From 1b04cd6f94211ec3acf751b025f7fbf5814de473 Mon Sep 17 00:00:00 2001 From: Nettika Date: Wed, 8 Oct 2025 17:16:52 -0700 Subject: [PATCH 01/19] Setup matrix on apogee --- hosts/apogee/default.nix | 4 ++- hosts/apogee/matrix.nix | 28 +++++++++++++++++++ .../apogee/secrets/synapse-secrets-config.age | 6 ++++ 3 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 hosts/apogee/matrix.nix create mode 100644 hosts/apogee/secrets/synapse-secrets-config.age diff --git a/hosts/apogee/default.nix b/hosts/apogee/default.nix index f74e348..f4f1c0b 100644 --- a/hosts/apogee/default.nix +++ b/hosts/apogee/default.nix @@ -1,7 +1,9 @@ { ... }: { - imports = [ ./gandicloud.nix ]; + imports = [ ./matrix.nix ./gandicloud.nix ]; networking.hostName = "apogee"; + services.postgresql.enable = true; + promptSymbol = "🔭"; } diff --git a/hosts/apogee/matrix.nix b/hosts/apogee/matrix.nix new file mode 100644 index 0000000..76d329c --- /dev/null +++ b/hosts/apogee/matrix.nix @@ -0,0 +1,28 @@ +{ config, ... }: +let domain = "leaf.ninja"; +in { + age.secrets.synapse-secrets-config.file = + ./secrets/synapse-secrets-config.age; + + services.matrix-synapse = { + enable = true; + extraConfigFiles = [ config.age.secrets.synapse-secrets-config.path ]; + settings = { + server_name = domain; + database_type = "psycopg2"; + database_args.database = "matrix-synapse"; + }; + }; + + networking.firewall.allowedTCPPorts = [ + 8448 # Matrix federation + ]; + + services.caddy = { + enable = true; + virtualHosts."matrix.${domain}".extraConfig = '' + reverse_proxy /_matrix/* localhost:8008 + reverse_proxy /_synapse/client/* localhost:8008 + ''; + }; +} diff --git a/hosts/apogee/secrets/synapse-secrets-config.age b/hosts/apogee/secrets/synapse-secrets-config.age new file mode 100644 index 0000000..5c762df --- /dev/null +++ b/hosts/apogee/secrets/synapse-secrets-config.age 
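Review bot: In hosts/apogee/matrix.nix the firewall opens 8448 for federation, but nothing in this hunk listens there: the Caddy vhost only proxies `/_matrix/*` and `/_synapse/client/*` to `localhost:8008`, the Synapse `settings` declare no 8448 listener, and no `/.well-known/matrix/server` delegation is published, so federation for `leaf.ninja` will presumably fail while an unused port stays open. Either drop 8448 and serve `/.well-known/matrix/server` on `leaf.ninja` pointing at `matrix.leaf.ninja:443` (the quasar host later in this series does the well-known half), or add a Caddy site on `:8448` that proxies `/_matrix/*` to 8008. As far as I can tell the `database_type`/`database_args` keys are not the `settings.database.{name,args}` layout the NixOS module expects, so confirm the generated homeserver.yaml actually selects Postgres. This host is removed again in the next patch, so the point may be moot for apogee but applies to any copy of the file.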
@@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 f+PJrQ 2Gd75cRZviUH5xYRTC+6oKAT5/FfpY2zfMJVYwVlcCs +eA4B5qHSoPujIgcpBl4UOT8ovvdiTUb16Yk/lHNJJKo +--- 58bdTWl7z2skdVACACl/aAt76ciYkJOjnvDyendgKpQ +Qv=VU&Ld<#h~y"kv1Iz?»UH +rYImlh&PqK>s;ɅuX7z-(Ȭ \ No newline at end of file From 9eb0949e6054679249a5a7ed92235611994e6a64 Mon Sep 17 00:00:00 2001 From: Nettika Date: Wed, 8 Oct 2025 17:18:09 -0700 Subject: [PATCH 02/19] Remove apogee host --- hosts/apogee/default.nix | 7 ------ hosts/apogee/gandicloud.nix | 46 ------------------------------------- 2 files changed, 53 deletions(-) delete mode 100644 hosts/apogee/default.nix delete mode 100644 hosts/apogee/gandicloud.nix diff --git a/hosts/apogee/default.nix b/hosts/apogee/default.nix deleted file mode 100644 index f74e348..0000000 --- a/hosts/apogee/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: { - imports = [ ./gandicloud.nix ]; - - networking.hostName = "apogee"; - - promptSymbol = "🔭"; -} diff --git a/hosts/apogee/gandicloud.nix b/hosts/apogee/gandicloud.nix deleted file mode 100644 index 8df6e08..0000000 --- a/hosts/apogee/gandicloud.nix +++ /dev/null 
@@ -1,46 +0,0 @@ -# This is the configuration required to run NixOS on GandiCloud. -{ lib, modulesPath, ... }: { - imports = [ (modulesPath + "/virtualisation/openstack-config.nix") ]; - config = { - boot.initrd.kernelModules = [ - "xen-blkfront" - "xen-tpmfront" - "xen-kbdfront" - "xen-fbfront" - "xen-netfront" - "xen-pcifront" - "xen-scsifront" - ]; - - # Show debug kernel message on boot then reduce loglevel once booted - boot.consoleLogLevel = 7; - boot.kernel.sysctl."kernel.printk" = "4 4 1 7"; - - # For "openstack console log show" - boot.kernelParams = [ "console=ttyS0" ]; - systemd.services."serial-getty@ttyS0" = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.Restart = "always"; - }; - - # The device exposed by Xen - boot.loader.grub.device = lib.mkForce "/dev/xvda"; - - # This is to get a prompt via the "openstack console url show" command - systemd.services."getty@tty1" = { - enable = lib.mkForce true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.Restart = "always"; - }; - - # This is required to get an IPv6 address on our infrastructure - networking.tempAddresses = "disabled"; - - nix.extraOptions = '' - experimental-features = nix-command flakes - ''; - - system.stateVersion = "24.11"; - }; -} From ae246349e13d793955ebb3eac44f80f198144c7d Mon Sep 17 00:00:00 2001 From: Nettika Date: Wed, 8 Oct 2025 17:47:10 -0700 Subject: [PATCH 03/19] Ingress quasar configurations --- hosts/default.nix | 8 ++ hosts/quasar/default.nix | 89 +++++++++++++++++++ .../quasar/secrets/matrix-synapse-secrets.age | 7 ++ secrets.nix | 2 + 4 files changed, 106 insertions(+) create mode 100644 hosts/quasar/default.nix create mode 100644 hosts/quasar/secrets/matrix-synapse-secrets.age diff --git a/hosts/default.nix b/hosts/default.nix index 3795651..23f9596 100644 --- a/hosts/default.nix +++ b/hosts/default.nix 
@@ -14,4 +14,12 @@ in { modules = [ ./astral ]; specialArgs = { inherit (self) nixosModules; }; }; + quasar = nixosSystem { + system = "x86_64-linux"; + modules = [ ./quasar ]; + specialArgs = { + inherit (self) nixosModules; + inherit agenix; + }; + }; } diff --git a/hosts/quasar/default.nix b/hosts/quasar/default.nix new file mode 100644 index 0000000..c3ba129 --- /dev/null +++ b/hosts/quasar/default.nix 
@@ -0,0 +1,89 @@
+{ modulesPath, nixosModules, agenix, pkgs, config, ... }: {
+ imports = [
+ "${modulesPath}/virtualisation/amazon-image.nix"
+ nixosModules.nettika
+ nixosModules.promptmoji
+ agenix.nixosModules.default
+ ];
+
+ nixpkgs.config.allowUnfree = true;
+
+ nix.settings = {
+ experimental-features = [ "nix-command" "flakes" ];
+ trusted-users = [ "@wheel" ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.variables.EDITOR = "nano";
+
+ networking = {
+ hostName = "quasar";
+ networkmanager.enable = true;
+ firewall.allowedTCPPorts = [ 80 443 ];
+ };
+
+ environment.systemPackages = [ pkgs.htop ];
+
+ age.secrets = {
+ matrix-synapse-secrets.file = ./secrets/matrix-synapse-secrets.age;
+ };
+
+ services.postgresql = { enable = true; };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ "consortium.chat".extraConfig = ''
+ reverse_proxy localhost:8008
+ header Strict-Transport-Security "max-age=63072000; includeSubDomains"
+ '';
+ "matrix.consortium.chat".extraConfig = ''
+ reverse_proxy /_matrix/* localhost:8008
+ reverse_proxy /_synapse/client/* localhost:8008
+ '';
+ "admin.consortium.chat".extraConfig = ''
+ root * ${pkgs.synapse-admin}
+ file_server
+ '';
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = "consortium.chat";
+ serve_server_wellknown = true;
+ };
+ extraConfigFiles = [ config.age.secrets.matrix-synapse-secrets.path ];
+ };
+
+ programs.git = {
+ enable = true;
+ lfs.enable = true;
+ config = {
+ init.defaultBranch = "master";
+ user = {
+ email = "git@nettika.cat";
+ name = "Nettika";
+ };
+ credential.helper = "store";
+ };
+ };
+
+ programs.nano = {
+ enable = true;
+ nanorc = ''
+ set autoindent
+ set linenumbers
+ '';
+ };
+
+ programs.fish.enable = true;
+
+ promptSymbol = "🌟";
+
+ time.timeZone = "America/Los_Angeles";
+
+ system.stateVersion = "24.05";
+}
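Review bot: The `consortium.chat` vhost proxies every path to `localhost:8008`, which puts Synapse's `/_synapse/admin/*` API on the public apex domain, while the `matrix.consortium.chat` vhost directly below correctly scopes the proxy to `/_matrix/*` and `/_synapse/client/*`. Use the same two scoped `reverse_proxy` lines on `consortium.chat`, and if the synapse-admin UI on `admin.consortium.chat` needs the admin API, expose it on one vhost only behind a `remote_ip` matcher or `basic_auth`. Two host-level settings are also hard to justify on an internet-facing VPS: `security.sudo.wheelNeedsPassword = false;` and the system-wide `credential.helper = "store";`, which writes any git credential used on the box to a plaintext `~/.git-credentials`. The HSTS line here has no colon after the header name whereas the astral vhost elsewhere in this series writes `Strict-Transport-Security:`; check which spelling Caddy actually emits so one of the two is not sending a malformed header.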
diff --git a/hosts/quasar/secrets/matrix-synapse-secrets.age b/hosts/quasar/secrets/matrix-synapse-secrets.age new file mode 100644 index 0000000..f8716bd --- /dev/null +++ b/hosts/quasar/secrets/matrix-synapse-secrets.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 f+PJrQ Iv9sdO33a3P4MqwsqV9fG1pZo2qflmlKYr2oDI/guwQ +oUUIBdg9Ey5RTBDFTKTvAdQGxKWtdlBluBE2Urosc7Y +--- pAqz01P0OJOGhl/nM09oFU+f447+O7K1lFRlkhcv740 +Hub~*:9zl/^o#ň3 ~z(56+<TxM5`F`[-3"Ϩ- +h? @4g ޳$s2b[Y) s܃_YI{4CRA$kQ, +oigr<'l$S2s8}E+\.ry"k}ԭ,ꐈ0=t Date: Wed, 8 Oct 2025 19:39:30 -0700 Subject: [PATCH 04/19] Extract nano settings into a shared modules --- hosts/astral/default.nix | 11 +---------- hosts/marauder/default.nix | 11 +---------- hosts/quasar/default.nix | 11 +---------- modules/default.nix | 1 + modules/nano.nix | 11 +++++++++++ 5 files changed, 15 insertions(+), 30 deletions(-) create mode 100644 modules/nano.nix diff --git a/hosts/astral/default.nix b/hosts/astral/default.nix index 9bd5a71..3dafb8c 100644 --- a/hosts/astral/default.nix +++ b/hosts/astral/default.nix @@ -1,6 +1,7 @@ { nixosModules, modulesPath, lib, pkgs, ... }: { imports = [ "${modulesPath}/virtualisation/amazon-image.nix" + nixosModules.nano nixosModules.nettika nixosModules.promptmoji ]; @@ -26,8 +27,6 @@ security.sudo.wheelNeedsPassword = false; - environment.variables.EDITOR = "nano"; - services.caddy = { enable = true; virtualHosts = { @@ -53,14 +52,6 @@ }; }; - programs.nano = { - enable = true; - nanorc = '' - set autoindent - set linenumbers - ''; - }; - documentation.man.generateCaches = false; promptSymbol = "✴️"; diff --git a/hosts/marauder/default.nix b/hosts/marauder/default.nix index 712e12d..8ffaf92 100755 --- a/hosts/marauder/default.nix +++ b/hosts/marauder/default.nix @@ -11,6 +11,7 @@ let in { imports = [ ./backup.nix + nixosModules.nano nixosModules.nettika nixosModules.promptmoji agenix.nixosModules.default 
@@ -30,8 +31,6 @@ in { nixpkgs.config.allowUnfree = true; - environment.variables.EDITOR = "nano"; - documentation.man.generateCaches = false; environment.variables = { @@ -181,14 +180,6 @@ in { }; }; - programs.nano = { - enable = true; - nanorc = '' - set autoindent - set linenumbers - ''; - }; - programs.steam = { enable = true; remotePlay.openFirewall = true; diff --git a/hosts/quasar/default.nix b/hosts/quasar/default.nix index c3ba129..289cf4b 100644 --- a/hosts/quasar/default.nix +++ b/hosts/quasar/default.nix @@ -1,6 +1,7 @@ { modulesPath, nixosModules, agenix, pkgs, config, ... }: { imports = [ "${modulesPath}/virtualisation/amazon-image.nix" + nixosModules.nano nixosModules.nettika nixosModules.promptmoji agenix.nixosModules.default @@ -15,8 +16,6 @@ security.sudo.wheelNeedsPassword = false; - environment.variables.EDITOR = "nano"; - networking = { hostName = "quasar"; networkmanager.enable = true; @@ -71,14 +70,6 @@ }; }; - programs.nano = { - enable = true; - nanorc = '' - set autoindent - set linenumbers - ''; - }; - programs.fish.enable = true; promptSymbol = "🌟"; diff --git a/modules/default.nix b/modules/default.nix index f900622..dd877a2 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,4 +1,5 @@ { + nano = ./nano.nix; nettika = ./nettika.nix; promptmoji = ./promptmoji.nix; } diff --git a/modules/nano.nix b/modules/nano.nix new file mode 100644 index 0000000..a700807 --- /dev/null +++ b/modules/nano.nix @@ -0,0 +1,11 @@ +{ ... }: { + environment.variables.EDITOR = "nano"; + + programs.nano = { + enable = true; + nanorc = '' + set autoindent + set linenumbers + ''; + }; +} From 660426df1f3fbfd36541638e0a494756624e1045 Mon Sep 17 00:00:00 2001 From: Nettika Date: Wed, 8 Oct 2025 19:46:56 -0700 Subject: [PATCH 05/19] Remove unneeded configs from astral --- hosts/astral/default.nix | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) 
diff --git a/hosts/astral/default.nix b/hosts/astral/default.nix index 3dafb8c..421f5e0 100644 --- a/hosts/astral/default.nix +++ b/hosts/astral/default.nix @@ -20,7 +20,6 @@ networking = { hostName = "astral"; firewall.allowedTCPPorts = [ 80 443 ]; - networkmanager.enable = true; }; users.defaultUserShell = pkgs.fish; @@ -39,22 +38,9 @@ programs.fish.enable = true; - programs.git = { - enable = true; - lfs.enable = true; - config = { - init.defaultBranch = "master"; - user = { - email = "git@nettika.cat"; - name = "Nettika"; - }; - credential.helper = "store"; - }; - }; - documentation.man.generateCaches = false; - promptSymbol = "✴️"; + promptSymbol = "👻"; time.timeZone = "America/Los_Angeles"; From b665d7cffefae54963b5e95b3fd142ceb097f2e3 Mon Sep 17 00:00:00 2001 From: Nettika Date: Wed, 8 Oct 2025 21:45:43 -0700 Subject: [PATCH 06/19] Setup vaultwarden on astral --- hosts/astral/default.nix | 29 ++++++++++++++++-- hosts/astral/secrets/vaultwarden-env.age | Bin 0 -> 370 bytes hosts/default.nix | 19 ++++++------ hosts/marauder/secrets/restic-env.age | 9 +++--- hosts/marauder/secrets/restic-password.age | Bin 246 -> 246 bytes hosts/quasar/default.nix | 2 +- .../quasar/secrets/matrix-synapse-secrets.age | Bin 426 -> 536 bytes secrets.nix | 14 ++++++--- 8 files changed, 51 insertions(+), 22 deletions(-) create mode 100644 hosts/astral/secrets/vaultwarden-env.age diff --git a/hosts/astral/default.nix b/hosts/astral/default.nix index 421f5e0..4e019e7 100644 --- a/hosts/astral/default.nix +++ b/hosts/astral/default.nix @@ -1,9 +1,10 @@ -{ nixosModules, modulesPath, lib, pkgs, ... }: { +{ modulesPath, nixosModules, agenix, lib, pkgs, config, ... }: { imports = [ "${modulesPath}/virtualisation/amazon-image.nix" nixosModules.nano nixosModules.nettika nixosModules.promptmoji + agenix.nixosModules.default ]; boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; 
@@ -14,7 +15,10 @@ dates = "weekly"; options = "--delete-older-than 30d"; }; - settings.trusted-users = [ "@wheel" ]; + settings = { + trusted-users = [ "@wheel" ]; + experimental-features = [ "nix-command" "flakes" ]; + }; }; networking = { @@ -22,6 +26,8 @@ firewall.allowedTCPPorts = [ 80 443 ]; }; + age.secrets.vaultwarden-env.file = ./secrets/vaultwarden-env.age; + users.defaultUserShell = pkgs.fish; security.sudo.wheelNeedsPassword = false; @@ -33,9 +39,28 @@ respond "astral is online" header Strict-Transport-Security: "max-age=63072000; includeSubDomains" ''; + "vault.leaf.ninja".extraConfig = '' + reverse_proxy localhost:8222 + ''; }; }; + services.vaultwarden = { + enable = true; + config = { + domain = "https://vault.leaf.ninja"; + signupsAllowed = false; + rocketAddress = "0.0.0.0"; + rocketPort = 8222; + smtpHost = "smtp.migadu.com"; + smtpFrom = "vaultwarden@leaf.ninja"; + smtpPort = 587; + smtpSecurity = "starttls"; + smtpUsername = "vaultwarden@leaf.ninja"; + }; + environmentFile = config.age.secrets.vaultwarden-env.path; + }; + programs.fish.enable = true; documentation.man.generateCaches = false; 
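Review bot: `rocketAddress = "0.0.0.0";` makes Vaultwarden listen on every interface although Caddy reaches it at `localhost:8222` and only 80/443 are opened in `networking.firewall`, so the firewall is the only thing keeping the plain-HTTP port off the internet. Bind it to loopback: `rocketAddress = "127.0.0.1";`. The new `vault.leaf.ninja` vhost also omits the `header Strict-Transport-Security "max-age=63072000; includeSubDomains"` line that the `astral.leaf.ninja` status vhost in the same block sets, and a password manager is the one place that header clearly earns its keep. Leaving `age.secrets.vaultwarden-env` at its root-owned 0400 default looks right here since `environmentFile` is presumably consumed by systemd before privileges drop.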
diff --git a/hosts/astral/secrets/vaultwarden-env.age b/hosts/astral/secrets/vaultwarden-env.age new file mode 100644 index 0000000000000000000000000000000000000000..83accd1590e1f22e60cbfb11a1212f09d5aa6142 GIT binary patch literal 370 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn(+=<|3RFmR_jfLG zODrmOEY1%NOG^z;kMu~jG;}R-HH`50k4)D#FDZ+N^eznzGvUfe^mNa2D-VhA^GVhZ z^Ybf-^esv+3Jgi9% zIM^lIEwP}?&pA2JG9}o;xxy>JsHEJ$*f-BN+=9zjKddA%AS$mk#I4fAEiX9V-6uTC zJ>M_DB)h`LJhwb2)g#ryJX60Y)s;(ES63m&ATOoFJ ssh-ed25519 f+PJrQ qccE2xAzfBZ3DCRQtQDgwS1UzjlZx44oUrYjcDfMfDk -I2l6xRJsdQLYB2cMo0Kfi6mVyhZsuSPFG574P8pl12Y ---- WoBlo7fqYRkiBYPoLpa3wHB8ZPCVy32a4aL5UswCHJc -LΚ[N<#] B}f%PxKۨkI ssh-ed25519 f+PJrQ VJshLBSbF93anR9fOJ3Kwhxh1AOdvsS0hoJ86Bw9oBQ +It8hELrRN+EYt9nv75lVHha+ZDUhCDNQVczDZVlDCBs +--- xzJ/50+WOA+IWRXiAvBbJLUlsgsSztQrzbimng2QdlU +Ϭjҍ8K7$wbԲǰ~]NB]QM+cw +Jo͔Sؚ!NDuOnZnNѵV:kc)|JopSHfu19 \ No newline at end of file diff --git a/hosts/marauder/secrets/restic-password.age b/hosts/marauder/secrets/restic-password.age index 58bbd5c66d43e5ccf66e1e1bcd8d3e55b07de816..6722ce542f8ef776c9fd8e734eac4e732a2a1d31 100644 GIT binary patch delta 210 zcmeyy_>FObPJMcEg^5S9U!HfWk#A5^j(bFsi&17uM43lUYJ{Ufh+9d4XL>-0M`l#G zCzq*FmWOvW^k2zmZ?v0iE(a0vU6IgW06~sBbTnOu7X)g zvOz$$Nn%Brfsa#gP*J6KU`Ux$S!rHsQcFObPQ7oKv%W!CWTvxMvQc(aNI`^4akiUzx?ypSab8%iQJ6`weom1=VYZ2T zI+t5cX}Z6kkDEtEqN#6ENU=w0aZa#LiFuHBdVaW*iF>$dX-;9Gm!Gzy374*}u0n>p zn@^OhTe!Jfl)ryeRe5+|MOI3IYoSMuc}{Vpo3XKPqIYqqg^OuAzCCAkMR%LGpDwgZqx8S$BTivO81v NW7kr>xv5Xq0sz0LPIv$S diff --git a/hosts/quasar/default.nix b/hosts/quasar/default.nix index 289cf4b..c4d5809 100644 --- a/hosts/quasar/default.nix +++ b/hosts/quasar/default.nix @@ -28,7 +28,7 @@ matrix-synapse-secrets.file = ./secrets/matrix-synapse-secrets.age; }; - services.postgresql = { enable = true; }; + services.postgresql.enable = true; services.caddy = { enable = true; 
diff --git a/hosts/quasar/secrets/matrix-synapse-secrets.age b/hosts/quasar/secrets/matrix-synapse-secrets.age index f8716bd7dc792c563d7f3a82ae069701e209c31c..5fba68282a14bb27a4c678752c43893479363b7b 100644 GIT binary patch delta 502 zcmZ3*JcDI|PJKaGk&AzzenD79m9MvBnoCAjaB@hMsj**VnR${=W@Ju5u1k(vMW|zN zGM8~+Mw&&qOK_57MxsZBkBh#3ain`jMR0nEk8irSb4o#$mrt0pfw^Ou0hg|wLUD11 zZfc5=si~o*LW-ApQof^tp;>u`NpWOET4Yi|zHv%URlUE7Z$^ZLMSeh_f0n7KlfPk# zyKi}FS#XvwSCq4hmq~_eNLpx6XhB|}iFRgSc1lsck&C;bL55LQfmdp>rI(pwQCU!^-n(63`s^;AeDg2z2g6_dQ(OG6OQGND z-@Tn~ZVS@_9^JNom3dF5&+#q)0k6}gTU;$}ZQfaXL3_`WM*rW@r}}T_7-z7(EA17{ z++BY9xa9jt(d2E50wOIpMCIM~`KO}rHL^`sJnNK_!j4HR#cTBn=0E?p)?UG3{W}0Y Cy3PIo delta 392 zcmbQivWj_vPQ7QDWpRqXv2mhtfQfHmd2wNwWtzKTK~%m`VOmaZj(22{QND|(etKzn zAXk29sHam(x}|HSX;6rhi(80yNSR|wpnHXPcu7i*Q%YlfPuf4zk5cGex9#^WxiXecAANaxwgN#w_%Q3P<>8zMsk_Ci2>Kb_1{;1W?JJ> znzTdWQ{4kCt9h1H%b0Rnzw0-wj+4!2Ql5LX!&r6^2lth_TJ*>Un<{w{3 z#RFf{1h<4}-Nnmfjg_vSU!lvDVXyGi!6cpM-ewV%hG)gUUl_HVPkI~8d@Az$pU3qQ z+ch666yIr%um4>?C(?8M$F|nD)h1gvy=IYIHs5(}&|Sw37rv;pXFr-B_(6wjUcK~; zWfMNUe7280LRm*H2?qr diff --git a/secrets.nix b/secrets.nix index 1e8ad6a..48f0c4b 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -1,10 +1,14 @@ let - marauder.nettika = + marauder = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHopty1QG8P+OfGxQ9CV0BI1IRB/q6yITzMZaZ6Zspid"; + astral = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRJf6qsNoITXPBdiFsmZuLR0dyP/D6WYNP/RQynl3kf"; + quasar = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoVsKoMEiA2G0WIC/6gFsNE09yhumWf4xnDuoRcD2Px"; in { - "hosts/marauder/secrets/restic-env.age".publicKeys = [ marauder.nettika ]; - "hosts/marauder/secrets/restic-password.age".publicKeys = - [ marauder.nettika ]; + "hosts/marauder/secrets/restic-env.age".publicKeys = [ marauder ]; + "hosts/marauder/secrets/restic-password.age".publicKeys = [ marauder ]; "hosts/quasar/secrets/matrix-synapse-secrets.age".publicKeys = - [ marauder.nettika ]; + [ marauder quasar ]; + "hosts/astral/secrets/vaultwarden-env.age".publicKeys = [ marauder astral ]; } From 735f4243159ca9d746f2467c92f20afb37984964 Mon Sep 17 00:00:00 2001 From: Nettika Date: Wed, 8 Oct 2025 22:28:31 -0700 Subject: [PATCH 07/19] Setup forgejo on astral --- hosts/astral/default.nix | 25 +++---------- hosts/astral/forgejo.nix | 36 +++++++++++++++++++ .../secrets/forgejo-mailer-password.age | 7 ++++ hosts/astral/vaultwarden.nix | 25 +++++++++++++ secrets.nix | 2 ++ 5 files changed, 74 insertions(+), 21 deletions(-) create mode 100644 hosts/astral/forgejo.nix create mode 100644 hosts/astral/secrets/forgejo-mailer-password.age create mode 100644 hosts/astral/vaultwarden.nix diff --git a/hosts/astral/default.nix b/hosts/astral/default.nix index 4e019e7..1e85c02 100644 --- a/hosts/astral/default.nix +++ b/hosts/astral/default.nix @@ -1,10 +1,12 @@ -{ modulesPath, nixosModules, agenix, lib, pkgs, config, ... }: { +{ modulesPath, nixosModules, agenix, lib, pkgs, ... }: { imports = [ "${modulesPath}/virtualisation/amazon-image.nix" nixosModules.nano nixosModules.nettika nixosModules.promptmoji agenix.nixosModules.default + ./forgejo.nix + ./vaultwarden.nix ]; boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; 
@@ -26,8 +28,6 @@ firewall.allowedTCPPorts = [ 80 443 ]; }; - age.secrets.vaultwarden-env.file = ./secrets/vaultwarden-env.age; - users.defaultUserShell = pkgs.fish; security.sudo.wheelNeedsPassword = false; @@ -39,27 +39,10 @@ respond "astral is online" header Strict-Transport-Security: "max-age=63072000; includeSubDomains" ''; - "vault.leaf.ninja".extraConfig = '' - reverse_proxy localhost:8222 - ''; }; }; - services.vaultwarden = { - enable = true; - config = { - domain = "https://vault.leaf.ninja"; - signupsAllowed = false; - rocketAddress = "0.0.0.0"; - rocketPort = 8222; - smtpHost = "smtp.migadu.com"; - smtpFrom = "vaultwarden@leaf.ninja"; - smtpPort = 587; - smtpSecurity = "starttls"; - smtpUsername = "vaultwarden@leaf.ninja"; - }; - environmentFile = config.age.secrets.vaultwarden-env.path; - }; + services.postgresql.enable = true; programs.fish.enable = true; diff --git a/hosts/astral/forgejo.nix b/hosts/astral/forgejo.nix new file mode 100644 index 0000000..8c29daf --- /dev/null +++ b/hosts/astral/forgejo.nix @@ -0,0 +1,36 @@ +{ config, ... }: +let domain = "git.leaf.ninja"; +in { + services.forgejo = { + enable = true; + database.type = "postgres"; + lfs.enable = true; + settings = { + server = { + DOMAIN = domain; + ROOT_URL = "https://${domain}/"; + HTTP_PORT = 3000; + }; + service.DISABLE_REGISTRATION = true; + mailer = { + ENABLED = true; + SMTP_ADDR = "smtp.migadu.com"; + FROM = "forgejo@leaf.ninja"; + USER = "forgejo@$leaf.ninja"; + }; + }; + secrets = { + mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path; + }; + }; + + services.caddy.virtualHosts.${domain}.extraConfig = '' + reverse_proxy localhost:3000 + ''; + + age.secrets.forgejo-mailer-password = { + file = ./secrets/forgejo-mailer-password.age; + mode = "400"; + owner = "forgejo"; + }; +} diff --git a/hosts/astral/secrets/forgejo-mailer-password.age b/hosts/astral/secrets/forgejo-mailer-password.age new file mode 100644 index 0000000..411e34a --- /dev/null 
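Review bot: In hosts/astral/forgejo.nix the mailer login is `USER = "forgejo@$leaf.ninja";`; Nix keeps a `$` that is not followed by `{` as a literal character, so Forgejo will authenticate to smtp.migadu.com as `forgejo@$leaf.ninja` and every notification mail will fail. It should be `USER = "forgejo@leaf.ninja";`, matching `FROM` and the Vaultwarden account pattern on this host. The block sets neither `PROTOCOL` nor `SMTP_PORT`; the Vaultwarden module on the same host pins 587 with STARTTLS, so pin the same here (`PROTOCOL = "smtp+starttls"; SMTP_PORT = 587;`) rather than relying on Forgejo to infer the transport. The `mode = "400"; owner = "forgejo";` on the mailer secret is the right shape for a file Forgejo opens itself.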
+++ b/hosts/astral/secrets/forgejo-mailer-password.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 f+PJrQ 6h8dfxbHOBbyTK6iwzbqVpUUYJtJhg6XMAoRWDhbdT8 +kZSsccA4qkiTS8wNdZphZ9cioiFbXjR4xkVZBi1j0aM +-> ssh-ed25519 nz/vnw Q+BuraNFun6RwcLPFcKcjBptgpZdddI+hQP2UVKFJmA +WJNvdIDTDBXbaXYw7gom7YQTTNrxlsP1EvTDNN5G9+0 +--- a6gvFS7YixX30i1Jm04vrwzq3Xh9iXufdnZMnPPI+Mw +ԇ]h6+2xD UZeAzDkL;I /'4nLT<4}i _݋ \ No newline at end of file diff --git a/hosts/astral/vaultwarden.nix b/hosts/astral/vaultwarden.nix new file mode 100644 index 0000000..1041d65 --- /dev/null +++ b/hosts/astral/vaultwarden.nix @@ -0,0 +1,25 @@ +{ config, ... }: +let domain = "vault.leaf.ninja"; +in { + services.vaultwarden = { + enable = true; + config = { + domain = "https://${domain}"; + signupsAllowed = false; + rocketAddress = "0.0.0.0"; + rocketPort = 8222; + smtpHost = "smtp.migadu.com"; + smtpFrom = "vaultwarden@leaf.ninja"; + smtpPort = 587; + smtpSecurity = "starttls"; + smtpUsername = "vaultwarden@leaf.ninja"; + }; + environmentFile = config.age.secrets.vaultwarden-env.path; + }; + + services.caddy.virtualHosts.${domain}.extraConfig = '' + reverse_proxy localhost:8222 + ''; + + age.secrets.vaultwarden-env.file = ./secrets/vaultwarden-env.age; +} diff --git a/secrets.nix b/secrets.nix index 48f0c4b..1d322d3 100644 --- a/secrets.nix +++ b/secrets.nix @@ -11,4 +11,6 @@ in { "hosts/quasar/secrets/matrix-synapse-secrets.age".publicKeys = [ marauder quasar ]; "hosts/astral/secrets/vaultwarden-env.age".publicKeys = [ marauder astral ]; + "hosts/astral/secrets/forgejo-mailer-password.age".publicKeys = + [ marauder astral ]; } From 8e5b7440a15831376080af05cd264d3f96dc2bb3 Mon Sep 17 00:00:00 2001 
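Review bot: The Vaultwarden block moved into hosts/astral/vaultwarden.nix still carries `rocketAddress = "0.0.0.0";`, so the service keeps listening on all interfaces even though only Caddy on loopback needs port 8222; `rocketAddress = "127.0.0.1";` removes the dependence on the firewall rules in default.nix. Since the vhost is being rewritten anyway, give `vault.leaf.ninja` the same `header Strict-Transport-Security "max-age=63072000; includeSubDomains"` line the astral status vhost has. The `domain` binding makes the `https://${domain}` and vhost name agree, which is an improvement over the duplicated literal in the previous patch.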
From: Nettika Date: Fri, 10 Oct 2025 08:58:59 -0700 Subject: [PATCH 08/19] Fix matrix synapse instance on quasar --- hosts/quasar/default.nix | 25 ++++++++++++++++-- .../quasar/secrets/matrix-synapse-secrets.age | Bin 536 -> 0 bytes .../secrets/matrix-synapse-secrets.yaml | Bin 0 -> 542 bytes secrets.nix | 2 +- 4 files changed, 24 insertions(+), 3 deletions(-) delete mode 100644 hosts/quasar/secrets/matrix-synapse-secrets.age create mode 100644 hosts/quasar/secrets/matrix-synapse-secrets.yaml diff --git a/hosts/quasar/default.nix b/hosts/quasar/default.nix index c4d5809..777afc0 100644 --- a/hosts/quasar/default.nix +++ b/hosts/quasar/default.nix @@ -25,7 +25,11 @@ environment.systemPackages = [ pkgs.htop ]; age.secrets = { - matrix-synapse-secrets.file = ./secrets/matrix-synapse-secrets.age; + matrix-synapse-secrets = { + file = ./secrets/matrix-synapse-secrets.yaml; + mode = "400"; + owner = "matrix-synapse"; + }; }; services.postgresql.enable = true; @@ -33,7 +37,23 @@ services.caddy = { enable = true; virtualHosts = { + "quasar.leaf.ninja".extraConfig = '' + respond "quasar is online" + header Strict-Transport-Security: "max-age=63072000; includeSubDomains" + ''; "consortium.chat".extraConfig = '' + respond /.well-known/matrix/server <*2(8aOTxxh6-JHIf(IGJnJ98=ZG8~>+1Q)sZ-o6VE#`S|LwwYO>(7KkrC#xTz~ zW?$;J=^AqsFCWjnm2D@l;FPI5J=)_t*Nqt$tGFMz2S;hW+>%vL|2vskU8W>FYMP_b zNnOtmKNEG@53_SjxnC0dZGNrY+rw)vkc<w2{v7}*JlG2W 
diff --git a/hosts/quasar/secrets/matrix-synapse-secrets.yaml b/hosts/quasar/secrets/matrix-synapse-secrets.yaml new file mode 100644 index 0000000000000000000000000000000000000000..22adf929452acfd50c5f4abd306fee4a44384101 GIT binary patch literal 542 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn(+=<|3RE!8bqP$f z)K78rHcc<^bu{-$_X$i7$gA*A4KwnOGH`UWh)i-$3jD$v*2HQyj5C^5^iDv)cf6svk1;ZaEG|8e8m?tiS^1)uI2 z%(%PPL}^JN@1>JUp>yUQS(bV&XU38CZu4;C2`d_xeq8vCVTY)@;fFi@-w$1x{OY^U zuRG`8wk%u9R#zVv7&7%qN#~W>{Tq8;S+`_MXyk-ESe6?0hmr5SQ~8Z;Opogig-u>5 f>oZS|@#k`LDb+ilME3>CbWTZ?U4QG)={HdTgE{1l literal 0 HcmV?d00001 diff --git a/secrets.nix b/secrets.nix index 1d322d3..58ceb27 100644 --- a/secrets.nix +++ b/secrets.nix @@ -8,7 +8,7 @@ let in { "hosts/marauder/secrets/restic-env.age".publicKeys = [ marauder ]; "hosts/marauder/secrets/restic-password.age".publicKeys = [ marauder ]; - "hosts/quasar/secrets/matrix-synapse-secrets.age".publicKeys = + "hosts/quasar/secrets/matrix-synapse-secrets.yaml".publicKeys = [ marauder quasar ]; "hosts/astral/secrets/vaultwarden-env.age".publicKeys = [ marauder astral ]; "hosts/astral/secrets/forgejo-mailer-password.age".publicKeys = From 60b00f946b9ae4e45c3d1d09a271d4b7088f7c57 Mon Sep 17 00:00:00 2001 From: Nettika Date: Sat, 11 Oct 2025 19:18:44 -0700 Subject: [PATCH 09/19] Setup link-in-bio page on astral --- hosts/astral/default.nix | 1 + hosts/astral/forgejo.nix | 4 +++- hosts/astral/links.nix | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 hosts/astral/links.nix diff --git a/hosts/astral/default.nix b/hosts/astral/default.nix index 1e85c02..cc03584 100644 --- a/hosts/astral/default.nix +++ b/hosts/astral/default.nix @@ -6,6 +6,7 @@ nixosModules.promptmoji agenix.nixosModules.default ./forgejo.nix + ./links.nix ./vaultwarden.nix ]; diff --git a/hosts/astral/forgejo.nix b/hosts/astral/forgejo.nix index 8c29daf..366bf7b 100644 --- a/hosts/astral/forgejo.nix 
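Review bot: The secrets.nix entry now points at `hosts/quasar/secrets/matrix-synapse-secrets.yaml`, an age ciphertext (git shows it as binary) whose extension says plaintext YAML, while every other entry in this file keeps the `.age` suffix. Naming it `matrix-synapse-secrets.yaml.age` keeps the convention, lets a grep for un-encrypted `*.yaml` under `secrets/` stay meaningful, and stops editors and pre-commit hooks from treating the file as YAML. The `age.secrets` path in hosts/quasar/default.nix would change in step.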
+++ b/hosts/astral/forgejo.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: let domain = "git.leaf.ninja"; in { services.forgejo = { @@ -18,6 +18,8 @@ in { FROM = "forgejo@leaf.ninja"; USER = "forgejo@$leaf.ninja"; }; + webhook.ALLOWED_HOST_LIST = + pkgs.lib.concatStringsSep "," [ "localhost" "::1" ]; }; secrets = { mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path; diff --git a/hosts/astral/links.nix b/hosts/astral/links.nix new file mode 100644 index 0000000..eb70571 --- /dev/null +++ b/hosts/astral/links.nix @@ -0,0 +1,39 @@ +{ pkgs, ... }: +let + domain = "nettika.leaf.ninja"; + root = "/srv/links"; + webhookHandler = pkgs.writeScript "webhook-handler.py" '' + #!${pkgs.python3}/bin/python3 + + import http.server + import socketserver + import subprocess + import os + + class WebhookHandler(http.server.SimpleHTTPRequestHandler): + def do_POST(self): + os.chdir('${root}') + subprocess.run(['${pkgs.git}/bin/git', 'pull'], check=True) + self.send_response(200) + self.end_headers() + self.wfile.write(b'OK') + + with socketserver.TCPServer(("127.0.0.1", 8081), WebhookHandler) as httpd: + httpd.serve_forever() + ''; +in { + systemd.services.links-webhook = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.python3}/bin/python3 ${webhookHandler}"; + Restart = "always"; + }; + }; + + services.caddy.virtualHosts.${domain}.extraConfig = '' + root * ${root} + file_server + ''; +} From fbba1d34367b71670e7af7905726a014b5524bb2 Mon Sep 17 00:00:00 2001 From: Nettika Date: Sat, 11 Oct 2025 19:23:46 -0700 Subject: [PATCH 10/19] Adjust settings on quasar --- hosts/quasar/default.nix | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/hosts/quasar/default.nix b/hosts/quasar/default.nix index 777afc0..fc8a69b 100644 --- a/hosts/quasar/default.nix +++ b/hosts/quasar/default.nix 
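Review bot: `webhook.ALLOWED_HOST_LIST` now lets Forgejo webhooks target `localhost`/`::1`, so anyone who can configure a webhook on a repository can make the server issue requests to every loopback service on astral — Vaultwarden on 8222, Forgejo's own API, and the unauthenticated `git pull` handler on 8081 added in this same patch. If that handler is the only intended consumer, keep the allowlist narrow and make the handler verify the webhook secret; Forgejo also documents a `loopback` keyword that covers both addresses, so `webhook.ALLOWED_HOST_LIST = "loopback";` replaces the hand-built list. Style: reaching for `pkgs.lib.concatStringsSep` to join two literals is heavier than the plain string, and `lib` is the conventional module argument when a helper really is needed.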
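Review bot: The `links-webhook` handler in hosts/astral/links.nix runs `git pull` in `/srv/links` on any POST without checking a secret, and because it subclasses `SimpleHTTPRequestHandler` it also answers GET with a listing of its working directory, which is whatever systemd starts the unit in (`/` unless `WorkingDirectory` is set) until the first POST `chdir`s it. The unit sets no `User=`, so both the listener and the pull run as root. Verify Forgejo's HMAC over the request body with a shared secret, switch to `BaseHTTPRequestHandler`, pass `-C ${root}` to git instead of the process-wide `os.chdir`, and run the unit as a dedicated user that owns `/srv/links` (git refuses "dubious ownership" otherwise); the secret should arrive through an agenix-managed `EnvironmentFile`, declared like the other secrets, not through the Nix store. Also check whether Caddy's `file_server` on `/srv/links` serves the `.git` directory and add `hide .git` if it does; the `X-Forgejo-Signature` header name below should be confirmed against the deployed Forgejo version.
```nix
{ config, pkgs, ... }:
let
  # … unchanged: domain, root …
  webhookHandler = pkgs.writeScript "webhook-handler.py" ''
    #!${pkgs.python3}/bin/python3

    import hashlib
    import hmac
    import http.server
    import os
    import socketserver
    import subprocess

    # Shared secret configured on the Forgejo webhook; comes from EnvironmentFile, never the store.
    SECRET = os.environb[b"WEBHOOK_SECRET"]

    # BaseHTTPRequestHandler has no do_GET, so nothing is ever served from the working directory.
    class WebhookHandler(http.server.BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", "0"))
            body = self.rfile.read(length)
            expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
            given = self.headers.get("X-Forgejo-Signature", "")
            if not hmac.compare_digest(expected, given):
                self.send_error(403)
                return
            subprocess.run(
                ['${pkgs.git}/bin/git', '-C', '${root}', 'pull', '--ff-only'],
                check=True,
            )
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b'OK')

    with socketserver.TCPServer(("127.0.0.1", 8081), WebhookHandler) as httpd:
        httpd.serve_forever()
  '';
in {
  users.users.links-webhook = { isSystemUser = true; group = "links-webhook"; };
  users.groups.links-webhook = { };

  systemd.services.links-webhook = {
    # … unchanged: wantedBy, after …
    serviceConfig = {
      # … unchanged: Type, ExecStart, Restart …
      User = "links-webhook";
      EnvironmentFile = config.age.secrets.links-webhook-secret.path; # WEBHOOK_SECRET=…
      ProtectSystem = "strict";
      ReadWritePaths = [ root ];
    };
  };

  # … unchanged: caddy virtualHost …
}
```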
@@ -16,6 +16,8 @@ security.sudo.wheelNeedsPassword = false; + users.defaultUserShell = pkgs.fish; + networking = { hostName = "quasar"; networkmanager.enable = true; @@ -78,23 +80,12 @@ extraConfigFiles = [ config.age.secrets.matrix-synapse-secrets.path ]; }; - programs.git = { - enable = true; - lfs.enable = true; - config = { - init.defaultBranch = "master"; - user = { - email = "git@nettika.cat"; - name = "Nettika"; - }; - credential.helper = "store"; - }; - }; - programs.fish.enable = true; promptSymbol = "🌟"; + documentation.man.generateCaches = false; + time.timeZone = "America/Los_Angeles"; system.stateVersion = "24.05"; From fd605c040bb68a76d6fc150c68ea48330add949e Mon Sep 17 00:00:00 2001 From: Nettika Date: Sat, 11 Oct 2025 19:39:49 -0700 Subject: [PATCH 11/19] Add readmes --- flake.nix | 2 +- hosts/readme.md | 6 ++++++ modules/readme.md | 7 +++++++ readme.md | 4 ++++ 4 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 hosts/readme.md create mode 100644 modules/readme.md create mode 100644 readme.md diff --git a/flake.nix b/flake.nix index 389eca4..f8c151e 100755 --- a/flake.nix +++ b/flake.nix @@ -1,5 +1,5 @@ { - description = "NixOS Configurations"; + description = "Nettika's NixOS Configs"; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; diff --git a/hosts/readme.md b/hosts/readme.md new file mode 100644 index 0000000..8b01a00 --- /dev/null +++ b/hosts/readme.md @@ -0,0 +1,6 @@ +# Hosts + +- [astral](astral) - VPS running miscellaneous servers +- [marauder](marauder) - My laptop +- [quasar](quasar) - VPS running the [consortium.chat](https://consortium.chat) + matrix-synapse instance \ No newline at end of file diff --git a/modules/readme.md b/modules/readme.md new file mode 100644 index 0000000..a54b0c6 --- /dev/null +++ b/modules/readme.md 
@@ -0,0 +1,7 @@ +# Modules + +- `nano`: Base config for [nano](https://www.nano-editor.org) +- `nettika`: Base config for user "nettika" +- `promptmoji`: Fish prompt starting with an emoji to indicate which host I'm + logged into. The emoji is configured with `promptSymbol`. Ignored if + `programs.fish.enabled` is false. \ No newline at end of file diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..b96399f --- /dev/null +++ b/readme.md @@ -0,0 +1,4 @@ +# Nettika's NixOS Configs + +- [hosts](hosts) - my `nixosConfigurations` +- [modules](modules) - my `nixosModules` \ No newline at end of file From 690b2e2deb3fd406bb8659203cf4052add860acf Mon Sep 17 00:00:00 2001 From: Nettika Date: Sun, 12 Oct 2025 00:45:52 -0700 Subject: [PATCH 12/19] Adjust git settings on marauder --- hosts/marauder/default.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/hosts/marauder/default.nix b/hosts/marauder/default.nix index 8ffaf92..944c470 100755 --- a/hosts/marauder/default.nix +++ b/hosts/marauder/default.nix @@ -172,9 +172,10 @@ in { lfs.enable = true; config = { init.defaultBranch = "master"; + push.autoSetupRemote = true; user = { - email = "git@nettika.cat"; name = "Nettika"; + email = "git@nettika.cat"; }; credential.helper = "store"; }; @@ -190,7 +191,7 @@ in { programs.ssh.extraConfig = '' Host quasar - HostName consortium.chat + HostName quasar.leaf.ninja IdentityFile ~/.ssh/LightsailDefaultKey-us-west-2.pem Host monolith @@ -199,9 +200,6 @@ in { Host astral HostName astral.leaf.ninja IdentityFile ~/.ssh/LightsailDefaultKey-us-west-2.pem - - Host apogee - HostName 46.226.107.209 ''; services.mysql = { From f00ab5b5ae38216e535706d98bd8dad3cbf605cd Mon Sep 17 00:00:00 2001 
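Review bot: The ssh config still points both `quasar` and `astral` at the same `~/.ssh/LightsailDefaultKey-us-west-2.pem`, presumably the provider-generated default key pair for the region, so one private key that was created and downloaded from the cloud console unlocks every VPS in this repo. Generate a per-host key locally (`ssh-keygen -t ed25519 -f ~/.ssh/astral`), add the public half to the host's user config, and drop the Lightsail default key from `authorized_keys` once the new one works. Changing `HostName` to `quasar.leaf.ninja` is fine; since secrets.nix already carries each host's ed25519 host key, the same strings could pin them via `programs.ssh.knownHosts` instead of trusting first use.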
From: Nettika Date: Sun, 12 Oct 2025 01:01:00 -0700 Subject: [PATCH 13/19] Update apps on marauder --- flake.lock | 37 +++++++++++++++++++++++++- flake.nix | 1 + hosts/default.nix | 4 +-- hosts/marauder/default.nix | 54 +++++++++++++++++++------------------- 4 files changed, 66 insertions(+), 30 deletions(-) diff --git a/flake.lock b/flake.lock index dc58554..c14689d 100755 --- a/flake.lock +++ b/flake.lock @@ -98,6 +98,22 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1758690382, + "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e643668fd71b949c53f8626614b21ff71a07379d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "phps": { "inputs": { "flake-compat": "flake-compat", @@ -124,7 +140,8 @@ "inputs": { "agenix": "agenix", "nixpkgs": "nixpkgs", - "phps": "phps" + "phps": "phps", + "winboat": "winboat" } }, "systems": { @@ -174,6 +191,24 @@ "repo": "flake-utils", "type": "github" } + }, + "winboat": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1760183562, + "narHash": "sha256-lauscAI61WXjLTuGiRDMUAEeTqvOTSWhRoHDaor5sfE=", + "owner": "TibixDev", + "repo": "winboat", + "rev": "ae60de6c2cba7a2001fef1027d5c2e06614e6904", + "type": "github" + }, + "original": { + "owner": "TibixDev", + "repo": "winboat", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index f8c151e..19932c2 100755 --- a/flake.nix +++ b/flake.nix @@ -11,6 +11,7 @@ url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; }; + winboat.url = "github:TibixDev/winboat"; }; outputs = inputs: { diff --git a/hosts/default.nix b/hosts/default.nix index 2c19793..02b0866 100644 --- a/hosts/default.nix +++ b/hosts/default.nix 
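Review bot: The new `winboat.url = "github:TibixDev/winboat";` input does not set `inputs.nixpkgs.follows = "nixpkgs"` the way the `agenix` input just above it does, so the lock now carries a second full nixpkgs (`nixpkgs_2`, nixos-unstable) solely for this package, and the laptop builds winboat from a tree the rest of this config never reviews. If winboat evaluates against 25.05, write `winboat = { url = "github:TibixDev/winboat"; inputs.nixpkgs.follows = "nixpkgs"; };`; if it genuinely needs unstable, say so in a comment so the extra tree reads as deliberate. The URL carries no tag or rev, so every `nix flake update` follows the upstream default branch of a third-party repository; the lock pins today's commit, but an explicit ref makes each upgrade of that dependency a visible choice.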
@@ -1,4 +1,4 @@ -{ self, nixpkgs, phps, agenix, ... }: +{ self, nixpkgs, phps, agenix, winboat }: let baseSpecialArgs = { inherit (self) nixosModules; @@ -11,7 +11,7 @@ in { marauder = nixosSystem { system = "x86_64-linux"; modules = [ ./marauder ]; - specialArgs = { inherit phps; }; + specialArgs = { inherit phps winboat; }; }; astral = nixosSystem { system = "x86_64-linux"; diff --git a/hosts/marauder/default.nix b/hosts/marauder/default.nix index 944c470..cf47dd2 100755 --- a/hosts/marauder/default.nix +++ b/hosts/marauder/default.nix @@ -1,4 +1,4 @@ -{ pkgs, nixosModules, phps, agenix, ... }: +{ pkgs, nixosModules, phps, agenix, winboat, ... }: let fortune = pkgs.writeShellScript "cgi" '' echo "Content-type: text/html" @@ -102,69 +102,69 @@ in { environment.systemPackages = with pkgs; [ # Chat clients discord - slack element-desktop - telegram-desktop signal-desktop + slack + telegram-desktop # Browsers - firefox filezilla + firefox # Creative - inkscape + bambu-studio + blender gimp + inkscape krita openscad-unstable - bambu-studio orca-slicer # Multimedia - vlc - ffmpeg ffcheck - aonsoku + ffmpeg + vlc - # Code Editors + # Editors + abiword + obsidian vscode - arduino-ide # Dev Tools + fossil nixd nixfmt-classic nixpkgs-fmt pyenv rustup - electron - uv - ruff - fossil - just - dioxus-cli # Languages - gcc kotlin nodejs php # Command line + agenix.packages.x86_64-linux.default + backblaze-b2 + dig htop jq - backblaze-b2 + just + unzip + zip - # Misc - obsidian - intiface-central - prismlauncher - blender + # Network mullvad-vpn qbittorrent - system-config-printer + + # Misc + gcc + intiface-central openssl pkg-config - agenix.packages.x86_64-linux.default - abiword + prismlauncher + system-config-printer + winboat.packages.x86_64-linux.winboat ]; programs.git = { From b91fcb6500296549b709b904f1a33cf2ee8071e3 Mon Sep 17 00:00:00 2001 
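Review bot: The rewritten argument pattern `{ self, nixpkgs, phps, agenix, winboat }:` in hosts/default.nix drops the `...` the old line had, which makes the set pattern strict: if the caller (presumably `outputs = inputs:` in flake.nix) ever passes an attribute not listed here, evaluation fails with an unexpected-argument error instead of ignoring it. Keeping the ellipsis, `{ self, nixpkgs, phps, agenix, winboat, ... }:`, binds the new input while preserving the previous tolerance; the marauder module hunk in the same commit does keep its `...`, so this looks accidental rather than a deliberate tightening.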
From: Nettika Date: Sun, 12 Oct 2025 18:53:50 -0700 Subject: [PATCH 14/19] Extract matrix-synapse configs into a separate module on quasar --- hosts/quasar/default.nix | 53 ++++------------------------------------ hosts/quasar/matrix.nix | 46 ++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 48 deletions(-) create mode 100644 hosts/quasar/matrix.nix diff --git a/hosts/quasar/default.nix b/hosts/quasar/default.nix index fc8a69b..e997ebf 100644 --- a/hosts/quasar/default.nix +++ b/hosts/quasar/default.nix @@ -5,6 +5,7 @@ nixosModules.nettika nixosModules.promptmoji agenix.nixosModules.default + ./matrix.nix ]; nixpkgs.config.allowUnfree = true; @@ -26,58 +27,14 @@ environment.systemPackages = [ pkgs.htop ]; - age.secrets = { - matrix-synapse-secrets = { - file = ./secrets/matrix-synapse-secrets.yaml; - mode = "400"; - owner = "matrix-synapse"; - }; - }; - services.postgresql.enable = true; services.caddy = { enable = true; - virtualHosts = { - "quasar.leaf.ninja".extraConfig = '' - respond "quasar is online" - header Strict-Transport-Security: "max-age=63072000; includeSubDomains" - ''; - "consortium.chat".extraConfig = '' - respond /.well-known/matrix/server < Date: Wed, 15 Oct 2025 14:29:17 -0700 Subject: [PATCH 15/19] Setup radicale on astral --- hosts/astral/default.nix | 1 + hosts/astral/radicale.nix | 25 +++++++++++++++++++++++++ hosts/astral/secrets/radicale-htpasswd | 9 +++++++++ secrets.nix | 1 + 4 files changed, 36 insertions(+) create mode 100644 hosts/astral/radicale.nix create mode 100644 hosts/astral/secrets/radicale-htpasswd diff --git a/hosts/astral/default.nix b/hosts/astral/default.nix index cc03584..3ad498a 100644 --- a/hosts/astral/default.nix +++ b/hosts/astral/default.nix @@ -7,6 +7,7 @@ agenix.nixosModules.default ./forgejo.nix ./links.nix + ./radicale.nix ./vaultwarden.nix ]; diff --git a/hosts/astral/radicale.nix b/hosts/astral/radicale.nix new file mode 100644 index 0000000..68d3c08 --- /dev/null 
+++ b/hosts/astral/radicale.nix @@ -0,0 +1,25 @@ +{ config, ... }: +let domain = "radicale.leaf.ninja"; +in { + age.secrets.radicale-htpasswd = { + file = ./secrets/radicale-htpasswd; + mode = "400"; + owner = "radicale"; + }; + + services.radicale = { + enable = true; + settings = { + server.hosts = [ "localhost:5232" ]; + auth = { + type = "htpasswd"; + htpasswd_filename = config.age.secrets.radicale-htpasswd.path; + htpasswd_encryption = "plain"; + }; + }; + }; + + services.caddy.virtualHosts.${domain}.extraConfig = '' + reverse_proxy localhost:5232 + ''; +} diff --git a/hosts/astral/secrets/radicale-htpasswd b/hosts/astral/secrets/radicale-htpasswd new file mode 100644 index 0000000..36c140f --- /dev/null +++ b/hosts/astral/secrets/radicale-htpasswd @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 f+PJrQ pKqLrqz0R7kAzNQZ3ChRsoWa63JEN2H2KHtGguF5nSc +6Mk1qDWKx26jPdEzaVMh0vgUeVWjAGcmIPpvSU8BFNE +-> ssh-ed25519 nz/vnw 0PuVNQ97Qa6iCk4pPf34lgS1aPb4CeDB4Qclk5F24T4 +OwJOYMTlTY9+Pj/BwG09z4q2/QViii710Kh3xPU5FRA +--- mSdutlC3gFq8lDjeOGqi361i+DUI1Yg6Bpl7hCfznJA +tQ/rNeKeѥ~ן{_o +y_ܭ}ûP*W5F.ECZ#; +liԧ*]yT \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 58ceb27..33a040c 100644 --- a/secrets.nix +++ b/secrets.nix @@ -13,4 +13,5 @@ in { "hosts/astral/secrets/vaultwarden-env.age".publicKeys = [ marauder astral ]; "hosts/astral/secrets/forgejo-mailer-password.age".publicKeys = [ marauder astral ]; + "hosts/astral/secrets/radicale-htpasswd".publicKeys = [ marauder astral ]; } From 39f73ef2f21e4d2b578da80524ac95b49b294aba Mon Sep 17 00:00:00 2001 From: Nettika Date: Wed, 15 Oct 2025 17:43:36 -0700 Subject: [PATCH 16/19] Use caddy-exec to handling Forgejo webhooks on astral --- hosts/astral/default.nix | 5 +++++ hosts/astral/links.nix | 48 +++++++++++++--------------------------- 2 files changed, 20 insertions(+), 33 deletions(-) diff --git a/hosts/astral/default.nix b/hosts/astral/default.nix index 3ad498a..c600557 100644 
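Review bot: `htpasswd_encryption = "plain";` in the new `services.radicale.settings.auth` block means the decrypted htpasswd file the service reads at `config.age.secrets.radicale-htpasswd.path` holds the account passwords in clear text; agenix protects the copy in the repository, not the decrypted file on the host. Radicale also accepts bcrypt-hashed entries, so the file can be generated with `htpasswd -B` and this line changed to `htpasswd_encryption = "bcrypt";` with no other change to the module (check that the nixpkgs radicale package ships the bcrypt dependency). The `mode = "400"; owner = "radicale";` on the secret is right; separately, the secret file name has no `.age` suffix, unlike the neighbouring `vaultwarden-env.age` and `forgejo-mailer-password.age` entries in the secrets.nix hunk, which is worth aligning so the file is recognisably an age ciphertext.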
--- a/hosts/astral/default.nix +++ b/hosts/astral/default.nix @@ -36,6 +36,11 @@ services.caddy = { enable = true; + package = pkgs.caddy.withPlugins { + plugins = + [ "github.com/abiosoft/caddy-exec@v0.0.0-20240914124740-521d8736cb4d" ]; + hash = "sha256-ef6/x7wjKk0axjX6MfAzTTwPM2FTOTSSyI9zLLrczV0="; + }; virtualHosts = { "astral.leaf.ninja".extraConfig = '' respond "astral is online" diff --git a/hosts/astral/links.nix b/hosts/astral/links.nix index eb70571..fe836be 100644 --- a/hosts/astral/links.nix +++ b/hosts/astral/links.nix @@ -1,39 +1,21 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: let domain = "nettika.leaf.ninja"; root = "/srv/links"; - webhookHandler = pkgs.writeScript "webhook-handler.py" '' - #!${pkgs.python3}/bin/python3 - - import http.server - import socketserver - import subprocess - import os - - class WebhookHandler(http.server.SimpleHTTPRequestHandler): - def do_POST(self): - os.chdir('${root}') - subprocess.run(['${pkgs.git}/bin/git', 'pull'], check=True) - self.send_response(200) - self.end_headers() - self.wfile.write(b'OK') - - with socketserver.TCPServer(("127.0.0.1", 8081), WebhookHandler) as httpd: - httpd.serve_forever() - ''; in { - systemd.services.links-webhook = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.python3}/bin/python3 ${webhookHandler}"; - Restart = "always"; - }; + services.caddy.virtualHosts = { + ${domain}.extraConfig = '' + root * ${root} + file_server + ''; + "http://localhost:8081".extraConfig = let git = lib.getExe pkgs.git; + in '' + route { + exec { + command ${git} pull --rebase + directory ${root} + } + } + ''; }; - - services.caddy.virtualHosts.${domain}.extraConfig = '' - root * ${root} - file_server - ''; } From d6ef606632cbdf45a49a665b3232b9112a42afb9 Mon Sep 17 00:00:00 2001 
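Review bot: The new `"http://localhost:8081"` virtual host in links.nix appears to run `git pull --rebase` in `/srv/links` for every request that reaches it: the `route { exec { ... } }` block carries no method or path matcher and no shared secret, so any local process, or a request forged through another service on this host, can trigger repository updates at will. The removed Python handler had the same gap, so this is not a regression, but the rewrite is the moment to close it: a matcher such as `@hook method POST` followed by `route @hook {` (and a non-guessable path if the Forgejo webhook can be pointed at one) narrows it cheaply. It is also worth a comment that the command now runs as Caddy's service user, so `/srv/links` must be writable by that user, whereas the old systemd unit set no `User` and presumably ran as root.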
From: Nettika Date: Wed, 15 Oct 2025 22:05:17 -0700 Subject: [PATCH 17/19] Remove winboat from marauder --- flake.lock | 37 +------------------------------------ flake.nix | 1 - hosts/default.nix | 4 ++-- hosts/marauder/default.nix | 3 +-- 4 files changed, 4 insertions(+), 41 deletions(-) diff --git a/flake.lock b/flake.lock index c14689d..dc58554 100755 --- a/flake.lock +++ b/flake.lock @@ -98,22 +98,6 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1758690382, - "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e643668fd71b949c53f8626614b21ff71a07379d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "phps": { "inputs": { "flake-compat": "flake-compat", @@ -140,8 +124,7 @@ "inputs": { "agenix": "agenix", "nixpkgs": "nixpkgs", - "phps": "phps", - "winboat": "winboat" + "phps": "phps" } }, "systems": { @@ -191,24 +174,6 @@ "repo": "flake-utils", "type": "github" } - }, - "winboat": { - "inputs": { - "nixpkgs": "nixpkgs_2" - }, - "locked": { - "lastModified": 1760183562, - "narHash": "sha256-lauscAI61WXjLTuGiRDMUAEeTqvOTSWhRoHDaor5sfE=", - "owner": "TibixDev", - "repo": "winboat", - "rev": "ae60de6c2cba7a2001fef1027d5c2e06614e6904", - "type": "github" - }, - "original": { - "owner": "TibixDev", - "repo": "winboat", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 19932c2..f8c151e 100755 --- a/flake.nix +++ b/flake.nix @@ -11,7 +11,6 @@ url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; }; - winboat.url = "github:TibixDev/winboat"; }; outputs = inputs: { diff --git a/hosts/default.nix b/hosts/default.nix index 02b0866..1b52d15 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -1,4 +1,4 @@ -{ self, nixpkgs, phps, agenix, winboat }: +{ self, nixpkgs, phps, agenix }: let baseSpecialArgs = { inherit (self) nixosModules; 
@@ -11,7 +11,7 @@ in { marauder = nixosSystem { system = "x86_64-linux"; modules = [ ./marauder ]; - specialArgs = { inherit phps winboat; }; + specialArgs = { inherit phps; }; }; astral = nixosSystem { system = "x86_64-linux"; diff --git a/hosts/marauder/default.nix b/hosts/marauder/default.nix index cf47dd2..630416e 100755 --- a/hosts/marauder/default.nix +++ b/hosts/marauder/default.nix @@ -1,4 +1,4 @@ -{ pkgs, nixosModules, phps, agenix, winboat, ... }: +{ pkgs, nixosModules, phps, agenix, ... }: let fortune = pkgs.writeShellScript "cgi" '' echo "Content-type: text/html" @@ -164,7 +164,6 @@ in { pkg-config prismlauncher system-config-printer - winboat.packages.x86_64-linux.winboat ]; programs.git = { From 5e6167ece8f96295a74da5a047eec8686563cc36 Mon Sep 17 00:00:00 2001 From: Nettika Date: Wed, 15 Oct 2025 22:07:26 -0700 Subject: [PATCH 18/19] Add various apps to marauder --- hosts/marauder/default.nix | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/hosts/marauder/default.nix b/hosts/marauder/default.nix index 630416e..e6639d7 100755 --- a/hosts/marauder/default.nix +++ b/hosts/marauder/default.nix @@ -102,7 +102,7 @@ in { environment.systemPackages = with pkgs; [ # Chat clients discord - element-desktop + cinny-desktop signal-desktop slack telegram-desktop @@ -119,6 +119,7 @@ in { krita openscad-unstable orca-slicer + plasticity # Multimedia ffcheck @@ -132,6 +133,8 @@ in { # Dev Tools fossil + just + kondo nixd nixfmt-classic nixpkgs-fmt @@ -149,7 +152,6 @@ in { dig htop jq - just unzip zip @@ -157,13 +159,17 @@ in { mullvad-vpn qbittorrent + # Utility Apps + baobab + gparted + system-config-printer + # Misc gcc intiface-central openssl pkg-config prismlauncher - system-config-printer ]; programs.git = { From 55a68c21dab9722f3f70f169c5b5f549787e5268 Mon Sep 17 00:00:00 2001 
From: Nettika Date: Thu, 16 Oct 2025 07:21:05 -0700 Subject: [PATCH 19/19] Enable arch64 emulation on marauder --- hosts/marauder/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/marauder/default.nix b/hosts/marauder/default.nix index e6639d7..ab09178 100755 --- a/hosts/marauder/default.nix +++ b/hosts/marauder/default.nix @@ -76,6 +76,7 @@ in { }; kernelModules = [ "kvm-amd" ]; kernelParams = [ "amd_pstate=active" ]; + binfmt.emulatedSystems = [ "aarch64-linux" ]; }; hardware = {
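Review bot: The added `binfmt.emulatedSystems = [ "aarch64-linux" ];` has no comment recording why this x86_64 host needs to execute aarch64 binaries, and the commit subject spells it "arch64", so a one-line comment such as `# QEMU user-mode emulation: lets aarch64-linux ELF binaries run on this x86_64 host` would fix both. Worth knowing when auditing this machine is that the option registers a binfmt_misc handler, so any aarch64 executable a user runs is transparently started through the emulator rather than failing. The enclosing attribute set (presumably `boot = { … }`, given the `kernelModules`/`kernelParams` context lines) starts outside the hunk.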