From 7fe499ee1ff7ecd88b4ecfc96b200ed2704468a7 Mon Sep 17 00:00:00 2001 From: Soispha Date: Thu, 27 Jul 2023 09:45:30 +0200 Subject: Feat(system/services/matrix/bridges): Add mautrix-whatsapp bridge --- system/impermanence/mods/matrix.nix | 6 + .../services/matrix/bridges/mautrix-whatsapp.nix | 149 +++++++++++++++++++++ system/services/matrix/default.nix | 27 ++++ 3 files changed, 182 insertions(+) create mode 100644 system/services/matrix/bridges/mautrix-whatsapp.nix diff --git a/system/impermanence/mods/matrix.nix b/system/impermanence/mods/matrix.nix index 7f02609..3af6530 100644 --- a/system/impermanence/mods/matrix.nix +++ b/system/impermanence/mods/matrix.nix @@ -6,6 +6,12 @@ group = "matrix-synapse"; mode = "0700"; } + { + directory = "/var/lib/mautrix-whatsapp"; + user = "mautrix-whatsapp"; + group = "matrix-synapse"; + mode = "0750"; + } ]; systemd.tmpfiles.rules = [ "d /etc/matrix 0755 matrix-synapse matrix-synapse" diff --git a/system/services/matrix/bridges/mautrix-whatsapp.nix b/system/services/matrix/bridges/mautrix-whatsapp.nix new file mode 100644 index 0000000..1c68af9 --- /dev/null +++ b/system/services/matrix/bridges/mautrix-whatsapp.nix 
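Review bot: The persisted `/var/lib/mautrix-whatsapp` entry uses `group = "matrix-synapse"` and `mode = "0750"` without saying why, even though the bridge user's own primary group in the new module is `mautrix-whatsapp`; the reason is that synapse has to read `whatsapp-registration.yaml`, which the bridge writes into this directory (chmod 640) and hands to synapse via `app_service_config_files`. A comment such as `# group matrix-synapse: synapse reads the appservice registration file from this directory` would keep a later cleanup from "correcting" the group and silently breaking the bridge. The group-readable bit also covers the sqlite database and the logs that the module defaults place in the same directory, which is worth stating in the same comment.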
@@ -0,0 +1,149 @@ +# TAKEN FROM: https://raw.githubusercontent.com/Vskilet/nixpkgs/mautrix-whatsapp2/nixos/modules/services/matrix/mautrix-whatsapp.nix +{ + lib, + config, + pkgs, + ... +}: +with lib; let + cfg = config.services.mautrix-whatsapp; + dataDir = "/var/lib/mautrix-whatsapp"; + settingsFormat = pkgs.formats.json {}; + + registrationFile = "${dataDir}/whatsapp-registration.yaml"; + settingsFile = settingsFormat.generate "config.json" cfg.settings; + + startupScript = '' + ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token + | .[0].appservice.hs_token = .[1].hs_token + | .[0]' ${settingsFile} ${registrationFile} \ + > ${dataDir}/config.yml + + ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ + --config='${dataDir}/config.yml' \ + --registration='${registrationFile}' + ''; +in { + options.services.mautrix-whatsapp = { + enable = mkEnableOption "Mautrix-whatsapp, a puppeting bridge between Matrix and WhatsApp."; + + settings = mkOption rec { + apply = recursiveUpdate default; + inherit (settingsFormat) type; + + description = lib.mdDoc '' + {file}`config.yaml` configuration as a Nix attribute set. + Configuration options should match those described in + [example-config.yaml](https://github.com/mautrix/whatsapp/blob/master/example-config.yaml). 
+ ''; + default = { + homeserver = { + domain = config.services.matrix-synapse.settings.server_name; + }; + appservice = { + address = "http://localhost:29318"; + hostname = "0.0.0.0"; + port = 29318; + database = { + type = "sqlite3"; + uri = "${dataDir}/mautrix-whatsapp.db"; + }; + id = "whatsapp"; + bot = { + username = "whatsappbot"; + displayname = "WhatsApp Bot"; + }; + as_token = ""; + hs_token = ""; + }; + bridge = { + username_template = "whatsapp_{{.}}"; + displayname_template = "{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}"; + command_prefix = "!wa"; + permissions."*" = "relay"; + }; + relay = { + enabled = true; + management = "!whatsappbot:${toString config.services.matrix-synapse.settings.server_name}"; + }; + logging = { + directory = "${dataDir}/logs"; + file_name_format = "{{.Date}}-{{.Index}}.log"; + file_date_format = "2006-01-02"; + file_mode = 0384; + timestamp_format = "Jan _2, 2006 15:04:05"; + print_level = "info"; + }; + }; + example = { + settings = { + homeserver.address = "https://matrix.myhomeserver.org"; + bridge.permissions = { + "@admin:myhomeserver.org" = "admin"; + }; + }; + }; + }; + + serviceDependencies = mkOption { + type = with types; listOf str; + default = optional config.services.matrix-synapse.enable "matrix-synapse.service"; + defaultText = literalExpression '' + optional config.services.matrix-synapse.enable "matrix-synapse.service" + ''; + description = lib.mdDoc '' + List of Systemd services to require and wait for when starting the application service. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.mautrix-whatsapp = { + description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix"; + + wantedBy = ["multi-user.target"]; + wants = ["network-online.target"] ++ cfg.serviceDependencies; + after = ["network-online.target"] ++ cfg.serviceDependencies; + + preStart = '' + # generate the appservice's registration file if absent + if [ ! 
-f '${registrationFile}' ]; then + ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ + --generate-registration \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + fi + chmod 640 ${registrationFile} + ''; + + script = startupScript; + + serviceConfig = { + Type = "simple"; + #DynamicUser = true; + PrivateTmp = true; + StateDirectory = baseNameOf dataDir; + WorkingDirectory = "${dataDir}"; + + ProtectSystem = "strict"; + ProtectHome = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + User = "mautrix-whatsapp"; + Group = "matrix-synapse"; + SupplementaryGroups = "matrix-synapse"; + UMask = 0027; + Restart = "always"; + }; + }; + + users.groups.mautrix-whatsapp = {}; + users.users.mautrix-whatsapp = { + isSystemUser = true; + group = "mautrix-whatsapp"; + home = dataDir; + }; + services.matrix-synapse.settings.app_service_config_files = ["${registrationFile}"]; + }; +} diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix index 62345a7..5fe9e9b 100644 --- a/system/services/matrix/default.nix +++ b/system/services/matrix/default.nix @@ -12,6 +12,10 @@ return 200 '${builtins.toJSON data}'; ''; in { + imports = [ + ./bridges/mautrix-whatsapp.nix + ]; + networking.firewall.allowedTCPPorts = [80 443]; services.postgresql.enable = true; 
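Review bot: The default `appservice.hostname = "0.0.0.0"` binds the appservice HTTP port on every interface although synapse only reaches it through `address = "http://localhost:29318"`; `hostname = "127.0.0.1"` keeps the port off other interfaces (the host firewall in default.nix only opens 80/443, so this mainly limits exposure to other local processes, but it costs nothing). Separately, `UMask = 0027` and `file_mode = 0384` look octal but Nix has no octal literals, so they evaluate to 27 and 384; systemd re-parses "27" as octal 027 and mautrix takes 384 as decimal (0600), so both happen to work but deserve a comment like `# Nix ints are decimal: systemd parses UMask "27" as octal, 384 == 0o600`. `settingsFile` is generated into the world-readable Nix store, and only `as_token`/`hs_token` are merged in at runtime from the registration file, so the option description should warn that any other credential put into `settings` (e.g. a database password in `uri`) becomes world-readable. The `example` also nests a `settings` attribute inside what is already the example for `settings`; it should start at `homeserver.address`.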
@@ -52,6 +56,29 @@ in { }; }; + services.mautrix-whatsapp = { + enable = true; + settings = { + appservice = { + database = { + type = "postgres"; + uri = "postgres:///dbname?host=/var/run/postgresql"; + }; + whatsapp = { + # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list. + # This also determints the whatsapp icon + browser_name = "unknown"; + }; + }; + homeserver.address = "https://matrix.vhack.eu"; + bridge.permissions = { + "@soispha:vhack.eu" = "admin"; + "@sils:vhack.eu" = "admin"; + "@nightingale:vhack.eu" = "admin"; + }; + }; + }; + services.matrix-synapse = { enable = true; dataDir = "/var/lib/matrix"; -- cgit 1.4.1 From 595ab5cfd8bf28c41dfe1bc3ae043c1e407e6d4e Mon Sep 17 00:00:00 2001 From: Soispha Date: Thu, 27 Jul 2023 10:05:04 +0200 Subject: Fix(system/impermanence): Keycloak was actually postgresql --- system/impermanence/default.nix | 2 +- system/impermanence/mods/keycloak.nix | 5 ----- system/impermanence/mods/postgresql.nix | 5 +++++ 3 files changed, 6 insertions(+), 6 deletions(-) delete mode 100644 system/impermanence/mods/keycloak.nix create mode 100644 system/impermanence/mods/postgresql.nix diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix index 0595078..b60eb4c 100644 --- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -2,12 +2,12 @@ # TODO: Only activate them if their module is also active imports = [ ./mods/acme.nix - ./mods/keycloak.nix ./mods/mail.nix ./mods/matrix.nix ./mods/minecraft.nix ./mods/nix-sync.nix ./mods/openssh.nix + ./mods/postgresql.nix ./mods/users.nix ]; diff --git a/system/impermanence/mods/keycloak.nix b/system/impermanence/mods/keycloak.nix deleted file mode 100644 index 63b02f5..0000000 --- a/system/impermanence/mods/keycloak.nix +++ /dev/null @@ -1,5 +0,0 @@ -{...}: { - environment.persistence."/srv".directories = [ - "/var/lib/postgresql" - ]; -} 
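Review bot: `whatsapp.browser_name` is placed inside `appservice`, but in the upstream mautrix-whatsapp example config `whatsapp` is presumably a top-level section next to `appservice`/`bridge`, so this key would be written into config.yml and ignored; check the generated `/var/lib/mautrix-whatsapp/config.yml` and move the block up one level if so. The comment above it also carries a typo (`determints`). Because the module applies `recursiveUpdate default`, the module's `permissions."*" = "relay"` stays in effect underneath these three admin entries; if that is intended a short comment saying so would help.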
diff --git a/system/impermanence/mods/postgresql.nix b/system/impermanence/mods/postgresql.nix
new file mode 100644
index 0000000..63b02f5
--- /dev/null
+++ b/system/impermanence/mods/postgresql.nix
@@ -0,0 +1,5 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ "/var/lib/postgresql"
+ ];
+}
--
cgit 1.4.1
From 30c0434571c975892dc09a65aaa8f3fd066017a9 Mon Sep 17 00:00:00 2001
From: Soispha
Date: Thu, 27 Jul 2023 10:05:20 +0200
Subject: Fix(system/services/matrix/bridges/m-wa): Correct postgresql uri
---
 system/services/matrix/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix
index 5fe9e9b..b0219ef 100644
--- a/system/services/matrix/default.nix
+++ b/system/services/matrix/default.nix
@@ -62,7 +62,7 @@ in {
 appservice = {
 database = {
 type = "postgres";
- uri = "postgres:///dbname?host=/var/run/postgresql";
+ uri = "postgres:///matrix-synapse?host=/run/postgresql";
 };
 whatsapp = {
 # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list.
--
cgit 1.4.1
From 911c3a166b08e2a6a4864980fa197b04cba83fa7 Mon Sep 17 00:00:00 2001
From: Soispha
Date: Thu, 27 Jul 2023 10:12:00 +0200
Subject: Fix(system/services/matrix/bridges/m-wa): Use own database
---
 system/services/matrix/default.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix
index b0219ef..ed3b567 100644
--- a/system/services/matrix/default.nix
+++ b/system/services/matrix/default.nix
@@ -20,11 +20,19 @@ in { services.postgresql.enable = true; services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' + --Matrix: CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; + + --Whatsapp-bridge: + CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; + CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; ''; services.nginx = { @@ -62,7 +70,7 @@ in { appservice = { database = { type = "postgres"; - uri = "postgres:///matrix-synapse?host=/run/postgresql"; + uri = "postgres:///mautrix-whatsapp?host=/run/postgresql"; }; whatsapp = { # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list. -- cgit 1.4.1 From 620d4790f027bc65d18248d14cd0e179e731c248 Mon Sep 17 00:00:00 2001 From: Soispha Date: Thu, 27 Jul 2023 10:26:41 +0200 Subject: chore(version): v0.5.0 --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 41fb768..8cba530 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,17 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.5.0 - 2023-07-27 +#### Bug Fixes +- **(system/impermanence)** Keycloak was actually postgresql - (595ab5c) - Soispha +- **(system/mail)** Add User - (8423cea) - sils +- **(system/services/matrix/bridges/m-wa)** Use own database - (911c3a1) - Soispha +- **(system/services/matrix/bridges/m-wa)** Correct postgresql uri - (30c0434) - Soispha +#### Features +- **(system/services/matrix/bridges)** Add mautrix-whatsapp bridge - (7fe499e) - Soispha + +- - - + ## v0.4.1 - 2023-07-25 #### Bug Fixes - **(system/services/mail)** Add new user - (e03e490) - sils -- cgit 1.4.1 
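Review bot: `CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';` places a live database credential in a `pkgs.writeText` output, i.e. the world-readable Nix store, while the bridge's `uri` in the second hunk connects over the `/run/postgresql` socket, where peer authentication (the NixOS default for local connections) never consults the password; creating the role with `WITH LOGIN` only, or via `services.postgresql.ensureUsers`/`ensureDatabases`, removes the credential without losing anything. The same observation applies to the pre-existing `'synapse'` password shown as context. Also, `initialScript` only runs when the cluster is first initialised, and `/var/lib/postgresql` is persisted by the impermanence module added two commits earlier, so on the already-running server this role and database are presumably never created by this change; `ensureDatabases`/`ensureUsers` are re-applied on every start and would avoid that. The enclosing `let` block starts outside the hunk.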
From fe5da037e82d3344d4fec5d4c1bf0d9286237ac0 Mon Sep 17 00:00:00 2001 From: sils Date: Fri, 28 Jul 2023 11:43:19 +0200 Subject: Fix(system/services/mail): Update mail users --- system/services/mail/users.nix | Bin 716 -> 954 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix index 60f41a9..9bc6749 100644 Binary files a/system/services/mail/users.nix and b/system/services/mail/users.nix differ -- cgit 1.4.1 From 4c48873ace5e953db8681d8b7732b780934a9e8a Mon Sep 17 00:00:00 2001 From: sils Date: Fri, 28 Jul 2023 11:47:26 +0200 Subject: chore(version): v0.5.1 --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8cba530..602f6db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,12 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.5.1 - 2023-07-28 +#### Bug Fixes +- **(system/services/mail)** Update mail users - (fe5da03) - sils + +- - - + ## v0.5.0 - 2023-07-27 #### Bug Fixes - **(system/impermanence)** Keycloak was actually postgresql - (595ab5c) - Soispha -- cgit 1.4.1 From 2b766df421b359b2d2cd10c32f3fa04611b22999 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 28 Jul 2023 17:57:10 +0200 Subject: Refactor(system/services/nginx): Reduce encrypted stuff to a minimum --- system/services/nginx/default.nix | 40 ++++++++++++++++++++++++++++++++++---- system/services/nginx/hosts.nix | Bin 976 -> 298 bytes 2 files changed, 36 insertions(+), 4 deletions(-) diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix index 404c167..8544475 100644 --- a/system/services/nginx/default.nix +++ b/system/services/nginx/default.nix 
@@ -1,7 +1,33 @@
-{...}: {
- imports = [
- ./hosts.nix
- ];
+{...}: let
+ domains = import ./hosts.nix {};
+ mkVirtHost = {
+ domain,
+ root,
+ url,
+ }: {
+ name = "${domain}";
+ value = {
+ forceSSL = true;
+ enableACME = true;
+ root = "${root}";
+ };
+ };
+
+ mkNixSyncRepository = {
+ domain,
+ root,
+ url,
+ }: {
+ name = "${domain}";
+ value = {
+ path = "${root}";
+ uri = "${url}";
+ };
+ };
+
+ virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains);
+ nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains);
+in {
 security.acme = {
 acceptTerms = true;
 defaults = {
@@ -15,5 +41,11 @@
 };
 services.nginx = {
 enable = true;
+ virtualHosts = virtHosts;
+ };
+
+ services.nix-sync = {
+ enable = true;
+ repositories = nixSyncRepositories;
 };
 }
diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix
index 1590756..b209b69 100644
Binary files a/system/services/nginx/hosts.nix and b/system/services/nginx/hosts.nix differ
--
cgit 1.4.1
From a3eed534642ac3bd367ce16925d5d8ebd182fecf Mon Sep 17 00:00:00 2001
From: Soispha
Date: Fri, 28 Jul 2023 18:07:28 +0200
Subject: Feat(system/services/mail/users): Add mailusers
---
 system/services/mail/users.nix | Bin 954 -> 1136 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix
index 9bc6749..0b8952a 100644
Binary files a/system/services/mail/users.nix and b/system/services/mail/users.nix differ
--
cgit 1.4.1
From 8350b2ebe1f8da0a54c13a2b1c6e50fc77f2367d Mon Sep 17 00:00:00 2001
From: Soispha
Date: Fri, 28 Jul 2023 18:13:31 +0200
Subject: Fix(treewide): Use correct function argument specification
---
 system/services/mail/users.nix | Bin 1136 -> 1138 bytes
 system/services/nginx/hosts.nix | Bin 298 -> 300 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)
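Review bot: `name = "${domain}"`, `root = "${root}"`, `path = "${root}"` and `uri = "${url}"` wrap values that must already be strings in an interpolation that adds nothing; `name = domain;` and friends read better and fail earlier on a wrong type. `mkVirtHost` also binds `url` without using it, so `{ domain, root, ... }:` would state that the remaining attributes are deliberately ignored. Since `hosts.nix` is an encrypted file whose contents a reader cannot inspect, a comment on `domains = import ./hosts.nix {};` describing the expected shape, `# list of { domain, root, url } records; root is served by nginx and kept in sync from url by nix-sync`, would make this module self-contained.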
diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix index 0b8952a..a30d547 100644 Binary files a/system/services/mail/users.nix and b/system/services/mail/users.nix differ diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix index b209b69..3abd841 100644 Binary files a/system/services/nginx/hosts.nix and b/system/services/nginx/hosts.nix differ -- cgit 1.4.1 From 6808ac4dbe19a04d56d4a381ef9ff9d205e47b0e Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 28 Jul 2023 22:28:01 +0200 Subject: chore(version): v0.6.0 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 602f6db..6aeb4a2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.6.0 - 2023-07-28 +#### Bug Fixes +- **(treewide)** Use correct function argument specification - (8350b2e) - Soispha +#### Features +- **(system/services/mail/users)** Add mailusers - (a3eed53) - Soispha +#### Refactoring +- **(system/services/nginx)** Reduce encrypted stuff to a minimum - (2b766df) - Soispha + +- - - + ## v0.5.1 - 2023-07-28 #### Bug Fixes - **(system/services/mail)** Update mail users - (fe5da03) - sils -- cgit 1.4.1 From 81bf11240f8a254fe311c72d96adbcacb12d124b Mon Sep 17 00:00:00 2001 From: Soispha Date: Mon, 31 Jul 2023 18:16:29 +0200 Subject: Feat(system/services/nginx/hosts): Add another domain --- system/services/nginx/hosts.nix | Bin 300 -> 454 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix index 3abd841..550c28f 100644 Binary files a/system/services/nginx/hosts.nix and b/system/services/nginx/hosts.nix differ -- cgit 1.4.1 From 18aa0c5687d9b047b06ad00132d6881bce1a74a0 Mon Sep 17 00:00:00 2001 
From: Soispha Date: Mon, 31 Jul 2023 23:03:06 +0200 Subject: Fix(system/services/nix-sync): Make the timer relative to the unit start The timer before hand started `repo.interval` after it self was started, i.e., it was a oneshot timer. This change now fixes this by make the point the timer activates relative to the time elapsed, since the associated unit was last started. --- system/services/nix-sync/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix index 44348c0..482c268 100644 --- a/system/services/nix-sync/default.nix +++ b/system/services/nix-sync/default.nix @@ -10,7 +10,7 @@ description = "Nix sync ${name} timer"; wantedBy = ["timers.target"]; timerConfig = { - OnActiveSec = repo.interval; + OnUnitActiveSec = repo.interval; }; after = ["network-online.target"]; }; -- cgit 1.4.1 From 8d9ef95d74fe58302b7fff945162beb01c3e6d33 Mon Sep 17 00:00:00 2001 From: Soispha Date: Tue, 1 Aug 2023 23:58:16 +0200 Subject: Fix(system/services/nix-sync): Rebase on pulls, to allow for force pushes As the nix-sync service should _never_ commit new stuff, this rebase should always be a fast-forward, i.e. it works without manual intervention. Without the rebase as argument, this services would break, when the history gets rewritten, for example on a amended commit. --- system/services/nix-sync/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix index 482c268..cedbb91 100644 --- a/system/services/nix-sync/default.nix +++ b/system/services/nix-sync/default.nix @@ -37,7 +37,7 @@ branch="$(git rev-parse @)"; if ! [ "$origin" = "$branch" ]; then - git pull; + git pull --rebase; out_paths=$(mktemp); nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths"; 
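Review bot: With `OnUnitActiveSec` as the only trigger the timer does not fire until the associated service has been activated at least once by something else, because that setting is measured from the unit's last activation; after a reboot the sync would presumably never start on its own. Keeping a one-shot trigger next to it, `OnActiveSec = repo.interval;` together with `OnUnitActiveSec = repo.interval;` (or `OnBootSec`), yields a first run after one interval and periodic runs thereafter. The surrounding timer definition starts and ends outside the hunk.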
@@ -66,7 +66,7 @@ if ! [ -L ${esa repo.path} ]; then cd ${esa repoCachePath}; - git pull; + git pull --rebase; out_paths=$(mktemp); nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths"; -- cgit 1.4.1 From dfb847a3c9d3bdd73aa187e590c239f3531f5e07 Mon Sep 17 00:00:00 2001 From: Soispha Date: Mon, 31 Jul 2023 18:27:09 +0200 Subject: Fix(system/services/nix-sync): Remove timeout on build The unit had the potential to fail, if the build took longer than the default timeout. This is obviously not ideal, so the timeout was removed, as all nix builds should be safe enough not to devour resources. --- system/services/nix-sync/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix index cedbb91..8c466b8 100644 --- a/system/services/nix-sync/default.nix +++ b/system/services/nix-sync/default.nix @@ -88,6 +88,7 @@ preStart = execStartPreScript; serviceConfig = { + TimeoutSec = 0; ExecStart = execStartScript; Restart = "on-abort"; # User and group -- cgit 1.4.1 From 7e153ea52c61dbcf4005277fe1b6bf1c0a6e1406 Mon Sep 17 00:00:00 2001 From: Soispha Date: Wed, 2 Aug 2023 16:18:18 +0200 Subject: Build(flake): Update --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index bc45c24..ae7cc7f 100644 --- a/flake.lock +++ b/flake.lock @@ -96,11 +96,11 @@ ] }, "locked": { - "lastModified": 1690278259, - "narHash": "sha256-0Ujy0ZD1Yg5+QDaEnk4TeYhIZ6AckRORrXLGsAEhFKE=", + "lastModified": 1690739034, + "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=", "owner": "nix-community", "repo": "disko", - "rev": "5b19fb2e74df312751cecbf0f668217eb59d9170", + "rev": "4015740375676402a2ee6adebc3c30ea625b9a94", "type": "github" }, "original": { 
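Review bot: `TimeoutSec = 0;` disables both the start and the stop timeout, so a `git pull` stuck on an unreachable remote or a `nix build` that never finishes keeps the unit active indefinitely, and with `Restart = "on-abort"` plus a timer keyed to unit activation nothing presumably recovers it without manual intervention. A generous but finite bound addresses the commit's concern while keeping a ceiling, e.g. `TimeoutStartSec = "2h";`, leaving the stop timeout at its default; the exact setting depends on the service `Type`, which lies outside the hunk.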
@@ -168,11 +168,11 @@ }, "impermanence": { "locked": { - "lastModified": 1684264534, - "narHash": "sha256-K0zr+ry3FwIo3rN2U/VWAkCJSgBslBisvfRIPwMbuCQ=", + "lastModified": 1690797372, + "narHash": "sha256-GImz19e33SeVcIvBB7NnhbJSbTpFFmNtWLh7Z85Y188=", "owner": "nix-community", "repo": "impermanence", - "rev": "89253fb1518063556edd5e54509c30ac3089d5e6", + "rev": "e3a7acd113903269a1b5c8b527e84ce7ee859851", "type": "github" }, "original": { @@ -183,11 +183,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690231403, - "narHash": "sha256-R9IcQpnzarV34znupG9Bq3PCRamswvZW0BMXLqkh5cw=", + "lastModified": 1690934545, + "narHash": "sha256-8Kl8YtcjnvyIAlHMWQWGtk+B89ZQIjBmceAZXlrRYLU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0108b255ea1ea0e230a664f375c8bde1644bcc18", + "rev": "146e8f5424579d5b0680fa4957ee99814361a9d8", "type": "github" }, "original": { @@ -284,11 +284,11 @@ ] }, "locked": { - "lastModified": 1690252178, - "narHash": "sha256-9oEz822bvbHobfCUjJLDor2BqW3I5tycIauzDlzOALY=", + "lastModified": 1690942540, + "narHash": "sha256-eafSSO3Y+/TFuy+CHKyolYfGvC33IAWNx4W2NA7LfZM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "8d64353ca827002fb8459e44d49116c78d868eba", + "rev": "aa3994f054038262df55122dfa552b9eab71a994", "type": "github" }, "original": { -- cgit 1.4.1 From 1256cabb7981cfed4bf02c70940c4553edc557a6 Mon Sep 17 00:00:00 2001 From: Soispha Date: Wed, 2 Aug 2023 14:19:21 +0200 Subject: Feat(system/services/snapper): Add --- system/services/default.nix | 1 + system/services/snapper/default.nix | 41 +++++++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 system/services/snapper/default.nix diff --git a/system/services/default.nix b/system/services/default.nix index 7bf26c3..8f5540f 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -10,5 +10,6 @@ ./nix-sync ./openssh ./rust-motd + ./snapper ]; } 
diff --git a/system/services/snapper/default.nix b/system/services/snapper/default.nix
new file mode 100644
index 0000000..cdebf8d
--- /dev/null
+++ b/system/services/snapper/default.nix
@@ -0,0 +1,41 @@
+{...}: {
+ services.snapper = {
+ configs = {
+ srv = {
+ SUBVOLUME = "/srv";
+ FSTYPE = "btrfs";
+ # users and groups allowed to work with config
+ ALLOW_GROUPS = ["wheel"];
+
+ # sync users and groups from ALLOW_USERS and ALLOW_GROUPS to .snapshots
+ # directory
+ SYNC_ACL = true;
+
+ # run daily number cleanup
+ NUMBER_CLEANUP = false;
+
+ # limit for number cleanup
+ NUMBER_MIN_AGE = 1800;
+ NUMBER_LIMIT = 50;
+ NUMBER_LIMIT_IMPORTANT = 10;
+
+ # create hourly snapshots
+ TIMELINE_CREATE = true;
+
+ # cleanup hourly snapshots after some time
+ TIMELINE_CLEANUP = true;
+
+ # limits for timeline cleanup
+ TIMELINE_MIN_AGE = 1800;
+ TIMELINE_LIMIT_HOURLY = 7;
+ TIMELINE_LIMIT_DAILY = 3;
+ TIMELINE_LIMIT_WEEKLY = 2;
+ TIMELINE_LIMIT_MONTHLY = 2;
+ TIMELINE_LIMIT_YEARLY = 2;
+
+ # cleanup empty pre-post-pairs
+ EMPTY_PRE_POST_CLEANUP = true;
+ };
+ };
+ };
+}
--
cgit 1.4.1
From 6e2578eae0de92e83a8136a956a452e77e786f67 Mon Sep 17 00:00:00 2001
From: sils
Date: Fri, 4 Aug 2023 14:32:57 +0200
Subject: Feat(system/users): Add nixremote
This user is intended to be used for remote-builds
---
 system/users/default.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/system/users/default.nix b/system/users/default.nix
index 822c94b..7578126 100644
--- a/system/users/default.nix
+++ b/system/users/default.nix
@@ -48,6 +48,20 @@
 openssh.authorizedKeys.keys = [
 ];
 };
+ nixremote = {
+ name = "nixremote";
+ isSystemUser = true;
+ createHome = true;
+ home = "/home/nixremote";
+ uid = 1003;
+ group = "nixremote";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 root@thinklappi"
+ ];
+ };
+ };
+ groups.nixremote = {
+ gid = 1004;
 };
 };
 }
--
cgit 1.4.1
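Review bot: The comment `# run daily number cleanup` sits directly above `NUMBER_CLEANUP = false;`, so it states the opposite of what is configured; either the value or the comment should change, e.g. `# number cleanup disabled: only the timeline cleanup below prunes snapshots`. With it disabled the three `NUMBER_*` limits beneath are dead configuration, which the same comment should say so a reader does not wonder whether they apply.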
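Review bot: The `nixremote` account gets an SSH key, a home directory and a fixed `uid = 1003`, but nothing in the hunk limits what a login with that key can do, although the commit message says the account exists only as a remote-build target. Prefixing the authorized key with `restrict,command="nix-store --serve --write"` confines the session to the build protocol (confirm the exact command against the builder log), and a comment noting that the user must also be listed in `nix.settings.trusted-users` if the client pushes unsigned store paths would save the next debugging round. The `uid = 1003` / `gid = 1004` mismatch deserves a comment if it is deliberate. The enclosing `users` attribute set starts outside the hunk.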
From e3264768163d603b1d6e28023b5f74239690f035 Mon Sep 17 00:00:00 2001 From: sils Date: Fri, 4 Aug 2023 14:40:28 +0200 Subject: Fix(system/users): declare nixremote as normal user --- system/users/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/users/default.nix b/system/users/default.nix index 7578126..06020a6 100644 --- a/system/users/default.nix +++ b/system/users/default.nix @@ -50,7 +50,7 @@ }; nixremote = { name = "nixremote"; - isSystemUser = true; + isNormalUser = true; createHome = true; home = "/home/nixremote"; uid = 1003; -- cgit 1.4.1 From c6e4151849662e3a4769a2d58c8d81e57d04e32d Mon Sep 17 00:00:00 2001 From: sils Date: Fri, 4 Aug 2023 14:57:41 +0200 Subject: chore(version): v0.7.0 --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6aeb4a2..cc864f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,20 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.7.0 - 2023-08-04 +#### Bug Fixes +- **(system/services/nix-sync)** Remove timeout on build - (dfb847a) - Soispha +- **(system/services/nix-sync)** Rebase on pulls, to allow for force pushes - (8d9ef95) - Soispha +- **(system/services/nix-sync)** Make the timer relative to the unit start - (18aa0c5) - Soispha +- **(system/users)** declare nixremote as normal user - (e326476) - sils +#### Build system +- **(flake)** Update - (7e153ea) - Soispha +#### Features +- **(system/services/nginx/hosts)** Add another domain - (81bf112) - Soispha +- **(system/users)** Add nixremote - (6e2578e) - sils + +- - - + ## v0.6.0 - 2023-07-28 #### Bug Fixes - **(treewide)** Use correct function argument specification - (8350b2e) - Soispha -- cgit 1.4.1 From e1f0250d5c333f583faaf41fb8bc25931c897e38 Mon Sep 17 00:00:00 2001 
From: sils Date: Mon, 24 Jul 2023 13:42:13 +0200 Subject: Refactor(system/secrets/secrets.nix): Remove redundant secretlist --- system/secrets/secrets.nix | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix index 2fd4132..11c0655 100644 --- a/system/secrets/secrets.nix +++ b/system/secrets/secrets.nix @@ -3,15 +3,13 @@ let sils = "age1vuhaey7kd9l76y6f9weeqmde3s4kjw38869ju6u3027yece2r3rqssjxst"; server1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnqsfIZjelH7rcvFvnLR5zUZuC8thsBupBlvjcMRBUm"; -in { - "keycloak/passwd.tix".publicKeys = [ - soispha - sils - server1 - ]; - "matrix-synapse/passwd.tix".publicKeys = [ + + allSecrets = [ soispha sils server1 ]; +in { + "keycloak/passwd.tix".publicKeys = allSecrets; + "matrix-synapse/passwd.tix".publicKeys = allSecrets; } -- cgit 1.4.1 From 317575461a640ddc601751741bc6da92a3edb867 Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 7 Aug 2023 12:40:14 +0200 Subject: Feat(system): Add invidious --- system/secrets/default.nix | 12 ++++++++++++ system/secrets/invidious/passwd.tix | 16 ++++++++++++++++ system/secrets/invidious/settings.tix | 14 ++++++++++++++ system/secrets/secrets.nix | 2 ++ system/services/default.nix | 1 + system/services/invidious/default.nix | 12 ++++++++++++ 6 files changed, 57 insertions(+) create mode 100644 system/secrets/invidious/passwd.tix create mode 100644 system/secrets/invidious/settings.tix create mode 100644 system/services/invidious/default.nix diff --git a/system/secrets/default.nix b/system/secrets/default.nix index 5cd401c..515c3e7 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix 
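Review bot: `allSecrets` names a list of age recipient public keys, not secrets, so each `"…".publicKeys = allSecrets;` line reads as though secrets were assigned to secrets; `allRecipients` (or `everyone`) says what the list holds. A one-line comment above it, `# recipients able to decrypt every secret: both admins plus the server's host key`, would also record that `server1` (presumably the machine's `ssh-ed25519` host key) must stay in the list for the host to decrypt at activation time.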
@@ -13,6 +13,18 @@ owner = "matrix-synapse"; group = "matrix-synapse"; }; + invidious = { + file = ./invidious/passwd.tix; + mode = "700"; + owner = "invidious"; + group = "invidious"; + }; + invidiousSettings = { + file = ./invidious/settings.tix; + mode = "700"; + owner = "invidious"; + group = "invidious"; + }; }; }; } diff --git a/system/secrets/invidious/passwd.tix b/system/secrets/invidious/passwd.tix new file mode 100644 index 0000000..beaee32 --- /dev/null +++ b/system/secrets/invidious/passwd.tix @@ -0,0 +1,16 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeHpwZFZEWXc0cGxZZ2dV +WDkvUmVFWXE5azZ1VlREM090bWJ6elgxR3hFCmhnNkhWZWVqdmxEcUJVTnFZaGw1 +YnVOYmpYOGd5YU1EaDlmc0ZrNk0zT0EKLT4gWDI1NTE5IEwyL1ptVzJ2bUdvSW1n +TzNod1BKZHQ3YXhUMkl5ZzRiT2Y3aUt0NGw4RVUKWTF3ampTMG1DYTBYTFcwNEp6 +bkFWbGl6WEVCcVdhQnVWY0piQ1VHMzk0SQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +TnFGVkQxTndPZ1l4c2J5dzNmT1YrZ0dQYytIMmtxaTN2Y01uZFdXOThqWQo2TDkv +MUJzc3BON1JwbGN3OW44WWZ5WUxWdWU2UnpJczVYVHBsdUFmdllJCi0+IHg5YmFB +eS1ncmVhc2UgYl9hXWlgIC5fIGpLaU1wWiN4ICczCkVmOHRibWptbDBxOS9Ic1VC +L0tFQXo5Sk45TDFlQlB5bnFleUF0dFlMSmdvd2dmUlZ3Ci0tLSBIN0MvMEduQVlR +bDVTQUxvZjB2TTljdjZkbGphN1l1QnZESWNZUjZzd1dVCmCWuxwFj1FyTEFasr8X +apyuQkXs6Cvfx82qMvwE1G4SLOEulJjVp/VDcICQ8RE8BE0HJGRjG64FqdtbHY2K +tPMADqfz/jt7kbXKSwB6zOHE9VNcTrGl+mx2Ki8HUG8GElj+hE2m0cWdGijcsGVW +lo2HKPa7F/d9vBUC9sLYo8U5VrnIRhBN1s4ECfAa4vj2RSsCZePCHkJMH7qFPGuC +PZST +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/invidious/settings.tix b/system/secrets/invidious/settings.tix new file mode 100644 index 0000000..fe80a7d --- /dev/null +++ b/system/secrets/invidious/settings.tix 
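Review bot: `mode = "700"` on both new secrets grants an execute bit to plain credential files; agenix's default is `"0400"`, and a password file is only ever read by its service, so `mode = "0400"` (or `"0440"` when a group needs it) is the least-privilege form. If a three-digit value is kept anyway, the leading-zero spelling `"0700"` at least makes the octal intent obvious next to the `"0755"`-style strings used elsewhere in the tree.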
@@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNzBJNXhlcGVJWk1nZERp +QXJrSEtxY2tyY0FwZnN6ZFB6dGVxZVVsdWtjCjI5cE85ZHhoRVBqcjdZaG9BWFJK +b09GblVERUZsR2ZPaW9aU1NCc25GM00KLT4gWDI1NTE5IHZwL3YraVBBVXVFVmpR +TENiaFoxdTJhUCtWcEFkU0ptaERpbEl1aGw3M00KWUozUTZxYm4rclN6L1IrTi9k +eEF0dVlYVEVNTnZ4Y0tUU0hwV2U0bXVCSQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +QkpGQ1RkVWhNQTFyMS9qRGYrT2s2djJHMEI0eFI5R3ZMVlRsa1JoMXIwawpRVG5z +TnZWMWhQSGxlL0VnUng1N0QvbTFuNS9WZmhnK3ZnVTdoMmtsejVJCi0+IDJNPHpY +LWdyZWFzZSBdVyBYZ3s8IG8ve0ByIHlrIkZkMwo4bmJOZU5yd3loSDlURWorZ0VZ +bWF2dHdLNkQ1ZUx5STZSa3dibVRsTCtQekdKWCtYNWlOR3BVQm5MRmQ2Z085Cmkw +OGhJU2kzR21MNk1OdkpHY29Gc21rNEh6VEZKWGkyCi0tLSBSemVvc2hlSnEyYUVM +UXRPSWtrd1hEcWtVTm95dzVFU085Y09adlFwYnhFCrbJEjFMSSaKqhW2GwuRilaw +N3U8GF22F10XHXyg+8csPFOpowRdS7ZBS52leGe/ve7oiVO5SBd3v7yWXa6ZInxo +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix index 11c0655..194ed3c 100644 --- a/system/secrets/secrets.nix +++ b/system/secrets/secrets.nix @@ -12,4 +12,6 @@ let in { "keycloak/passwd.tix".publicKeys = allSecrets; "matrix-synapse/passwd.tix".publicKeys = allSecrets; + "invidious/passwd.tix".publicKeys = allSecrets; + "invidious/settings.tix".publicKeys = allSecrets; } diff --git a/system/services/default.nix b/system/services/default.nix index 8f5540f..6c2670d 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,6 +1,7 @@ {...}: { imports = [ ./fail2ban + ./invidious ./keycloak ./mail ./matrix diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix new file mode 100644 index 0000000..50a32e8 --- /dev/null +++ b/system/services/invidious/default.nix 
@@ -0,0 +1,12 @@
+{config, ...}: {
+ services.invidious = {
+ enable = true;
+ database = {
+ createLocally = true;
+ passwordFile = "${config.age.secrets.invidious.path}";
+ };
+ domain = "invidious.vhack.eu";
+ nginx.enable = true;
+ extraSettingsFile = "${config.age.secrets.invidiousSettings.path}";
+ };
+}
--
cgit 1.4.1
From 704232eab7b89ec235bdc9978eb6f35a30258060 Mon Sep 17 00:00:00 2001
From: sils
Date: Mon, 7 Aug 2023 12:47:13 +0200
Subject: Fix(system/services/invidious): Specifiy database host
---
 system/services/invidious/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 50a32e8..fd10eec 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -4,6 +4,7 @@
 database = {
 createLocally = true;
 passwordFile = "${config.age.secrets.invidious.path}";
+ host = "localhost";
 };
 domain = "invidious.vhack.eu";
 nginx.enable = true;
--
cgit 1.4.1
From 96857910fa87e996945bc3f2e5b6f4ef4a6166ea Mon Sep 17 00:00:00 2001
From: sils
Date: Mon, 7 Aug 2023 13:04:27 +0200
Subject: Fix(system): Binary substitution for debugging
---
 system/secrets/default.nix | 6 +++---
 system/services/invidious/default.nix | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 515c3e7..3b8029f 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -21,9 +21,9 @@
 };
 invidiousSettings = {
 file = ./invidious/settings.tix;
- mode = "700";
- owner = "invidious";
- group = "invidious";
+ #mode = "700";
+ #owner = "invidious";
+ #group = "invidious";
 };
 };
 };
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index fd10eec..d03dee4 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
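Review bot: `passwordFile = "${config.age.secrets.invidious.path}"` and `extraSettingsFile = "${config.age.secrets.invidiousSettings.path}"` wrap path strings in an interpolation with no effect; `passwordFile = config.age.secrets.invidious.path;` is the plain form. Because `createLocally = true` is combined with an explicit `passwordFile`, a comment stating which of the two actually supplies the database password in the generated invidious config would help — the NixOS module's `createLocally` presumably provisions the local database itself, so confirm against the module's assertions that the options do not conflict.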
@@ -3,8 +3,8 @@
 enable = true;
 database = {
 createLocally = true;
- passwordFile = "${config.age.secrets.invidious.path}";
- host = "localhost";
+ #passwordFile = "${config.age.secrets.invidious.path}";
+ #host = "localhost";
 };
 domain = "invidious.vhack.eu";
 nginx.enable = true;
-- cgit 1.4.1
From c31ce7ffd20264952f6567dd8665ca7913a59c86 Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 7 Aug 2023 13:10:43 +0200 Subject: Fix(system/secrets): make invidious settings readable for invidious
---
 system/secrets/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 3b8029f..345354c 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -21,9 +21,9 @@
 };
 invidiousSettings = {
 file = ./invidious/settings.tix;
- #mode = "700";
- #owner = "invidious";
- #group = "invidious";
+ mode = "744";
+ owner = "root";
+ group = "root";
 };
 };
 };
-- cgit 1.4.1
From 38c2bb6a2128215f01ede4102195c144f6dfc6ff Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 7 Aug 2023 13:16:31 +0200 Subject: Fix(system/secrets/invidious): Change formatting of invidiousSettings
---
 system/secrets/invidious/settings.tix | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/system/secrets/invidious/settings.tix b/system/secrets/invidious/settings.tix
index fe80a7d..1d00897 100644
--- a/system/secrets/invidious/settings.tix
+++ b/system/secrets/invidious/settings.tix
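Review bot: `mode = "744";` makes the decrypted settings secret readable by every local account, not only by the service the subject says it is for — the trailing `4` grants world read, and the `7` adds an execute bit that a JSON file never needs. If the service user cannot own the file, the narrower route is to keep it root-only (`mode = "0400"; owner = "root"; group = "root";`) and hand it to the unit with a systemd `LoadCredential=` entry, which is read as root and exposed to the service alone under `$CREDENTIALS_DIRECTORY`. The `age.secrets` attribute set that contains this entry starts and ends outside the hunk.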
@@ -1,14 +1,15 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNzBJNXhlcGVJWk1nZERp -QXJrSEtxY2tyY0FwZnN6ZFB6dGVxZVVsdWtjCjI5cE85ZHhoRVBqcjdZaG9BWFJK -b09GblVERUZsR2ZPaW9aU1NCc25GM00KLT4gWDI1NTE5IHZwL3YraVBBVXVFVmpR -TENiaFoxdTJhUCtWcEFkU0ptaERpbEl1aGw3M00KWUozUTZxYm4rclN6L1IrTi9k -eEF0dVlYVEVNTnZ4Y0tUU0hwV2U0bXVCSQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg -QkpGQ1RkVWhNQTFyMS9qRGYrT2s2djJHMEI0eFI5R3ZMVlRsa1JoMXIwawpRVG5z -TnZWMWhQSGxlL0VnUng1N0QvbTFuNS9WZmhnK3ZnVTdoMmtsejVJCi0+IDJNPHpY -LWdyZWFzZSBdVyBYZ3s8IG8ve0ByIHlrIkZkMwo4bmJOZU5yd3loSDlURWorZ0VZ -bWF2dHdLNkQ1ZUx5STZSa3dibVRsTCtQekdKWCtYNWlOR3BVQm5MRmQ2Z085Cmkw -OGhJU2kzR21MNk1OdkpHY29Gc21rNEh6VEZKWGkyCi0tLSBSemVvc2hlSnEyYUVM -UXRPSWtrd1hEcWtVTm95dzVFU085Y09adlFwYnhFCrbJEjFMSSaKqhW2GwuRilaw -N3U8GF22F10XHXyg+8csPFOpowRdS7ZBS52leGe/ve7oiVO5SBd3v7yWXa6ZInxo +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaN09yQTF6QkYzMlhYZzdT +NnpoS3Z4d1FjaWFIbjc5QS9MTmQ0UWNaOVQ0Ci9Cd0NyL3ZtdEt5d0VKVUV1dmVp +cmF3TGtOSFBTdzBEcXUxRllNSTlCam8KLT4gWDI1NTE5IG9UUy93TWM0VnlCQm5n +T2hpSUxldjV6YTFKdzBFRFQ0UHl3Rk9CWjZ2eHMKVVFqdkNReWZLT2hUeWdISUVL +aUp2RzFPZnc0K1Yrb2kwMWNGQ3FBYkVYbwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +Z211aHp4RzVUYVdMbFB1ZXFQMElaeSs2MmpBdlhIYlVOc1IxdCttRDhWNApoT2Vm +OWhVd3RzY2R4R1krVlVIQjVrYnNGT1NEVWFrVkFiVzFBOHppOFJnCi0+IERRRzNT +OFYtZ3JlYXNlIElgfkBXQGQgflN9IG0/ICQzTj4wLCUqCkZyRnN4Z2FkMGNObzBM +cXk4K1J6TUdJZXovajZKV1FMZ2Z1TjdqaENrSjJzYWpoKzNvOXhDUEt6aWdUaWVw +a2oKRU1FdDlDbjBXN3psRElWcnlhSjJDQQotLS0gYnh6QUZtSG1FSCtHWkhZNG5r +RFNrWjczLzQ0S0gxUzZPTVBhb2YwS1VVVQoMo4QpyDyp22gd0d/AcxLsxzxSP7Bv +BGVNAROHFbvNZ0hhqqXEhc819makKyDWv90wDSYQ3R3rjEyzx0jyEwl7e82ANmwZ +HQ== -----END AGE ENCRYPTED FILE----- -- cgit 1.4.1 From b6d9d9692416a9b1f566eda9a72fce5304e28220 Mon Sep 17 00:00:00 2001 
From: Soispha Date: Fri, 11 Aug 2023 09:14:05 +0200 Subject: Fix(system/services/invidious): Quote attr names in json config --- system/secrets/invidious/settings.tix | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/system/secrets/invidious/settings.tix b/system/secrets/invidious/settings.tix index 1d00897..f760fa9 100644 --- a/system/secrets/invidious/settings.tix +++ b/system/secrets/invidious/settings.tix 
@@ -1,15 +1,14 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaN09yQTF6QkYzMlhYZzdT -NnpoS3Z4d1FjaWFIbjc5QS9MTmQ0UWNaOVQ0Ci9Cd0NyL3ZtdEt5d0VKVUV1dmVp -cmF3TGtOSFBTdzBEcXUxRllNSTlCam8KLT4gWDI1NTE5IG9UUy93TWM0VnlCQm5n -T2hpSUxldjV6YTFKdzBFRFQ0UHl3Rk9CWjZ2eHMKVVFqdkNReWZLT2hUeWdISUVL -aUp2RzFPZnc0K1Yrb2kwMWNGQ3FBYkVYbwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg -Z211aHp4RzVUYVdMbFB1ZXFQMElaeSs2MmpBdlhIYlVOc1IxdCttRDhWNApoT2Vm -OWhVd3RzY2R4R1krVlVIQjVrYnNGT1NEVWFrVkFiVzFBOHppOFJnCi0+IERRRzNT -OFYtZ3JlYXNlIElgfkBXQGQgflN9IG0/ICQzTj4wLCUqCkZyRnN4Z2FkMGNObzBM -cXk4K1J6TUdJZXovajZKV1FMZ2Z1TjdqaENrSjJzYWpoKzNvOXhDUEt6aWdUaWVw -a2oKRU1FdDlDbjBXN3psRElWcnlhSjJDQQotLS0gYnh6QUZtSG1FSCtHWkhZNG5r -RFNrWjczLzQ0S0gxUzZPTVBhb2YwS1VVVQoMo4QpyDyp22gd0d/AcxLsxzxSP7Bv -BGVNAROHFbvNZ0hhqqXEhc819makKyDWv90wDSYQ3R3rjEyzx0jyEwl7e82ANmwZ -HQ== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZGJGNzVGUWhsVTJFUGds +dFZmVnRnY1NrVTZBWEt2eFp1YU4yM0xoOUgwClZZNDNFQlp2aEx1eHVqbE5ZU29t +dVpMcStrMXd5WEFOaDJUVlVuUnJ4YkkKLT4gWDI1NTE5IEZSTVFhdk83RGRNWWdZ +bmQyd0FNTWhrUUxSRjVOQjAvWSsyU1Z4OWFvVUUKdkIraVRtRW5mUnZFbVRkcDBw +ME5NTDVkRUo1b0d1Z2xERWZnS0tMLzFhYwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +d09jY1doam1nc3B3MEVqN0grM3JWZzFwMW5WU2ZYdGh0TUZnM0VVdzJBSQppL3Qv +T0VDOTc1U3gyaTB6YVV4dDhEVU1OMzdlMnV2dC9zMVl1VkdkRmlBCi0+IGc/SEJa +aDZoLWdyZWFzZSBKPW1xOFRaIE9DUCBdfl1HXVUKL0I4MTJZT1ljOXE3cUtTR0Fv +S3E2UHcvYWxhUlU5QkdXVWZyUjU0SlcveG9GcjZZV242QXVwaDBQTjN0VldBCi0t +LSB6S0E2SWtmaXBnRkI5aFNIOU9VWkdhOHQrQ0x0MzJ3TC9aNkpJSTY5eDkwClOc +N6wSpWFX87Vbr+J8Sxn9O6uRbYAyNDmiJk5mDqYaqy/+PRPTx0gbmqRz911sW5Zx +aBKfDzSPjNx0CSKKL7ioTYlRrW0YyQ== -----END AGE ENCRYPTED FILE----- -- cgit 1.4.1 From 320cc252c1e59de8fed8993b3a527839bc0963a6 Mon Sep 17 00:00:00 2001 
From: Soispha Date: Fri, 11 Aug 2023 09:28:16 +0200 Subject: Refactor(system/secrets/invidious): Remove unneeded files and improve names
---
 system/secrets/default.nix | 10 ++-------- system/secrets/invidious/hmac.tix | 14 ++++++++++++++ system/secrets/invidious/passwd.tix | 16 ---------------- system/secrets/invidious/settings.tix | 14 -------------- system/services/invidious/default.nix | 4 +--- 5 files changed, 17 insertions(+), 41 deletions(-) create mode 100644 system/secrets/invidious/hmac.tix delete mode 100644 system/secrets/invidious/passwd.tix delete mode 100644 system/secrets/invidious/settings.tix
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 345354c..2269672 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -13,15 +13,9 @@
 owner = "matrix-synapse";
 group = "matrix-synapse";
 };
- invidious = {
- file = ./invidious/passwd.tix;
+ invidiousHmac = {
+ file = ./invidious/hmac.tix;
 mode = "700";
- owner = "invidious";
- group = "invidious";
- };
- invidiousSettings = {
- file = ./invidious/settings.tix;
- mode = "744";
 owner = "root";
 group = "root";
 };
diff --git a/system/secrets/invidious/hmac.tix b/system/secrets/invidious/hmac.tix
new file mode 100644
index 0000000..f760fa9
--- /dev/null
+++ b/system/secrets/invidious/hmac.tix
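Review bot: The context line `mode = "700";` that `invidiousHmac` inherits keeps an execute bit on a file that is only ever read; `mode = "0400";` states the intent (root-only read) and the four-digit form makes the absent setuid/setgid/sticky bits explicit. With `owner = "root"` this entry is only usable by the service through a root-side hand-off such as `LoadCredential=`, so the comment `# consumed via LoadCredential, keep root-only` next to it would tell the next reader why the service user does not own it. The `age.secrets` set enclosing this entry starts and ends outside the hunk.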
@@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZGJGNzVGUWhsVTJFUGds +dFZmVnRnY1NrVTZBWEt2eFp1YU4yM0xoOUgwClZZNDNFQlp2aEx1eHVqbE5ZU29t +dVpMcStrMXd5WEFOaDJUVlVuUnJ4YkkKLT4gWDI1NTE5IEZSTVFhdk83RGRNWWdZ +bmQyd0FNTWhrUUxSRjVOQjAvWSsyU1Z4OWFvVUUKdkIraVRtRW5mUnZFbVRkcDBw +ME5NTDVkRUo1b0d1Z2xERWZnS0tMLzFhYwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +d09jY1doam1nc3B3MEVqN0grM3JWZzFwMW5WU2ZYdGh0TUZnM0VVdzJBSQppL3Qv +T0VDOTc1U3gyaTB6YVV4dDhEVU1OMzdlMnV2dC9zMVl1VkdkRmlBCi0+IGc/SEJa +aDZoLWdyZWFzZSBKPW1xOFRaIE9DUCBdfl1HXVUKL0I4MTJZT1ljOXE3cUtTR0Fv +S3E2UHcvYWxhUlU5QkdXVWZyUjU0SlcveG9GcjZZV242QXVwaDBQTjN0VldBCi0t +LSB6S0E2SWtmaXBnRkI5aFNIOU9VWkdhOHQrQ0x0MzJ3TC9aNkpJSTY5eDkwClOc +N6wSpWFX87Vbr+J8Sxn9O6uRbYAyNDmiJk5mDqYaqy/+PRPTx0gbmqRz911sW5Zx +aBKfDzSPjNx0CSKKL7ioTYlRrW0YyQ== +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/invidious/passwd.tix b/system/secrets/invidious/passwd.tix deleted file mode 100644 index beaee32..0000000 --- a/system/secrets/invidious/passwd.tix +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeHpwZFZEWXc0cGxZZ2dV -WDkvUmVFWXE5azZ1VlREM090bWJ6elgxR3hFCmhnNkhWZWVqdmxEcUJVTnFZaGw1 -YnVOYmpYOGd5YU1EaDlmc0ZrNk0zT0EKLT4gWDI1NTE5IEwyL1ptVzJ2bUdvSW1n -TzNod1BKZHQ3YXhUMkl5ZzRiT2Y3aUt0NGw4RVUKWTF3ampTMG1DYTBYTFcwNEp6 -bkFWbGl6WEVCcVdhQnVWY0piQ1VHMzk0SQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg -TnFGVkQxTndPZ1l4c2J5dzNmT1YrZ0dQYytIMmtxaTN2Y01uZFdXOThqWQo2TDkv -MUJzc3BON1JwbGN3OW44WWZ5WUxWdWU2UnpJczVYVHBsdUFmdllJCi0+IHg5YmFB -eS1ncmVhc2UgYl9hXWlgIC5fIGpLaU1wWiN4ICczCkVmOHRibWptbDBxOS9Ic1VC -L0tFQXo5Sk45TDFlQlB5bnFleUF0dFlMSmdvd2dmUlZ3Ci0tLSBIN0MvMEduQVlR -bDVTQUxvZjB2TTljdjZkbGphN1l1QnZESWNZUjZzd1dVCmCWuxwFj1FyTEFasr8X -apyuQkXs6Cvfx82qMvwE1G4SLOEulJjVp/VDcICQ8RE8BE0HJGRjG64FqdtbHY2K -tPMADqfz/jt7kbXKSwB6zOHE9VNcTrGl+mx2Ki8HUG8GElj+hE2m0cWdGijcsGVW -lo2HKPa7F/d9vBUC9sLYo8U5VrnIRhBN1s4ECfAa4vj2RSsCZePCHkJMH7qFPGuC -PZST ------END AGE ENCRYPTED FILE----- 
diff --git a/system/secrets/invidious/settings.tix b/system/secrets/invidious/settings.tix deleted file mode 100644 index f760fa9..0000000 --- a/system/secrets/invidious/settings.tix +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZGJGNzVGUWhsVTJFUGds -dFZmVnRnY1NrVTZBWEt2eFp1YU4yM0xoOUgwClZZNDNFQlp2aEx1eHVqbE5ZU29t -dVpMcStrMXd5WEFOaDJUVlVuUnJ4YkkKLT4gWDI1NTE5IEZSTVFhdk83RGRNWWdZ -bmQyd0FNTWhrUUxSRjVOQjAvWSsyU1Z4OWFvVUUKdkIraVRtRW5mUnZFbVRkcDBw -ME5NTDVkRUo1b0d1Z2xERWZnS0tMLzFhYwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg -d09jY1doam1nc3B3MEVqN0grM3JWZzFwMW5WU2ZYdGh0TUZnM0VVdzJBSQppL3Qv -T0VDOTc1U3gyaTB6YVV4dDhEVU1OMzdlMnV2dC9zMVl1VkdkRmlBCi0+IGc/SEJa -aDZoLWdyZWFzZSBKPW1xOFRaIE9DUCBdfl1HXVUKL0I4MTJZT1ljOXE3cUtTR0Fv -S3E2UHcvYWxhUlU5QkdXVWZyUjU0SlcveG9GcjZZV242QXVwaDBQTjN0VldBCi0t -LSB6S0E2SWtmaXBnRkI5aFNIOU9VWkdhOHQrQ0x0MzJ3TC9aNkpJSTY5eDkwClOc -N6wSpWFX87Vbr+J8Sxn9O6uRbYAyNDmiJk5mDqYaqy/+PRPTx0gbmqRz911sW5Zx -aBKfDzSPjNx0CSKKL7ioTYlRrW0YyQ== ------END AGE ENCRYPTED FILE----- diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix index d03dee4..7a37f50 100644 --- a/system/services/invidious/default.nix +++ b/system/services/invidious/default.nix @@ -3,11 +3,9 @@ enable = true; database = { createLocally = true; - #passwordFile = "${config.age.secrets.invidious.path}"; - #host = "localhost"; }; domain = "invidious.vhack.eu"; nginx.enable = true; - extraSettingsFile = "${config.age.secrets.invidiousSettings.path}"; + extraSettingsFile = "${config.age.secrets.invidiousHmac.path}"; }; } -- cgit 1.4.1 From b39d8005c6315ceb9e3e6068a854a21dfa80ab97 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 09:43:50 +0200 Subject: Fix(system/services/invidious): Check tables on startup --- system/services/invidious/default.nix | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 7a37f50..17ba0c1 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -7,5 +7,9 @@
 domain = "invidious.vhack.eu";
 nginx.enable = true;
 extraSettingsFile = "${config.age.secrets.invidiousHmac.path}";
+
+ settings = {
+ check_tables = true;
+ };
 };
 }
-- cgit 1.4.1
From c525e36a3dd0345e3ef04b9e2669264b4ec7daa2 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 09:54:23 +0200 Subject: Fix(system/services/invidious): Set correct access permissions on hmac
---
 system/services/invidious/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 17ba0c1..8b69c2e 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -6,10 +6,13 @@
 };
 domain = "invidious.vhack.eu";
 nginx.enable = true;
- extraSettingsFile = "${config.age.secrets.invidiousHmac.path}";
+ extraSettingsFile = "$CREDENTIALS_DIRECTORY/hmac";

 settings = {
 check_tables = true;
 };
 };
+ systemd.services.invidious.serviceConfig = {
+ LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
+ };
 }
-- cgit 1.4.1
From 542bb5d7b8e3dfe22826fe0af3272b8b2a8b925a Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 10:31:46 +0200 Subject: Fix(system/service/invidious): Copy their script, to remove shell escape The default ExecStart implementation in the module, escapes all stings. This does not work for us because we need to use the `$CREDENTIALS_DIR` environment variable, for the credentials deployed in den `LoadCredential` option
---
 system/services/invidious/default.nix | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 8b69c2e..f51fc3d 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -1,4 +1,11 @@
-{config, ...}: {
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.invidious;
+in {
 services.invidious = {
 enable = true;
 database = {
@@ -14,5 +21,25 @@
 };
 systemd.services.invidious.serviceConfig = {
 LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
+
+ script = let
+ # taken from the invidious module
+ settingsFormat = pkgs.formats.json {};
+ settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;
+
+ jqFilter =
+ "."
+ + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\""
+ + " | .[0]"
+ + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]";
+
+ # don't escape extraSettingsFile, to allow variable substitution
+ jqFiles =
+ settingsFile
+ + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
+ in ''
+ export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
+ exec ${cfg.package}/bin/invidious
+ '';
 };
 }
-- cgit 1.4.1
From df87e1dfd15cbd229ad3a7df3ded7544aadee75a Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 10:37:43 +0200 Subject: Fix(system/services/invidious): Force the new script option to be applied
---
 system/services/invidious/default.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index f51fc3d..e9ac768 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -22,7 +22,7 @@ in {
 systemd.services.invidious.serviceConfig = {
 LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";

- script = let
+ ExecStart = let
 # taken from the invidious module
 settingsFormat = pkgs.formats.json {};
 settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;
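Review bot: In `jqFilter`, the `db.password` branch splices the password into the jq program text through nested shell quoting (`\"'\"'\"$(cat …)\"'\"'\"`), so a password containing a double quote or a backslash corrupts the filter instead of being set verbatim; now that the script is maintained here rather than in the upstream module, the value can be passed as data instead, e.g. `jq -s --rawfile pw ${lib.escapeShellArg cfg.database.passwordFile} '.[0].db.password = ($pw | rtrimstr("\n")) | .[0] * .[1]'`, keeping the two `optionalString` guards. That branch is dormant in this file while `cfg.database.host` stays unset (the explicit `host` was dropped in 320cc25 and the module default is presumably null), so this is hardening for when it is re-enabled. The `# taken from the invidious module` comment should also record the nixpkgs revision it was copied from, since this copy will no longer follow upstream fixes automatically. The `serviceConfig` set enclosing this `script` binding continues outside the hunk.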
@@ -37,9 +37,10 @@ in {
 jqFiles =
 settingsFile
 + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
- in ''
- export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
- exec ${cfg.package}/bin/invidious
- '';
+ in
+ lib.mkForce (pkgs.writeScript "start-invidious" ''
+ export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
+ exec ${cfg.package}/bin/invidious
+ '');
 };
 }
-- cgit 1.4.1
From 08eb7736c7e1897885e9e28a09bbc3510e572f8f Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 18:05:17 +0200 Subject: Fix(system/services/invidious): Add interpreter to start script
---
 system/services/invidious/default.nix | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index e9ac768..a1d202c 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -39,6 +39,8 @@ in {
 + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
 in
 lib.mkForce (pkgs.writeScript "start-invidious" ''
+ #! ${pkgs.dash}/bin/dash
+
 export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
 exec ${cfg.package}/bin/invidious
 '');
-- cgit 1.4.1
From 503e9e2154b4b905201f3a47cffa54c3c25c7318 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 18:15:01 +0200 Subject: chore(version): v0.8.0
---
 system/services/invidious/CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 system/services/invidious/CHANGELOG.md
diff --git a/system/services/invidious/CHANGELOG.md b/system/services/invidious/CHANGELOG.md
new file mode 100644
index 0000000..66fa2bf
--- /dev/null
+++ b/system/services/invidious/CHANGELOG.md
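Review bot: The start script runs without `set -e`, and even with it a failing `jq` inside `export INVIDIOUS_CONFIG="$(…)"` would go unnoticed, because that line's exit status is `export`'s own (0) rather than the command substitution's; a missing `$CREDENTIALS_DIRECTORY/hmac` or an unreadable settings file therefore execs invidious with an empty `INVIDIOUS_CONFIG`, and the failure only surfaces later as an application error. After the new shebang add `set -eu`, then assign and export on separate lines — `INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"` followed by `export INVIDIOUS_CONFIG` — so a jq error stops the unit with jq's own message. The `let` that defines `jqFilter` and `jqFiles` starts outside the hunk.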
@@ -0,0 +1,11 @@ +# Changelog +All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. + +- - - +## v0.8.0 - 2023-08-11 +#### Features +- **(system/services/snapper)** Add - (1256cab) - Soispha + +- - - + +Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto). \ No newline at end of file -- cgit 1.4.1 From d9ac400a323f3e0e2461f6e1a15f03f980c38d6e Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 18:15:01 +0200 Subject: chore(version): v0.8.0 --- CHANGELOG.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cc864f2..b7aa2f1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ # Changelog All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. +- - - +## v0.8.0 - 2023-08-11 +#### Features +- **(system/services/snapper)** Add - (1256cab) - Soispha + - - - ## v0.7.0 - 2023-08-04 #### Bug Fixes @@ -263,4 +268,4 @@ All notable changes to this project will be documented in this file. See [conven - - - -Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto). \ No newline at end of file +Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto). -- cgit 1.4.1 From 03ce680b953b826098808ff3c0157da1186827e2 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 18:15:01 +0200 Subject: chore(version): v0.8.0 --- system/services/invidious/CHANGELOG.md | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 system/services/invidious/CHANGELOG.md diff --git a/system/services/invidious/CHANGELOG.md b/system/services/invidious/CHANGELOG.md deleted file mode 100644 index 66fa2bf..0000000 --- a/system/services/invidious/CHANGELOG.md +++ /dev/null 
@@ -1,11 +0,0 @@ -# Changelog -All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - -- - - -## v0.8.0 - 2023-08-11 -#### Features -- **(system/services/snapper)** Add - (1256cab) - Soispha - -- - - - -Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto). \ No newline at end of file
-- cgit 1.4.1
From 95b7f9d6b0e44ca4699e2dbb8c5fee940d82de42 Mon Sep 17 00:00:00 2001 From: sils Date: Sun, 13 Aug 2023 12:44:21 +0200 Subject: Fix(system/secrets): Tell (r)agenix new location of invidious hmac secret
---
 system/secrets/secrets.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix
index 194ed3c..9fa9cc5 100644
--- a/system/secrets/secrets.nix
+++ b/system/secrets/secrets.nix
@@ -12,6 +12,6 @@ let
 in {
 "keycloak/passwd.tix".publicKeys = allSecrets;
 "matrix-synapse/passwd.tix".publicKeys = allSecrets;
- "invidious/passwd.tix".publicKeys = allSecrets;
+ "invidious/hmac.tix".publicKeys = allSecrets;
 "invidious/settings.tix".publicKeys = allSecrets;
 }
-- cgit 1.4.1
From 74e2c16b138c1bfe581cf9e033e06de7674f592e Mon Sep 17 00:00:00 2001 From: sils Date: Sun, 13 Aug 2023 12:46:30 +0200 Subject: chore(version): v0.9.0
---
 system/secrets/CHANGELOG.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 system/secrets/CHANGELOG.md
diff --git a/system/secrets/CHANGELOG.md b/system/secrets/CHANGELOG.md
new file mode 100644
index 0000000..cef729c
--- /dev/null
+++ b/system/secrets/CHANGELOG.md
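Review bot: The context line `"invidious/settings.tix".publicKeys = allSecrets;` is now stale: that file was deleted in 320cc25 when the secret became `hmac.tix` (the entry this hunk adds), so the key list still declares a secret that no longer exists and a rekey over the whole set will presumably trip over the missing file; drop that line in the same fix. The `let` binding of `allSecrets` starts outside the hunk.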
@@ -0,0 +1,30 @@ +# Changelog +All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. + +- - - +## v0.9.0 - 2023-08-13 +#### Bug Fixes +- **(system)** Binary substitution for debugging - (9685791) - sils +- **(system/secrets)** Tell (r)agenix new location of invidious hmac secret - (95b7f9d) - sils +- **(system/secrets)** make invidious settings readable for invidious - (c31ce7f) - sils +- **(system/secrets/invidious)** Change formatting of invidiousSettings - (38c2bb6) - sils +- **(system/service/invidious)** Copy their script, to remove shell escape - (542bb5d) - Soispha +- **(system/services/invidious)** Add interpreter to start script - (08eb773) - Soispha +- **(system/services/invidious)** Force the new script option to be applied - (df87e1d) - Soispha +- **(system/services/invidious)** Set correct access permissions on hmac - (c525e36) - Soispha +- **(system/services/invidious)** Check tables on startup - (b39d800) - Soispha +- **(system/services/invidious)** Quote attr names in json config - (b6d9d96) - Soispha +- **(system/services/invidious)** Specifiy database host - (704232e) - sils +#### Features +- **(system)** Add invidious - (3175754) - sils +#### Miscellaneous Chores +- **(Merge)** Branch 'invidious' - (e33c36f) - Soispha +- **(version)** v0.8.0 - (03ce680) - Soispha +- **(version)** v0.8.0 - (d9ac400) - Soispha +#### Refactoring +- **(system/secrets/invidious)** Remove unneeded files and improve names - (320cc25) - Soispha +- **(system/secrets/secrets.nix)** Remove redundant secretlist - (e1f0250) - sils + +- - - + +Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto). \ No newline at end of file -- cgit 1.4.1 From 46dfce2014a089d07910b7293289d2d3cb100246 Mon Sep 17 00:00:00 2001 
From: Soispha Date: Fri, 18 Aug 2023 14:05:14 +0200 Subject: Build(flake): Update --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index ae7cc7f..2e93263 100644 --- a/flake.lock +++ b/flake.lock @@ -54,11 +54,11 @@ ] }, "locked": { - "lastModified": 1688772518, - "narHash": "sha256-ol7gZxwvgLnxNSZwFTDJJ49xVY5teaSvF7lzlo3YQfM=", + "lastModified": 1691803597, + "narHash": "sha256-khWW1Owzselq5o816Lb7x624d6QGnv+kpronK3ndkr4=", "owner": "ipetkov", "repo": "crane", - "rev": "8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e", + "rev": "7809d369710abb17767b624f9e72b500373580bc", "type": "github" }, "original": { @@ -96,11 +96,11 @@ ] }, "locked": { - "lastModified": 1690739034, - "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=", + "lastModified": 1692199161, + "narHash": "sha256-GqKApvQ1JCf5DzH/Q+P4nwuHb6MaQGaWTu41lYzveF4=", "owner": "nix-community", "repo": "disko", - "rev": "4015740375676402a2ee6adebc3c30ea625b9a94", + "rev": "4eed2457b053c4bbad7d90d2b3a1d539c2c9009c", "type": "github" }, "original": { @@ -183,11 +183,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690934545, - "narHash": "sha256-8Kl8YtcjnvyIAlHMWQWGtk+B89ZQIjBmceAZXlrRYLU=", + "lastModified": 1692339729, + "narHash": "sha256-TUK76/Pqm9qIDjEGd27Lz9EiBIvn5F70JWDmEQ4Y5DQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "146e8f5424579d5b0680fa4957ee99814361a9d8", + "rev": "ae521bd4e460b076a455dca8b13f4151489a725c", "type": "github" }, "original": { @@ -284,11 +284,11 @@ ] }, "locked": { - "lastModified": 1690942540, - "narHash": "sha256-eafSSO3Y+/TFuy+CHKyolYfGvC33IAWNx4W2NA7LfZM=", + "lastModified": 1692324578, + "narHash": "sha256-wlZd4e98ElxbWCr6oRHE/Fv+LMD3+7UYMe8SpHB04MA=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "aa3994f054038262df55122dfa552b9eab71a994", + "rev": "8fba680620f7be7e6c63a45aeeafed612d00eb7b", "type": "github" }, "original": { -- cgit 1.4.1 
From 7428d690a6df382444c15683377e105456f72cab Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 18 Aug 2023 14:12:24 +0200 Subject: Feat(system/services/libreddit): Init
---
 system/services/default.nix | 1 + system/services/libreddit/default.nix | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 system/services/libreddit/default.nix
diff --git a/system/services/default.nix b/system/services/default.nix
index 6c2670d..9163588 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -3,6 +3,7 @@
 ./fail2ban
 ./invidious
 ./keycloak
+ ./libreddit
 ./mail
 ./matrix
 ./minecraft
diff --git a/system/services/libreddit/default.nix b/system/services/libreddit/default.nix
new file mode 100644
index 0000000..e52507f
--- /dev/null
+++ b/system/services/libreddit/default.nix
@@ -0,0 +1,7 @@
+{...}: {
+ services.libreddit = {
+ enable = true;
+ address = "libreddit.vhack.eu";
+ openFirewall = true;
+ };
+}
-- cgit 1.4.1
From 097d566da1b3fe4092d8daa38034cf9b4c64556f Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 18 Aug 2023 14:19:12 +0200 Subject: Fix(system/services/libreddit): Actually proxy services via nginx
---
 system/services/libreddit/default.nix | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/system/services/libreddit/default.nix b/system/services/libreddit/default.nix
index e52507f..581445c 100644
--- a/system/services/libreddit/default.nix
+++ b/system/services/libreddit/default.nix
@@ -1,7 +1,23 @@
-{...}: {
+{
+ config,
+ lib,
+ ...
+}: let
+ domain = "libreddit.vhack.eu";
+in {
 services.libreddit = {
 enable = true;
- address = "libreddit.vhack.eu";
+ address = "127.0.0.1";
 openFirewall = true;
 };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts.${domain} = {
+ locations."/".proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}";
+
+ enableACME = lib.mkDefault true;
+ forceSSL = lib.mkDefault true;
+ };
+ };
 }
-- cgit 1.4.1
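Review bot: `locations."/".proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}";` hard-codes the loopback address a second time instead of reading it from the `address` option set a few lines above, so the bind address and the upstream nginx proxies to can drift apart silently; `locations."/".proxyPass = "http://${config.services.libreddit.address}:${toString config.services.libreddit.port}";` keeps them in step the same way `port` already is. The hunk covers the whole file.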
From f0a98522ac1d46c40d7337d34cd73b115512127d Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 18 Aug 2023 14:33:14 +0200 Subject: Fix(system/services/libreddit): Don't open firewall
---
 system/services/libreddit/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system/services/libreddit/default.nix b/system/services/libreddit/default.nix
index 581445c..e4ab893 100644
--- a/system/services/libreddit/default.nix
+++ b/system/services/libreddit/default.nix
@@ -8,7 +8,7 @@ in {
 services.libreddit = {
 enable = true;
 address = "127.0.0.1";
- openFirewall = true;
+ openFirewall = false;
 };

 services.nginx = {
-- cgit 1.4.1
From 112606a305a832f73bdbae9dd500294e0e426521 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 18 Aug 2023 20:36:19 +0200 Subject: Chore(Changelog): Delete branch specific changelogs
---
 CHANGELOG.md | 24 ++++++++++++++++++++++++ system/secrets/CHANGELOG.md | 30 ------------------------------ 2 files changed, 24 insertions(+), 30 deletions(-) delete mode 100644 system/secrets/CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b7aa2f1..08448d6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,30 @@ # Changelog All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. +- - - +## v0.9.0 - 2023-08-13 +#### Bug Fixes +- **(system)** Binary substitution for debugging - (9685791) - sils +- **(system/secrets)** Tell (r)agenix new location of invidious hmac secret - (95b7f9d) - sils +- **(system/secrets)** make invidious settings readable for invidious - (c31ce7f) - sils +- **(system/secrets/invidious)** Change formatting of invidiousSettings - (38c2bb6) - sils +- **(system/service/invidious)** Copy their script, to remove shell escape - (542bb5d) - Soispha +- **(system/services/invidious)** Add interpreter to start script - (08eb773) - Soispha +- **(system/services/invidious)** Force the new script option to be applied - (df87e1d) - Soispha +- **(system/services/invidious)** Set correct access permissions on hmac - (c525e36) - Soispha +- **(system/services/invidious)** Check tables on startup - (b39d800) - Soispha +- **(system/services/invidious)** Quote attr names in json config - (b6d9d96) - Soispha +- **(system/services/invidious)** Specifiy database host - (704232e) - sils +#### Features +- **(system)** Add invidious - (3175754) - sils +#### Miscellaneous Chores +- **(Merge)** Branch 'invidious' - (e33c36f) - Soispha +- **(version)** v0.8.0 - (03ce680) - Soispha +- **(version)** v0.8.0 - (d9ac400) - Soispha +#### Refactoring +- **(system/secrets/invidious)** Remove unneeded files and improve names - (320cc25) - Soispha +- **(system/secrets/secrets.nix)** Remove redundant secretlist - (e1f0250) - sils + - - - ## v0.8.0 - 2023-08-11 #### Features diff --git a/system/secrets/CHANGELOG.md b/system/secrets/CHANGELOG.md deleted file mode 100644 index cef729c..0000000 --- a/system/secrets/CHANGELOG.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# Changelog -All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - -- - - -## v0.9.0 - 2023-08-13 -#### Bug Fixes -- **(system)** Binary substitution for debugging - (9685791) - sils -- **(system/secrets)** Tell (r)agenix new location of invidious hmac secret - (95b7f9d) - sils -- **(system/secrets)** make invidious settings readable for invidious - (c31ce7f) - sils -- **(system/secrets/invidious)** Change formatting of invidiousSettings - (38c2bb6) - sils -- **(system/service/invidious)** Copy their script, to remove shell escape - (542bb5d) - Soispha -- **(system/services/invidious)** Add interpreter to start script - (08eb773) - Soispha -- **(system/services/invidious)** Force the new script option to be applied - (df87e1d) - Soispha -- **(system/services/invidious)** Set correct access permissions on hmac - (c525e36) - Soispha -- **(system/services/invidious)** Check tables on startup - (b39d800) - Soispha -- **(system/services/invidious)** Quote attr names in json config - (b6d9d96) - Soispha -- **(system/services/invidious)** Specifiy database host - (704232e) - sils -#### Features -- **(system)** Add invidious - (3175754) - sils -#### Miscellaneous Chores -- **(Merge)** Branch 'invidious' - (e33c36f) - Soispha -- **(version)** v0.8.0 - (03ce680) - Soispha -- **(version)** v0.8.0 - (d9ac400) - Soispha -#### Refactoring -- **(system/secrets/invidious)** Remove unneeded files and improve names - (320cc25) - Soispha -- **(system/secrets/secrets.nix)** Remove redundant secretlist - (e1f0250) - sils - -- - - - -Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto). \ No newline at end of file -- cgit 1.4.1 From 153a3dba6b1e61d32ffd041ea571ee2b1ed6d4ff Mon Sep 17 00:00:00 2001 
From: Soispha Date: Fri, 18 Aug 2023 20:37:09 +0200 Subject: chore(version): v0.9.0 --- CHANGELOG.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 08448d6..0c2c077 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,38 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.9.0 - 2023-08-18 +#### Bug Fixes +- **(system)** Binary substitution for debugging - (9685791) - sils +- **(system/secrets)** Tell (r)agenix new location of invidious hmac secret - (95b7f9d) - sils +- **(system/secrets)** make invidious settings readable for invidious - (c31ce7f) - sils +- **(system/secrets/invidious)** Change formatting of invidiousSettings - (38c2bb6) - sils +- **(system/service/invidious)** Copy their script, to remove shell escape - (542bb5d) - Soispha +- **(system/services/invidious)** Add interpreter to start script - (08eb773) - Soispha +- **(system/services/invidious)** Force the new script option to be applied - (df87e1d) - Soispha +- **(system/services/invidious)** Set correct access permissions on hmac - (c525e36) - Soispha +- **(system/services/invidious)** Check tables on startup - (b39d800) - Soispha +- **(system/services/invidious)** Quote attr names in json config - (b6d9d96) - Soispha +- **(system/services/invidious)** Specifiy database host - (704232e) - sils +- **(system/services/libreddit)** Don't open firewall - (f0a9852) - Soispha +- **(system/services/libreddit)** Actually proxy services via nginx - (097d566) - Soispha +#### Build system +- **(flake)** Update - (46dfce2) - Soispha +#### Features +- **(system)** Add invidious - (3175754) - sils +- **(system/services/libreddit)** Init - (7428d69) - Soispha +#### Miscellaneous Chores +- **(Changelog)** Delete branch specific changelogs - (112606a) - Soispha +- **(Merge)** Branch 'invidious' - (e33c36f) - Soispha +- **(version)** v0.9.0 - (74e2c16) - sils +- **(version)** v0.8.0 - (03ce680) - Soispha +- **(version)** v0.8.0 - (d9ac400) - Soispha +#### Refactoring +- **(system/secrets/invidious)** Remove unneeded files and improve names - (320cc25) - Soispha +- **(system/secrets/secrets.nix)** 
Remove redundant secretlist - (e1f0250) - sils + +- - - + ## v0.9.0 - 2023-08-13 #### Bug Fixes - **(system)** Binary substitution for debugging - (9685791) - sils -- cgit 1.4.1 From 2aa1c1641161185edd31df73739b26dea56b3786 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 18 Aug 2023 20:43:59 +0200 Subject: Fix(system/services/nginx): Update hosts --- system/services/nginx/hosts.nix | Bin 454 -> 300 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix index 550c28f..3abd841 100644 Binary files a/system/services/nginx/hosts.nix and b/system/services/nginx/hosts.nix differ -- cgit 1.4.1 From a4c1e6958f3ceb785c0c9fb8d482f832d19aaf01 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 18 Aug 2023 23:35:28 +0200 Subject: Build(flake): Update --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 2e93263..feecb60 100644 --- a/flake.lock +++ b/flake.lock @@ -183,11 +183,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1692339729, - "narHash": "sha256-TUK76/Pqm9qIDjEGd27Lz9EiBIvn5F70JWDmEQ4Y5DQ=", + "lastModified": 1692365558, + "narHash": "sha256-984xnTNiU7NIfWbMvSVsMgIYxRV9AJHVKyCnFobnUck=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ae521bd4e460b076a455dca8b13f4151489a725c", + "rev": "c8eb2fc11206bb14b1c66f0f1542f9ae3eafc255", "type": "github" }, "original": { -- cgit 1.4.1 From ec43442acc66e04d3b575280051e3279a259a380 Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 7 Sep 2023 21:51:41 +0200 Subject: build(flake): update --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index feecb60..ee9c51a 100644 --- a/flake.lock +++ b/flake.lock 
@@ -54,11 +54,11 @@ ] }, "locked": { - "lastModified": 1691803597, - "narHash": "sha256-khWW1Owzselq5o816Lb7x624d6QGnv+kpronK3ndkr4=", + "lastModified": 1693787605, + "narHash": "sha256-rwq5U8dy+a9JFny/73L0SJu1GfWwATMPMTp7D+mjHy8=", "owner": "ipetkov", "repo": "crane", - "rev": "7809d369710abb17767b624f9e72b500373580bc", + "rev": "8b4f7a4dab2120cf41e7957a28a853f45016bd9d", "type": "github" }, "original": { @@ -96,11 +96,11 @@ ] }, "locked": { - "lastModified": 1692199161, - "narHash": "sha256-GqKApvQ1JCf5DzH/Q+P4nwuHb6MaQGaWTu41lYzveF4=", + "lastModified": 1694069327, + "narHash": "sha256-Si2otUNjCe8kY5nsV7tILi4PsI0odBFrdSu8cCjn/eQ=", "owner": "nix-community", "repo": "disko", - "rev": "4eed2457b053c4bbad7d90d2b3a1d539c2c9009c", + "rev": "7bee8de8e6755506c70323b864a884f9624cc23a", "type": "github" }, "original": { @@ -132,11 +132,11 @@ ] }, "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "lastModified": 1692799911, + "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", "owner": "numtide", "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", "type": "github" }, "original": { @@ -183,11 +183,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1692365558, - "narHash": "sha256-984xnTNiU7NIfWbMvSVsMgIYxRV9AJHVKyCnFobnUck=", + "lastModified": 1694048570, + "narHash": "sha256-PEQptwFCVaJ+jLFJgrZll2shQ9VI/7xVhrCYkJo8iIw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c8eb2fc11206bb14b1c66f0f1542f9ae3eafc255", + "rev": "4f77ea639305f1de0a14d9d41eef83313360638c", "type": "github" }, "original": { 
@@ -284,11 +284,11 @@ ] }, "locked": { - "lastModified": 1692324578, - "narHash": "sha256-wlZd4e98ElxbWCr6oRHE/Fv+LMD3+7UYMe8SpHB04MA=", + "lastModified": 1694052649, + "narHash": "sha256-+eBEU3dw3/fCfi8ZHFNutINxehMazGkQxqNcpeNbTo4=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "8fba680620f7be7e6c63a45aeeafed612d00eb7b", + "rev": "a795148ffbcc77f2b592d50ceebe36147e623a77", "type": "github" }, "original": { -- cgit 1.4.1 From 0a877a1348721df855d3aaf1de37e991d1fd8919 Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 11 Sep 2023 19:26:20 +0200 Subject: build(flake): update --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index ee9c51a..6107be1 100644 --- a/flake.lock +++ b/flake.lock @@ -96,11 +96,11 @@ ] }, "locked": { - "lastModified": 1694069327, - "narHash": "sha256-Si2otUNjCe8kY5nsV7tILi4PsI0odBFrdSu8cCjn/eQ=", + "lastModified": 1694395354, + "narHash": "sha256-fzm/+caf+yPLb/Wivbydbhg5GlTo4f1rMOLbH7G9c9k=", "owner": "nix-community", "repo": "disko", - "rev": "7bee8de8e6755506c70323b864a884f9624cc23a", + "rev": "b54e2dc988b34fbad1a1180fe68b573a9d080df5", "type": "github" }, "original": { @@ -183,11 +183,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1694048570, - "narHash": "sha256-PEQptwFCVaJ+jLFJgrZll2shQ9VI/7xVhrCYkJo8iIw=", + "lastModified": 1694383256, + "narHash": "sha256-Kc0EN6mbJ/eN9PnF9xVURqGvQyNGJYADu+KbdWBZnHw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4f77ea639305f1de0a14d9d41eef83313360638c", + "rev": "18d81edd4a3952028b561875fc9b3a4741b5cd30", "type": "github" }, "original": { 
@@ -284,11 +284,11 @@ ] }, "locked": { - "lastModified": 1694052649, - "narHash": "sha256-+eBEU3dw3/fCfi8ZHFNutINxehMazGkQxqNcpeNbTo4=", + "lastModified": 1694452381, + "narHash": "sha256-IQl0hBUHDDoaC1UmFGNelO1OPMgrS+8RvVjCxgE667Q=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "a795148ffbcc77f2b592d50ceebe36147e623a77", + "rev": "f77e108350b821d62b7c2ee43fe411a9f4738099", "type": "github" }, "original": { -- cgit 1.4.1 From 327e8bf0b6e12eca501a532a0991fd4df49693cb Mon Sep 17 00:00:00 2001 From: Soispha Date: Sun, 1 Oct 2023 21:54:41 +0200 Subject: build(flake): Update --- flake.lock | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index 6107be1..737ea6e 100644 --- a/flake.lock +++ b/flake.lock @@ -9,11 +9,11 @@ ] }, "locked": { - "lastModified": 1690228878, - "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", + "lastModified": 1695384796, + "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", "owner": "ryantm", "repo": "agenix", - "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", + "rev": "1f677b3e161d3bdbfd08a939e8f25de2568e0ef4", "type": "github" }, "original": { @@ -54,11 +54,11 @@ ] }, "locked": { - "lastModified": 1693787605, - "narHash": "sha256-rwq5U8dy+a9JFny/73L0SJu1GfWwATMPMTp7D+mjHy8=", + "lastModified": 1696184529, + "narHash": "sha256-mJI+zYNKX6hu/dhh92ierUWgr5VWzQ9MThDsDDbmQFE=", "owner": "ipetkov", "repo": "crane", - "rev": "8b4f7a4dab2120cf41e7957a28a853f45016bd9d", + "rev": "a863ce3c79ea1a809ba81427e1b0d9c55b3eb7ef", "type": "github" }, "original": { 
@@ -96,11 +96,11 @@ ] }, "locked": { - "lastModified": 1694395354, - "narHash": "sha256-fzm/+caf+yPLb/Wivbydbhg5GlTo4f1rMOLbH7G9c9k=", + "lastModified": 1695864092, + "narHash": "sha256-Hu1SkFPqO7ND95AOzBkZE2jGXSYhfZ965C03O72Kbu8=", "owner": "nix-community", "repo": "disko", - "rev": "b54e2dc988b34fbad1a1180fe68b573a9d080df5", + "rev": "19b62324663b6b9859caf7f335d232cf4f1f6a32", "type": "github" }, "original": { @@ -132,11 +132,11 @@ ] }, "locked": { - "lastModified": 1692799911, - "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "owner": "numtide", "repo": "flake-utils", - "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "impermanence": { "locked": { - "lastModified": 1690797372, - "narHash": "sha256-GImz19e33SeVcIvBB7NnhbJSbTpFFmNtWLh7Z85Y188=", + "lastModified": 1694622745, + "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=", "owner": "nix-community", "repo": "impermanence", - "rev": "e3a7acd113903269a1b5c8b527e84ce7ee859851", + "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e", "type": "github" }, "original": { @@ -183,11 +183,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1694383256, - "narHash": "sha256-Kc0EN6mbJ/eN9PnF9xVURqGvQyNGJYADu+KbdWBZnHw=", + "lastModified": 1696115311, + "narHash": "sha256-JPZNLVgzVp6Z3Lv5h9kUWOX8jeBD1FLVTd2zXIfbaU0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "18d81edd4a3952028b561875fc9b3a4741b5cd30", + "rev": "15c4fb651d5306d01e485063121aa5411b2d9b6c", "type": "github" }, "original": { 
@@ -284,11 +284,11 @@ ] }, "locked": { - "lastModified": 1694452381, - "narHash": "sha256-IQl0hBUHDDoaC1UmFGNelO1OPMgrS+8RvVjCxgE667Q=", + "lastModified": 1696126582, + "narHash": "sha256-uo4cn/d2rHPy/fpKZKFBOaVO531zs/Doxz43imrpqZM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "f77e108350b821d62b7c2ee43fe411a9f4738099", + "rev": "fc6fe50d9a4540a1111731baaa00f207301fdeb7", "type": "github" }, "original": { -- cgit 1.4.1 From cd75ff6797386c5924a2f0bbc62eadf1c6e2725d Mon Sep 17 00:00:00 2001 From: Soispha Date: Sun, 1 Oct 2023 22:07:22 +0200 Subject: feat(system/services/taskserver): Init This is the server part used in combination with Taskwarrior to regain control over the unwieldy amount of task, that accumulate over the day. --- notes/taskserver.md | 7 +++++++ system/impermanence/default.nix | 1 + system/impermanence/mods/taskserver.nix | 5 +++++ system/services/default.nix | 1 + system/services/taskserver/default.nix | 28 ++++++++++++++++++++++++++++ 5 files changed, 42 insertions(+) create mode 100644 notes/taskserver.md create mode 100644 system/impermanence/mods/taskserver.nix create mode 100644 system/services/taskserver/default.nix diff --git a/notes/taskserver.md b/notes/taskserver.md new file mode 100644 index 0000000..36aeff0 --- /dev/null +++ b/notes/taskserver.md @@ -0,0 +1,7 @@ +# User export +Use +```bash +nixos-taskserver user export my-company alice +# or via ssh +ssh $server nixos-taskserver user export my-company alice #| sh +``` diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix index b60eb4c..6e977b5 100644 --- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -8,6 +8,7 @@ ./mods/nix-sync.nix ./mods/openssh.nix ./mods/postgresql.nix + ./mods/taskserver.nix ./mods/users.nix ]; diff --git a/system/impermanence/mods/taskserver.nix b/system/impermanence/mods/taskserver.nix new file mode 100644 index 0000000..9208aa4 --- /dev/null +++ b/system/impermanence/mods/taskserver.nix 
@@ -0,0 +1,5 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ "/var/lib/taskserver"
+ ];
+}
diff --git a/system/services/default.nix b/system/services/default.nix
index 9163588..3349b38 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -13,5 +13,6 @@
 ./openssh
 ./rust-motd
 ./snapper
+ ./taskserver
 ];
 }
diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix
new file mode 100644
index 0000000..56255cd
--- /dev/null
+++ b/system/services/taskserver/default.nix
@@ -0,0 +1,28 @@
+{...}: {
+ services.taskserver = {
+ enable = true;
+ pki.auto = {
+ expiration = {
+ server = 365;
+ crl = 365;
+ client = 365;
+ ca = 365;
+ };
+ bits = 4096;
+ };
+ organisations = {
+ vhack = {
+ users = [
+ "soispha"
+ ];
+ };
+ soispha = {
+ users = [
+ "soispha"
+ ];
+ };
+ };
+ openFirewall = true;
+ fqdn = "taskserver.vhack.eu";
+ };
+}
-- cgit 1.4.1
From 18624e4434c5ec379784e59a2f8054296d4c6837 Mon Sep 17 00:00:00 2001
From: Soispha
Date: Sun, 1 Oct 2023 22:55:33 +0200
Subject: fix(system/services/taskserver): Specify domain to listen on
---
system/services/taskserver/default.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix
index 56255cd..6a0aba6 100644
--- a/system/services/taskserver/default.nix
+++ b/system/services/taskserver/default.nix
@@ -24,5 +24,6 @@
 };
 openFirewall = true;
 fqdn = "taskserver.vhack.eu";
+ listenHost = "taskserver.vhack.eu";
 };
 }
-- cgit 1.4.1
From 17f6a00debfb2a68a691936d3f1c5a4b84edef19 Mon Sep 17 00:00:00 2001
From: Soispha
Date: Mon, 2 Oct 2023 18:21:36 +0200
Subject: fix(system/services/taskserver): Use strict certificate validation
---
system/services/taskserver/default.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix
index 6a0aba6..517da5d 100644
--- a/system/services/taskserver/default.nix
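Review bot: `/var/lib/taskserver` is persisted as a bare path, so the ownership and mode of the directory on the persistent volume are left to impermanence's defaults instead of being pinned the way the sibling matrix entry in this series does with `{ directory = ...; user = ...; group = ...; mode = "0700"; }`. That directory is where the auto-generated PKI (CA key, server key, client keys) presumably ends up, so the permissions are worth stating explicitly, e.g. `{ directory = "/var/lib/taskserver"; user = "taskserver"; group = "taskserver"; mode = "0700"; }` — confirm the user/group name against the taskserver module before copying it.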
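Review bot: `pki.auto.expiration.ca = 365` gives the auto-generated CA the same one-year lifetime as the leaf certificates, and when the CA expires every server and client certificate chained to it has to be regenerated and re-exported to each Taskwarrior client (the `nixos-taskserver user export` flow this commit documents in notes/taskserver.md). A CA lifetime well above the leaf lifetime, e.g. `ca = 3650;`, turns a yearly event into a leaf re-issue instead of a full re-enrolment of every client. `openFirewall = true` exposes the taskserver port directly, unlike the other services in this repository that are published through nginx; a short comment above it stating that this is intentional (Taskwarrior speaks its own TLS protocol, not HTTP) would save the next reader the question.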
+++ b/system/services/taskserver/default.nix @@ -22,6 +22,7 @@ ]; }; }; + trust = "strict"; openFirewall = true; fqdn = "taskserver.vhack.eu"; listenHost = "taskserver.vhack.eu"; -- cgit 1.4.1 From 5eda6811be4b66b1057b6cb8c5f67c1259be267f Mon Sep 17 00:00:00 2001 From: Soispha Date: Mon, 2 Oct 2023 18:25:52 +0200 Subject: chore(version): v0.10.0 --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c2c077..381d82d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,21 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.10.0 - 2023-10-02 +#### Bug Fixes +- **(system/services/nginx)** Update hosts - (2aa1c16) - Soispha +- **(system/services/taskserver)** Use strict certificate validation - (17f6a00) - Soispha +- **(system/services/taskserver)** Specify domain to listen on - (18624e4) - Soispha +#### Build system +- **(flake)** Update - (327e8bf) - Soispha +- **(flake)** update - (0a877a1) - sils +- **(flake)** update - (ec43442) - sils +- **(flake)** Update - (a4c1e69) - Soispha +#### Features +- **(system/services/taskserver)** Init - (cd75ff6) - Soispha + +- - - + ## v0.9.0 - 2023-08-18 #### Bug Fixes - **(system)** Binary substitution for debugging - (9685791) - sils -- cgit 1.4.1 From 932c45d2eb843bac1bb2f6e64a91613fe0fa3dd2 Mon Sep 17 00:00:00 2001 From: Soispha Date: Tue, 3 Oct 2023 16:10:04 +0200 Subject: feat(system/services/miniflux): Init --- system/secrets/default.nix | 6 ++++++ system/secrets/miniflux/admin.tix | 20 ++++++++++++++++++++ system/secrets/secrets.nix | 1 + system/services/default.nix | 1 + system/services/miniflux/default.nix | 19 +++++++++++++++++++ 5 files changed, 47 insertions(+) create mode 100644 system/secrets/miniflux/admin.tix create mode 100644 system/services/miniflux/default.nix 
diff --git a/system/secrets/default.nix b/system/secrets/default.nix index 2269672..6cd7524 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix @@ -19,6 +19,12 @@ owner = "root"; group = "root"; }; + minifluxAdmin = { + file = ./miniflux/admin.tix; + mode = "700"; + owner = "root"; + group = "root"; + }; }; }; } diff --git a/system/secrets/miniflux/admin.tix b/system/secrets/miniflux/admin.tix new file mode 100644 index 0000000..5f9855b --- /dev/null +++ b/system/secrets/miniflux/admin.tix @@ -0,0 +1,20 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3a1AwRUpRS2dTVWc5dFFx +SWtnOHh0SWRVODBxUTlkWmQvOURvVk90d1hVCkNwTlZDWGhhSnNyYzZQa2N4aUxV +SUx3aWk3ditmVURjTjJCckNqOSs1QzAKLT4gWDI1NTE5IElQNHBVZnB3Umw0bW9R +K1lsQXlLc3Vld0ljanBjS1E4TGdHSE8rR3ZMemsKY3ZpVm5OSDZrNHlXMVh6bXIz +YnhFSmdFTTNCUUFkeEpCbCt6Z21SbCtEUQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +VGQxbTRiNkxRTUhRVFZEWkZiZ3ZoRStDbk5OZWFMb1BacEhmOWxjVmlRdwpidTlI +TXNnVHJPVUJjZXdGVWdMZkJ3WVZ2c3k2a3BrSDJDdWdTd1VLdVhjCi0+IExLOWst +Z3JlYXNlIC9kIDJYWlZDCkpXUW1IdFA3RjFoQXJHdG10bERLNk93ZFRvVVgxRjNY +QUlJcmpPVVU0RXYvVEZFZk5nTFNrWXVNWVg5Q0xzLzcKWWlDUUtPRWIwVWF3RXZt +M2dJenh3bk9nQ0paMTVweHlnQQotLS0gK3J4NTJ3Wkl1bDlVd3F1NVFlcVhWS0ZT +RlFxUFRBcXJEcC91M3pYaWNmYwoKAC8nGzAQewMVBhgwU4UxDIzm16OH1Te2N1Up +WjjAaHKGHeLcTG8UN6CgmIsjijV1EIN4qMLGQy1tJlMoim4/Q5kyTkHSEVAgLbKI +vUiW2/7mblgkTJzlVw0EB7wep6HPT9C7JYuirBRstUf0TdBIIB+u0Q/AGTnydcg8 +Kus1e4zuoanFxXoIFoUt48zC8T+EsPd3hMMe8h//rAfsBIxB3CJaqibxmQSWAPoA +yCuULWrmD48xjS6tzwZQo+Fx334HdH/hQSaZS0wJccwONbXaqexm+rEn+wmnBZW6 +lOFE86S9f3b1+GI3ze23yD4nbY+7txlP2QwADu815IZ3eOLBfxXjJR7K4+bEeiqz +0Q+t8fWZntB9sL0iELQlXa4uwcu7DlxLnopC/klTBisrEXizH4ALwVcr9Cxwp4Hj +vpOTqLt2Qxw= +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix index 9fa9cc5..cd27612 100644 --- a/system/secrets/secrets.nix +++ b/system/secrets/secrets.nix 
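Review bot: `mode = "700"` on the new `minifluxAdmin` entry sets the execute bit on a regular file that is only ever read; `mode = "600";` expresses the intent without granting a permission nothing needs. The sibling entries' mode lines are outside the hunk, so if they use the same value it is worth changing them together for consistency. The file is `owner = "root"`, which only works if the miniflux module hands the file to the service with root privileges (e.g. through systemd) rather than having the service user open it — presumably that is the case, but confirm it, otherwise the owner has to be the service user.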
@@ -14,4 +14,5 @@ in { "matrix-synapse/passwd.tix".publicKeys = allSecrets; "invidious/hmac.tix".publicKeys = allSecrets; "invidious/settings.tix".publicKeys = allSecrets; + "miniflux/admin.tix".publicKeys = allSecrets; } diff --git a/system/services/default.nix b/system/services/default.nix index 3349b38..2530f3a 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -7,6 +7,7 @@ ./mail ./matrix ./minecraft + ./miniflux ./nginx ./nix ./nix-sync diff --git a/system/services/miniflux/default.nix b/system/services/miniflux/default.nix new file mode 100644 index 0000000..e42ebe2 --- /dev/null +++ b/system/services/miniflux/default.nix @@ -0,0 +1,19 @@ +{config, ...}: { + services.miniflux = { + enable = true; + config = { + LISTEN_ADDR = "127.0.0.1:5892"; + }; + adminCredentialsFile = config.secrets.age.minifluxAdmin.path; + }; + + services.nginx = { + enable = true; + virtualHosts."rss.vhack.eu" = { + locations."/".proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}"; + + enableACME = true; + forceSSL = true; + }; + }; +} -- cgit 1.4.1 From b4944b16cade3b006615bd3efd3795b8e235e6ec Mon Sep 17 00:00:00 2001 From: Soispha Date: Tue, 3 Oct 2023 16:13:26 +0200 Subject: fix(system/services/miniflux): Correctly specify secret path --- system/services/miniflux/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/services/miniflux/default.nix b/system/services/miniflux/default.nix index e42ebe2..516a9b2 100644 --- a/system/services/miniflux/default.nix +++ b/system/services/miniflux/default.nix @@ -4,7 +4,7 @@ config = { LISTEN_ADDR = "127.0.0.1:5892"; }; - adminCredentialsFile = config.secrets.age.minifluxAdmin.path; + adminCredentialsFile = config.age.secrets.minifluxAdmin.path; }; services.nginx = { -- cgit 1.4.1 From ca1e35461cb2ec8984750dc69a6ef1497a134df4 Mon Sep 17 00:00:00 2001 
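Review bot: The miniflux config sets only `LISTEN_ADDR`; behind the TLS-terminating vhost it should also carry `BASE_URL = "https://rss.vhack.eu";`, because miniflux builds its absolute URLs from that setting and, as far as I recall, also derives from its scheme whether the session cookie gets the `Secure` attribute — without it the application believes it is served over plain HTTP on localhost. The vhost's `locations."/".proxyPass` forwards no client headers of its own, so unless `services.nginx.recommendedProxySettings` is enabled elsewhere in the repository, miniflux will record `127.0.0.1` as every client's address; a comment noting where that is configured would help.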
From: Soispha Date: Tue, 3 Oct 2023 16:19:12 +0200 Subject: fix(system/services/miniflux): Reduce password length --- system/secrets/miniflux/admin.tix | 30 ++++++++++++------------------ 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/system/secrets/miniflux/admin.tix b/system/secrets/miniflux/admin.tix index 5f9855b..6b34ab0 100644 --- a/system/secrets/miniflux/admin.tix +++ b/system/secrets/miniflux/admin.tix 
@@ -1,20 +1,14 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3a1AwRUpRS2dTVWc5dFFx -SWtnOHh0SWRVODBxUTlkWmQvOURvVk90d1hVCkNwTlZDWGhhSnNyYzZQa2N4aUxV -SUx3aWk3ditmVURjTjJCckNqOSs1QzAKLT4gWDI1NTE5IElQNHBVZnB3Umw0bW9R -K1lsQXlLc3Vld0ljanBjS1E4TGdHSE8rR3ZMemsKY3ZpVm5OSDZrNHlXMVh6bXIz -YnhFSmdFTTNCUUFkeEpCbCt6Z21SbCtEUQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg -VGQxbTRiNkxRTUhRVFZEWkZiZ3ZoRStDbk5OZWFMb1BacEhmOWxjVmlRdwpidTlI -TXNnVHJPVUJjZXdGVWdMZkJ3WVZ2c3k2a3BrSDJDdWdTd1VLdVhjCi0+IExLOWst -Z3JlYXNlIC9kIDJYWlZDCkpXUW1IdFA3RjFoQXJHdG10bERLNk93ZFRvVVgxRjNY -QUlJcmpPVVU0RXYvVEZFZk5nTFNrWXVNWVg5Q0xzLzcKWWlDUUtPRWIwVWF3RXZt -M2dJenh3bk9nQ0paMTVweHlnQQotLS0gK3J4NTJ3Wkl1bDlVd3F1NVFlcVhWS0ZT -RlFxUFRBcXJEcC91M3pYaWNmYwoKAC8nGzAQewMVBhgwU4UxDIzm16OH1Te2N1Up -WjjAaHKGHeLcTG8UN6CgmIsjijV1EIN4qMLGQy1tJlMoim4/Q5kyTkHSEVAgLbKI -vUiW2/7mblgkTJzlVw0EB7wep6HPT9C7JYuirBRstUf0TdBIIB+u0Q/AGTnydcg8 -Kus1e4zuoanFxXoIFoUt48zC8T+EsPd3hMMe8h//rAfsBIxB3CJaqibxmQSWAPoA -yCuULWrmD48xjS6tzwZQo+Fx334HdH/hQSaZS0wJccwONbXaqexm+rEn+wmnBZW6 -lOFE86S9f3b1+GI3ze23yD4nbY+7txlP2QwADu815IZ3eOLBfxXjJR7K4+bEeiqz -0Q+t8fWZntB9sL0iELQlXa4uwcu7DlxLnopC/klTBisrEXizH4ALwVcr9Cxwp4Hj -vpOTqLt2Qxw= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0ZHJ3V0E3bjVLYUd5N2gx +eE15dlBldWt1ZGpBcGc3ZWcwMTNKSTcxR0Y0Cm03dEgxYzdhYjYvWFNNUVdtR3E1 +dW1lMlE3R3dlcUZ1Qm1GMElPQU8xYmMKLT4gWDI1NTE5IFJrc28wZzhWQ3RoeFFK +WFlTSmVzRGMzamxrQ0NSUG9KVWxSajJsQ1BablEKS0tFb096djZOdUJIVTdaSndH +b1ZMT3ZCZGVkaWMvU0hPSFhsMkY3RzBkNAotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +SWdGV1pSYzY3bWxadWJZeXVmTXBHeGpMTTYyak1IbE9jTjZQS3dwRXozUQo1UFlT +am9WNzh1TytMNTFsNjM4amh0N2JDdkxjYk9GL285UWUrZHV5L3p3Ci0+IEkqMS1n +cmVhc2UgZV4KRFlYWlRyNDFtZlJWcS9vZ1hiUkJxdE9saHpTTWQ3TitMc1N0UXBE +eWZ5SQotLS0gRzE4bmpSTWpjUnlHUlNHTTNWSjNNL0d3VFFpVFdOaVlMUERmRHNt +d2k3WQqd+49pa75kfJffbdCOmNvPLUN7N+d+lI4lXlPTyLWTNnM8qaVz+BAhMH40 +ri9BTHHtg4ql7bXZWXZt/CiBLUOuv+yKckm4u51vjOwyHwUjaMYF4bfXS+rChsQV +BL+XWihQZ5wNsUh1PRHMy3mrF1XSYROa4ApK/i5Sgm271cvBMI4C4G+oux0/wvkL -----END AGE 
ENCRYPTED FILE----- -- cgit 1.4.1 From 7da6e60b4006edec97440769ecf94157910c2eff Mon Sep 17 00:00:00 2001 From: Soispha Date: Tue, 3 Oct 2023 16:33:04 +0200 Subject: chore(version): v0.11.0 --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 381d82d..a7c5132 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.11.0 - 2023-10-03 +#### Bug Fixes +- **(system/services/miniflux)** Reduce password length - (ca1e354) - Soispha +- **(system/services/miniflux)** Correctly specify secret path - (b4944b1) - Soispha +#### Features +- **(system/services/miniflux)** Init - (932c45d) - Soispha + +- - - + ## v0.10.0 - 2023-10-02 #### Bug Fixes - **(system/services/nginx)** Update hosts - (2aa1c16) - Soispha -- cgit 1.4.1 From f3eeef86672cc5ab34703a75fd52232b450b06e9 Mon Sep 17 00:00:00 2001 From: sils Date: Tue, 3 Oct 2023 16:51:04 +0200 Subject: build(flake): update --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 737ea6e..14c1b8c 100644 --- a/flake.lock +++ b/flake.lock @@ -54,11 +54,11 @@ ] }, "locked": { - "lastModified": 1696184529, - "narHash": "sha256-mJI+zYNKX6hu/dhh92ierUWgr5VWzQ9MThDsDDbmQFE=", + "lastModified": 1696266955, + "narHash": "sha256-GhaBeBWwejBTzBQl803x7iUXQ6GGUZgBxz+qyk1E3v4=", "owner": "ipetkov", "repo": "crane", - "rev": "a863ce3c79ea1a809ba81427e1b0d9c55b3eb7ef", + "rev": "581245bf1233d6f621ce3b6cb99224a948c3a37f", "type": "github" }, "original": { 
@@ -96,11 +96,11 @@ ] }, "locked": { - "lastModified": 1695864092, - "narHash": "sha256-Hu1SkFPqO7ND95AOzBkZE2jGXSYhfZ965C03O72Kbu8=", + "lastModified": 1696266752, + "narHash": "sha256-wJnMDFM21+xXdsXSs6pXMElbv4YfqmQslcPApRuaYKs=", "owner": "nix-community", "repo": "disko", - "rev": "19b62324663b6b9859caf7f335d232cf4f1f6a32", + "rev": "646ee25c25fffee122a66282861f5f56ad3e0fd9", "type": "github" }, "original": { @@ -112,11 +112,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696267196, + "narHash": "sha256-AAQ/2sD+0D18bb8hKuEEVpHUYD1GmO2Uh/taFamn6XQ=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "4f910c9827911b1ec2bf26b5a062cd09f8d89f85", "type": "github" }, "original": { @@ -183,11 +183,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696115311, - "narHash": "sha256-JPZNLVgzVp6Z3Lv5h9kUWOX8jeBD1FLVTd2zXIfbaU0=", + "lastModified": 1696275639, + "narHash": "sha256-3zShVFShYM2/n4p3Y2hzTzIE0zjR6/G1sDXo4awMR/w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "15c4fb651d5306d01e485063121aa5411b2d9b6c", + "rev": "cb1f8c37d44052b9fd2b6bd208ec4dbbe068cced", "type": "github" }, "original": { @@ -284,11 +284,11 @@ ] }, "locked": { - "lastModified": 1696126582, - "narHash": "sha256-uo4cn/d2rHPy/fpKZKFBOaVO531zs/Doxz43imrpqZM=", + "lastModified": 1696299134, + "narHash": "sha256-RS77cAa0N+Sfj5EmKbm5IdncNXaBCE1BSSQvUE8exvo=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "fc6fe50d9a4540a1111731baaa00f207301fdeb7", + "rev": "611ccdceed92b4d94ae75328148d84ee4a5b462d", "type": "github" }, "original": { -- cgit 1.4.1 From a3c31664dad17674721b0d31eec8ca0d8e57bd3e Mon Sep 17 00:00:00 2001 
From: Soispha
Date: Tue, 3 Oct 2023 17:11:46 +0200
Subject: feat(system/services/murmur): Initialize
---
system/services/default.nix | 1 +
system/services/murmur/default.nix | 23 +++++++++++++++++++++++
2 files changed, 24 insertions(+)
create mode 100644 system/services/murmur/default.nix
diff --git a/system/services/default.nix b/system/services/default.nix
index 2530f3a..db42284 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -8,6 +8,7 @@
 ./matrix
 ./minecraft
 ./miniflux
+ ./murmur
 ./nginx
 ./nix
 ./nix-sync
diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix
new file mode 100644
index 0000000..9c04db0
--- /dev/null
+++ b/system/services/murmur/default.nix
@@ -0,0 +1,23 @@
+{config, ...}: {
+ services.murmur = {
+ enable = true;
+ openFirewall = true;
+ welcometext = ''
+ You never get a second chance to make a first impression
+
+ The entire team of [name of the company] is thrilled to welcome you on board. We hope you’ll do some amazing work here!
+ '';
+ sslKey = "${config.security.acme.certs.murmur.directory}/key.pem";
+ sslCert = "${config.security.acme.certs.murmur.directory}/fullchain.pem";
+
+ registerUrl = "vhack.eu";
+ registerName = "vhack";
+ registerHostname = "mumble.vhack.eu";
+ hostName = "mumble.vhack.eu";
+ clientCertRequired = true;
+ };
+
+ security.acme.certs.murmur = {
+ domain = "mumble.vhack.eu";
+ };
+}
-- cgit 1.4.1
From c154fa39a7f68a17713eff260c45c4d23835feb1 Mon Sep 17 00:00:00 2001
From: Soispha
Date: Tue, 3 Oct 2023 17:29:00 +0200
Subject: fix(system/services/murmur): Allow murmur's user to read certs
---
system/impermanence/default.nix | 1 +
system/impermanence/mods/murmur.nix | 10 ++++++++++
system/services/murmur/default.nix | 26 ++++++++++++++++++++++----
3 files changed, 33 insertions(+), 4 deletions(-)
create mode 100644 system/impermanence/mods/murmur.nix
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index 6e977b5..f3d792d 100644
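Review bot: `welcometext` in the new murmur/default.nix is still the sample text — `[name of the company]` is a placeholder — and it is shown to every user on connect, so it should either be written for this server or dropped so the murmur default applies. The rest of the block names `mumble.vhack.eu` in `registerHostname` and `hostName`; the welcome message should at least be consistent with that deployment. Everything else in the hunk (`clientCertRequired = true`, explicit `hostName`) reads fine.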
--- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -5,6 +5,7 @@ ./mods/mail.nix ./mods/matrix.nix ./mods/minecraft.nix + ./mods/murmur.nix ./mods/nix-sync.nix ./mods/openssh.nix ./mods/postgresql.nix diff --git a/system/impermanence/mods/murmur.nix b/system/impermanence/mods/murmur.nix new file mode 100644 index 0000000..48912e1 --- /dev/null +++ b/system/impermanence/mods/murmur.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/murmur"; + user = "murmur"; + group = "murmur"; + mode = "0700"; + } + ]; +} diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix index 9c04db0..1dcd781 100644 --- a/system/services/murmur/default.nix +++ b/system/services/murmur/default.nix @@ -1,23 +1,41 @@ -{config, ...}: { +{...}: let + murmurStore = "/var/lib/murmur"; +in { services.murmur = { enable = true; openFirewall = true; welcometext = '' - You never get a second chance to make a first impression + You never get a second chance to make a first impression
The entire team of [name of the company] is thrilled to welcome you on board. We hope you’ll do some amazing work here! ''; - sslKey = "${config.security.acme.certs.murmur.directory}/key.pem"; - sslCert = "${config.security.acme.certs.murmur.directory}/fullchain.pem"; + sslKey = "${murmurStore}/key.pem"; + sslCert = "${murmurStore}/fullchain.pem"; registerUrl = "vhack.eu"; registerName = "vhack"; registerHostname = "mumble.vhack.eu"; hostName = "mumble.vhack.eu"; clientCertRequired = true; + bandwidth = 7200000; }; security.acme.certs.murmur = { domain = "mumble.vhack.eu"; + postRun = + /* + bash + */ + '' + set -x + rm "${murmurStore}/key.pem" + rm "${murmurStore}/fullchain.pem" + + cp key.pem "${murmurStore}"; + cp fullchain.pem "${murmurStore}"; + + chown murmur:murmur "${murmurStore}/key.pem" + chown murmur:murmur "${murmurStore}/fullchain.pem" + ''; }; } -- cgit 1.4.1 From 5b1220b2f47bfaa6a63cc144b67288b31f4cfc46 Mon Sep 17 00:00:00 2001 From: Soispha Date: Tue, 3 Oct 2023 18:07:25 +0200 Subject: chore(version): v0.12.0 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a7c5132..1928ad8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.12.0 - 2023-10-03 +#### Bug Fixes +- **(system/services/murmur)** Allow murmur's user to read certs - (c37bf3d) - Soispha +#### Build system +- **(flake)** update - (f3eeef8) - sils +#### Features +- **(system/services/murmur)** Init - (beb53b0) - Soispha + +- - - + ## v0.11.0 - 2023-10-03 #### Bug Fixes - **(system/services/miniflux)** Reduce password length - (ca1e354) - Soispha -- cgit 1.4.1 From 7d905a84db0514bdd8c07bc3a1a0bbff3eaa1a18 Mon Sep 17 00:00:00 2001 
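Review bot: The `postRun` hook removes and re-copies the key and chain in separate steps, so there is a window in which `${murmurStore}/key.pem` does not exist and another in which it exists root-owned with whatever mode `cp` inherits from the umask, and `rm` without `-f` aborts the hook on the first renewal when the files are not there yet. Replacing each rm/cp/chown triple with `install -o murmur -g murmur -m 0600 key.pem "${murmurStore}/key.pem"` and `install -o murmur -g murmur -m 0644 fullchain.pem "${murmurStore}/fullchain.pem"` sets an explicit mode, never leaves the path absent, and needs no prior `rm`. The ACME module also has a `security.acme.certs.<name>.group` option that would let the service read the certificate directory without a copy; a comment above `postRun` saying why the copy was chosen instead would save the next reader the experiment. Nothing in the hook tells murmur to pick up the renewed certificate — presumably it only reads `sslKey`/`sslCert` at start, so confirm whether a reload or restart of the service belongs at the end of the script. `set -x` only echoes paths, not key material, but it looks like a debugging leftover.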
From: Soispha Date: Tue, 3 Oct 2023 18:09:02 +0200 Subject: chore(version): v0.13.0 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1928ad8..b82c79c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.13.0 - 2023-10-03 +#### Bug Fixes +- **(system/services/murmur)** Allow murmur's user to read certs - (c154fa3) - Soispha +#### Features +- **(system/services/murmur)** Initialize - (a3c3166) - Soispha +#### Miscellaneous Chores +- **(version)** v0.12.0 - (5b1220b) - Soispha + +- - - + ## v0.12.0 - 2023-10-03 #### Bug Fixes - **(system/services/murmur)** Allow murmur's user to read certs - (c37bf3d) - Soispha -- cgit 1.4.1 From 52ae495f89ac232f689d2af04a7d88441bef0b4f Mon Sep 17 00:00:00 2001 From: sils Date: Wed, 11 Oct 2023 12:41:55 +0200 Subject: feat(system/services/nix): add wheel group to trusted-users --- system/services/nix/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix index bd562ec..ec5fe5d 100644 --- a/system/services/nix/default.nix +++ b/system/services/nix/default.nix @@ -13,6 +13,10 @@ settings = { auto-optimise-store = true; experimental-features = ["nix-command" "flakes"]; + trusted-users = [ + "root" + "@wheel" + ]; }; }; } -- cgit 1.4.1 From b07daa8d46300eef7f0b99f9061955f79de08346 Mon Sep 17 00:00:00 2001 From: sils Date: Wed, 11 Oct 2023 13:55:36 +0200 Subject: chore(version): v0.14.0 --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b82c79c..8b41f38 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
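Review bot: Adding `"@wheel"` to `nix.settings.trusted-users` makes every wheel member root-equivalent for the Nix daemon: a trusted user can point the daemon at arbitrary `substituters` with their own `trusted-public-keys`, disable the sandbox, and import unsigned store paths, which is a well-known route to root on the host. On a server where wheel already has unrestricted sudo this is not a new capability, but it widens the reach of any compromised wheel account or forwarded SSH agent to the daemon socket without passing through sudo. If the goal is remote deployment or using extra binary caches, listing the specific users instead of the whole group, or whitelisting the caches in `trusted-substituters` and `trusted-public-keys` so unprivileged users can use them, is the narrower option; either way a comment above the list stating why it is needed belongs with the change.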
@@ -2,6 +2,12 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.14.0 - 2023-10-11 +#### Features +- **(system/services/nix)** add wheel group to trusted-users - (52ae495) - sils + +- - - + ## v0.13.0 - 2023-10-03 #### Bug Fixes - **(system/services/murmur)** Allow murmur's user to read certs - (c154fa3) - Soispha -- cgit 1.4.1 From d4fbb499fb5c0a16dfc132cd32e4cd8cc6f9ddbc Mon Sep 17 00:00:00 2001 From: sils Date: Wed, 11 Oct 2023 14:01:11 +0200 Subject: build(flake): update --- flake.lock | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/flake.lock b/flake.lock index 14c1b8c..298efde 100644 --- a/flake.lock +++ b/flake.lock @@ -9,11 +9,11 @@ ] }, "locked": { - "lastModified": 1695384796, + "lastModified": 1696775529, "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", "owner": "ryantm", "repo": "agenix", - "rev": "1f677b3e161d3bdbfd08a939e8f25de2568e0ef4", + "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4", "type": "github" }, "original": { @@ -54,11 +54,11 @@ ] }, "locked": { - "lastModified": 1696266955, - "narHash": "sha256-GhaBeBWwejBTzBQl803x7iUXQ6GGUZgBxz+qyk1E3v4=", + "lastModified": 1696384830, + "narHash": "sha256-j8ZsVqzmj5sOm5MW9cqwQJUZELFFwOislDmqDDEMl6k=", "owner": "ipetkov", "repo": "crane", - "rev": "581245bf1233d6f621ce3b6cb99224a948c3a37f", + "rev": "f2143cd27f8bd09ee4f0121336c65015a2a0a19c", "type": "github" }, "original": { @@ -96,11 +96,11 @@ ] }, "locked": { - "lastModified": 1696266752, - "narHash": "sha256-wJnMDFM21+xXdsXSs6pXMElbv4YfqmQslcPApRuaYKs=", + "lastModified": 1696814493, + "narHash": "sha256-1qArVsJGG2RHbV2iKFpAmM5os3myvwpXMOdFy5nh54M=", "owner": "nix-community", "repo": "disko", - "rev": "646ee25c25fffee122a66282861f5f56ad3e0fd9", + "rev": "32ce057c183506cecb0b84950e4eaf39f37e8c75", "type": "github" }, "original": { 
@@ -112,11 +112,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1696267196, - "narHash": "sha256-AAQ/2sD+0D18bb8hKuEEVpHUYD1GmO2Uh/taFamn6XQ=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "4f910c9827911b1ec2bf26b5a062cd09f8d89f85", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -183,11 +183,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1696275639, - "narHash": "sha256-3zShVFShYM2/n4p3Y2hzTzIE0zjR6/G1sDXo4awMR/w=", + "lastModified": 1696954215, + "narHash": "sha256-AFnALq/MZs0vRKwjGpS27maCMRcXr04lzi+BI7ZIoDw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cb1f8c37d44052b9fd2b6bd208ec4dbbe068cced", + "rev": "0927ba648bbbdff18356c292edcfefbb4e1a143d", "type": "github" }, "original": { @@ -284,11 +284,11 @@ ] }, "locked": { - "lastModified": 1696299134, - "narHash": "sha256-RS77cAa0N+Sfj5EmKbm5IdncNXaBCE1BSSQvUE8exvo=", + "lastModified": 1696990596, + "narHash": "sha256-Yyb4o7/qNGB+oig3978ehzRrJf/zjfCOEB/g7ZF3//E=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "611ccdceed92b4d94ae75328148d84ee4a5b462d", + "rev": "c6d2f0bbd56fc833a7c1973f422ca92a507d0320", "type": "github" }, "original": { -- cgit 1.4.1 From 631e9c0fc66e7c0493ea447dfcfcfca93ce0d72c Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 12 Oct 2023 20:49:27 +0200 Subject: feat(treewide): add mastodon --- system/impermanence/default.nix | 1 + system/impermanence/mods/mastodon.nix | 10 ++++++++++ system/secrets/default.nix | 6 ++++++ system/secrets/mastodon/mail.tix | 15 +++++++++++++++ system/secrets/secrets.nix | 1 + system/services/mail/users.nix | Bin 1138 -> 1303 bytes system/services/mastodon/default.nix | 17 +++++++++++++++++ 7 files changed, 50 insertions(+) create mode 100644 system/impermanence/mods/mastodon.nix create mode 100644 system/secrets/mastodon/mail.tix create mode 100644 system/services/mastodon/default.nix 
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix index f3d792d..f42c084 100644 --- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -3,6 +3,7 @@ imports = [ ./mods/acme.nix ./mods/mail.nix + ./mods/mastodon.nix ./mods/matrix.nix ./mods/minecraft.nix ./mods/murmur.nix diff --git a/system/impermanence/mods/mastodon.nix b/system/impermanence/mods/mastodon.nix new file mode 100644 index 0000000..a5bdbfd --- /dev/null +++ b/system/impermanence/mods/mastodon.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/mastodon"; + user = "mastodon"; + group = "mastodon"; + mode = "0700"; + } + ]; +} diff --git a/system/secrets/default.nix b/system/secrets/default.nix index 6cd7524..658679b 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix @@ -25,6 +25,12 @@ owner = "root"; group = "root"; }; + mastodonMail = { + file = ./mastodon/mail.tix; + mode = "700"; + owner = "mastodon"; + group = "mastodon"; + }; }; }; } diff --git a/system/secrets/mastodon/mail.tix b/system/secrets/mastodon/mail.tix new file mode 100644 index 0000000..c64a2e7 --- /dev/null +++ b/system/secrets/mastodon/mail.tix 
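Review bot: The `mastodonMail` secret in `system/secrets/default.nix` is declared with `mode = "700";`, which marks an SMTP password file executable and writable for its owner even though the consumer only needs to read it. The least-privilege value for a read-only credential is `mode = "400";`, matching how a decrypted secret is normally exposed. The `owner`/`group` pair is appropriate; only the mode is wider than needed.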
@@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqT05Uc2hrcFAwd1c5S1o0 +L3hhQURmdUVBbmxSYVFGczdGWThTck9VdkhRCktOZ1JSamN0Ly9pVXJDMDZ4Y0VZ +bmRyMTlaOU9HOEZ5SitzOVovUkhCNFUKLT4gWDI1NTE5IHlqUTFtODd6QXpNMFBY +WTY2cTJ2TFI5S0ZGc1doeEVEUi9veGRDKzN5UWsKUC9WZUtXVUs5cnkxL3Y5RlJs +RTRkNE5zQ0NtbG0vdStuZXZVUzFoeTBwNAotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +Um1qczl3YTM0S3dIb3AzQmpSNVNNUXFzMFNLNEEwQllOSUkrMHNzVy9uMApTdjhz +U250NGNpdk5SbWhPNjhjWWM0aWovRCt0MjR3M29JSTZjLy9IbTAwCi0+IEwtZ3Jl +YXNlIEp6KCk4by1jIF0Kd2xoKytCU3d3MGFxZmRmS2gxSDJiVFp1L3hOS2hJVEtz +NlFHWHhnRW5SNTZRMFFFRUJrVXo2blZvNlZTSXNqeQpVbWFLUmVHN1ptWGdLMkJT +RVJuUWxTVE4vcDhsCi0tLSA5ckxpdFhrQWErb2NkcXlWaHR6WmVndVppbjRIQ3cw +VjAxdTlnTEdmTkVrCou6/oezocFtYn7QDWLFzknFPlD5d1xBFutng6dvazWasZXD +qecouKvAmFFA4mQHUjbmD2QxWdorU7SyYpEPeTJ4rbOuayySkYPxUoo8gqvd7JkS +0VCavUuSb8nmfk24E3M= +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix index cd27612..411f92e 100644 --- a/system/secrets/secrets.nix +++ b/system/secrets/secrets.nix @@ -15,4 +15,5 @@ in { "invidious/hmac.tix".publicKeys = allSecrets; "invidious/settings.tix".publicKeys = allSecrets; "miniflux/admin.tix".publicKeys = allSecrets; + "mastodon/mail.tix".publicKeys = allSecrets; } diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix index a30d547..2104a8a 100644 Binary files a/system/services/mail/users.nix and b/system/services/mail/users.nix differ diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix new file mode 100644 index 0000000..6fb821e --- /dev/null +++ b/system/services/mastodon/default.nix 
@@ -0,0 +1,17 @@ +{config, ...}: let + emailAddress = "mastodon@vhack.eu"; +in { + services.mastodon = { + enable = true; + localDomain = "mstdn.vhack.eu"; + configureNginx = true; + smtp = { + authenticate = true; + createLocally = false; + fromAddress = emailAddress; + user = emailAddress; + host = "server1.vhack.eu"; + passwordFile = "${config.age.secrets.mastdonMail.path}"; + }; + }; +} -- cgit 1.4.1 From b8f786bf568187f83da586df9e5d354e79b59cb2 Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 12 Oct 2023 20:56:51 +0200 Subject: fix(system/services/mastodon): correct age secret path --- system/services/mastodon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index 6fb821e..3a983c3 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -11,7 +11,7 @@ in { fromAddress = emailAddress; user = emailAddress; host = "server1.vhack.eu"; - passwordFile = "${config.age.secrets.mastdonMail.path}"; + passwordFile = "${config.age.secrets.mastodonMail.path}"; }; }; } -- cgit 1.4.1 From 927fc165253804a6b8ffe0e648baa279e77a8233 Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 12 Oct 2023 20:57:20 +0200 Subject: feat(system/services): actually import mastodon --- system/services/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/system/services/default.nix b/system/services/default.nix index db42284..9998e43 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -5,6 +5,7 @@ ./keycloak ./libreddit ./mail + ./mastodon ./matrix ./minecraft ./miniflux -- cgit 1.4.1 From cb49aa5ed36f38aa9608695fb1884846b9f859f9 Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 12 Oct 2023 21:35:13 +0200 Subject: fix(system/services/mastodon): separate domains for user handles and webinterface --- system/services/mastodon/default.nix | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) 
diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index 3a983c3..96c2744 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -3,8 +3,7 @@ in { services.mastodon = { enable = true; - localDomain = "mstdn.vhack.eu"; - configureNginx = true; + localDomain = "vhack.eu"; smtp = { authenticate = true; createLocally = false; @@ -13,5 +12,38 @@ in { host = "server1.vhack.eu"; passwordFile = "${config.age.secrets.mastodonMail.path}"; }; + extraConfig.WEB_DOMAIN = "mastodon.vhack.eu"; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; # required for redirections to work + virtualHosts = { + "${config.services.mastodon.extraConfig.WEB_DOMAIN}" = { + root = "${config.services.mastodon.package}/public/"; + # mastodon only supports https, but you can override this if you offload tls elsewhere. + forceSSL = true; + enableACME = true; + + locations."/system/".alias = "/var/lib/mastodon/public-system/"; + + locations."/" = { + tryFiles = "$uri @proxy"; + }; + + locations."@proxy" = { + proxyPass = "http://unix:/run/mastodon-web/web.socket"; + proxyWebsockets = true; + }; + + locations."/api/v1/streaming/" = { + proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + proxyWebsockets = true; + }; + }; + "vhack.eu" = { + locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri"; + }; + }; }; } -- cgit 1.4.1 From bd824945407c1db99d35e1b56fc19ef08abd6c36 Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 12 Oct 2023 21:39:35 +0200 Subject: fix(system/services/mastodon): allow registration only with vhack.eu/sils.li mail --- system/services/mastodon/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index 96c2744..5007d0e 100644 --- a/system/services/mastodon/default.nix 
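Review bot: The `"vhack.eu"` virtual host added at the end of the `services.nginx.virtualHosts` set carries only the WebFinger redirect and no `forceSSL`/`enableACME`, so unless that host is declared elsewhere and merged in, the redirect is served over plain HTTP only, while remote instances resolving `user@vhack.eu` fetch `https://vhack.eu/.well-known/webfinger`. If no other module defines it, add `forceSSL = true;` and `enableACME = true;` to that host alongside the `locations` line. The later refactor of this block in commit 925e993 leaves the same host unchanged.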
+++ b/system/services/mastodon/default.nix @@ -12,7 +12,10 @@ in { host = "server1.vhack.eu"; passwordFile = "${config.age.secrets.mastodonMail.path}"; }; - extraConfig.WEB_DOMAIN = "mastodon.vhack.eu"; + extraConfig = { + WEB_DOMAIN = "mastodon.vhack.eu"; + EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li"; + }; }; services.nginx = { -- cgit 1.4.1 From 1ddfb655c9cb35a40cc13dca84652678f7a30f1a Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 12 Oct 2023 21:52:37 +0200 Subject: fix(system/services/mastodon): add nginx to group 'mastodon' --- system/services/mastodon/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index 5007d0e..ea49fc5 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -49,4 +49,6 @@ in { }; }; }; + + users.groups.${config.services.mastodon.group}.members = config.services.nginx.user; } -- cgit 1.4.1 From 478437be715c965a4028693582bef650ce190198 Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 12 Oct 2023 21:54:21 +0200 Subject: fix(system/services/mastodon): change string to list of string --- system/services/mastodon/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index ea49fc5..fee472e 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -50,5 +50,7 @@ in { }; }; - users.groups.${config.services.mastodon.group}.members = config.services.nginx.user; + users.groups.${config.services.mastodon.group}.members = [ + config.services.nginx.user + ]; } -- cgit 1.4.1 From cfdd2e350ff5df55beef4fa5b7bc11e9ff5e23c1 Mon Sep 17 00:00:00 2001 From: sils Date: Fri, 13 Oct 2023 13:40:22 +0200 Subject: fix(system/services/mastodon): remove unneccessary stringcasts --- system/services/mastodon/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
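Review bot: Adding `config.services.nginx.user` to the mastodon group only helps nginx read `/var/lib/mastodon/public-system/` (the `/system/` alias) if the directory actually grants group access, and the impermanence entry for `/var/lib/mastodon` introduced earlier in this series sets `mode = "0700"`; if that mode is what ends up on the directory, group membership gives nginx nothing. Please confirm the effective permissions on the deployed host, and if needed relax the impermanence entry to a group-readable mode rather than widening the group further. A one-line comment on the `users.groups` line saying why nginx needs the group would also help, e.g. `# nginx serves /system/ directly from the mastodon state directory`.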
diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index fee472e..7522d99 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -10,7 +10,7 @@ in { fromAddress = emailAddress; user = emailAddress; host = "server1.vhack.eu"; - passwordFile = "${config.age.secrets.mastodonMail.path}"; + passwordFile = config.age.secrets.mastodonMail.path; }; extraConfig = { WEB_DOMAIN = "mastodon.vhack.eu"; @@ -22,7 +22,7 @@ in { enable = true; recommendedProxySettings = true; # required for redirections to work virtualHosts = { - "${config.services.mastodon.extraConfig.WEB_DOMAIN}" = { + "config.services.mastodon.extraConfig.WEB_DOMAIN" = { root = "${config.services.mastodon.package}/public/"; # mastodon only supports https, but you can override this if you offload tls elsewhere. forceSSL = true; -- cgit 1.4.1 From 4325da79ba9dfc8191d896dbbc801337d3f8b5bb Mon Sep 17 00:00:00 2001 From: sils Date: Fri, 13 Oct 2023 13:46:04 +0200 Subject: chore(version): v0.15.0 --- CHANGELOG.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b41f38..a90b456 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,22 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.15.0 - 2023-10-13 +#### Bug Fixes +- **(system/services/mastodon)** remove unneccessary stringcasts - (cfdd2e3) - sils +- **(system/services/mastodon)** change string to list of string - (478437b) - sils +- **(system/services/mastodon)** add nginx to group 'mastodon' - (1ddfb65) - sils +- **(system/services/mastodon)** allow registration only with vhack.eu/sils.li mail - (bd82494) - sils +- **(system/services/mastodon)** separate domains for user handles and webinterface - (cb49aa5) - sils +- **(system/services/mastodon)** correct age secret path - (b8f786b) - sils +#### Build system +- **(flake)** update - (d4fbb49) - sils +#### Features +- **(system/services)** actually import mastodon - (927fc16) - sils +- **(treewide)** add mastodon - (631e9c0) - sils + +- - - + ## v0.14.0 - 2023-10-11 #### Features - **(system/services/nix)** add wheel group to trusted-users - (52ae495) - sils -- cgit 1.4.1 From 900d013b708fb84add332fe397a01991cf71a119 Mon Sep 17 00:00:00 2001 From: sils Date: Fri, 13 Oct 2023 17:20:20 +0200 Subject: Revert "fix(system/services/mastodon): remove unneccessary stringcasts" These stringcasts were mandatory. This reverts commit cfdd2e350ff5df55beef4fa5b7bc11e9ff5e23c1. --- system/services/mastodon/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index 7522d99..fee472e 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -10,7 +10,7 @@ in { fromAddress = emailAddress; user = emailAddress; host = "server1.vhack.eu"; - passwordFile = config.age.secrets.mastodonMail.path; + passwordFile = "${config.age.secrets.mastodonMail.path}"; }; extraConfig = { WEB_DOMAIN = "mastodon.vhack.eu"; 
@@ -22,7 +22,7 @@ in { enable = true; recommendedProxySettings = true; # required for redirections to work virtualHosts = { - "config.services.mastodon.extraConfig.WEB_DOMAIN" = { + "${config.services.mastodon.extraConfig.WEB_DOMAIN}" = { root = "${config.services.mastodon.package}/public/"; # mastodon only supports https, but you can override this if you offload tls elsewhere. forceSSL = true; -- cgit 1.4.1 From 925e9936646bf071f6de271c8f17727e2ab86616 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 13 Oct 2023 17:36:16 +0200 Subject: fix(system/services/mastodon): Correctly avoid string casts --- system/services/mastodon/default.nix | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index fee472e..39a0f56 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -10,7 +10,7 @@ in { fromAddress = emailAddress; user = emailAddress; host = "server1.vhack.eu"; - passwordFile = "${config.age.secrets.mastodonMail.path}"; + passwordFile = config.age.secrets.mastodonMail.path; }; extraConfig = { WEB_DOMAIN = "mastodon.vhack.eu"; 
@@ -22,28 +22,26 @@ in { enable = true; recommendedProxySettings = true; # required for redirections to work virtualHosts = { - "${config.services.mastodon.extraConfig.WEB_DOMAIN}" = { + ${config.services.mastodon.extraConfig.WEB_DOMAIN} = { root = "${config.services.mastodon.package}/public/"; # mastodon only supports https, but you can override this if you offload tls elsewhere. forceSSL = true; enableACME = true; - locations."/system/".alias = "/var/lib/mastodon/public-system/"; - - locations."/" = { - tryFiles = "$uri @proxy"; - }; - - locations."@proxy" = { - proxyPass = "http://unix:/run/mastodon-web/web.socket"; - proxyWebsockets = true; - }; - - locations."/api/v1/streaming/" = { - proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; - proxyWebsockets = true; + locations = { + "/system/".alias = "/var/lib/mastodon/public-system/"; + "/".tryFiles = "$uri @proxy"; + "@proxy" = { + proxyPass = "http://unix:/run/mastodon-web/web.socket"; + proxyWebsockets = true; + }; + "/api/v1/streaming/" = { + proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + proxyWebsockets = true; + }; }; }; + "vhack.eu" = { locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri"; }; -- cgit 1.4.1