Setup matrix on apogee

flake.nix

@@ -1,5 +1,5 @@
 {
-  description = "Nettika's NixOS Configs";
+  description = "NixOS Configurations";
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";

hosts/apogee/default.nix

@@ -0,0 +1,9 @@
+{ ... }: {
+  imports = [ ./matrix.nix ./gandicloud.nix ];
+
+  networking.hostName = "apogee";
+
+  services.postgresql.enable = true;
+
+  promptSymbol = "🔭";
+}

hosts/apogee/gandicloud.nix

@@ -0,0 +1,46 @@
+# This is the configuration required to run NixOS on GandiCloud.
+{ lib, modulesPath, ... }: {
+  imports = [ (modulesPath + "/virtualisation/openstack-config.nix") ];
+  config = {
+    boot.initrd.kernelModules = [
+      "xen-blkfront"
+      "xen-tpmfront"
+      "xen-kbdfront"
+      "xen-fbfront"
+      "xen-netfront"
+      "xen-pcifront"
+      "xen-scsifront"
+    ];
+
+    # Show debug kernel message on boot then reduce loglevel once booted
+    boot.consoleLogLevel = 7;
+    boot.kernel.sysctl."kernel.printk" = "4 4 1 7";
+
+    # For "openstack console log show"
+    boot.kernelParams = [ "console=ttyS0" ];
+    systemd.services."serial-getty@ttyS0" = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Restart = "always";
+    };
+
+    # The device exposed by Xen
+    boot.loader.grub.device = lib.mkForce "/dev/xvda";
+
+    # This is to get a prompt via the "openstack console url show" command
+    systemd.services."getty@tty1" = {
+      enable = lib.mkForce true;
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Restart = "always";
+    };
+
+    # This is required to get an IPv6 address on our infrastructure
+    networking.tempAddresses = "disabled";
+
+    nix.extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+
+    system.stateVersion = "24.11";
+  };
+}

hosts/apogee/matrix.nix

@@ -0,0 +1,28 @@
+{ config, ... }:
+let domain = "leaf.ninja";
+in {
+  age.secrets.synapse-secrets-config.file =
+    ./secrets/synapse-secrets-config.age;
+
+  services.matrix-synapse = {
+    enable = true;
+    extraConfigFiles = [ config.age.secrets.synapse-secrets-config.path ];
+    settings = {
+      server_name = domain;
+      database_type = "psycopg2";
+      database_args.database = "matrix-synapse";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    8448 # Matrix federation
+  ];
+
+  services.caddy = {
+    enable = true;
+    virtualHosts."matrix.${domain}".extraConfig = ''
+      reverse_proxy /_matrix/* localhost:8008
+      reverse_proxy /_synapse/client/* localhost:8008
+    '';
+  };
+}

hosts/apogee/secrets/synapse-secrets-config.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 f+PJrQ 2Gd75cRZviUH5xYRTC+6oKAT5/FfpY2zfMJVYwVlcCs
+eA4B5qHSoPujIgcpBl4UOT8ovvdiTUb16Yk/lHNJJKo
+--- 58bdTWl7z2skdVACACl/aAt76ciYkJOjnvDyendgKpQ
+Q¼³¿‡vð¨ÖÑ=·VU&÷‡ÿLd°<¸#³¥Ëh~yð"«kvõ1I<31>ƒz?»›’U“……üåH
+rÑYIm½¤lÒÈhÓû&<26>ðÁªPqžK>Œsž;ÕæÉ…uX7·¥Îó©¿z<C2BF>-¦(êȬ

hosts/astral/default.nix

@@ -1,14 +1,8 @@
-{ modulesPath, nixosModules, agenix, lib, pkgs, ... }: {
+{ nixosModules, modulesPath, lib, pkgs, ... }: {
   imports = [
     "${modulesPath}/virtualisation/amazon-image.nix"
-    nixosModules.nano
     nixosModules.nettika
     nixosModules.promptmoji
-    agenix.nixosModules.default
-    ./forgejo.nix
-    ./links.nix
-    ./radicale.nix
-    ./vaultwarden.nix
   ];
 
   boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
@@ -19,28 +13,23 @@
       dates = "weekly";
       options = "--delete-older-than 30d";
     };
-    settings = {
+    settings.trusted-users = [ "@wheel" ];
-      trusted-users = [ "@wheel" ];
-      experimental-features = [ "nix-command" "flakes" ];
-    };
   };
 
   networking = {
     hostName = "astral";
     firewall.allowedTCPPorts = [ 80 443 ];
+    networkmanager.enable = true;
   };
 
   users.defaultUserShell = pkgs.fish;
 
   security.sudo.wheelNeedsPassword = false;
 
+  environment.variables.EDITOR = "nano";
+
   services.caddy = {
     enable = true;
-    package = pkgs.caddy.withPlugins {
-      plugins =
-        [ "github.com/abiosoft/caddy-exec@v0.0.0-20240914124740-521d8736cb4d" ];
-      hash = "sha256-ef6/x7wjKk0axjX6MfAzTTwPM2FTOTSSyI9zLLrczV0=";
-    };
     virtualHosts = {
       "astral.leaf.ninja".extraConfig = ''
         respond "astral is online"
@@ -49,13 +38,32 @@
     };
   };
 
-  services.postgresql.enable = true;
-
   programs.fish.enable = true;
 
+  programs.git = {
+    enable = true;
+    lfs.enable = true;
+    config = {
+      init.defaultBranch = "master";
+      user = {
+        email = "git@nettika.cat";
+        name = "Nettika";
+      };
+      credential.helper = "store";
+    };
+  };
+
+  programs.nano = {
+    enable = true;
+    nanorc = ''
+      set autoindent
+      set linenumbers
+    '';
+  };
+
   documentation.man.generateCaches = false;
 
-  promptSymbol = "👻";
+  promptSymbol = "✴️";
 
   time.timeZone = "America/Los_Angeles";
 

hosts/astral/forgejo.nix

@@ -1,38 +0,0 @@
-{ config, pkgs, ... }:
-let domain = "git.leaf.ninja";
-in {
-  services.forgejo = {
-    enable = true;
-    database.type = "postgres";
-    lfs.enable = true;
-    settings = {
-      server = {
-        DOMAIN = domain;
-        ROOT_URL = "https://${domain}/";
-        HTTP_PORT = 3000;
-      };
-      service.DISABLE_REGISTRATION = true;
-      mailer = {
-        ENABLED = true;
-        SMTP_ADDR = "smtp.migadu.com";
-        FROM = "forgejo@leaf.ninja";
-        USER = "forgejo@$leaf.ninja";
-      };
-      webhook.ALLOWED_HOST_LIST =
-        pkgs.lib.concatStringsSep "," [ "localhost" "::1" ];
-    };
-    secrets = {
-      mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path;
-    };
-  };
-
-  services.caddy.virtualHosts.${domain}.extraConfig = ''
-    reverse_proxy localhost:3000
-  '';
-
-  age.secrets.forgejo-mailer-password = {
-    file = ./secrets/forgejo-mailer-password.age;
-    mode = "400";
-    owner = "forgejo";
-  };
-}

hosts/astral/links.nix

@@ -1,21 +0,0 @@
-{ pkgs, lib, ... }:
-let
-  domain = "nettika.leaf.ninja";
-  root = "/srv/links";
-in {
-  services.caddy.virtualHosts = {
-    ${domain}.extraConfig = ''
-      root * ${root}
-      file_server
-    '';
-    "http://localhost:8081".extraConfig = let git = lib.getExe pkgs.git;
-    in ''
-      route {
-        exec {
-          command ${git} pull --rebase 
-          directory ${root}
-        }
-      }
-    '';
-  };
-}

hosts/astral/radicale.nix

@@ -1,25 +0,0 @@
-{ config, ... }:
-let domain = "radicale.leaf.ninja";
-in {
-  age.secrets.radicale-htpasswd = {
-    file = ./secrets/radicale-htpasswd;
-    mode = "400";
-    owner = "radicale";
-  };
-
-  services.radicale = {
-    enable = true;
-    settings = {
-      server.hosts = [ "localhost:5232" ];
-      auth = {
-        type = "htpasswd";
-        htpasswd_filename = config.age.secrets.radicale-htpasswd.path;
-        htpasswd_encryption = "plain";
-      };
-    };
-  };
-
-  services.caddy.virtualHosts.${domain}.extraConfig = ''
-    reverse_proxy localhost:5232
-  '';
-}

hosts/astral/secrets/forgejo-mailer-password.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 f+PJrQ 6h8dfxbHOBbyTK6iwzbqVpUUYJtJhg6XMAoRWDhbdT8
-kZSsccA4qkiTS8wNdZphZ9cioiFbXjR4xkVZBi1j0aM
--> ssh-ed25519 nz/vnw Q+BuraNFun6RwcLPFcKcjBptgpZdddI+hQP2UVKFJmA
-WJNvdIDTDBXbaXYw7gom7YQTTNrxlsP1EvTDNN5G9+0
---- a6gvFS7YixX30i1Jm04vrwzq3Xh9iXufdnZMnPPI+Mw
-ÒÍÔ‡]‡¤h6µ+„2xDŸÇUŸãZºâeAzêÿ³DkÔLÇ;½†Iª ê/Œæ'®éøï4nL»T<4Ó}iãÁí _ÛÝ‹à

hosts/astral/secrets/radicale-htpasswd

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 f+PJrQ pKqLrqz0R7kAzNQZ3ChRsoWa63JEN2H2KHtGguF5nSc
-6Mk1qDWKx26jPdEzaVMh0vgUeVWjAGcmIPpvSU8BFNE
--> ssh-ed25519 nz/vnw 0PuVNQ97Qa6iCk4pPf34lgS1aPb4CeDB4Qclk5F24T4
-OwJOYMTlTY9+Pj/BwG09z4q2/QViii710Kh3xPU5FRA
---- mSdutlC3gFq8lDjeOGqi361i+DUI1Yg6Bpl7hCfznJA
-“ÜtQÆ/í rNeKeíé¸Ñ¥Äè~ˆý¾×Ÿ{_¡o
-y_Ü­}‹¸Ã»P*W5<57>»´õFû.ECø¡‘Z©å#;
-£¢ð§Ûli…Ô§±*´Î]yT

hosts/astral/vaultwarden.nix

@@ -1,25 +0,0 @@
-{ config, ... }:
-let domain = "vault.leaf.ninja";
-in {
-  services.vaultwarden = {
-    enable = true;
-    config = {
-      domain = "https://${domain}";
-      signupsAllowed = false;
-      rocketAddress = "0.0.0.0";
-      rocketPort = 8222;
-      smtpHost = "smtp.migadu.com";
-      smtpFrom = "vaultwarden@leaf.ninja";
-      smtpPort = 587;
-      smtpSecurity = "starttls";
-      smtpUsername = "vaultwarden@leaf.ninja";
-    };
-    environmentFile = config.age.secrets.vaultwarden-env.path;
-  };
-
-  services.caddy.virtualHosts.${domain}.extraConfig = ''
-    reverse_proxy localhost:8222
-  '';
-
-  age.secrets.vaultwarden-env.file = ./secrets/vaultwarden-env.age;
-}

hosts/default.nix

@@ -1,24 +1,17 @@
-{ self, nixpkgs, phps, agenix }:
+{ self, nixpkgs, phps, agenix, ... }:
-let
+let inherit (nixpkgs.lib) nixosSystem;
-  baseSpecialArgs = {
-    inherit (self) nixosModules;
-    inherit agenix;
-  };
-  nixosSystem = args:
-    nixpkgs.lib.nixosSystem
-    (nixpkgs.lib.recursiveUpdate args { specialArgs = baseSpecialArgs; });
 in {
   marauder = nixosSystem {
     system = "x86_64-linux";
     modules = [ ./marauder ];
-    specialArgs = { inherit phps; };
+    specialArgs = {
+      inherit (self) nixosModules;
+      inherit phps agenix;
+    };
   };
   astral = nixosSystem {
     system = "x86_64-linux";
     modules = [ ./astral ];
-  };
+    specialArgs = { inherit (self) nixosModules; };
-  quasar = nixosSystem {
-    system = "x86_64-linux";
-    modules = [ ./quasar ];
   };
 }

hosts/marauder/default.nix

@@ -11,7 +11,6 @@ let
 in {
   imports = [
     ./backup.nix
-    nixosModules.nano
     nixosModules.nettika
     nixosModules.promptmoji
     agenix.nixosModules.default
@@ -31,6 +30,8 @@ in {
 
   nixpkgs.config.allowUnfree = true;
 
+  environment.variables.EDITOR = "nano";
+
   documentation.man.generateCaches = false;
 
   environment.variables = {
@@ -76,7 +77,6 @@ in {
     };
     kernelModules = [ "kvm-amd" ];
     kernelParams = [ "amd_pstate=active" ];
-    binfmt.emulatedSystems = [ "aarch64-linux" ];
   };
 
   hardware = {
@@ -103,74 +103,69 @@ in {
   environment.systemPackages = with pkgs; [
     # Chat clients
     discord
-    cinny-desktop
-    signal-desktop
     slack
+    element-desktop
     telegram-desktop
+    signal-desktop
 
     # Browsers
-    filezilla
     firefox
+    filezilla
 
     # Creative
-    bambu-studio
-    blender
-    gimp
     inkscape
+    gimp
     krita
     openscad-unstable
+    bambu-studio
     orca-slicer
-    plasticity
 
     # Multimedia
-    ffcheck
-    ffmpeg
     vlc
+    ffmpeg
+    ffcheck
+    aonsoku
 
-    # Editors
+    # Code Editors
-    abiword
-    obsidian
     vscode
+    arduino-ide
 
     # Dev Tools
-    fossil
-    just
-    kondo
     nixd
     nixfmt-classic
     nixpkgs-fmt
     pyenv
     rustup
+    electron
+    uv
+    ruff
+    fossil
+    just
+    dioxus-cli
 
     # Languages
+    gcc
     kotlin
     nodejs
     php
 
     # Command line
-    agenix.packages.x86_64-linux.default
-    backblaze-b2
-    dig
     htop
     jq
-    unzip
+    backblaze-b2
-    zip
-
-    # Network
-    mullvad-vpn
-    qbittorrent
-
-    # Utility Apps
-    baobab
-    gparted
-    system-config-printer
 
     # Misc
-    gcc
+    obsidian
     intiface-central
+    prismlauncher
+    blender
+    mullvad-vpn
+    qbittorrent
+    system-config-printer
     openssl
     pkg-config
-    prismlauncher
+    agenix.packages.x86_64-linux.default
+    abiword
   ];
 
   programs.git = {
@@ -178,15 +173,22 @@ in {
     lfs.enable = true;
     config = {
       init.defaultBranch = "master";
-      push.autoSetupRemote = true;
       user = {
-        name = "Nettika";
         email = "git@nettika.cat";
+        name = "Nettika";
       };
       credential.helper = "store";
     };
   };
 
+  programs.nano = {
+    enable = true;
+    nanorc = ''
+      set autoindent
+      set linenumbers
+    '';
+  };
+
   programs.steam = {
     enable = true;
     remotePlay.openFirewall = true;
@@ -197,7 +199,7 @@ in {
 
   programs.ssh.extraConfig = ''
     Host quasar
-      HostName quasar.leaf.ninja
+      HostName consortium.chat
       IdentityFile ~/.ssh/LightsailDefaultKey-us-west-2.pem
 
     Host monolith
@@ -206,6 +208,9 @@ in {
     Host astral
       HostName astral.leaf.ninja
       IdentityFile ~/.ssh/LightsailDefaultKey-us-west-2.pem
+
+    Host apogee
+      HostName 46.226.107.209
   '';
 
   services.mysql = {

hosts/marauder/secrets/restic-env.age

@@ -1,6 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 f+PJrQ VJshLBSbF93anR9fOJ3Kwhxh1AOdvsS0hoJ86Bw9oBQ
+-> ssh-ed25519 f+PJrQ qccE2xAzfBZ3DCRQtQDgwS1UzjlZx44oUrYjcDfMfDk
-It8hELrRN+EYt9nv75lVHha+ZDUhCDNQVczDZVlDCBs
+I2l6xRJsdQLYB2cMo0Kfi6mVyhZsuSPFG574P8pl12Y
---- xzJ/50+WOA+IWRXiAvBbJLUlsgsSztQrzbimng2QdlU
+--- WoBlo7fqYRkiBYPoLpa3wHB8ZPCVy32a4aL5UswCHJc
-<EFBFBD>´Ï¬jÒ<>ÿ8K7$ðwÃbԲǰ€Ì~]NBª]QÐM+cw
+LŁćΚČ[¤Nî<#Ő]<5D>
ź<>üBÄ}–×fË%P„ôxK±Ű¨ţkI˝©”<§V<C2A7>ź…¶YÄ5#ĺ±đ÷ű”qEł4’­®¶l—ËřFľ“8ukȨ<C48C>űÂ%Ŕ´U53yěű"Ťg\î<>©ŞZćŮC®őWĄ˛g­z
-þþÔJ•o—Í”ÔSîØš!N¨Du¦OÈnçZnNâæÍѵV¬:ŒŸ®¬kúÝcó)|æŒJ…opÇSÎH˜«f§ùØu1šã9Çå

hosts/quasar/default.nix

@@ -1,49 +0,0 @@
-{ modulesPath, nixosModules, agenix, pkgs, config, ... }: {
-  imports = [
-    "${modulesPath}/virtualisation/amazon-image.nix"
-    nixosModules.nano
-    nixosModules.nettika
-    nixosModules.promptmoji
-    agenix.nixosModules.default
-    ./matrix.nix
-  ];
-
-  nixpkgs.config.allowUnfree = true;
-
-  nix.settings = {
-    experimental-features = [ "nix-command" "flakes" ];
-    trusted-users = [ "@wheel" ];
-  };
-
-  security.sudo.wheelNeedsPassword = false;
-
-  users.defaultUserShell = pkgs.fish;
-
-  networking = {
-    hostName = "quasar";
-    networkmanager.enable = true;
-    firewall.allowedTCPPorts = [ 80 443 ];
-  };
-
-  environment.systemPackages = [ pkgs.htop ];
-
-  services.postgresql.enable = true;
-
-  services.caddy = {
-    enable = true;
-    virtualHosts."quasar.leaf.ninja".extraConfig = ''
-      respond "quasar is online"
-      header Strict-Transport-Security: "max-age=63072000; includeSubDomains"
-    '';
-  };
-
-  programs.fish.enable = true;
-
-  promptSymbol = "🌟";
-
-  documentation.man.generateCaches = false;
-
-  time.timeZone = "America/Los_Angeles";
-
-  system.stateVersion = "24.05";
-}

hosts/quasar/matrix.nix

@@ -1,46 +0,0 @@
-{ pkgs, config, ... }:
-let
-  canonicalDomain = "consortium.chat";
-  delegatedDomain = "matrix.consortium.chat";
-  adminAppDomain = "admin.consortium.chat";
-in {
-  age.secrets.matrix-synapse-secrets = {
-    file = ./secrets/matrix-synapse-secrets.yaml;
-    owner = "matrix-synapse";
-    mode = "400";
-  };
-
-  services.matrix-synapse = {
-    enable = true;
-    settings = {
-      server_name = "consortium.chat";
-      database_type = "psycopg2";
-      database_args.database = "matrix-synapse";
-    };
-    extraConfigFiles = [ config.age.secrets.matrix-synapse-secrets.path ];
-  };
-
-  services.caddy.virtualHosts = {
-    ${canonicalDomain}.extraConfig = let
-      wellknown = {
-        server = builtins.toJSON { "m.server" = "${delegatedDomain}:443"; };
-        client = builtins.toJSON {
-          "m.homeserver".base_url = "https://${delegatedDomain}";
-        };
-      };
-    in ''
-      respond /.well-known/matrix/server `${wellknown.server}` 200
-      respond /.well-known/matrix/client `${wellknown.client}` 200
-      reverse_proxy localhost:8008
-      header Strict-Transport-Security "max-age=63072000; includeSubDomains"
-    '';
-    ${delegatedDomain}.extraConfig = ''
-      reverse_proxy /_matrix/* localhost:8008
-      reverse_proxy /_synapse/client/* localhost:8008
-    '';
-    ${adminAppDomain}.extraConfig = ''
-      root * ${pkgs.synapse-admin}
-      file_server
-    '';
-  };
-}

hosts/readme.md

@@ -1,6 +0,0 @@
-# Hosts
-
-- [astral](astral) - VPS running miscellaneous servers
-- [marauder](marauder) - My laptop
-- [quasar](quasar) - VPS running the [consortium.chat](https://consortium.chat)
-  matrix-synapse instance

modules/default.nix

@@ -1,5 +1,4 @@
 {
-  nano = ./nano.nix;
   nettika = ./nettika.nix;
   promptmoji = ./promptmoji.nix;
 }

modules/nano.nix

@@ -1,11 +0,0 @@
-{ ... }: {
-  environment.variables.EDITOR = "nano";
-
-  programs.nano = {
-    enable = true;
-    nanorc = ''
-      set autoindent
-      set linenumbers
-    '';
-  };
-}

modules/readme.md

@@ -1,7 +0,0 @@
-# Modules
-
-- `nano`: Base config for [nano](https://www.nano-editor.org)
-- `nettika`: Base config for user "nettika"
-- `promptmoji`: Fish prompt starting with an emoji to indicate which host I'm
-  logged into. The emoji is configured with `promptSymbol`. Ignored if
-  `programs.fish.enabled` is false.

readme.md

@@ -1,4 +0,0 @@
-# Nettika's NixOS Configs
-
-- [hosts](hosts) - my `nixosConfigurations`
-- [modules](modules) - my `nixosModules` 

secrets.nix

@@ -1,17 +1,8 @@
 let
-  marauder =
+  marauder.nettika =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHopty1QG8P+OfGxQ9CV0BI1IRB/q6yITzMZaZ6Zspid";
-  astral =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRJf6qsNoITXPBdiFsmZuLR0dyP/D6WYNP/RQynl3kf";
-  quasar =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoVsKoMEiA2G0WIC/6gFsNE09yhumWf4xnDuoRcD2Px";
 in {
-  "hosts/marauder/secrets/restic-env.age".publicKeys = [ marauder ];
+  "hosts/marauder/secrets/restic-env.age".publicKeys = [ marauder.nettika ];
-  "hosts/marauder/secrets/restic-password.age".publicKeys = [ marauder ];
+  "hosts/marauder/secrets/restic-password.age".publicKeys =
-  "hosts/quasar/secrets/matrix-synapse-secrets.yaml".publicKeys =
+    [ marauder.nettika ];
-    [ marauder quasar ];
-  "hosts/astral/secrets/vaultwarden-env.age".publicKeys = [ marauder astral ];
-  "hosts/astral/secrets/forgejo-mailer-password.age".publicKeys =
-    [ marauder astral ];
-  "hosts/astral/secrets/radicale-htpasswd".publicKeys = [ marauder astral ];
 }