From 3e598641270f781b3f76e9df1bddd7dd00f5bc2a Mon Sep 17 00:00:00 2001
From: chaos
Date: Thu, 25 Jan 2024 11:53:48 +0000
Subject: [PATCH] move to gts-02, change contact, updates
---
 flake.lock | 72 +++++++++---------
 .../mail/modules/mailserver/dovecot.nix | 16 ++--
 .../containers/postgresql/data/databases.nix | 0
 .../postgresql/profiles/postgres.nix | 10 ++-
 .../containers/postgresql/profiles/restic.nix | 2 +
 .../containers/social-02/default.nix | 67 +++++++++++++++++
 .../social-02/profiles/gotosocial.nix | 74 +++++++++++++++++++
 .../{social => social-02}/profiles/restic.nix | 0
 .../containers/social-02/secrets.nix | 46 ++++++++++++
 .../hetzner-arm/containers/social/default.nix | 1 -
 .../hetzner-arm/containers/social/secrets.nix | 15 ----
 hosts/hetzner-arm/data/containerAddresses.nix | 1 +
 hosts/hetzner-arm/hetzner-arm.nix | 1 +
 .../staticSiteData/contact/index.html | 6 +-
 overlay/default.nix | 49 +++++++++++-
 profiles/gui/environments/gnome/default.nix | 2 +-
 16 files changed, 293 insertions(+), 69 deletions(-)
 delete mode 100644 hosts/hetzner-arm/containers/postgresql/data/databases.nix
 create mode 100644 hosts/hetzner-arm/containers/social-02/default.nix
 create mode 100644 hosts/hetzner-arm/containers/social-02/profiles/gotosocial.nix
 rename hosts/hetzner-arm/containers/{social => social-02}/profiles/restic.nix (100%)
 create mode 100644 hosts/hetzner-arm/containers/social-02/secrets.nix
diff --git a/flake.lock b/flake.lock
index 7bffcd7..3dc47f7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -21,11 +21,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1701680307,
- "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+ "lastModified": 1705309234,
+ "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+ "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
 "type": "github"
 },
 "original": {
@@ -45,11 +45,11 @@
 ]
 },
 "locked": {
- "lastModified": 1701095034,
- "narHash": "sha256-up8JguDsMgvf3umpcH6P9iD/R6TqCrcB3rhlsOTLKYU=",
+ "lastModified": 1705410953,
+ "narHash": "sha256-c0IUoRKt5k2EprCbccRF7ohWEHlGTppalXAC6ZKpoNk=",
 "ref": "refs/heads/hungy",
- "rev": "1cca07d244e18ea1c1c0d48016fa3e4b581bf224",
- "revCount": 57,
+ "rev": "db36355ce9eba4d0898ebd2490b5b35b923ac72e",
+ "revCount": 58,
 "type": "git",
 "url": "https://forgejo.owo.monster/chaos/food-site"
 },
@@ -65,11 +65,11 @@
 ]
 },
 "locked": {
- "lastModified": 1703072477,
- "narHash": "sha256-I2g7o+J26iK3sGk53iuaYiMWryzAYx0zhNQUFzTID/A=",
+ "lastModified": 1705408632,
+ "narHash": "sha256-/AhkReVocTli5BLWA5WXxUlGYXn3Agi/uzX76TNrsbo=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "433120e47d016c9960dd9c2b1821e97d223a6a39",
+ "rev": "37d6eeceee464adc03585404eebd68765b3c8615",
 "type": "github"
 },
 "original": {
@@ -89,11 +89,11 @@
 ]
 },
 "locked": {
- "lastModified": 1701094124,
- "narHash": "sha256-4nZrZe/rzxmp+H2JrfLWVkwNGzvx0nVVWcfcF1AEb9I=",
+ "lastModified": 1705410918,
+ "narHash": "sha256-sSxVbpl0qW2Nd+iZXqurZoYoiZpHnaNy8R6h5hWyh64=",
 "ref": "refs/heads/main",
- "rev": "8f935b84929eb6ea4577b015b9b4ef4e86ee69ce",
- "revCount": 116,
+ "rev": "d6359a1af8bed495482137dd9908e7407b8444db",
+ "revCount": 117,
 "type": "git",
 "url": "https://forgejo.owo.monster/chaos/musicutil"
 },
@@ -115,11 +115,11 @@
 ]
 },
 "locked": {
- "lastModified": 1702867085,
- "narHash": "sha256-zcKtsexiTURppa7styWbMvrFiIYfoY5mBtWeIlh7YqU=",
+ "lastModified": 1705359964,
+ "narHash": "sha256-ys1MDjIH6z5UP7gAciRfUAlf2FJV0t3yFib965N/S+I=",
 "owner": "nix-community",
 "repo": "NixOS-WSL",
- "rev": "86f3b26038b36603f51e260979a09e9c659415e9",
+ "rev": "bb3eeeb96ce059ae29309138874ccf58e796f4b1",
 "type": "github"
 },
 "original": {
@@ -130,11 +130,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1700794826,
- "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=",
+ "lastModified": 1705133751,
+ "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8",
+ "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d",
 "type": "github"
 },
 "original": {
@@ -146,11 +146,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1703013332,
- "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
+ "lastModified": 1705133751,
+ "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
+ "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d",
 "type": "github"
 },
 "original": {
@@ -162,11 +162,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1700794826,
- "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=",
+ "lastModified": 1705133751,
+ "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8",
+ "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d",
 "type": "github"
 },
 "original": {
@@ -178,11 +178,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1700794826,
- "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=",
+ "lastModified": 1705133751,
+ "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8",
+ "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d",
 "type": "github"
 },
 "original": {
@@ -194,11 +194,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1703085539,
- "narHash": "sha256-4YE7zXvzWUtnAyzV9+9VYrfr/o+Y/k4ka7yWO2MtAaI=",
+ "lastModified": 1705412701,
+ "narHash": "sha256-C+xOfQHcc2eB2iq6qyFzReoDJSUYv513FFuluVu4Lr4=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "d19b0ed13ad371fe975f20872d7d198d50ecf763",
+ "rev": "63ffe98d833ec01b51ea43204a4e844e2fa39a5e",
 "type": "github"
 },
 "original": {
@@ -283,11 +283,11 @@
 ]
 },
 "locked": {
- "lastModified": 1701095009,
- "narHash": "sha256-hV9R/ZCXL9cZ78TZSkO6TUfuwx/E2K13k2kcoGDgGBc=",
+ "lastModified": 1705413365,
+ "narHash": "sha256-C3CvdCebHM5RiGrRF4WGQLisQ0FYrPPeJBbCWNxHGAI=",
 "ref": "refs/heads/main",
- "rev": "6b0eada62567711299750ae2b708ae30318c8ff9",
- "revCount": 462,
+ "rev": "ea11dd6514c51d524b5cdded260a4632c5cf3c9c",
+ "revCount": 464,
 "type": "git",
 "url": "https://forgejo.owo.monster/chaos/VaultUI"
 },
diff --git a/hosts/hetzner-arm/containers/mail/modules/mailserver/dovecot.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/dovecot.nix
index 9afc71c..40fd63f 100644
--- a/hosts/hetzner-arm/containers/mail/modules/mailserver/dovecot.nix
+++ b/hosts/hetzner-arm/containers/mail/modules/mailserver/dovecot.nix
@@ -57,14 +57,14 @@ in {
 protocols = ["sieve"];
 sieveScripts = {
- after = builtins.toFile "spam.sieve" ''
- require "fileinto";
-
- if header :is "X-Spam" "Yes" {
- fileinto "Junk";
- stop;
- }
- '';
+ # BROKEN: after: line 1: error: require command: unknown Sieve capability `fileinto'.
+ # after = builtins.toFile "spam.sieve" ''
+ # require "fileinto";
+ # if header :is "X-Spam" "Yes" {
+ # fileinto "Junk";
+ # stop;
+ # }
+ # '';
 };
 mailboxes = {
diff --git a/hosts/hetzner-arm/containers/postgresql/data/databases.nix b/hosts/hetzner-arm/containers/postgresql/data/databases.nix
deleted file mode 100644
index e69de29..0000000
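Review bot: Commenting out the `after` script drops the Junk-folder filing for messages marked `X-Spam: Yes`, so they are now delivered to the inbox, and the `# BROKEN` comment records only the error text, not that consequence or the intended fix. The error names `fileinto` as an unknown capability, which suggests the sieve interpreter's enabled extension set is the thing to check rather than the script itself; saying so in the comment saves the next reader from re-debugging the script. A line such as `# TODO: spam lands in INBOX until the fileinto extension is available to the sieve interpreter` would make the temporary state explicit. The enclosing attribute set (`in {` in the hunk header) starts outside the hunk.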
diff --git a/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix b/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix
index 900609a..f98ae16 100644
--- a/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix
+++ b/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix
@@ -13,22 +13,28 @@ in {
 enableTCPIP = true;
 ensureDatabases = [
 "gotosocial"
+ "gotosocial_new"
 "quassel"
 ];
 ensureUsers = [
 {
 name = "gotosocial";
- ensurePermissions."DATABASE gotosocial" = "ALL PRIVILEGES";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "gotosocial_new";
+ ensureDBOwnership = true;
 }
 {
 name = "quassel";
- ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES";
+ ensureDBOwnership = true;
 }
 ];
 # If the host is a local container then use the container's IP
 # otherwise use the host's IP
 authentication = ''
 host gotosocial gotosocial ${localContainersAddresses.containers."social"}/32 trust
+ host gotosocial_new gotosocial_new ${localContainersAddresses.containers."social-02"}/32 trust
 host quassel quassel ${localContainersAddresses.containers."quassel"}/32 trust
 '';
 };
diff --git a/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix b/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
index ce6ce66..edcc8ad 100644
--- a/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
@@ -8,6 +8,7 @@
 backupPrepareCommand = "${
 (pkgs.writeShellScriptBin "backupPrepareCommand" ''
 systemctl start remotePostgreSQLBackup-gotosocial --wait
+ systemctl start remotePostgreSQLBackup-gotosocial_new --wait
 systemctl start remotePostgreSQLBackup-quassel --wait
 '')
 }/bin/backupPrepareCommand";
@@ -51,6 +52,7 @@ in {
 backupUser = "postgres";
 databases = [
 "gotosocial"
+ "gotosocial_new"
 "quassel"
 ];
 };
diff --git a/hosts/hetzner-arm/containers/social-02/default.nix b/hosts/hetzner-arm/containers/social-02/default.nix
new file mode 100644
index 0000000..57c7a6e
--- /dev/null
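Review bot: The added `host gotosocial_new gotosocial_new ${localContainersAddresses.containers."social-02"}/32 trust` line authenticates by source address alone, so any process inside the social-02 container, or anything that can present that address on the container network, can open the database as the owning role with no credential; with `enableTCPIP = true` this is reachable over the network rather than a local socket. It follows the existing entries, but a new database is the natural point to move to `scram-sha-256` and deliver the role's password through the same environment-file mechanism the social-02 gotosocial profile already uses for its SMTP secret. If `trust` is kept deliberately because the /32 scope on a private bridge is considered sufficient, the comment above `authentication` should say so, since it currently only explains which address is used. The enclosing `services.postgresql` block starts outside the hunk.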
+++ b/hosts/hetzner-arm/containers/social-02/default.nix
@@ -0,0 +1,67 @@
+{
+ self,
+ hostPath,
+ tree,
+ inputs,
+ config,
+ pkgs,
+ ...
+}: let
+ containerAddresses = import "${hostPath}/data/containerAddresses.nix";
+ hostIP = containerAddresses.host;
+ containerIP = containerAddresses.containers.social-02;
+in {
+ containers.social-02 = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = hostIP;
+ localAddress = containerIP;
+
+ specialArgs = {
+ inherit inputs;
+ inherit tree;
+ inherit self;
+ inherit hostPath;
+ };
+
+ config = {...}: {
+ nixpkgs.pkgs = pkgs;
+
+ imports = with tree;
+ [
+ presets.nixos.containerBase
+ ./secrets.nix
+ ]
+ ++ (with hosts.hetzner-arm.containers.social-02.profiles; [
+ gotosocial
+ #restic
+ ]);
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [8080];
+ };
+
+ home-manager.users.root.home.stateVersion = "23.05";
+ system.stateVersion = "23.05";
+ };
+ };
+
+ services.nginx.virtualHosts."gts-02.owo.monster" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://${containerIP}:8080";
+ proxyWebsockets = true;
+ extraConfig = ''
+ # uncomment if running nginx without recommendedProxySettings
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ extraConfig = ''
+ client_max_body_size 128M;
+ '';
+ };
+}
diff --git a/hosts/hetzner-arm/containers/social-02/profiles/gotosocial.nix b/hosts/hetzner-arm/containers/social-02/profiles/gotosocial.nix
new file mode 100644
index 0000000..0e95378
--- /dev/null
+++ b/hosts/hetzner-arm/containers/social-02/profiles/gotosocial.nix
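Review bot: `client_max_body_size 128M;` in the vhost's `extraConfig` caps request bodies far below what the container's gotosocial profile advertises (`media-video-max-size = 1000000 * 1024`, roughly 1 GB), so larger video uploads will be refused by nginx with a 413 before the backend sees them; either lower the GoToSocial limit to match or raise the nginx one, and note in a comment which value is the intended ceiling. Separately, `#restic` is commented out in the profile list while `./secrets.nix` still fetches the restic repository credentials, and the old `social` container loses its `restic` profile in the same commit, so neither container appears to run that backup until the line is restored. A comment such as `#restic # disabled during the gts-02 migration; secrets.nix still fetches its credentials` would record the intent. The `# uncomment if running nginx without recommendedProxySettings` block depends on an option set elsewhere; stating where it is enabled would help, since GoToSocial's `trusted-proxies` handling relies on those forwarded headers being present.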
@@ -0,0 +1,74 @@
+{
+ hostPath,
+ config,
+ ...
+}: let
+ containerAddresses = import "${hostPath}/data/containerAddresses.nix";
+ hostIP = containerAddresses.host;
+ containerIP = containerAddresses.containers.social-02;
+
+ secrets = config.services.secrets.secrets;
+in {
+ services.gotosocial = {
+ enable = true;
+ setupPostgresqlDB = false;
+ environmentFile = secrets.env_secrets.path;
+
+ settings = {
+ application-name = "chaos-gts";
+ host = "gts-02.owo.monster";
+ bind-address = "0.0.0.0";
+
+ log-level = "info";
+ log-client-ip = true;
+
+ db-type = "postgres";
+ db-user = "gotosocial_new";
+ db-database = "gotosocial_new";
+ db-address = "${containerAddresses.containers.postgresql}";
+
+ trusted-proxies = [
+ "127.0.0.1/32"
+ "::1"
+ hostIP
+ containerIP
+ ];
+
+ port = 8080;
+ letsencrypt-enabled = false;
+
+ accounts-registration-open = false;
+
+ smtp-host = "mail.owo.monster";
+ smtp-port = 587;
+ smtp-from = "gotosocial@owo.monster";
+ smtp-username = "gotosocial@owo.monster";
+ smtp-password = ""; # set via env variables
+
+ instance-languages = ["en" "de"];
+
+ media-image-max-size = 1000000 * 64; # MB
+ media-video-max-size = 1000000 * 1024; # MB
+ media-description-max-chars = 4000;
+ media-emoji-local-max-size = 102400;
+ media-emoji-remote-max-size = 102400;
+
+ media-remote-cache-days = 1;
+ media-cleanup-every = "6h";
+
+ statuses-cw-max-chars = 150;
+ statuses-poll-max-options = 10;
+ statuses-media-max-files = 8;
+
+ advanced-rate-limit-requests = 0;
+
+ # only enable when testing out mastodon-api applications
+ # that use instance version for api compatibility checks
+ # instance-inject-mastodon-version = true;
+
+ cache = {
+ memory-target = "512MiB";
+ };
+ };
+ };
+}
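Review bot: `advanced-rate-limit-requests = 0;` switches off GoToSocial's built-in per-client request throttle, which also covers the login and OAuth token endpoints, with no comment explaining why; since `trusted-proxies` lists the host and container addresses so real client IPs should be visible behind nginx, the default limit ought to work as intended and there is no stated reason to remove it. If it is deliberate, say so next to the line and note whether nginx applies a limit in its place. The `# MB` comments on `media-image-max-size` and `media-video-max-size` are misleading because the values are in bytes: `1000000 * 64` is 64 MB and `1000000 * 1024` is about 1 GB, so `# bytes (64 MB)` and `# bytes (~1 GB)` would read correctly. `log-client-ip = true` records client addresses in the logs, which is useful for abuse investigation but worth a one-line comment so the choice is visible to whoever reviews log retention.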
diff --git a/hosts/hetzner-arm/containers/social/profiles/restic.nix b/hosts/hetzner-arm/containers/social-02/profiles/restic.nix
similarity index 100%
rename from hosts/hetzner-arm/containers/social/profiles/restic.nix
rename to hosts/hetzner-arm/containers/social-02/profiles/restic.nix
diff --git a/hosts/hetzner-arm/containers/social-02/secrets.nix b/hosts/hetzner-arm/containers/social-02/secrets.nix
new file mode 100644
index 0000000..a5e64e8
--- /dev/null
+++ b/hosts/hetzner-arm/containers/social-02/secrets.nix
@@ -0,0 +1,46 @@
+{...}: {
+ services.secrets = {
+ enable = true;
+
+ vaultLogin = {
+ enable = true;
+ loginUsername = "hetzner-arm-container-social";
+ };
+
+ autoSecrets = {
+ enable = true;
+ };
+
+ requiredVaultPaths = [
+ "private-public-keys/data/restic/Social"
+
+ "api-keys/data/storage/restic/Social"
+
+ "api-keys/data/chaos_mail/gotosocial"
+ ];
+
+ secrets = {
+ vault_password = {
+ manual = true;
+ };
+
+ restic_password = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/Social" .password > "$secretFile"
+ '';
+ };
+ restic_env = {
+ fetchScript = ''
+ RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .restic)
+ echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > "$secretFile"
+ '';
+ };
+ env_secrets = {
+ fetchScript = ''
+ smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
+ echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
+ '';
+ };
+ };
+ };
+}
diff --git a/hosts/hetzner-arm/containers/social/default.nix b/hosts/hetzner-arm/containers/social/default.nix
index e28bca8..a6a10da 100644
--- a/hosts/hetzner-arm/containers/social/default.nix
+++ b/hosts/hetzner-arm/containers/social/default.nix
@@ -34,7 +34,6 @@ in {
 ]
 ++ (with hosts.hetzner-arm.containers.social.profiles; [
 gotosocial
- restic
 ]);
 networking.firewall = {
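Review bot: `loginUsername = "hetzner-arm-container-social"` makes the new container authenticate to Vault as the old container's identity; the file is the same blob the old `social/secrets.nix` had before this commit (`a5e64e8` in both index lines), so this looks like a copy rather than a deliberate shared principal. Two containers behind one Vault login cannot be audited or revoked separately, and the restic credentials fetched here (`restic_password`, `restic_env` for the `Social` repository) are written to disk in a container whose `default.nix` has the restic profile commented out, so an unused secret sits on the box. Either give social-02 its own login with a policy scoped to its paths, or drop the restic entries from `requiredVaultPaths` and `secrets` until the profile is enabled, and record the choice with something like `# shares the 'social' Vault identity during the gts-02 migration; split before social is decommissioned`. If social-02 is meant to inherit the `Social` restic repository, a comment saying so would help, since the old container stops using it in this same commit.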
diff --git a/hosts/hetzner-arm/containers/social/secrets.nix b/hosts/hetzner-arm/containers/social/secrets.nix
index a5e64e8..41160b6 100644
--- a/hosts/hetzner-arm/containers/social/secrets.nix
+++ b/hosts/hetzner-arm/containers/social/secrets.nix
@@ -12,10 +12,6 @@
 };
 requiredVaultPaths = [
- "private-public-keys/data/restic/Social"
-
- "api-keys/data/storage/restic/Social"
-
 "api-keys/data/chaos_mail/gotosocial"
 ];
@@ -24,17 +20,6 @@
 manual = true;
 };
- restic_password = {
- fetchScript = ''
- simple_get "/private-public-keys/restic/Social" .password > "$secretFile"
- '';
- };
- restic_env = {
- fetchScript = ''
- RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .restic)
- echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > "$secretFile"
- '';
- };
 env_secrets = {
 fetchScript = ''
 smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
diff --git a/hosts/hetzner-arm/data/containerAddresses.nix b/hosts/hetzner-arm/data/containerAddresses.nix
index 62af287..b33e732 100644
--- a/hosts/hetzner-arm/data/containerAddresses.nix
+++ b/hosts/hetzner-arm/data/containerAddresses.nix
@@ -10,5 +10,6 @@
 caldav = "10.0.1.8";
 owncast = "10.0.1.9";
 jellyfin = "10.0.1.10";
+ social-02 = "10.0.1.11";
 };
 }
diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix
index 2abfc8d..3f353d0 100644
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@@ -21,6 +21,7 @@ in {
 ]
 ++ (forEach [
 "social"
+ "social-02"
 "storage"
 "music"
 "quassel"
diff --git a/hosts/hetzner-arm/profiles/staticSiteData/contact/index.html b/hosts/hetzner-arm/profiles/staticSiteData/contact/index.html
index b8534f8..0e6601d 100644
--- a/hosts/hetzner-arm/profiles/staticSiteData/contact/index.html
+++ b/hosts/hetzner-arm/profiles/staticSiteData/contact/index.html
@@ -49,13 +49,13 @@

Telegram: chaoticryptidz

Discord: chaoticryptidz

Matrix: @chaos:barr0w.net

-

Fediverse: @chaos@gts-01.owo.monster

+

Fediverse: @chaos@gts-02.owo.monster

Signal: Ask elsewhere for number

Session: Ask elsewhere for ID

IRC(liberachat, rarely active so ping me elsewhere): chaoticryptidz

Email: chaos@owo.monster

-

Age pubkey: - age1za8dy3n8lqtuwfy0np2h0alcezw97sunzz5ywfv0pg22x4lqys6sl33uc8

+

Age pubkey: age1za8dy3n8lqtuwfy0np2h0alcezw97sunzz5ywfv0pg22x4lqys6sl33uc8

+ Donate (ko-fi / stripe)
diff --git a/overlay/default.nix b/overlay/default.nix
index 57c9d0b..cc65dfc 100644
--- a/overlay/default.nix
+++ b/overlay/default.nix
@@ -13,6 +13,49 @@ final: prev: rec {
 cp -r ${./kitty-terminfo}/* $out/share
 '';
+ # Remove when fixed in upstream
+ jellyfin-ffmpeg =
+ (prev.ffmpeg_6-headless.override {
+ withAribcaption = false; # FIXME remove when updating past version 6.1
+ })
+ .overrideAttrs (old: rec {
+ pname = "jellyfin-ffmpeg";
+ version = "6.0.1-1";
+
+ src = final.fetchFromGitHub {
+ owner = "jellyfin";
+ repo = "jellyfin-ffmpeg";
+ rev = "v${version}";
+ hash = "sha256-LMwGxx++z6TpZLnpeRGraid4653Mp8T4pY5EP4Z7GXY=";
+ };
+
+ buildInputs = old.buildInputs ++ [prev.chromaprint];
+
+ configureFlags =
+ old.configureFlags
+ ++ [
+ "--extra-version=Jellyfin"
+ "--disable-ptx-compression" # https://github.com/jellyfin/jellyfin/issues/7944#issuecomment-1156880067
+ "--enable-chromaprint"
+ ];
+
+ postPatch = ''
+ for file in $(cat debian/patches/series); do
+ patch -p1 < debian/patches/$file
+ done
+
+ ${old.postPatch or ""}
+ '';
+
+ meta = with final.lib; {
+ description = "${old.meta.description} (Jellyfin fork)";
+ homepage = "https://github.com/jellyfin/jellyfin-ffmpeg";
+ license = licenses.gpl3;
+ maintainers = with maintainers; [justinas];
+ pkgConfigModules = ["libavutil"];
+ };
+ });
+
 mpd-headless = (prev.mpdWithFeatures.override {
 ffmpeg = final.ffmpeg_6-headless;
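Review bot: `# Remove when fixed in upstream` above `jellyfin-ffmpeg` does not say what is broken or where, so nobody later can tell when the override is safe to delete; name the condition concretely, e.g. `# Override until <UPSTREAM CONDITION, e.g. nixpkgs ships jellyfin-ffmpeg >= 6.0.1-1>; see FIXME on withAribcaption` with the placeholder filled in, and link the upstream issue if one exists, as the `--disable-ptx-compression` line already does. In `postPatch`, the loop `for file in $(cat debian/patches/series)` applies every entry of the series file from the pinned source, which is acceptable since `hash` fixes the tree, but `$file` is unquoted and word-split; `while read -r file; do patch -p1 < "debian/patches/$file"; done < debian/patches/series` handles odd entries and comments more predictably. The `rec { ... }` override is complete within the hunk, while the enclosing overlay (`final: prev: rec {`) starts outside it.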
@@ -51,9 +94,9 @@ final: prev: rec {
 owner = "superseriousbusiness";
 repo = "gotosocial";
- version = "0.13.0";
- source-hash = "sha256-+/x3CAGF/cjK1/7fHgC8EzlGR/Xmq3aFL5Ogc/QZCpA=";
- web-assets-hash = "sha256-aPxjfe+0f4hUBfwBH67LsR1/Kv/42sPhlHwmVmDfp30=";
+ version = "0.13.1";
+ source-hash = "sha256-hqESRm+UOBFd+882Qfru1Dc4CnFaHFatX+K12meDODs=";
+ web-assets-hash = "sha256-I/vwAB5F1A2cGmu76CIAYioYoycTHt0RxPOsPr5uQas=";
 web-assets = final.fetchurl {
 url = "https://github.com/${owner}/${repo}/releases/download/v${version}/${repo}_${version}_web-assets.tar.gz";
diff --git a/profiles/gui/environments/gnome/default.nix b/profiles/gui/environments/gnome/default.nix
index af09ebf..59e9a36 100644
--- a/profiles/gui/environments/gnome/default.nix
+++ b/profiles/gui/environments/gnome/default.nix
@@ -41,7 +41,7 @@ in {
 pkgs.gnome.cheese
 pkgs.gnome.gnome-music
 pkgs.gnome.gnome-terminal
- pkgs.gnome.gedit
+ pkgs.gedit
 pkgs.epiphany
 pkgs.evince
 pkgs.gnome.gnome-characters