move all postgres to one daemon, redo wireguard some, roundcube is haunted and network interface is broken somehow

2023-10-02 03:08:24 +01:00 · 2023-10-02 03:08:24 +01:00 · 7583c0f482
parent cf495c8bbd
commit 7583c0f482
33 changed files with 278 additions and 268 deletions
--- a/data/wireguard/chaosInternalWireGuard.nix
+++ b/data/wireguard/chaosInternalWireGuard.nix
@ -1,29 +1,44 @@
 let
  pubkeys = builtins.fromJSON (builtins.readFile ./chaosInternalWireGuardPubKeys.json);
  listenPort = 51820;
 in rec {
  # 10.0.0.0/24 - machines
  # 10.0.1.0/24 - containers for hetzner-arm
  hosts = {
    "hetzner-arm" = {
-      ip = "10.69.42.1";
+      ip = "10.0.0.1";
      allowedIPs = [
        "10.0.0.1/32" # Allow itself
        "10.0.1.1/24" # Containers
      ];
      public = pubkeys."hetzner-arm";
-      endpoint = "hetzner-arm.servers.genderfucked.monster:51820";
+      inherit listenPort;
      endpoint = "hetzner-arm.servers.genderfucked.monster:${toString listenPort}";
    };
    "vault" = {
-      ip = "10.69.42.2";
+      ip = "10.0.0.2";
      public = pubkeys."vault";
-      endpoint = "vault.servers.genderfucked.monster:51820";
+      inherit listenPort;
-    };
+      endpoint = "vault.servers.genderfucked.monster:${toString listenPort}";
    "iphone8" = {
      ip = "10.69.42.3";
      public = pubkeys."iphone8";
    };
    "lappy-t495" = {
-      ip = "10.69.42.4";
+      ip = "10.0.0.3";
      public = pubkeys."lappy-t495";
    };
    "raspberry" = {
-      ip = "10.69.42.5";
+      ip = "10.0.0.4";
      public = pubkeys."raspberry";
-      endpoint = "raspberry.servers.genderfucked.monster:51820";
+      inherit listenPort;
      endpoint = "raspberry.servers.genderfucked.monster:${toString listenPort}";
    };
    "iphone15" = {
      ip = "10.0.0.5";
      public = pubkeys."iphone15";
    };
    "iphone8" = {
      ip = "10.0.0.6";
      public = pubkeys."iphone8";
    };
  };
 }
--- a/data/wireguard/chaosInternalWireGuardPubKeys.json
+++ b/data/wireguard/chaosInternalWireGuardPubKeys.json
@ -1,7 +1,8 @@
 {
-  "vault": "0jGdR0yBnjY5CUCQpqWIaWAfgT36QdGdhZXtaAV+MkE=",
+  "vault": "IfYCpiUXmsGVj8OR32W1ind0TWf2hmT+Axz3SaTsUQE=",
-  "raspberry": "DXXUfkR4qlytdsf37NGzgzVhDxPuhz8oxRcSxOX2fQk=",
+  "raspberry": "ZWnPJZ5Bw/EyoLo5o3xjhkn3aTDC+ivPnnizGL0JfEo=",
-  "lappy-t495": "kyykcuDMWy1WRxX97PImEYgwWw8HUbhM53kW6bEyryA=",
+  "lappy-t495": "ogQmpEb3pXgn8NhQUlIwj/6CwAxXeB1ayqfXaieKs3g=",
-  "iphone8": "1u/G60EWg2bo1iyViWAGXs8HXES2zenZCVdD5X+yJi4=",
+  "iphone8": "OptrVbP0q9q3DkEUGYu8aa6kj3S7h7cpotz5yuKs7Qw=",
-  "hetzner-arm": "rCkptlaz5IFSZ+4OPaylbyKVoUwYNWBNkaT63QApymA="
+  "hetzner-arm": "UJ1WgFOy5AtvMvvU9Y3F8CuDOXz8JeJGZtDa83s7D3s=",
  "iphone15": "i4vGjEqQyuoRqOJucXVrW0aIbwSUaB2dVVtEUjvHx3A="
 }
--- a/hosts/hetzner-arm/containers/forgejo/default.nix
+++ b/hosts/hetzner-arm/containers/forgejo/default.nix
@ -37,6 +37,7 @@ in {
          presets.nixos.containerBase
          profiles.sshd
          profiles.firewallAllow.ssh
          ./secrets.nix
        ]
        ++ (with hosts.hetzner-arm.containers.forgejo.profiles; [
--- a/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
+++ b/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
@ -1,7 +1,9 @@
 {pkgs, ...}: {
  services.forgejo = {
    enable = true;
-    database.type = "sqlite3";
+    database = {
      type = "sqlite3";
    };
    lfs.enable = true;
    settings = {
      DEFAULT.APP_NAME = "chaos's Forgejo";
--- a/hosts/hetzner-arm/containers/mail/default.nix
+++ b/hosts/hetzner-arm/containers/mail/default.nix
@ -87,10 +87,6 @@ in {
      forceSSL = true;
      enableACME = true;
      acmeRoot = "/var/lib/acme/acme-challenge";
      # also being used for webmail
      locations."/" = {
        proxyPass = "http://unix:/var/lib/nixos-containers/mail/var/sockets/roundcube.sock";
      };
    };
  };
--- a/hosts/hetzner-arm/containers/mail/modules/mailserver/default.nix
+++ b/hosts/hetzner-arm/containers/mail/modules/mailserver/default.nix
@ -1,11 +1,10 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
  inherit (lib) types;
-  inherit (lib.options) mkEnableOption mkOption mkPackageOption;
+  inherit (lib.options) mkEnableOption mkOption;
  cfg = config.services.mailserver;
 in {
@ -43,34 +42,6 @@ in {
      };
    };
    roundcube = {
      enable = mkOption {
        type = types.bool;
        default = true;
      };
      package = mkPackageOption pkgs "roundcube" {};
      domain = mkOption {
        type = types.str;
        default = "${cfg.fqdn}";
      };
      plugins = mkOption {
        type = types.listOf types.str;
        default = [];
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
      };
      forceSSL = mkOption {
        type = types.bool;
        default = true;
      };
      enableACME = mkOption {
        type = types.bool;
        default = true;
      };
    };
    spf = {
      enable = mkOption {
        type = types.bool;
--- a/hosts/hetzner-arm/containers/mail/modules/mailserver/webmail.nix
+++ b/hosts/hetzner-arm/containers/mail/modules/mailserver/webmail.nix
@ -1,34 +0,0 @@
 {
  config,
  lib,
  ...
 }: let
  inherit (lib.modules) mkIf mkForce;
  mailConfig = config.services.mailserver;
 in {
  config = mkIf (mailConfig.enable && mailConfig.roundcube.enable) {
    services.roundcube = {
      enable = true;
      package = mailConfig.roundcube.package;
      plugins =
        mailConfig.roundcube.plugins
        ++ [
          "managesieve"
        ];
      hostName = "${mailConfig.roundcube.domain}";
      extraConfig = ''
        $config['smtp_server'] = "tls://${mailConfig.fqdn}";
        $config['smtp_user'] = "%u";
        $config['smtp_pass'] = "%p";
        $config['managesieve_host'] = 'tls://${mailConfig.fqdn}';
        ${mailConfig.roundcube.extraConfig}
      '';
    };
    services.nginx.virtualHosts."${mailConfig.roundcube.domain}" = {
      forceSSL = mkForce mailConfig.roundcube.forceSSL;
      enableACME = mkForce mailConfig.roundcube.enableACME;
    };
  };
 }
--- a/hosts/hetzner-arm/containers/mail/profiles/mailserver.nix
+++ b/hosts/hetzner-arm/containers/mail/profiles/mailserver.nix
@ -1,8 +1,4 @@
-{
+{config, ...}: let
  pkgs,
  config,
  ...
 }: let
  secrets = config.services.secrets.secrets;
 in {
  services.mailserver = {
@ -39,48 +35,5 @@ in {
    };
    extraAliasesFile = "${secrets.private_mail_aliases.path}";
    roundcube = {
      enable = true;
      package = pkgs.roundcube.withPlugins (_plugins:
        with pkgs.roundcubePlugins; [
          persistent_login
        ]);
      plugins = ["persistent_login"];
      # running in container, passing socket to host
      forceSSL = false;
      enableACME = false;
      extraConfig = ''
        $config['session_lifetime'] = (60 * 24 * 7 * 2); # 2 Weeks
        $config['product_name'] = 'Chaos Mail';
        $config['username_domain'] = "owo.monster";
        $config['username_domain_forced'] = true;
        $config['log_driver'] = 'syslog';
        $config['smtp_debug'] = true;
      '';
    };
  };
  systemd.tmpfiles.rules = [
    "d /var/sockets - nginx nginx"
  ];
  systemd.services.nginx.serviceConfig.ReadWritePaths = [
    "/var/sockets"
  ];
  services.nginx.virtualHosts."mail.owo.monster" = {
    # running in privateNetwork
    # required so nginx doesn't try listening on port 80
    listen = [
      {
        addr = "127.0.0.1";
        port = 8089;
      }
    ];
    extraConfig = "listen unix:/var/sockets/roundcube.sock;";
  };
 }
--- a/hosts/hetzner-arm/containers/mail/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/mail/profiles/restic.nix
@ -6,12 +6,6 @@
  secrets = config.services.secrets.secrets;
  mailConfig = config.services.mailserver;
  backupPrepareCommand = "${
    (pkgs.writeShellScriptBin "backupPrepareCommand" ''
      systemctl start postgresqlBackup-roundcube --wait
    '')
  }/bin/backupPrepareCommand";
 in {
  environment.systemPackages = with pkgs; [
    restic
@ -26,8 +20,6 @@ in {
  services.restic.backups.mail = {
    user = "root";
    paths = [
      "/var/backup/postgresql"
      mailConfig.vmail.directory
      mailConfig.sieveDirectory
      mailConfig.dkim.directory
@ -48,15 +40,5 @@ in {
      OnBootSec = "1m";
      OnCalendar = "8h";
    };
    inherit backupPrepareCommand;
  };
  services.postgresql.enable = true;
  services.postgresqlBackup = {
    enable = true;
    backupAll = false;
    databases = ["roundcube"];
    compression = "zstd";
  };
 }
--- a/hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix
+++ b/hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix
@ -1,21 +0,0 @@
 {self, ...}: let
  wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
  wireguardHosts = wireguardData.hosts;
 in {
  services.postgresql = {
    enable = true;
    port = 5434;
    enableTCPIP = true;
    ensureUsers = [
      {
        name = "piped";
        ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
      }
    ];
    ensureDatabases = ["piped"];
    authentication = ''
      host piped piped ${wireguardHosts."raspberry".ip}/32 trust
      host piped piped ${wireguardHosts."hetzner-arm".ip}/32 trust
    '';
  };
 }
--- a/hosts/hetzner-arm/containers/piped-fi/default.nix
+++ b/hosts/hetzner-arm/containers/piped-fi/default.nix
@ -5,21 +5,24 @@
  inputs,
  config,
  pkgs,
  lib,
  ...
 }: let
  inherit (lib.modules) mkForce;
  pipedName = "piped-fi";
  containerName = pipedName;
  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.${containerName};
  pipedSocketForComponent = (
    component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
  );
 in {
  containers.${containerName} = {
    autoStart = true;
-    privateNetwork = false;
+    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;
    specialArgs = {
      inherit inputs;
@ -36,8 +39,6 @@ in {
        presets.nixos.pipedNode
      ];
      networking.firewall.enable = mkForce false;
      home-manager.users.root.home.stateVersion = "23.05";
      system.stateVersion = "23.05";
    };
--- a/hosts/hetzner-arm/containers/postgresql/default.nix
+++ b/hosts/hetzner-arm/containers/postgresql/default.nix
@ -5,14 +5,17 @@
  inputs,
  config,
  pkgs,
  lib,
  ...
 }: let
-  inherit (lib.modules) mkForce;
+  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.postgresql;
 in {
-  containers.piped-db = {
+  containers.postgresql = {
    autoStart = true;
-    privateNetwork = false;
+    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;
    specialArgs = {
      inherit inputs;
@ -32,7 +35,7 @@ in {
        ./profiles/restic.nix
      ];
-      networking.firewall.enable = mkForce false;
+      networking.firewall.allowedTCPPorts = [5432];
      home-manager.users.root.home.stateVersion = "23.05";
      system.stateVersion = "23.05";
--- a/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix
+++ b/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix
@ -0,0 +1,49 @@
 {
  self,
  hostPath,
  ...
 }: let
  wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
  wireguardHosts = wireguardData.hosts;
  localContainersAddresses = import "${hostPath}/data/containerAddresses.nix";
 in {
  services.postgresql = {
    enable = true;
    enableTCPIP = true;
    ensureDatabases = [
      "piped"
      "gotosocial"
      "quassel"
      "roundcube"
    ];
    ensureUsers = [
      {
        name = "piped";
        ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
      }
      {
        name = "gotosocial";
        ensurePermissions."DATABASE gotosocial" = "ALL PRIVILEGES";
      }
      {
        name = "quassel";
        ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES";
      }
      {
        name = "roundcube";
        ensurePermissions."DATABASE roundcube" = "ALL PRIVILEGES";
      }
    ];
    # If the host is a local container then use the container's IP
    # otherwise use the host's IP
    authentication = ''
      host piped piped ${localContainersAddresses.containers."piped-fi"}/32 trust
      host piped piped ${wireguardHosts."raspberry".ip}/32 trust
      host gotosocial gotosocial ${localContainersAddresses.containers."social"}/32 trust
      host quassel quassel ${localContainersAddresses.containers."quassel"}/32 trust
      host roundcube roundcube ${localContainersAddresses.containers."roundcube"}/32 trust
    '';
  };
 }
--- a/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
@ -8,12 +8,15 @@
  backupPrepareCommand = "${
    (pkgs.writeShellScriptBin "backupPrepareCommand" ''
      systemctl start postgresqlBackup-piped --wait
      systemctl start postgresqlBackup-gotosocial --wait
      systemctl start postgresqlBackup-quassel --wait
      systemctl start postgresqlBackup-roundcube --wait
    '')
  }/bin/backupPrepareCommand";
 in {
  environment.systemPackages = with pkgs; [
    restic
-    (pkgs.writeShellScriptBin "restic-piped" ''
+    (pkgs.writeShellScriptBin "restic-postgresql" ''
      env \
        RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
        $(cat ${secrets.restic_env.path}) \
@ -21,7 +24,7 @@ in {
    '')
  ];
-  services.restic.backups.piped = {
+  services.restic.backups.postgresql = {
    user = "root";
    paths = [
      "/var/backup/postgresql"
@ -29,7 +32,7 @@ in {
    # repository is overrided in environmentFile to contain auth
    # make sure to keep up to date when changing repository
-    repository = "rest:https://storage-restic.owo.monster/Piped";
+    repository = "rest:https://storage-restic.owo.monster/PostgreSQL";
    passwordFile = "${secrets.restic_password.path}";
    environmentFile = "${secrets.restic_env.path}";
@ -48,8 +51,12 @@ in {
  services.postgresqlBackup = {
    enable = true;
    backupAll = false;
-    pgdumpOptions = "-p ${toString config.services.postgresql.port}";
+    databases = [
-    databases = ["piped"];
+      "piped"
      "gotosocial"
      "quassel"
      "roundcube"
    ];
    compression = "zstd";
  };
 }
--- a/hosts/hetzner-arm/containers/postgresql/secrets.nix
+++ b/hosts/hetzner-arm/containers/postgresql/secrets.nix
@ -4,7 +4,7 @@
    vaultLogin = {
      enable = true;
-      loginUsername = "hetzner-arm-container-piped-db";
+      loginUsername = "hetzner-arm-container-postgresql";
    };
    autoSecrets = {
@ -12,8 +12,8 @@
    };
    requiredVaultPaths = [
-      "api-keys/data/storage/restic/Piped"
+      "api-keys/data/storage/restic/PostgreSQL"
-      "private-public-keys/data/restic/Piped"
+      "private-public-keys/data/restic/PostgreSQL"
    ];
    secrets = {
@ -23,14 +23,14 @@
      restic_password = {
        fetchScript = ''
-          simple_get "/private-public-keys/restic/Piped" .password > "$secretFile"
+          simple_get "/private-public-keys/restic/PostgreSQL" .password > "$secretFile"
        '';
      };
      restic_env = {
        fetchScript = ''
-          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped" .username)
+          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/PostgreSQL" .username)
-          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped" .password)
+          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/PostgreSQL" .password)
-          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile"
+          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/PostgreSQL" > "$secretFile"
        '';
      };
    };
--- a/hosts/hetzner-arm/containers/quassel/profiles/quassel.nix
+++ b/hosts/hetzner-arm/containers/quassel/profiles/quassel.nix
@ -3,17 +3,4 @@
    enable = true;
    interfaces = ["0.0.0.0"];
  };
  services.postgresql = {
    enable = true;
    ensureDatabases = ["quassel"];
    ensureUsers = [
      {
        name = "quassel";
        ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES";
      }
    ];
    authentication = "host quassel quassel localhost trust";
  };
 }
--- a/hosts/hetzner-arm/containers/quassel/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/quassel/profiles/restic.nix
@ -24,7 +24,6 @@ in {
  services.restic.backups.quassel = {
    user = "root";
    paths = [
      "/var/backup/postgresql"
      "/home/quassel/.config/quassel-irc.org"
    ];
@ -45,11 +44,4 @@ in {
    inherit backupPrepareCommand;
  };
  services.postgresqlBackup = {
    enable = true;
    backupAll = false;
    databases = ["quassel"];
    compression = "zstd";
  };
 }
--- a/hosts/hetzner-arm/containers/roundcube/default.nix
+++ b/hosts/hetzner-arm/containers/roundcube/default.nix
@ -0,0 +1,55 @@
 {
  self,
  tree,
  inputs,
  config,
  pkgs,
  hostPath,
  ...
 }: let
  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.roundcube;
 in {
  containers.roundcube = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;
    specialArgs = {
      inherit inputs;
      inherit tree;
      inherit self;
      inherit hostPath;
    };
    config = {...}: {
      nixpkgs.pkgs = pkgs;
      imports = with tree; [
        presets.nixos.containerBase
        profiles.nginx
        profiles.sshd
        profiles.firewallAllow.ssh
        ./profiles/roundcube.nix
      ];
      home-manager.users.root.home.stateVersion = "23.05";
      system.stateVersion = "23.05";
    };
  };
  services.nginx = {
    enable = true;
    virtualHosts."mail.owo.monster" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://unix:/var/lib/nixos-containers/roundcube/var/sockets/roundcube.sock";
      };
    };
  };
 }
--- a/hosts/hetzner-arm/containers/roundcube/profiles/roundcube.nix
+++ b/hosts/hetzner-arm/containers/roundcube/profiles/roundcube.nix
@ -0,0 +1,55 @@
 {
  pkgs,
  lib,
  hostPath,
  ...
 }: let
  inherit (lib.modules) mkForce;
  localContainersAddresses = import "${hostPath}/data/containerAddresses.nix";
 in {
  services.roundcube = {
    enable = true;
    hostName = "mail.owo.monster";
    package = pkgs.roundcube.withPlugins (_plugins:
      with pkgs.roundcubePlugins; [
        persistent_login
      ]);
    plugins = [
      "persistent_login"
      "managesieve"
    ];
    database = {
      host = localContainersAddresses.containers.postgresql;
      passwordFile = builtins.toFile "pw" "";
    };
    extraConfig = ''
      $config['smtp_server'] = "tls://mail.owo.monster";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
      $config['managesieve_host'] = 'tls://mail.owo.monster';
      $config['session_lifetime'] = (60 * 24 * 7 * 2); # 2 Weeks
      $config['product_name'] = 'Chaos Mail';
      $config['username_domain'] = "owo.monster";
      $config['username_domain_forced'] = true;
      $config['log_driver'] = 'syslog';
      $config['smtp_debug'] = true;
    '';
  };
  systemd.tmpfiles.rules = [
    "d /var/sockets - nginx nginx"
  ];
  systemd.services.nginx.serviceConfig.ReadWritePaths = [
    "/var/sockets"
  ];
  services.nginx.virtualHosts."mail.owo.monster" = {
    forceSSL = mkForce false;
    enableACME = mkForce false;
    extraConfig = "listen unix:/var/sockets/roundcube.sock;";
  };
 }
--- a/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix
+++ b/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix
@ -11,7 +11,7 @@
 in {
  services.gotosocial = {
    enable = true;
-    setupPostgresqlDB = true;
+    setupPostgresqlDB = false;
    environmentFile = secrets.env_secrets.path;
    settings = {
@ -20,7 +20,12 @@ in {
      bind-address = "0.0.0.0";
      log-level = "info";
-      log-client-ip = false;
+      log-client-ip = true;
      db-type = "postgres";
      db-address = "${containerAddresses.containers.postgresql}";
      db-database = "gotosocial";
      db-user = "gotosocial";
      trusted-proxies = [
        "127.0.0.1/32"
--- a/hosts/hetzner-arm/containers/social/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/social/profiles/restic.nix
@ -1,12 +1,8 @@
 {
  pkgs,
  config,
  lib,
  ...
 }: let
  inherit (lib.strings) concatStringsSep;
  inherit (lib.lists) forEach;
  secrets = config.services.secrets.secrets;
  # Because gotosocial-admin isn't a seporate package we need to generate a seperate config
@ -23,12 +19,6 @@
  backupPrepareCommand = "${
    (pkgs.writeShellScriptBin "backupPrepareCommand" ''
      systemctl start ${
        concatStringsSep " "
        (forEach config.services.postgresqlBackup.databases
          (db: "postgresqlBackup-${db}"))
      } --wait
      systemctl stop gotosocial
      ${goToSocialAdmin} export --path /var/lib/gotosocial/gts-export.json
@ -56,7 +46,6 @@ in {
  services.restic.backups.social = {
    user = "root";
    paths = [
      "/var/backup/postgresql"
      "/var/lib/gotosocial"
    ];
@ -78,11 +67,4 @@ in {
    inherit backupPrepareCommand;
    inherit backupCleanupCommand;
  };
  services.postgresqlBackup = {
    enable = true;
    backupAll = false;
    databases = ["gotosocial"];
    compression = "zstd";
  };
 }
--- a/hosts/hetzner-arm/containers/storage/data/ports.nix
+++ b/hosts/hetzner-arm/containers/storage/data/ports.nix
@ -7,7 +7,7 @@
  rclone_serve_restic_vault = 4211;
  rclone_serve_restic_social = 4212;
  rclone_serve_restic_quassel = 4213;
-  rclone_serve_restic_piped = 4214;
+  rclone_serve_restic_postgresql = 4214;
  rclone_serve_restic_mail = 4215;
  rclone_serve_restic_forgejo = 4216;
--- a/hosts/hetzner-arm/containers/storage/default.nix
+++ b/hosts/hetzner-arm/containers/storage/default.nix
@ -95,7 +95,7 @@ in {
      "/Vault/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_vault}";
      "/Social/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_social}";
      "/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}";
-      "/Piped/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped}";
+      "/PostgreSQL/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_postgresql}";
      "/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}";
      "/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_forgejo}";
    };
--- a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
+++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
@ -117,13 +117,13 @@ in {
        ];
      }
      {
-        id = "restic-piped";
+        id = "restic-postgresql";
-        remote = "StorageBox:Backups/Restic/Piped";
+        remote = "StorageBox:Backups/Restic/PostgreSQL";
        type = "restic";
        extraArgs = [
-          "--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped}"
+          "--addr=0.0.0.0:${toString ports.rclone_serve_restic_postgresql}"
-          "--htpasswd=${secrets.restic_piped_htpasswd.path}"
+          "--htpasswd=${secrets.restic_postgresql_htpasswd.path}"
-          "--baseurl=/Piped/"
+          "--baseurl=/PostgreSQL/"
        ];
      }
      {
--- a/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix
+++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix
@ -15,7 +15,7 @@
        };
        extraArgs = [
          "--fast-list"
-	  "--check-first"
+          "--check-first"
          "--delete-before"
          "--b2-upload-concurrency=4"
          "--transfers=4"
--- a/hosts/hetzner-arm/containers/storage/secrets.nix
+++ b/hosts/hetzner-arm/containers/storage/secrets.nix
@ -28,7 +28,7 @@
      "api-keys/data/storage/restic/Vault"
      "api-keys/data/storage/restic/Social"
      "api-keys/data/storage/restic/Quassel"
-      "api-keys/data/storage/restic/Piped"
+      "api-keys/data/storage/restic/PostgreSQL"
      "api-keys/data/storage/restic/Mail"
      "api-keys/data/storage/restic/Forgejo"
@ -118,12 +118,12 @@
        '';
      };
-      restic_piped_htpasswd = {
+      restic_postgresql_htpasswd = {
        user = "storage";
        group = "storage";
        fetchScript = ''
-          username=$(simple_get "/api-keys/storage/restic/Piped" .username)
+          username=$(simple_get "/api-keys/storage/restic/PostgreSQL" .username)
-          password=$(simple_get "/api-keys/storage/restic/Piped" .password)
+          password=$(simple_get "/api-keys/storage/restic/PostgreSQL" .password)
          htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
        '';
      };
--- a/hosts/hetzner-arm/data/containerAddresses.nix
+++ b/hosts/hetzner-arm/data/containerAddresses.nix
@ -1,10 +1,13 @@
 {
-  host = "192.168.100.10";
+  host = "10.0.1.1";
  containers = {
-    storage = "192.168.100.11";
+    storage = "10.0.1.2";
-    social = "192.168.100.12";
+    social = "10.0.1.3";
-    music = "192.168.100.13";
+    music = "10.0.1.4";
-    quassel = "192.168.100.14";
+    quassel = "10.0.1.5";
-    forgejo = "192.168.100.15";
+    forgejo = "10.0.1.6";
    postgresql = "10.0.1.7";
    piped-fi = "10.0.1.8";
    roundcube = "10.0.1.9";
  };
 }
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -24,10 +24,11 @@ in {
      "storage"
      "music"
      "quassel"
-      "piped-db"
+      "postgresql"
      "piped-fi"
      "mail"
      "forgejo"
      #"roundcube"
    ] (name: ./containers + "/${name}"))
    ++ (with hosts.hetzner-arm.profiles; [
      staticSites
--- a/modules/nixos/rcloneSync.nix
+++ b/modules/nixos/rcloneSync.nix
@ -86,7 +86,7 @@ in {
        [
          (pkgs.writeShellScriptBin "rclone-sync-stop-all" (concatStringsSep "\n" (map (
              job: ''
-		systemctl stop rclone-sync-${job.id}.service
+                systemctl stop rclone-sync-${job.id}.service
              ''
            )
            cfg.syncJobs)))
--- a/outputs.nix
+++ b/outputs.nix
@ -140,7 +140,7 @@ in
          # All machines/containers with secrets.nix
          machines = rec {
            "hetzner-arm" = {
-              containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi" "forgejo"];
+              containers = ["storage" "music" "quassel" "social" "mail" "postgresql" "piped-fi" "forgejo"];
              sshAddress = "hetzner-arm.servers.genderfucked.monster";
            };
            "vault" = {
--- a/presets/nixos/pipedNode.nix
+++ b/presets/nixos/pipedNode.nix
@ -7,11 +7,10 @@
 }: let
  inherit (builtins) attrNames elem;
  wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
  wireguardHosts = wireguardData.hosts;
  hostName = config.networking.hostName;
  hetznerARMContainerAddresses = import "${self}/hosts/hetzner-arm/data/containerAddresses.nix";
  defaultPorts = {
    internalPipedBackend = 3012;
    internalPipedProxy = 3013;
@ -71,8 +70,7 @@ in {
        name = "piped";
        username = "piped";
        usePassword = false;
-        host = "${wireguardHosts."hetzner-arm".ip}";
+        host = hetznerARMContainerAddresses.containers.postgresql;
        port = 5434;
      };
    };
--- a/profiles/chaosInternalWireGuard/wireguard.nix
+++ b/profiles/chaosInternalWireGuard/wireguard.nix
@ -17,13 +17,18 @@
  currentHostName = config.networking.hostName;
  currentHostConfig = wireguardHosts.${currentHostName};
 in {
-  networking.firewall.trustedInterfaces = ["wg0"];
+  networking.firewall = {
-  networking.firewall.allowPing = true;
+    trustedInterfaces = [
-  networking.firewall.allowedUDPPorts = mkIf (hasAttr "endpoint" currentHostConfig) [51820];
+      "wg0"
    ];
    allowPing = true;
    allowedUDPPorts = mkIf (hasAttr "listenPort" currentHostConfig) [
      currentHostConfig.listenPort
    ];
  };
  systemd.services.wireguard-debug = {
    wantedBy = ["multi-user.target"];
    partOf = ["wg-quick-wg0.service"];
    script = ''
      echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
    '';
@ -33,14 +38,14 @@ in {
    wg0 = {
      address = ["${currentHostConfig.ip}/24"];
      privateKeyFile = "${secrets.wg_private.path}";
-      listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
+      listenPort = mkIf (hasAttr "listenPort" currentHostConfig) currentHostConfig.listenPort;
      peers =
        map (
          hostName: let
            host = wireguardHosts.${hostName};
          in {
-            allowedIPs = ["${host.ip}/32"];
+            allowedIPs = host.allowedIPs or ["${host.ip}/32"];
            publicKey = host.public;
            endpoint = host.endpoint or null;
          }
--- a/profiles/firewallAllow/ssh.nix
+++ b/profiles/firewallAllow/ssh.nix
@ -1,2 +1,3 @@
 {...}: {
  networking.firewall.allowedTCPPorts = [22];
 }