1nFkXzUqGiXSy/AAAABHNzaDo= emelie@thinky-fed"
+							"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed"
 
 			];
 		};
diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix
index 2c929e1..6d317be 100644
--- a/config/hosts/grondahl/configuration.nix
+++ b/config/hosts/grondahl/configuration.nix
@@ -13,6 +13,9 @@
     ./services/restic.nix
     ./services/synapse.nix
     ./services/postgres.nix
+		#./services/mail.nix
+		#./services/containers.nix
+		#./services/redis.nix
     ];
 
   boot.loader.grub.enable = true;
diff --git a/config/hosts/grondahl/data/secrets/authentik_env b/config/hosts/grondahl/data/secrets/authentik_env
new file mode 100644
index 0000000000000000000000000000000000000000..52c163146482dc943e2f5964462dbafd62d91525
GIT binary patch
literal 907
zcmV;619bcVM@dveQdv+`05PXQQ_^Tytk79=MhQ7hX_B;)>>*NP+>`L_dbr!i{|RE2
z5TdwT%^|>Hi53P{xErDpx*PU^L0fZFIv}9yfRY<YEER@#j>Yp)#~^Pfu`o{BP7fHJ
zv1_Ie&=yC*k90m(k%xJ>uE1Yspv<K|Vn7|ltRlstgL(YX^7!3dS=%`TJb2VF&0er$
zzM-2ZW)p$$nG0?gm201}(&zg-b6~7KW_<Hgwvx+WS=>;NZx$HBXz_JZ@|rJ}?&5*E
z0%d(LhEfGtOP$FqZ7kYS0O*#AL>INOBW39768z1#uJ~LpJ?!K)$(H7lw10!o?BK|u
zfFvWaIzviwSo9eG_8vwpikQN1@($tp8|@$jJk^|i{mV*yrzHn>0CXVR*#cear=XAY
zMf7_w?1r?xu(eF|@4%aw@NF&fyJ`(pC5#r1>UFeQL{ezp&V5(aHgV(&q;Q9hRnZW1
zYHXKe5Iad*1`{fXNm$6^nFCkkhUNP2vv?Z6ong@kU|!u_fu)x$Wf|A%m-FPjC{Px9
zVGG7+*~D8Z%q(TlShU|tz$6CZNZ1x$@=oko>Wz?!Nj>c^BB-F{<Sj-V2_7gK{dVqH
zvo0gw(hBVZ0!YKFQxDN0cm4_OoVrW_eedqUP%FWsrT{P+;&@%-bSTEvFMz@)7NiLW
zyuk$^&xQxccwo7%EHA^l(p^BQXgtx);F=*}sd`ug*&ixK?~0HBULip^g>YiYf2#Dd
zt!Ig?Tx69USsOasN~+U0fVmzE;%iS!V$4#xQGu59>#PE5*T==#ApXJ9ux{XVNdI7>
zQZkt#khZjlm4kk+nU(T`CtgVEapH!t^~?X8meW{Ny=tOoBY-luoA#73^Tv^6!t5ID
zFq2jV_HOJg(Lp2Ru+6Q-uWRzYM)CMev`Z1{Dq&Ylim)b+qWtx&LACvW*mkrKIbSjh
z9wi`xdSrn<YqYZ;+?7!T<%*_IfW3))d%CYQl2rOqWNaP%Npsd13~)LMh*{09io8H4
zBvQ_88XmrQ=dlV`Y^}S_mFhyRoto(Wv~TWv_93hfTk5IgwJf3lE?$_i-HraY>HqrV
z&LLz`CX4&=3wz})mtJxY1m!eiUQ5BS_6tr}1$=$!VLrFAUor(?bE+D8<6<zI4ggtZ
hQ0f`jQ-mr9xB8i~qfR{@RlGblnv42*$=UesN?m&?#;yPW

literal 0
HcmV?d00001

diff --git a/config/hosts/grondahl/data/secrets/email_noreply b/config/hosts/grondahl/data/secrets/email_noreply
index babe205fdffc5ed70027ac188d4ca5a80652c8ca..851aa9fd71a788e0c32971efb104308135efa87e 100644
GIT binary patch
literal 83
zcmV-Z0IdH2M@dveQdv+`0LMOIk@J@I&LDlEe_LCoe|nzJ$CY7#uUqXzH!DD1pZxC5
pdN_7h9pSgUmw%%8I(q*#0#U<#bjFx^UE(}gQrW9~>PUiy>R*KRDi;6%

literal 83
zcmV-Z0IdH2M@dveQdv+`0PSY?KMc6`J8dBlyegkvme_3S&1<s8vx1e(8Mx7S(^6pN
pK}g%$^mYA2zn$&Ul6TZ%4wG0K2;J^+F@_WDzFoLLEx1)k3gw#0Db@f0

diff --git a/config/hosts/grondahl/data/secrets/mobilizon_env b/config/hosts/grondahl/data/secrets/mobilizon_env
new file mode 100644
index 0000000000000000000000000000000000000000..2f1635d9c4826c40c8c3d78743fd7c168a6bd9fd
GIT binary patch
literal 1041
zcmV+s1n&C)M@dveQdv+`0BEpCyph~@?B;lAKCR2KM_iQ`+#ScAy_<ur$hvId{>?@N
zmR&FQM2-k<1XFu8&Y%@0%9~jj!If*94vrhu22IB%FoOG4%&;P<Ac-dX^RLu&a7wG>
znlU>x>&n03EuN7cEH&kc`|Kf}d?FM4h%!KdUhu2t*RpgRXnr6{-&}O{Hhowtg4z2+
zkG5-A>a&>)g}}yLs#J+54>y(Rq|>DHqYYuq6AWDRi2sq`@3)-_R<4R4tbx_1WPj66
znZ&&0>KQ|du_O+#Ma!IV$%;mkLUIhD8>|a9?>(l}23D?@k2;>7d@jDLO(o}q3h1*G
zf;Hii@f@O2p8EHRJy;~gP_2*~IP?vz+oX=os}0bnOUT{|U|z81R7C#QRi-+4z6Qpt
z8_IV{7^$%mTk8<Lyry=^XhY!yhKo9UR8jvzNrc)-{P>%s7iu0KxQ7S5y#+D*ZxFQ)
zkY22JO#wh#^E;H+iT)FTXrn5jW;W!O{VGe(uUV#>%l5+`fM??1Lb*Aia%Yhv#h5<6
zRQnPXN%;7ABON^2^c+a|8k8X3>fz!V;@{KE$0`>E!Tp;a)keS|ht)<E2BxECo_gy4
z#wW-c_RNi6`uOWVPU+cb{G%fnK~{6l<{qA$@!%z`Tnov(%5;u5Olci3KutPT17Dgc
z_-*=Go_fnzQj0g;^<jBUj_I{6o)oPsdwu3{?%osx(ijWlig!I<!Do;8qdb?0fSgL3
z-HaM|4m`MHw(!xK8*r_8xX$(8nh0w_l%ma=9W>4{A^j$iINt_tSZEP251DU(55NY+
z1qol5zJ5n>&9j!@q1}*DJ<Xl@xm&tx=bmlaKLGS0^+j5Sn}}CBz{-sQf6ma<lX?6;
z!P}h0aRNQ=Gsh6DAe83O_1Y)J*cxE$xAzfc=;4^<>q{AReC8s%an9cQ-c0$)=N}M<
zF>v(+#X|LpEFl$o4(jaeO9(VP?5Z&k@HvJSjO^tZImXSPiw@OxQcO(OoEU4ZJ1Q2O
zXuUkkJ$=tUTD3%vc&HB_wW?=!$akaz?W{5mI&sLa8=^!lnRf!=q5A25i9%eeQ8;Um
zZBxggynkvSv2h_a!zPJl&zqdQKs|5<0Bygo88Ctqa(ilmpQ8-uv;W16x~d#rQMFW4
z!>^<AR1OBjmE3E*JEzWOapu6}ik_#E&63RMK{W-QHYk7vkOr3OFSw!<+&oFe9*-ja
zSt9!2>d)P7BUd4M><t^t!+%~E9&31eyOQ)s-{Vp=n3=&GQ}^F474;yP5`9Xz?zuMV
zkTg|Gu}V5jI2o;}>@!XBCPH2iV=BLbwZE(@Qd-m5%-T@F{yl+;FQ2>c9P1~xD?6@Y
LF1XQTF?F73LqrW2

literal 0
HcmV?d00001

diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix
index 89f5c0189c4ec860b213ee2cb7fbf3083cab9735..2b87a11d869139930add82ebfe871e322cc9bcd0 100644
GIT binary patch
literal 961
zcmV;y13vr!M@dveQdv+`0R0Anu&bv5ciJ36+NIfw#$KuRCaw&1AofW_2z2S#XsGkF
zf4vg3>?E+e4Jtu={GE+9iJfz5gu@(`<YJWM_#y#X!|F{cGV_7b4x9iqhT)*_hna+A
z8Qg`CYqE_KogL4|QHO8&m`|Hd^LNKjfPqcsTK)k>CxCVk%lh2*en5+d=$y30es;H`
z`gHix-U0{%*Ok2hmz#?x&Ycb$dvSf-AhLO<t8_Kcrgz+816S*V%3NAx6KEbL)nYYW
zPpW|}pKIJpfNfZT^4`#moR=MqLkc}HKC`^-6)56T9YEumN`!Z?VhH>KX<c5+jT%o&
z>KHrO+M&TNov6z`F}ri)nZ~(9CNZ26$R2XkRRk4d^x*HIRU-_)grM0=Qp?r6w{eeW
z!2&9FIa7ypJ)UU!86UfQxqu@)&-_g6$JjNFe%L%Jh1B}?E+yL_z;3md2%w`!i?j{}
z5G2^s+K75VyI4Xu%v4(hv+;3A;qeZar?h6Iz6X|`%+zTq@b<FpQBDQydj|lWtN28d
zZXn>}Pyhw*ec3uo`TEGt@XBBY8dcroo>fKabgO1~SD1yUhokU*A=QSEW^jWrn8Dv1
zFU~b4)d>18Y}iF$7fWFPEmiGRtjtm3u3z36ju{Hw^TCtHeTs#pt2)p=X&|kCy?o^x
z^h9_?c{?LYd)@mwk7f10qHG^a0zYut9=&pE`2X9V2*{N?SVxp{i*I{YFlYj0z{IX<
zuCq{6CxM?zm4{(bWbyc$F;cNm0n)EHT2^}|1%+<@9(8O%G!FfC;?x}q=;ppZXT|&1
z8%Z`zP;*x<hoB;%^Fog6@#bv>q*>>7?80jB7nW&MC{PSkT?%gUu>`s*`CXkJMB?TW
z+YN>fom+EZBc8X#Ffij5kpx!`)MparSXi37e%x*>r>TqSieHB!C_!jYQvXZJ8{Zyk
zJY89@H*IUja#IZ|b5rnjzQeGQLO;s$D%pVQaVU}5fu3-;6(XMBk|Lk<c+_$_GAxaX
z<Qz@M<YpTEy};z5*^KfwDsN1*A1|j=fSreHz*IN77!nKg{Q~9e@Rj0)=lnAS-dKij
zF1i(|csB1;^&vE`#{0|HRrYyAO4a?o&<r+b)(<|8=IMwL-Z3LrS*hz;_D`*<XE*f6
zP?toY!|@G!O~z9b(DM9%F29Jk^gKg~COe&)xfdy`s{@l=v4SypQq~M@-Ua5`3=tQr
jMadCZDc)XxHoc@>)*x!^Lc+J7h4_RyXu{?ptbM>B<H_E*

literal 716
zcmV;-0yF&pM@dveQdv+`06&aCWok;Fb8yIhD1iKse?x^O@}kAP;OQyYLhe88&*6l9
zGE^I5*g;=MO7X)nMTl&udDxAE;8r%&US(LUApRzaG<E^K_#;EkWHPRixr!E~M!|eg
zqg_sHx8IlX<LsEdDCUX+VniOI5|{b6V)-7z(j&!7{06xyJYwpt;LM8w*%&0$Qe-N6
z%#VgUQx(#PY8!NPE6;k9Z}fPJJrDWgg$*Kcc38tQ<jS6c8jwv%m_pc?$caq$t8VTw
z1b#Up$T<Z>=;i0rtMtl3sxnB2M?ae&W;Q~UlE5W0pq+pM)PHc4?H*lElUYAfRJ!na
zMu`^f6|PL%6C0QDIgB~NYH_O#Tm{}}7OP=1dmMS=lu)v)?aN6I*XiM8B}1gl!Yje$
zj6o75<~m38g`Lu5$I6)#oZ!XKxWtkY*W@wr=&NvmcW5}P%}*YbUoVN1VEkbg_5xYH
z9V^UN5;1^vo7-v3o}l?mhn4fgLE3bHw0U6yM+ISQMME{$Ue3llh_$laPZeNp15TK1
z!G`dKxNrl>s#X_lw5l@U?~gwjLEUJ}lsW*gI%tH6nk8EBBvpc3?zRgZIC1jOmt@NM
zE6g#5;3X67+DCI+Dw<}ZQ3lWxNW4dvis9p+9`YEYL4Th&7z`=^_pYRytm0(vlRPRu
z{c$Ep0#|vvQ8ba+wHk*(ZF|X;GYHdslekVJ%EG%p#X2mb@$%|R>YAQ2Kb9kpfU}rY
zGq-{8E*nT*I#y0<UGt4xpSLmss~D<EKjq8vkf1M2E?LO1sd-_+J~d{VnlWvDVTMx;
z3bg$y%QXV6JxCH1^@66Ww%YCWRg}3GH$*Wu(C+3IjO`u>m{v139&GuyoLI7?Em3!_
y#!bomxBN(8HBOH-5usA!hg2wr6gqInx$y>6QXaIbJ|HVnTwj7Ru=}e@3?Bb87h2Z<

diff --git a/config/hosts/grondahl/data/secrets/synapse_db_password b/config/hosts/grondahl/data/secrets/synapse_db_password
new file mode 100644
index 0000000000000000000000000000000000000000..c2cd71a63320dc7ed02275b19236d533922d8808
GIT binary patch
literal 87
zcmV-d0I2@}M@dveQdv+`0Bnn$Xa>+}R`O(rfZoWyfev@rB>h6&jE`aBMGqC<WbKvI
tXuf`WzUvJM%SVz_xK&+snj~J~hXFTDw@`uMtFdhT!@n_5gbn_K_patUD(nCN

literal 0
HcmV?d00001

diff --git a/config/hosts/grondahl/services/containers.nix b/config/hosts/grondahl/services/containers.nix
new file mode 100644
index 0000000..7d814f0
--- /dev/null
+++ b/config/hosts/grondahl/services/containers.nix
@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+
+{
+	config.virtualisation.oci-containers = {
+		backend = "podman";
+		containers = {
+			#mobilizon = {
+			#	image = "framasoft/mobilizon";
+		#		ports = [ "127.0.0.1:4000:4000" ];
+		#		volumes = [
+		#			"/var/lib/mobilizon/uploads:/var/lib/mobilizon/uploads"
+		#			"/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
+		#		];
+		#		environmentFiles = [ config.secrets.files.mobilizon_env.file ];
+		#	};
+			authentik-server = {
+				image = "ghcr.io/goauthentik/server:stable";
+				ports = [
+					"127.0.0.1:9000:9000"
+					"127.0.0.1:9443:9443"
+				];
+				volumes = [
+					"/var/lib/authentik/media:/media"
+					"/var/lib/authentik/templates:/templates"
+					"/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
+					"/run/redis/redis.sock:/run/redis/redis.sock"
+				];
+				environmentFiles = [ config.secrets.files.authentik_env.file ];
+				cmd = ["server"];
+			};
+			authentik-worker = {
+				image = "ghcr.io/goauthentik/server:stable";
+				volumes = [
+					"/var/lib/authentik/backups:/backups"
+					"/var/lib/authentik/media:/media"
+					"/var/lib/authentik/certs:/certs"
+					"/var/lib/authentik/templates:/templates"
+				];
+				environmentFiles = [ config.secrets.files.authentik_env.file ];
+				cmd = ["worker"];
+			};
+		};
+	};
+
+	config.systemd.services.create-authentik-pod = with config.virtualisation.oci-containers; {
+		serviceConfig.Type = "oneshot";
+		wantedBy = [ "podman-authentik-server.service" "podman-authentik-worker.service" ];
+		script = ''
+			${pkgs.podman}/bin/podman pod exists authentik || \
+				${pkgs.podman}/bin/podman pod create -n authentik -p '127.0.0.1:9000:9000' -p '127.0.0.1:9443:9443'
+		'';
+	};
+}
diff --git a/config/hosts/grondahl/services/mail.nix b/config/hosts/grondahl/services/mail.nix
new file mode 100644
index 0000000..6aef8d3
--- /dev/null
+++ b/config/hosts/grondahl/services/mail.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    (builtins.fetchTarball {
+      # Pick a commit from the branch you are interested in
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e3a7b2ea6f0d68b82027b988aa25d3423787303/nixos-mailserver-6e3a7b2ea6f0d68b82027b988aa25d3423787303.tar.gz";
+      # And set its hash
+      sha256 = "1i56llz037x416bw698v8j6arvv622qc0vsycd20lx3yx8n77n44";
+    })
+  ];
+
+  mailserver = {
+    enable = true;
+    fqdn = "anarkafem.dev";
+    domains = [ "anarkafem.dev" ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
+    loginAccounts = {
+        "noreply@anarkafem.dev" = {
+            hashedPasswordFile = config.secrets.files.email_noreply.file;
+        };
+    };
+
+		keyFile = config.security.acme.certs."anarkafem.dev".directory + "/key.pem";
+		certificateFile = config.security.acme.certs."anarkafem.dev".directory + "/cert.pem";
+    certificateScheme = 1;
+  };
+}
diff --git a/config/hosts/grondahl/services/nginx.nix b/config/hosts/grondahl/services/nginx.nix
index 505f79b..d313927 100644
--- a/config/hosts/grondahl/services/nginx.nix
+++ b/config/hosts/grondahl/services/nginx.nix
@@ -20,5 +20,15 @@
         '';
       };
     };
+		"cal.anarkafem.dev" = {
+			useACMEHost = "anarkafem.dev";
+			forceSSL = true;
+			locations."/".proxyPass = "http://127.0.0.1:4000";
+		};
+		"auth.anarkafem.dev" = {
+			useACMEHost = "anarkafem.dev";
+			forceSSL = true;
+			locations."/".proxyPass = "http://127.0.0.1:9000";
+		};
   };
 }
diff --git a/config/hosts/grondahl/services/postgres.nix b/config/hosts/grondahl/services/postgres.nix
index e092165..950c67a 100644
--- a/config/hosts/grondahl/services/postgres.nix
+++ b/config/hosts/grondahl/services/postgres.nix
@@ -1,26 +1,55 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_13;
+		extraPlugins = with config.services.postgresql.package.pkgs; [
+			postgis
+		];
+    ensureDatabases = [ 
+			"matrix-synapse"
+			"mobilizon"
+			"authentik"
+		];
+    ensureUsers = [
+    	{
+				name = "matrix-synapse";
+      	ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+    	}
+			{
+				name = "mobilizon";
+      	ensurePermissions."DATABASE mobilizon" = "ALL PRIVILEGES";
+  		}
+			{ 
+				name = "authentik";
+				ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES";
+			}
+    ];
     initialScript = pkgs.writeText "synapse-init.sql" ''
-                      CREATE ROLE synapse;
-                      CREATE DATABASE synapse WITH OWNER synapse
+                      CREATE ROLE matrix-synapse;
+                      CREATE DATABASE matrix-synapse WITH OWNER matrix-synapse
                           TEMPLATE template0
                           LC_COLLATE = "C"
                           LC_CTYPE = "C"
                           ENCODING = "UTF8";
     '';
-    authentication = pkgs.lib.mkOverride 10 ''
-        local all all trust
-        host all all ::1/128 trust
-    '';
+		settings = { password_encryption = "scram-sha-256"; };
+		authentication = pkgs.lib.mkForce ''
+			local all postgres peer
+			local all matrix-synapse peer
+			local all mobilizon scram-sha-256
+			local all authentik scram-sha-256
+		'';
   };
 
   services.postgresqlBackup = {
     enable = true;
     location = "/var/lib/postgresql/backup";
-    databases = [ "synapse" ];
+    databases = [ 
+			"matrix-synapse"
+			"mobilizon"
+			"authentik"
+		];
     startAt = "02:30";
     compression = "none";
   };
diff --git a/config/hosts/grondahl/services/redis.nix b/config/hosts/grondahl/services/redis.nix
new file mode 100644
index 0000000..6a001e1
--- /dev/null
+++ b/config/hosts/grondahl/services/redis.nix
@@ -0,0 +1,11 @@
+{ config, ...  }:
+{
+  services.redis = {
+    enable = true;
+    unixSocket = "/run/redis/redis.sock";
+    vmOverCommit = true;
+    unixSocketPerm = 770;
+    #requirePassfile = config.secrets.files.redis_pass.file;
+  }; 
+}
+
diff --git a/config/hosts/grondahl/services/synapse.nix b/config/hosts/grondahl/services/synapse.nix
index 9d0c32e..210914f 100644
--- a/config/hosts/grondahl/services/synapse.nix
+++ b/config/hosts/grondahl/services/synapse.nix
@@ -9,8 +9,9 @@
     turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
     max_upload_size = "100M";
     database_type = "psycopg2";
-    database_user = "synapse";
-    database_name = "synapse";
+		database_args = { 
+			password = builtins.toString config.secrets.files.synapse_db_password.file;
+		};
     turn_uris = [
       "turn:turn.anarkafem.dev:3478?transport=udp"
       "turn:turn.anarkafem.dev:3478?transport=tcp"
diff --git a/config/hosts/rudiger/services/postgres.nix b/config/hosts/rudiger/services/postgres.nix
index 4651a6e..af4cc48 100644
--- a/config/hosts/rudiger/services/postgres.nix
+++ b/config/hosts/rudiger/services/postgres.nix
@@ -2,18 +2,21 @@
 {
   services.postgresql = {
     enable = true;
-    ensureDatabases = [ "nextcloud" ];
+    ensureDatabases = [ 
+			"nextcloud"
+		];
     ensureUsers = [
-     { name = "nextcloud";
-       ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
-     }
+    	{
+				name = "nextcloud";
+      	ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+    	}
     ];
   };
 
   services.postgresqlBackup = {
     enable = true;
     location = "/var/lib/postgresql/backup";
-    databases = [ "synapse" ];
+    databases = [ "nextcloud" ];
     startAt = "02:30";
     compression = "none";
   };