move all postgres to one daemon, redo wireguard some, roundcube is haunted and network interface is broken somehow

data/wireguard/chaosInternalWireGuard.nix

@@ -1,29 +1,44 @@
 let
   pubkeys = builtins.fromJSON (builtins.readFile ./chaosInternalWireGuardPubKeys.json);
+  listenPort = 51820;
 in rec {
+  # 10.0.0.0/24 - machines
+  # 10.0.1.0/24 - containers for hetzner-arm
+
   hosts = {
     "hetzner-arm" = {
-      ip = "10.69.42.1";
+      ip = "10.0.0.1";
+      allowedIPs = [
+        "10.0.0.1/32" # Allow itself
+        "10.0.1.1/24" # Containers
+      ];
       public = pubkeys."hetzner-arm";
-      endpoint = "hetzner-arm.servers.genderfucked.monster:51820";
+      inherit listenPort;
+      endpoint = "hetzner-arm.servers.genderfucked.monster:${toString listenPort}";
     };
     "vault" = {
-      ip = "10.69.42.2";
+      ip = "10.0.0.2";
       public = pubkeys."vault";
-      endpoint = "vault.servers.genderfucked.monster:51820";
-    };
-    "iphone8" = {
-      ip = "10.69.42.3";
-      public = pubkeys."iphone8";
+      inherit listenPort;
+      endpoint = "vault.servers.genderfucked.monster:${toString listenPort}";
     };
     "lappy-t495" = {
-      ip = "10.69.42.4";
+      ip = "10.0.0.3";
       public = pubkeys."lappy-t495";
     };
     "raspberry" = {
-      ip = "10.69.42.5";
+      ip = "10.0.0.4";
       public = pubkeys."raspberry";
-      endpoint = "raspberry.servers.genderfucked.monster:51820";
+      inherit listenPort;
+      endpoint = "raspberry.servers.genderfucked.monster:${toString listenPort}";
+    };
+    "iphone15" = {
+      ip = "10.0.0.5";
+      public = pubkeys."iphone15";
+    };
+    "iphone8" = {
+      ip = "10.0.0.6";
+      public = pubkeys."iphone8";
     };
   };
 }

data/wireguard/chaosInternalWireGuardPubKeys.json

@@ -1,7 +1,8 @@
 {
-  "vault": "0jGdR0yBnjY5CUCQpqWIaWAfgT36QdGdhZXtaAV+MkE=",
-  "raspberry": "DXXUfkR4qlytdsf37NGzgzVhDxPuhz8oxRcSxOX2fQk=",
-  "lappy-t495": "kyykcuDMWy1WRxX97PImEYgwWw8HUbhM53kW6bEyryA=",
-  "iphone8": "1u/G60EWg2bo1iyViWAGXs8HXES2zenZCVdD5X+yJi4=",
-  "hetzner-arm": "rCkptlaz5IFSZ+4OPaylbyKVoUwYNWBNkaT63QApymA="
+  "vault": "IfYCpiUXmsGVj8OR32W1ind0TWf2hmT+Axz3SaTsUQE=",
+  "raspberry": "ZWnPJZ5Bw/EyoLo5o3xjhkn3aTDC+ivPnnizGL0JfEo=",
+  "lappy-t495": "ogQmpEb3pXgn8NhQUlIwj/6CwAxXeB1ayqfXaieKs3g=",
+  "iphone8": "OptrVbP0q9q3DkEUGYu8aa6kj3S7h7cpotz5yuKs7Qw=",
+  "hetzner-arm": "UJ1WgFOy5AtvMvvU9Y3F8CuDOXz8JeJGZtDa83s7D3s=",
+  "iphone15": "i4vGjEqQyuoRqOJucXVrW0aIbwSUaB2dVVtEUjvHx3A="
 }

hosts/hetzner-arm/containers/forgejo/default.nix

@@ -37,6 +37,7 @@ in {
           presets.nixos.containerBase
           profiles.sshd
           profiles.firewallAllow.ssh
+
           ./secrets.nix
         ]
         ++ (with hosts.hetzner-arm.containers.forgejo.profiles; [

hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix

@@ -1,7 +1,9 @@
 {pkgs, ...}: {
   services.forgejo = {
     enable = true;
-    database.type = "sqlite3";
+    database = {
+      type = "sqlite3";
+    };
     lfs.enable = true;
     settings = {
       DEFAULT.APP_NAME = "chaos's Forgejo";

hosts/hetzner-arm/containers/mail/default.nix

@@ -87,10 +87,6 @@ in {
       forceSSL = true;
       enableACME = true;
       acmeRoot = "/var/lib/acme/acme-challenge";
-      # also being used for webmail
-      locations."/" = {
-        proxyPass = "http://unix:/var/lib/nixos-containers/mail/var/sockets/roundcube.sock";
-      };
     };
   };
 

hosts/hetzner-arm/containers/mail/modules/mailserver/default.nix

@@ -1,11 +1,10 @@
 {
   config,
-  pkgs,
   lib,
   ...
 }: let
   inherit (lib) types;
-  inherit (lib.options) mkEnableOption mkOption mkPackageOption;
+  inherit (lib.options) mkEnableOption mkOption;
 
   cfg = config.services.mailserver;
 in {
@@ -43,34 +42,6 @@ in {
       };
     };
 
-    roundcube = {
-      enable = mkOption {
-        type = types.bool;
-        default = true;
-      };
-      package = mkPackageOption pkgs "roundcube" {};
-      domain = mkOption {
-        type = types.str;
-        default = "${cfg.fqdn}";
-      };
-      plugins = mkOption {
-        type = types.listOf types.str;
-        default = [];
-      };
-      extraConfig = mkOption {
-        type = types.lines;
-        default = "";
-      };
-      forceSSL = mkOption {
-        type = types.bool;
-        default = true;
-      };
-      enableACME = mkOption {
-        type = types.bool;
-        default = true;
-      };
-    };
-
     spf = {
       enable = mkOption {
         type = types.bool;

hosts/hetzner-arm/containers/mail/modules/mailserver/webmail.nix

@@ -1,34 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  inherit (lib.modules) mkIf mkForce;
-
-  mailConfig = config.services.mailserver;
-in {
-  config = mkIf (mailConfig.enable && mailConfig.roundcube.enable) {
-    services.roundcube = {
-      enable = true;
-      package = mailConfig.roundcube.package;
-      plugins =
-        mailConfig.roundcube.plugins
-        ++ [
-          "managesieve"
-        ];
-      hostName = "${mailConfig.roundcube.domain}";
-      extraConfig = ''
-        $config['smtp_server'] = "tls://${mailConfig.fqdn}";
-        $config['smtp_user'] = "%u";
-        $config['smtp_pass'] = "%p";
-        $config['managesieve_host'] = 'tls://${mailConfig.fqdn}';
-        ${mailConfig.roundcube.extraConfig}
-      '';
-    };
-
-    services.nginx.virtualHosts."${mailConfig.roundcube.domain}" = {
-      forceSSL = mkForce mailConfig.roundcube.forceSSL;
-      enableACME = mkForce mailConfig.roundcube.enableACME;
-    };
-  };
-}

hosts/hetzner-arm/containers/mail/profiles/mailserver.nix

@@ -1,8 +1,4 @@
-{
-  pkgs,
-  config,
-  ...
-}: let
+{config, ...}: let
   secrets = config.services.secrets.secrets;
 in {
   services.mailserver = {
@@ -39,48 +35,5 @@ in {
     };
 
     extraAliasesFile = "${secrets.private_mail_aliases.path}";
-
-    roundcube = {
-      enable = true;
-
-      package = pkgs.roundcube.withPlugins (_plugins:
-        with pkgs.roundcubePlugins; [
-          persistent_login
-        ]);
-      plugins = ["persistent_login"];
-
-      # running in container, passing socket to host
-      forceSSL = false;
-      enableACME = false;
-
-      extraConfig = ''
-        $config['session_lifetime'] = (60 * 24 * 7 * 2); # 2 Weeks
-        $config['product_name'] = 'Chaos Mail';
-        $config['username_domain'] = "owo.monster";
-        $config['username_domain_forced'] = true;
-        $config['log_driver'] = 'syslog';
-        $config['smtp_debug'] = true;
-      '';
-    };
-  };
-
-  systemd.tmpfiles.rules = [
-    "d /var/sockets - nginx nginx"
-  ];
-
-  systemd.services.nginx.serviceConfig.ReadWritePaths = [
-    "/var/sockets"
-  ];
-
-  services.nginx.virtualHosts."mail.owo.monster" = {
-    # running in privateNetwork
-    # required so nginx doesn't try listening on port 80
-    listen = [
-      {
-        addr = "127.0.0.1";
-        port = 8089;
-      }
-    ];
-    extraConfig = "listen unix:/var/sockets/roundcube.sock;";
   };
 }

hosts/hetzner-arm/containers/mail/profiles/restic.nix

@@ -6,12 +6,6 @@
   secrets = config.services.secrets.secrets;
 
   mailConfig = config.services.mailserver;
-
-  backupPrepareCommand = "${
-    (pkgs.writeShellScriptBin "backupPrepareCommand" ''
-      systemctl start postgresqlBackup-roundcube --wait
-    '')
-  }/bin/backupPrepareCommand";
 in {
   environment.systemPackages = with pkgs; [
     restic
@@ -26,8 +20,6 @@ in {
   services.restic.backups.mail = {
     user = "root";
     paths = [
-      "/var/backup/postgresql"
-
       mailConfig.vmail.directory
       mailConfig.sieveDirectory
       mailConfig.dkim.directory
@@ -48,15 +40,5 @@ in {
       OnBootSec = "1m";
       OnCalendar = "8h";
     };
-
-    inherit backupPrepareCommand;
-  };
-
-  services.postgresql.enable = true;
-  services.postgresqlBackup = {
-    enable = true;
-    backupAll = false;
-    databases = ["roundcube"];
-    compression = "zstd";
   };
 }

hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix

@@ -1,21 +0,0 @@
-{self, ...}: let
-  wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
-  wireguardHosts = wireguardData.hosts;
-in {
-  services.postgresql = {
-    enable = true;
-    port = 5434;
-    enableTCPIP = true;
-    ensureUsers = [
-      {
-        name = "piped";
-        ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
-      }
-    ];
-    ensureDatabases = ["piped"];
-    authentication = ''
-      host piped piped ${wireguardHosts."raspberry".ip}/32 trust
-      host piped piped ${wireguardHosts."hetzner-arm".ip}/32 trust
-    '';
-  };
-}

hosts/hetzner-arm/containers/piped-fi/default.nix

@@ -5,21 +5,24 @@
   inputs,
   config,
   pkgs,
-  lib,
   ...
 }: let
-  inherit (lib.modules) mkForce;
-
   pipedName = "piped-fi";
   containerName = pipedName;
 
+  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
+  hostIP = containerAddresses.host;
+  containerIP = containerAddresses.containers.${containerName};
+
   pipedSocketForComponent = (
     component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
   );
 in {
   containers.${containerName} = {
     autoStart = true;
-    privateNetwork = false;
+    privateNetwork = true;
+    hostAddress = hostIP;
+    localAddress = containerIP;
 
     specialArgs = {
       inherit inputs;
@@ -36,8 +39,6 @@ in {
         presets.nixos.pipedNode
       ];
 
-      networking.firewall.enable = mkForce false;
-
       home-manager.users.root.home.stateVersion = "23.05";
       system.stateVersion = "23.05";
     };

hosts/hetzner-arm/containers/postgresql/default.nix

@@ -5,14 +5,17 @@
   inputs,
   config,
   pkgs,
-  lib,
   ...
 }: let
-  inherit (lib.modules) mkForce;
+  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
+  hostIP = containerAddresses.host;
+  containerIP = containerAddresses.containers.postgresql;
 in {
-  containers.piped-db = {
+  containers.postgresql = {
     autoStart = true;
-    privateNetwork = false;
+    privateNetwork = true;
+    hostAddress = hostIP;
+    localAddress = containerIP;
 
     specialArgs = {
       inherit inputs;
@@ -32,7 +35,7 @@ in {
         ./profiles/restic.nix
       ];
 
-      networking.firewall.enable = mkForce false;
+      networking.firewall.allowedTCPPorts = [5432];
 
       home-manager.users.root.home.stateVersion = "23.05";
       system.stateVersion = "23.05";

hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix

@@ -0,0 +1,49 @@
+{
+  self,
+  hostPath,
+  ...
+}: let
+  wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
+  wireguardHosts = wireguardData.hosts;
+
+  localContainersAddresses = import "${hostPath}/data/containerAddresses.nix";
+in {
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = true;
+    ensureDatabases = [
+      "piped"
+      "gotosocial"
+      "quassel"
+      "roundcube"
+    ];
+    ensureUsers = [
+      {
+        name = "piped";
+        ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
+      }
+      {
+        name = "gotosocial";
+        ensurePermissions."DATABASE gotosocial" = "ALL PRIVILEGES";
+      }
+      {
+        name = "quassel";
+        ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES";
+      }
+      {
+        name = "roundcube";
+        ensurePermissions."DATABASE roundcube" = "ALL PRIVILEGES";
+      }
+    ];
+    # If the host is a local container then use the container's IP
+    # otherwise use the host's IP
+    authentication = ''
+      host piped piped ${localContainersAddresses.containers."piped-fi"}/32 trust
+      host piped piped ${wireguardHosts."raspberry".ip}/32 trust
+
+      host gotosocial gotosocial ${localContainersAddresses.containers."social"}/32 trust
+      host quassel quassel ${localContainersAddresses.containers."quassel"}/32 trust
+      host roundcube roundcube ${localContainersAddresses.containers."roundcube"}/32 trust
+    '';
+  };
+}

hosts/hetzner-arm/containers/postgresql/profiles/restic.nix

@@ -8,12 +8,15 @@
   backupPrepareCommand = "${
     (pkgs.writeShellScriptBin "backupPrepareCommand" ''
       systemctl start postgresqlBackup-piped --wait
+      systemctl start postgresqlBackup-gotosocial --wait
+      systemctl start postgresqlBackup-quassel --wait
+      systemctl start postgresqlBackup-roundcube --wait
     '')
   }/bin/backupPrepareCommand";
 in {
   environment.systemPackages = with pkgs; [
     restic
-    (pkgs.writeShellScriptBin "restic-piped" ''
+    (pkgs.writeShellScriptBin "restic-postgresql" ''
       env \
         RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
         $(cat ${secrets.restic_env.path}) \
@@ -21,7 +24,7 @@ in {
     '')
   ];
 
-  services.restic.backups.piped = {
+  services.restic.backups.postgresql = {
     user = "root";
     paths = [
       "/var/backup/postgresql"
@@ -29,7 +32,7 @@ in {
 
     # repository is overrided in environmentFile to contain auth
     # make sure to keep up to date when changing repository
-    repository = "rest:https://storage-restic.owo.monster/Piped";
+    repository = "rest:https://storage-restic.owo.monster/PostgreSQL";
     passwordFile = "${secrets.restic_password.path}";
     environmentFile = "${secrets.restic_env.path}";
 
@@ -48,8 +51,12 @@ in {
   services.postgresqlBackup = {
     enable = true;
     backupAll = false;
-    pgdumpOptions = "-p ${toString config.services.postgresql.port}";
-    databases = ["piped"];
+    databases = [
+      "piped"
+      "gotosocial"
+      "quassel"
+      "roundcube"
+    ];
     compression = "zstd";
   };
 }

hosts/hetzner-arm/containers/postgresql/secrets.nix

@@ -4,7 +4,7 @@
 
     vaultLogin = {
       enable = true;
-      loginUsername = "hetzner-arm-container-piped-db";
+      loginUsername = "hetzner-arm-container-postgresql";
     };
 
     autoSecrets = {
@@ -12,8 +12,8 @@
     };
 
     requiredVaultPaths = [
-      "api-keys/data/storage/restic/Piped"
-      "private-public-keys/data/restic/Piped"
+      "api-keys/data/storage/restic/PostgreSQL"
+      "private-public-keys/data/restic/PostgreSQL"
     ];
 
     secrets = {
@@ -23,14 +23,14 @@
 
       restic_password = {
         fetchScript = ''
-          simple_get "/private-public-keys/restic/Piped" .password > "$secretFile"
+          simple_get "/private-public-keys/restic/PostgreSQL" .password > "$secretFile"
         '';
       };
       restic_env = {
         fetchScript = ''
-          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped" .username)
-          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped" .password)
-          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile"
+          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/PostgreSQL" .username)
+          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/PostgreSQL" .password)
+          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/PostgreSQL" > "$secretFile"
         '';
       };
     };

hosts/hetzner-arm/containers/quassel/profiles/quassel.nix

@@ -3,17 +3,4 @@
     enable = true;
     interfaces = ["0.0.0.0"];
   };
-
-  services.postgresql = {
-    enable = true;
-    ensureDatabases = ["quassel"];
-    ensureUsers = [
-      {
-        name = "quassel";
-        ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES";
-      }
-    ];
-
-    authentication = "host quassel quassel localhost trust";
-  };
 }

hosts/hetzner-arm/containers/quassel/profiles/restic.nix

@@ -24,7 +24,6 @@ in {
   services.restic.backups.quassel = {
     user = "root";
     paths = [
-      "/var/backup/postgresql"
       "/home/quassel/.config/quassel-irc.org"
     ];
 
@@ -45,11 +44,4 @@ in {
 
     inherit backupPrepareCommand;
   };
-
-  services.postgresqlBackup = {
-    enable = true;
-    backupAll = false;
-    databases = ["quassel"];
-    compression = "zstd";
-  };
 }

hosts/hetzner-arm/containers/roundcube/default.nix

@@ -0,0 +1,55 @@
+{
+  self,
+  tree,
+  inputs,
+  config,
+  pkgs,
+  hostPath,
+  ...
+}: let
+  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
+  hostIP = containerAddresses.host;
+  containerIP = containerAddresses.containers.roundcube;
+in {
+  containers.roundcube = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = hostIP;
+    localAddress = containerIP;
+
+    specialArgs = {
+      inherit inputs;
+      inherit tree;
+      inherit self;
+      inherit hostPath;
+    };
+
+    config = {...}: {
+      nixpkgs.pkgs = pkgs;
+
+      imports = with tree; [
+        presets.nixos.containerBase
+
+        profiles.nginx
+        profiles.sshd
+        profiles.firewallAllow.ssh
+
+        ./profiles/roundcube.nix
+      ];
+
+      home-manager.users.root.home.stateVersion = "23.05";
+      system.stateVersion = "23.05";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."mail.owo.monster" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://unix:/var/lib/nixos-containers/roundcube/var/sockets/roundcube.sock";
+      };
+    };
+  };
+}

hosts/hetzner-arm/containers/roundcube/profiles/roundcube.nix

@@ -0,0 +1,55 @@
+{
+  pkgs,
+  lib,
+  hostPath,
+  ...
+}: let
+  inherit (lib.modules) mkForce;
+
+  localContainersAddresses = import "${hostPath}/data/containerAddresses.nix";
+in {
+  services.roundcube = {
+    enable = true;
+    hostName = "mail.owo.monster";
+    package = pkgs.roundcube.withPlugins (_plugins:
+      with pkgs.roundcubePlugins; [
+        persistent_login
+      ]);
+    plugins = [
+      "persistent_login"
+      "managesieve"
+    ];
+
+    database = {
+      host = localContainersAddresses.containers.postgresql;
+      passwordFile = builtins.toFile "pw" "";
+    };
+
+    extraConfig = ''
+      $config['smtp_server'] = "tls://mail.owo.monster";
+      $config['smtp_user'] = "%u";
+      $config['smtp_pass'] = "%p";
+      $config['managesieve_host'] = 'tls://mail.owo.monster';
+      $config['session_lifetime'] = (60 * 24 * 7 * 2); # 2 Weeks
+      $config['product_name'] = 'Chaos Mail';
+      $config['username_domain'] = "owo.monster";
+      $config['username_domain_forced'] = true;
+      $config['log_driver'] = 'syslog';
+      $config['smtp_debug'] = true;
+    '';
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/sockets - nginx nginx"
+  ];
+
+  systemd.services.nginx.serviceConfig.ReadWritePaths = [
+    "/var/sockets"
+  ];
+
+  services.nginx.virtualHosts."mail.owo.monster" = {
+    forceSSL = mkForce false;
+    enableACME = mkForce false;
+    extraConfig = "listen unix:/var/sockets/roundcube.sock;";
+  };
+}

hosts/hetzner-arm/containers/social/profiles/gotosocial.nix

@@ -11,7 +11,7 @@
 in {
   services.gotosocial = {
     enable = true;
-    setupPostgresqlDB = true;
+    setupPostgresqlDB = false;
     environmentFile = secrets.env_secrets.path;
 
     settings = {
@@ -20,7 +20,12 @@ in {
       bind-address = "0.0.0.0";
 
       log-level = "info";
-      log-client-ip = false;
+      log-client-ip = true;
+
+      db-type = "postgres";
+      db-address = "${containerAddresses.containers.postgresql}";
+      db-database = "gotosocial";
+      db-user = "gotosocial";
 
       trusted-proxies = [
         "127.0.0.1/32"

hosts/hetzner-arm/containers/social/profiles/restic.nix

@@ -1,12 +1,8 @@
 {
   pkgs,
   config,
-  lib,
   ...
 }: let
-  inherit (lib.strings) concatStringsSep;
-  inherit (lib.lists) forEach;
-
   secrets = config.services.secrets.secrets;
 
   # Because gotosocial-admin isn't a seporate package we need to generate a seperate config
@@ -23,12 +19,6 @@
 
   backupPrepareCommand = "${
     (pkgs.writeShellScriptBin "backupPrepareCommand" ''
-      systemctl start ${
-        concatStringsSep " "
-        (forEach config.services.postgresqlBackup.databases
-          (db: "postgresqlBackup-${db}"))
-      } --wait
-
       systemctl stop gotosocial
 
       ${goToSocialAdmin} export --path /var/lib/gotosocial/gts-export.json
@@ -56,7 +46,6 @@ in {
   services.restic.backups.social = {
     user = "root";
     paths = [
-      "/var/backup/postgresql"
       "/var/lib/gotosocial"
     ];
 
@@ -78,11 +67,4 @@ in {
     inherit backupPrepareCommand;
     inherit backupCleanupCommand;
   };
-
-  services.postgresqlBackup = {
-    enable = true;
-    backupAll = false;
-    databases = ["gotosocial"];
-    compression = "zstd";
-  };
 }

hosts/hetzner-arm/containers/storage/data/ports.nix

@@ -7,7 +7,7 @@
   rclone_serve_restic_vault = 4211;
   rclone_serve_restic_social = 4212;
   rclone_serve_restic_quassel = 4213;
-  rclone_serve_restic_piped = 4214;
+  rclone_serve_restic_postgresql = 4214;
   rclone_serve_restic_mail = 4215;
   rclone_serve_restic_forgejo = 4216;
 

hosts/hetzner-arm/containers/storage/default.nix

@@ -95,7 +95,7 @@ in {
       "/Vault/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_vault}";
       "/Social/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_social}";
       "/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}";
-      "/Piped/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped}";
+      "/PostgreSQL/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_postgresql}";
       "/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}";
       "/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_forgejo}";
     };

hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix

@@ -117,13 +117,13 @@ in {
         ];
       }
       {
-        id = "restic-piped";
-        remote = "StorageBox:Backups/Restic/Piped";
+        id = "restic-postgresql";
+        remote = "StorageBox:Backups/Restic/PostgreSQL";
         type = "restic";
         extraArgs = [
-          "--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped}"
-          "--htpasswd=${secrets.restic_piped_htpasswd.path}"
-          "--baseurl=/Piped/"
+          "--addr=0.0.0.0:${toString ports.rclone_serve_restic_postgresql}"
+          "--htpasswd=${secrets.restic_postgresql_htpasswd.path}"
+          "--baseurl=/PostgreSQL/"
         ];
       }
       {

hosts/hetzner-arm/containers/storage/secrets.nix

@@ -28,7 +28,7 @@
       "api-keys/data/storage/restic/Vault"
       "api-keys/data/storage/restic/Social"
       "api-keys/data/storage/restic/Quassel"
-      "api-keys/data/storage/restic/Piped"
+      "api-keys/data/storage/restic/PostgreSQL"
       "api-keys/data/storage/restic/Mail"
       "api-keys/data/storage/restic/Forgejo"
 
@@ -118,12 +118,12 @@
         '';
       };
 
-      restic_piped_htpasswd = {
+      restic_postgresql_htpasswd = {
         user = "storage";
         group = "storage";
         fetchScript = ''
-          username=$(simple_get "/api-keys/storage/restic/Piped" .username)
-          password=$(simple_get "/api-keys/storage/restic/Piped" .password)
+          username=$(simple_get "/api-keys/storage/restic/PostgreSQL" .username)
+          password=$(simple_get "/api-keys/storage/restic/PostgreSQL" .password)
           htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
         '';
       };

hosts/hetzner-arm/data/containerAddresses.nix

@@ -1,10 +1,13 @@
 {
-  host = "192.168.100.10";
+  host = "10.0.1.1";
   containers = {
-    storage = "192.168.100.11";
-    social = "192.168.100.12";
-    music = "192.168.100.13";
-    quassel = "192.168.100.14";
-    forgejo = "192.168.100.15";
+    storage = "10.0.1.2";
+    social = "10.0.1.3";
+    music = "10.0.1.4";
+    quassel = "10.0.1.5";
+    forgejo = "10.0.1.6";
+    postgresql = "10.0.1.7";
+    piped-fi = "10.0.1.8";
+    roundcube = "10.0.1.9";
   };
 }

hosts/hetzner-arm/hetzner-arm.nix

@@ -24,10 +24,11 @@ in {
       "storage"
       "music"
       "quassel"
-      "piped-db"
+      "postgresql"
       "piped-fi"
       "mail"
       "forgejo"
+      #"roundcube"
     ] (name: ./containers + "/${name}"))
     ++ (with hosts.hetzner-arm.profiles; [
       staticSites

outputs.nix

@@ -140,7 +140,7 @@ in
           # All machines/containers with secrets.nix
           machines = rec {
             "hetzner-arm" = {
-              containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi" "forgejo"];
+              containers = ["storage" "music" "quassel" "social" "mail" "postgresql" "piped-fi" "forgejo"];
               sshAddress = "hetzner-arm.servers.genderfucked.monster";
             };
             "vault" = {

presets/nixos/pipedNode.nix

@@ -7,11 +7,10 @@
 }: let
   inherit (builtins) attrNames elem;
 
-  wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
-  wireguardHosts = wireguardData.hosts;
-
   hostName = config.networking.hostName;
 
+  hetznerARMContainerAddresses = import "${self}/hosts/hetzner-arm/data/containerAddresses.nix";
+
   defaultPorts = {
     internalPipedBackend = 3012;
     internalPipedProxy = 3013;
@@ -71,8 +70,7 @@ in {
         name = "piped";
         username = "piped";
         usePassword = false;
-        host = "${wireguardHosts."hetzner-arm".ip}";
-        port = 5434;
+        host = hetznerARMContainerAddresses.containers.postgresql;
       };
     };
 

profiles/chaosInternalWireGuard/wireguard.nix

@@ -17,13 +17,18 @@
   currentHostName = config.networking.hostName;
   currentHostConfig = wireguardHosts.${currentHostName};
 in {
-  networking.firewall.trustedInterfaces = ["wg0"];
-  networking.firewall.allowPing = true;
-  networking.firewall.allowedUDPPorts = mkIf (hasAttr "endpoint" currentHostConfig) [51820];
+  networking.firewall = {
+    trustedInterfaces = [
+      "wg0"
+    ];
+    allowPing = true;
+    allowedUDPPorts = mkIf (hasAttr "listenPort" currentHostConfig) [
+      currentHostConfig.listenPort
+    ];
+  };
 
   systemd.services.wireguard-debug = {
     wantedBy = ["multi-user.target"];
-    partOf = ["wg-quick-wg0.service"];
     script = ''
       echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
     '';
@@ -33,14 +38,14 @@ in {
     wg0 = {
       address = ["${currentHostConfig.ip}/24"];
       privateKeyFile = "${secrets.wg_private.path}";
-      listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
+      listenPort = mkIf (hasAttr "listenPort" currentHostConfig) currentHostConfig.listenPort;
 
       peers =
         map (
           hostName: let
             host = wireguardHosts.${hostName};
           in {
-            allowedIPs = ["${host.ip}/32"];
+            allowedIPs = host.allowedIPs or ["${host.ip}/32"];
             publicKey = host.public;
             endpoint = host.endpoint or null;
           }

profiles/firewallAllow/ssh.nix

@@ -1,2 +1,3 @@
 {...}: {
+  networking.firewall.allowedTCPPorts = [22];
 }