From 6dd6a4021f29cad7f57ef8af892b4bd41e9c9091 Mon Sep 17 00:00:00 2001
From: Lucy Hochkamp
Date: Mon, 11 Aug 2025 19:37:52 +0200
Subject: [PATCH] beep
---
 flake.lock | 58 ++++++++++------
 flake.nix | 6 +-
 hosts/picard/default.nix | 35 ++++------
 hosts/picard/plausible.nix | 67 +++++++++---------
 hosts/picard/xynospace-matrix.nix | 9 ++-
 nixos-modules/services/bitwarden.nix | 2 +-
 nixos-modules/services/caddy/custom-caddy.nix | 2 +-
 7 files changed, 95 insertions(+), 84 deletions(-)
diff --git a/flake.lock b/flake.lock
index 67b3474a..010d7c5e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -167,11 +167,11 @@
 "systems": "systems_2"
 },
 "locked": {
- "lastModified": 1726560853,
- "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+ "lastModified": 1731533236,
+ "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+ "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
 "type": "github"
 },
 "original": {
@@ -319,15 +319,15 @@
 "lix": {
 "flake": false,
 "locked": {
- "lastModified": 1729298361,
- "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
- "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
+ "lastModified": 1753223229,
+ "narHash": "sha256-tkT4aCZZE6IEmjYotOzKKa2rV3pGpH3ZREeQn7ACgdU=",
+ "rev": "7ac20fc47cf2f1b7469c7a2f379e5a3a51a6789a",
 "type": "tarball",
- "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
+ "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/7ac20fc47cf2f1b7469c7a2f379e5a3a51a6789a.tar.gz?rev=7ac20fc47cf2f1b7469c7a2f379e5a3a51a6789a"
 },
 "original": {
 "type": "tarball",
- "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
+ "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz"
 }
 },
 "lix-module": {
@@ -340,15 +340,15 @@
 ]
 },
 "locked": {
- "lastModified": 1732605668,
- "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
- "rev": "f19bd752910bbe3a861c9cad269bd078689d50fe",
+ "lastModified": 1753282722,
+ "narHash": "sha256-KYMUrTV7H/RR5/HRnjV5R3rRIuBXMemyJzTLi50NFTs=",
+ "rev": "46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873",
 "type": "tarball",
- "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/f19bd752910bbe3a861c9cad269bd078689d50fe.tar.gz"
+ "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873.tar.gz"
 },
 "original": {
 "type": "tarball",
- "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz"
+ "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.3-1.tar.gz"
 }
 },
 "miro": {
@@ -450,11 +450,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1754931599,
- "narHash": "sha256-wmhQI99Cbg/JYGScSkSwWDbjc6Mfuvxfx16HLf2HNeQ=",
+ "lastModified": 1754936341,
+ "narHash": "sha256-7S5tCdS1vWtpLbnRGDdd4OxM5AqSqzKH4qFDa2DChbI=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "b8ca88d4cbb6b636734aba10a6e1aba8cb5ceb45",
+ "rev": "69034f60c492a39891848ba906fef1081a5e933b",
 "type": "github"
 },
 "original": {
@@ -482,16 +482,16 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1751274312,
- "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
+ "lastModified": 1754767907,
+ "narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674",
+ "rev": "c5f08b62ed75415439d48152c2a784e36909b1bc",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-24.11",
+ "ref": "nixos-25.05",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -577,6 +577,7 @@
 "pandoc-latex-template": "pandoc-latex-template",
 "quadlet-nix": "quadlet-nix",
 "spoons": "spoons",
+ "synapse": "synapse",
 "utils": "utils",
 "wired": "wired",
 "x": "x",
@@ -639,6 +640,23 @@
 "type": "github"
 }
 },
+ "synapse": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1754934810,
+ "narHash": "sha256-4HAA9Xq4C3DHxz0BgqBitfM4wZwPSEu+IO/OPfHzLVw=",
+ "owner": "element-hq",
+ "repo": "synapse",
+ "rev": "4054d956f75056ace9edc729ee488edcbf00d1a2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "element-hq",
+ "repo": "synapse",
+ "rev": "4054d956f75056ace9edc729ee488edcbf00d1a2",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index ed91eef1..4514b2c9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
 utils.url = "github:numtide/flake-utils";
 ## nixos/nix-darwin dependencies
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
 nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-24.05-darwin";
 nixpkgs-master.url = "github:NixOS/nixpkgs/master";
 agenix.url = "github:ryantm/agenix/main";
@@ -20,7 +20,7 @@
 quadlet-nix.inputs.nixpkgs.follows = "nixpkgs";
 lix-module = {
- url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz";
+ url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.3-1.tar.gz";
 inputs.nixpkgs.follows = "nixpkgs";
 };
@@ -36,6 +36,8 @@
 attic.url = "github:zhaofengli/attic";
 attic.inputs.nixpkgs.follows = "nixpkgs";
+ synapse.url = "github:element-hq/synapse?rev=4054d956f75056ace9edc729ee488edcbf00d1a2";
+ synapse.flake = false;
 kmonad = {
 url = "git+https://github.com/jokesper/kmonad?dir=nix&ref=feat-tap-overlap";
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index ca25d461..9eeb89ca 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
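Review bot: The new `synapse` input is pinned to a bare commit hash with nothing saying which upstream release it corresponds to or why nixpkgs' package was not sufficient, so nobody can tell at a glance whether the homeserver is on a version with current fixes. Because the input is consumed as plain source (`synapse.flake = false`) rather than through nixpkgs, its security updates will not arrive with the channel bump made in the -5 hunk; they require a manual bump of this rev. Add a comment above the `synapse.url` line such as `# synapse <UPSTREAM-RELEASE>, pinned until nixpkgs ships it` (release filled in by the author) so the pin is revisited.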
@@ -109,6 +109,13 @@
 }
 '';
 virtualHosts."*.hailsatan.eu".extraConfig = ''
+ tls ssl@xyno.systems {
+ propagation_delay 1m
+ ca https://acme-v02.api.letsencrypt.org/directory # hard coded so zerossl doesn't get used
+ dns desec {
+ token "{$TOKEN}"
+ }
+ }
 reverse_proxy https://ds9.kangaroo-galaxy.ts.net {
 transport http {
 tls_server_name {host}
@@ -118,29 +125,6 @@
 virtualHosts."l621.net".extraConfig = ''
 reverse_proxy http://127.0.0.1:8186
 '';
- virtualHosts."*.ragon.xyz".extraConfig = ''
- # @8081 host 8081.ragon.xyz
- # handle @8081 {
- # reverse_proxy http://[::1]:8081
- # }
- # @files host files.ragon.xyz
- # handle @files {
- # encode zstd gzip
- # root * /srv/www
- # file_server browse
- # basicauth * {
- # {$BAUSER} {$BAPASSWD}
- # }
- # }
- @bw host bw.ragon.xyz
- handle @bw {
- reverse_proxy http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}
- }
-
- handle {
- abort
- }
- '';
 virtualHosts."xyno.space".extraConfig = let
 fqdn = "matrix.xyno.space";
@@ -227,6 +211,11 @@
 handle @ntfy {
 reverse_proxy http://127.0.0.1:15992
 }
+ @bw host bw.xyno.systems
+ handle @bw {
+ reverse_proxy http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}
+ }
+
 handle {
 abort
diff --git a/hosts/picard/plausible.nix b/hosts/picard/plausible.nix
index bc9a7631..a4d6f4e2 100644
--- a/hosts/picard/plausible.nix
+++ b/hosts/picard/plausible.nix
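Review bot: The new `tls` block takes the deSEC API token from the environment as `{$TOKEN}`, a name generic enough to be set wrongly or collide with another variable in the same Caddy unit, and that token can change records for the whole DNS zone, so a mix-up is costly. Consider a descriptive name such as `{$DESEC_TOKEN}` (constructed example) and say in a comment where the value is injected, since the unit's environment or credential wiring is outside this hunk. A one-line comment above `tls ssl@xyno.systems {` noting that the wildcard certificate for `*.hailsatan.eu` is obtained via the DNS challenge would also explain why the `ca` and `dns` lines exist; the `ca` line's own comment already covers the ZeroSSL point.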
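Review bot: The `@bw host bw.xyno.systems` matcher added in the -227 hunk only ever fires if the enclosing virtualHost's site address covers that name; the vhost header is above the hunk, so confirm it is a wildcard or list that includes `bw.xyno.systems`, otherwise the vault is silently served by whichever vhost does match (or not at all). The same host name is now also the default of `ragon.services.bitwarden.domain` in nixos-modules/services/bitwarden.nix in this commit, and nothing ties the two together; a comment above the matcher such as `# keep in sync with config.ragon.services.bitwarden.domain` (or using that option directly) would stop them drifting apart.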
@@ -15,51 +15,48 @@ in {
 IP_GEOLOCATION_DB = "${pkgs.unstable.dbip-country-lite}/share/dbip/dbip-country-lite.mmdb";
 DATABASE_URL = "postgresql:///plausible?host=/run/postgresql";
 };
- systemd.services.plausible.script =
- let cfg = config.services.plausible; in lib.mkForce ''
- # Elixir does not start up if `RELEASE_COOKIE` is not set,
- # even though we set `RELEASE_DISTRIBUTION=none` so the cookie should be unused.
- # Thus, make a random one, which should then be ignored.
- export RELEASE_COOKIE=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 20)
- export ADMIN_USER_PWD="$(< $CREDENTIALS_DIRECTORY/ADMIN_USER_PWD )"
- export SECRET_KEY_BASE="$(< $CREDENTIALS_DIRECTORY/SECRET_KEY_BASE )"
+ # systemd.services.plausible.script =
+ # let cfg = config.services.plausible; in lib.mkForce ''
+ # # Elixir does not start up if `RELEASE_COOKIE` is not set,
+ # # even though we set `RELEASE_DISTRIBUTION=none` so the cookie should be unused.
+ # # Thus, make a random one, which should then be ignored.
+ # export RELEASE_COOKIE=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 20)
+ # export ADMIN_USER_PWD="$(< $CREDENTIALS_DIRECTORY/ADMIN_USER_PWD )"
+ # export SECRET_KEY_BASE="$(< $CREDENTIALS_DIRECTORY/SECRET_KEY_BASE )"
- ${lib.optionalString (
- cfg.mail.smtp.passwordFile != null
- ) ''export SMTP_USER_PWD="$(< $CREDENTIALS_DIRECTORY/SMTP_USER_PWD )"''}
+ # ${lib.optionalString (
+ # cfg.mail.smtp.passwordFile != null
+ # ) ''export SMTP_USER_PWD="$(< $CREDENTIALS_DIRECTORY/SMTP_USER_PWD )"''}
- echo setup
- ${lib.optionalString cfg.database.postgres.setup ''
- # setup
- ${cfg.package}/createdb.sh
- ''}
+ # echo setup
+ # ${lib.optionalString cfg.database.postgres.setup ''
+ # # setup
+ # ${cfg.package}/createdb.sh
+ # ''}
- echo migrate
- ${cfg.package}/migrate.sh
- export IP_GEOLOCATION_DB=${pkgs.dbip-country-lite}/share/dbip/dbip-country-lite.mmdb
- # ${cfg.package}/bin/plausible eval "(Plausible.Release.prepare() ; Plausible.Auth.create_user(\"$ADMIN_USER_NAME\", \"$ADMIN_USER_EMAIL\", \"$ADMIN_USER_PWD\"))"
- ${lib.optionalString cfg.adminUser.activate ''
- psql -d plausible <<< "UPDATE users SET email_verified=true where email = '$ADMIN_USER_EMAIL';"
- ''}
+ # echo migrate
+ # ${cfg.package}/migrate.sh
+ # export IP_GEOLOCATION_DB=${pkgs.dbip-country-lite}/share/dbip/dbip-country-lite.mmdb
+ # # ${cfg.package}/bin/plausible eval "(Plausible.Release.prepare() ; Plausible.Auth.create_user(\"$ADMIN_USER_NAME\", \"$ADMIN_USER_EMAIL\", \"$ADMIN_USER_PWD\"))"
- echo start
- exec plausible start
+ # echo start
+ # exec plausible start
- '';
+ # '';
 services.plausible = {
 enable = true;
 package = pkgs.unstable.plausible;
 # releaseCookiePath = config.age.secrets.plausibleSecretKeybase.path;
- adminUser = {
- # activate is used to skip the email verification of the admin-user that's
- # automatically created by plausible. This is only supported if
- # postgresql is configured by the module. This is done by default, but
- # can be turned off with services.plausible.database.postgres.setup.
- activate = true;
- email = "plausible@xyno.space";
- passwordFile = config.age.secrets.plausibleAdminPw.path;
- };
+ # adminUser = {
+ # # activate is used to skip the email verification of the admin-user that's
+ # # automatically created by plausible. This is only supported if
+ # # postgresql is configured by the module. This is done by default, but
+ # # can be turned off with services.plausible.database.postgres.setup.
+ # activate = true;
+ # email = "plausible@xyno.space";
+ # passwordFile = config.age.secrets.plausibleAdminPw.path;
+ # };
 server = {
 baseUrl = "https://${domain}";
diff --git a/hosts/picard/xynospace-matrix.nix b/hosts/picard/xynospace-matrix.nix
index 1577037e..cc5b671b 100644
--- a/hosts/picard/xynospace-matrix.nix
+++ b/hosts/picard/xynospace-matrix.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib,inputs, ... }:
 let
 fqdn = "matrix.xyno.space";
 serverName = "xyno.space";
@@ -62,7 +62,12 @@ in
 containers.xynospace-matrix = let ms = config.age.secrets.matrixSecrets.path; unst = pkgs.unstable; in {
 config = { config, pkgs, ... }: {
 nixpkgs.overlays = [(self: super: {
- matrix-synapse-unwrapped = unst.matrix-synapse-unwrapped;
+ matrix-synapse-unwrapped = super.matrix-synapse-unwrapped.overrideAttrs (super: self: {
+ src = inputs.synapse;
+ # cargoHash = "sha256-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=";
+
+
+ });
 })];
 system.stateVersion = stateVer;
 networking.firewall.allowedTCPPorts = [ 8008 ];
diff --git a/nixos-modules/services/bitwarden.nix b/nixos-modules/services/bitwarden.nix
index 65c1774e..87442824 100644
--- a/nixos-modules/services/bitwarden.nix
+++ b/nixos-modules/services/bitwarden.nix
@@ -7,7 +7,7 @@ in
 options.ragon.services.bitwarden.domain = lib.mkOption {
 type = lib.types.str;
- default = "bw.ragon.xyz";
+ default = "bw.xyno.systems";
 };
 config = lib.mkIf cfg.enable {
 services.vaultwarden = {
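Review bot: The plausible.nix hunk leaves roughly thirty lines of commented-out `systemd.services.plausible.script` and `adminUser` configuration with no explanation of why they were disabled; if the reason is that the `services.plausible` module in nixos-25.05 (the channel this commit moves to in flake.nix) no longer accepts them, say so in one line and delete the block, since git history keeps the old text and dead config tends to be resurrected untested. With the pre-created, pre-verified admin account gone, who can claim the instance now depends on the registration policy, so confirm `services.plausible.server.disableRegistration` (outside this hunk) matches the intent. The enclosing attribute set starts before and ends after the hunk.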
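Review bot: `lib,inputs` in the -1 hunk of xynospace-matrix.nix is missing the space after the comma, unlike the other argument lists in the file (`{ config, pkgs, ... }` in the -62 hunk). Write it as `{ config, pkgs, lib, inputs, ... }:`.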
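Review bot: Overriding only `src` in the `matrix-synapse-unwrapped` overlay of the -62 hunk leaves the package's `cargoDeps` (the vendored Rust dependencies) computed from the nixpkgs version's Cargo.lock, unless the package derives it from the final `src`, so any Rust dependency change in the pinned commit makes the build fail on a lockfile mismatch; the commented-out `cargoHash` line suggests this was already hit. Re-vendor against the new source with `rustPlatform.fetchCargoVendor` and fill the hash from the mismatch error, as sketched below. The override's arguments are also named `super: self:` while `overrideAttrs` passes the final attrs first and the previous attrs second, so the names are swapped; neither is used, but `finalAttrs: prevAttrs:` avoids misleading the next reader. Since `version` still reports the nixpkgs value, a comment naming the upstream release the pinned commit corresponds to would help when checking for security updates.
```nix
nixpkgs.overlays = [(self: super: {
  matrix-synapse-unwrapped = super.matrix-synapse-unwrapped.overrideAttrs (finalAttrs: prevAttrs: {
    src = inputs.synapse;
    # cargoDeps is not recomputed when src is overridden; re-vendor for the new Cargo.lock
    cargoDeps = super.rustPlatform.fetchCargoVendor {
      src = inputs.synapse;
      hash = "<FILL-IN: hash reported by the failing build>";
    };
  });
})];
```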
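Review bot: Changing the default of `ragon.services.bitwarden.domain` in the bitwarden.nix hunk moves the vault to a new origin; if this option feeds Vaultwarden's domain setting (the `services.vaultwarden = {` block begins on the hunk's last line, so this is inferred), WebAuthn and passkey credentials registered under `bw.ragon.xyz` are origin-bound and will stop working until users re-enrol them. A comment on the option such as `# origin-bound: changing this invalidates WebAuthn credentials registered under the old domain` would save the next person the surprise.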
diff --git a/nixos-modules/services/caddy/custom-caddy.nix b/nixos-modules/services/caddy/custom-caddy.nix
index 4c92e8b1..6b5d0ef2 100644
--- a/nixos-modules/services/caddy/custom-caddy.nix
+++ b/nixos-modules/services/caddy/custom-caddy.nix
@@ -37,7 +37,7 @@ caddy.override {
 cp -r --reflink=auto . $out
 '';
- outputHash = "sha256-ZNimtuxtSz1mRZ9V0h/0jAyvwGb+OvfZSzHRaySTEWU=";
+ outputHash = "sha256-r4+WK8UhGLAuIvdV6uiH2bMh/SjTfY4CzKcpHU0Gu5s=";
 outputHashMode = "recursive";
 };
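Review bot: Only `outputHash` changes here, and nothing in the hunk shows why the contents of this fixed-output derivation moved; its inputs (the plugin list and the Go module downloads behind `cp -r --reflink=auto . $out`) are above the hunk, so this is inferred. A hash-only bump means the fetched artifact now differs from what was previously pinned, which is exactly the event a supply-chain review wants explained. Record next to `outputHash` what changed, e.g. `# bumped: <plugin or toolchain that changed>`, and if the plugin versions feeding this derivation are not pinned, pin them so the hash is reproducible rather than a snapshot of whatever resolved that day.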