From 06bd805501b1ecc2df16c6474474f216fbe4a9c3 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 30 Oct 2024 10:56:15 +0100 Subject: [PATCH 1/7] updates --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index e0e86a3..975d825 100644 --- a/flake.lock +++ b/flake.lock @@ -301,11 +301,11 @@ ] }, "locked": { - "lastModified": 1728791962, - "narHash": "sha256-nr5QiXwQcZmf6/auC1UpX8iAtINMtdi2mH+OkqJQVmU=", + "lastModified": 1730016908, + "narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=", "owner": "nix-community", "repo": "home-manager", - "rev": "64c6325b28ebd708653dd41d88f306023f296184", + "rev": "e83414058edd339148dc142a8437edb9450574c8", "type": "github" }, "original": { @@ -336,11 +336,11 @@ }, "impermanence": { "locked": { - "lastModified": 1727649413, - "narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=", + "lastModified": 1729068498, + "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=", "owner": "nix-community", "repo": "impermanence", - "rev": "d0b38e550039a72aff896ee65b0918e975e6d48e", + "rev": "e337457502571b23e449bf42153d7faa10c0a562", "type": "github" }, "original": { @@ -450,11 +450,11 @@ ] }, "locked": { - "lastModified": 1728790083, - "narHash": "sha256-grMdAd4KSU6uPqsfLzA1B/3pb9GtGI9o8qb0qFzEU/Y=", + "lastModified": 1729999765, + "narHash": "sha256-LYsavZXitFjjyETZoij8usXjTa7fa9AIF3Sk3MJSX+Y=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "5c54c33aa04df5dd4b0984b7eb861d1981009b22", + "rev": "0e3a8778c2ee218eff8de6aacf3d2fa6c33b2d4f", "type": "github" }, "original": { 
@@ -524,11 +524,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1728492678, - "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", + "lastModified": 1729880355, + "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", + "rev": "18536bf04cd71abd345f9579158841376fdd0c5a", "type": "github" }, "original": { From 5b741fa38eef44f2ac3ab4b2079fcf92fff7754d Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 30 Oct 2024 10:59:52 +0100 Subject: [PATCH 2/7] user: add some packages --- users/rouven/fixes.nix | 5 +++++ users/rouven/modules/packages.nix | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/users/rouven/fixes.nix b/users/rouven/fixes.nix index 469d8cf..0f6ebb6 100644 --- a/users/rouven/fixes.nix +++ b/users/rouven/fixes.nix @@ -47,4 +47,9 @@ # enable java black magic # programs.java.enable = true; + + # fix for old matrix clients + nixpkgs.config.permittedInsecurePackages = [ + "olm-3.2.16" + ]; } diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix index f02aee1..505d04b 100644 --- a/users/rouven/modules/packages.nix +++ b/users/rouven/modules/packages.nix @@ -12,6 +12,7 @@ pcmanfm xdg-utils # used for xdg-open appimage-run + glab # graphics (zathura.override { plugins = [ zathuraPkgs.zathura_pdf_mupdf ]; }) @@ -31,11 +32,12 @@ # messaging tdesktop profanity + gomuks # games prismlauncher superTuxKart - space-cadet-pinball + # space-cadet-pinball # cryptography yubikey-manager @@ -62,6 +64,7 @@ gnumake go pre-commit + jetbrains.idea-ultimate # fancy tools just @@ -113,6 +116,7 @@ "image/gif" = image-viewers; "image/webp" = image-viewers; "image/ico" = image-viewers; + "image/svg" = browsers; "x-scheme-handler/http" = browsers; "x-scheme-handler/https" = browsers; "x-scheme-handler/tg" = [ "org.telegram.desktop.desktop" ]; From 3a836ed4a7a35f8b25a39f691a3ac84e7b17548f Mon Sep 17 00:00:00 2001 
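Review bot: The new `permittedInsecurePackages` entry for `olm-3.2.16` carries only the comment `# fix for old matrix clients`, which records neither which package pulls in olm nor why nixpkgs refuses it by default. `nixpkgs.config` applies to the whole package set this configuration evaluates, so every consumer of olm is allowed, not only the intended client; presumably that client is `gomuks`, added in the same commit, but the hunk does not say so. I would expand the comment along the lines of `# olm is flagged insecure in nixpkgs; only needed by <client>, drop this once it no longer links libolm`. Keeping the exact version string is good, because the exception stops matching on the next olm bump and forces a fresh decision.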
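Review bot: The added association `"image/svg" = browsers;` uses a MIME type that is not the registered one for SVG, so it will most likely never match and SVG files keep their previous handler. Files are normally detected as `image/svg+xml`, so the key should be `"image/svg+xml" = browsers;` if the browser really is the intended handler. A browser that opens a local SVG as a top-level document also runs any script embedded in it, which an image viewer does not, so `image-viewers` may be the safer default for files from untrusted sources. The surrounding attribute set starts and ends outside the hunk.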
From: Rouven Seifert Date: Wed, 30 Oct 2024 11:00:28 +0100 Subject: [PATCH 3/7] thinkpad: update certs and passwords --- hosts/thinkpad/modules/graphics/default.nix | 2 +- hosts/thinkpad/modules/networks/uni.nix | 2 +- secrets/thinkpad/agdsn.age | Bin 347 -> 347 bytes secrets/thinkpad/wireless.age | Bin 692 -> 692 bytes 4 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/thinkpad/modules/graphics/default.nix b/hosts/thinkpad/modules/graphics/default.nix index e835627..d100e5c 100644 --- a/hosts/thinkpad/modules/graphics/default.nix +++ b/hosts/thinkpad/modules/graphics/default.nix @@ -9,7 +9,7 @@ [ nerdfonts noto-fonts - noto-fonts-cjk + noto-fonts-cjk-sans noto-fonts-emoji roboto fira diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix index 7db4fbd..54d3f6f 100644 --- a/hosts/thinkpad/modules/networks/uni.nix +++ b/hosts/thinkpad/modules/networks/uni.nix @@ -138,7 +138,7 @@ systemd.services = { openfortivpn-agdsn = { description = "AG DSN Fortinet VPN"; - script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password) --trusted-cert f49ac8a174c758737c3e27d93bc2f5de37e634e2f04029a85bdb629c0ebeed31"; + script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password) --trusted-cert 249db14f96c8ea6174d80a3b964868bfbe8c56bc27bf031bf0afb9aeca8eb978"; requires = [ "network-online.target" ]; after = [ "network.target" "network-online.target" ]; serviceConfig = { 
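Review bot: The updated `script` line in the `openfortivpn-agdsn` unit still passes the VPN password as an argument, `-p $(cat $CREDENTIALS_DIRECTORY/password)`, so it sits in the process command line for as long as openfortivpn runs and is readable by other local users unless `/proc` is restricted. That undoes part of what the systemd credential is for. openfortivpn can read `password = ...` from a config file given with `-c`, so the credential could hold that file and the call become `openfortivpn -c "$CREDENTIALS_DIRECTORY/config" ...`, which also quotes the currently unquoted variable. The new `--trusted-cert` digest replaces the pin without saying how the fingerprint was verified; a comment naming the certificate source and expiry would help the next rotation. The service definition continues outside the hunk.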
diff --git a/secrets/thinkpad/agdsn.age b/secrets/thinkpad/agdsn.age index 3f28f76542089a8fccda7e924a2f8a9dd395188a..32fd7feaae34d7126e3f3cba7eb60ad9ba70438e 100644 GIT binary patch delta 312 zcmV-80muH^0^0(REPrNND^5*NGe>YkR!25WHBoS9bu(vjIdf@cPNYEejXQ)6#RGj}*eV@hFcLuXlUMom|8a%N*%Lq$w5O+-a9Sqd#a zAaiqQEoEdfH8n9gAVpSsbU9HVa92%LL{MckdNnySMlWkPYJV~-X*P9fXF_OsO;0&a zXjM-`GH7abN>OMq3Px>1b~$HLHfv;gIB97^az#f{RBl0bZ&hn>O;K}rbar=VPDO5N zFlA|D3N0-yAZ2z$Y%ervNiSAUcTY%qRY*}Qd23NuPEur7S5;U_S6FOkaBFdSSUE5- z3Y_2%yc5rbx-qZ;#OI7^D)wp$hDGYxIlR@S$|GK&{?(x`U<=ysAh)R1^T*W_ delta 312 zcmV-80muH^0^0(REPrt@Q$>1iVlP)$H92%iHBebXdQ@&tcQ|1yZb&d_W?@54XH!r` zS5ZZ3RSHp4c`!0dQ*|(6d3a}ZG*oUxR%S?UP(o#OXi;x^OHoWhNl905OLQ+Va|$g! zAaiqQEoEdfH8n9gAVpSsbU9HVb7W^SVpCySG*MJcL2PL?Vt;Q~bXHGvX>D#sQ8;jA zS7t?VS5H$#ZaG6q3QIwCc0x3CFiA{qVnj@7Y;b5#L}fxkG*V?_S~XX8Y;$>VWJyF+ zcv&xN3N0-yAbMIeSWz!ea8*T8V@*#}Xi7^^XE$g_N_lW*Z7W%DMoBSdFjHkhS8p>_ z3QTeBS=^8G(lHk2wf5+`O~t KnBdO|FY@433Uf68 
diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age index 89bc53aea88af047e37b4c6a4804418a9e26b16c..d7bb382179c9cf73db4120436e678b5aaf684f36 100644 GIT binary patch delta 660 zcmV;F0&D%W1+)c_EPpR|SW9a+PIF^4dO=QNSwci*SZ_~Qab$T^bYgL8Z(=k|K~+L_ za!ojHSqg4wQ!iRXOLS*tO?P#8FEliAR8lWUX*6jyR5?ONZdguHFh^lQS2225V+t)k zAaiqQEoEdfH8n9gAVpSsbU9HVaA-D0Xk>RudSPxWc0^KSaep~?dQmY>Q#WZZFG6cY zOgDCGPjy%?XktZG3T8-aI8Q}XW>i5#c5qHIS4c2*R6}S+K~HsdXmwa@ae6s7M`|`n zWJxwS3N0-yATVMzZFfy(NN8wvXG(ZMN-=IRWoJlpXk>FQXmUnxV?udmWJxb$Fl$mt z3K`a>E?y*}#((Y4Vd#MD4a0_pA_x5nWf+aOOituf&q_IW8;E&KygxbqSj**^XY93z z_3XrD_^Zc2_!YM=Yon+s=?X41JjO816%%%?rL^KVpGpboS9YlpWW2zOlRV}goK93?77x28?Xvf#60udIIw;7XCUK4Jp;DUmHSY~DY>k|J~ zfoV`e>VLX27AH$Pc{nimWS8Ccv$Gnb3@cMF&*OOl-_wmWmLkujMY{?BEphF5Q34UL(POW0*uvyWaHV4%# uJTwWrxNC$D@~1_~7k5xL5KON7ZMwif!b-jv%MGmr7@dTUQ`P)l}DFVRBbCO=?tYMRiAR zV{%1F3N0-yAW1MuHbP7}aYth?F?DoTOm}y4Ggfa=cy}~NId5q*D^6B0Qf6*yXG}6t z3Q&D13%XGgOn-ddyFS!k?HNk=P$>hB6pynx6LB7ZAv%fJR!Eia>*x$2_i8RYLy$eviX99D|tOcU}mwwrNPf2}RM&Bb^5&u`tB z&nA!%=LY6MV%MPu-%4_^pd@ByV4F>Y~zR0s=k=n0O<>+?l`wg3Tq^BI_uEW`#obb?B3maGf From 86cd05062e70742daf9a7bee936c795d744c3890 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 30 Oct 2024 11:01:00 +0100 Subject: [PATCH 4/7] remove matrix-sliding-sync --- hosts/nuc/modules/matrix/default.nix | 19 ------------------- secrets/nuc/matrix/sync.age | 10 ---------- 2 files changed, 29 deletions(-) delete mode 100644 secrets/nuc/matrix/sync.age diff --git a/hosts/nuc/modules/matrix/default.nix b/hosts/nuc/modules/matrix/default.nix index d46c038..99ca51d 100644 --- a/hosts/nuc/modules/matrix/default.nix +++ b/hosts/nuc/modules/matrix/default.nix @@ -15,9 +15,6 @@ in file = ../../../../secrets/nuc/matrix/shared.age; owner = config.systemd.services.matrix-synapse.serviceConfig.User; }; - "matrix/sync" = { - file = ../../../../secrets/nuc/matrix/sync.age; - }; }; nixpkgs.config.permittedInsecurePackages = [ "jitsi-meet-1.0.8043" 
@@ -59,22 +56,11 @@ in }]; }; }; - matrix-sliding-sync = { - enable = true; - settings = { - SYNCV3_SERVER = "https://${domain}"; - SYNCV3_BINDADDR = "/run/matrix-sliding-sync/server.sock"; - }; - environmentFile = config.age.secrets."matrix/sync".path; - }; - caddy = { virtualHosts = { # synapse "${domain}".extraConfig = '' - reverse_proxy /client/* unix//run/matrix-sliding-sync/server.sock - reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync* unix//run/matrix-sliding-sync/server.sock reverse_proxy 127.0.0.1:8008 handle /_synapse/metrics* { respond 404 @@ -104,11 +90,6 @@ in RuntimeDirectory = "matrix-synapse"; }; }; - systemd.services.matrix-sliding-sync = { - serviceConfig = { - RuntimeDirectory = "matrix-sliding-sync"; - }; - }; systemd.services.matrix-synapse-pgsetup = { description = "Prepare Synapse postgres database"; diff --git a/secrets/nuc/matrix/sync.age b/secrets/nuc/matrix/sync.age deleted file mode 100644 index b7b6f0c..0000000 --- a/secrets/nuc/matrix/sync.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uWbAHQ XsGbKNzqR/HTkmMZxCcmxAXDIpuJENpJR1GyFuumMlo -T2uxdQvSKHveDL7nY0tlNAWNuUX/h8wEORV0xmNfqm8 --> ssh-ed25519 2TRdXg 57Bliz2LRjK5sHjGtRVdIUWfV7Iji0/RACEDF0dNUno -TMBsr9g940Xrbiu8XwbLKQJRNadC2+BuaTBbSo09t5A --> U1M[E6m-grease US!+ :Hx\j7A K -7AyVWcQChTJPlIoH7ZLebV7C+HJACc4vsBRrma+m47r9FV+KmVpfrhPy7jH1wSkX -sG2Du4OrPh5+xPAgNaPNw3rbex9I6oRjmbhJ ---- gW24zSlBpNtmQhp0Er4MaZV/K8TigsV+d7jMulAR3YQ -\4O M_@ aŀ@6[XCͦ||" zOƔ!:>xMH(KByZ 1*]d|l? tE_: \ No newline at end of file From f75a808a533089b24812d290203133f4bc336e7f Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 30 Oct 2024 11:01:23 +0100 Subject: [PATCH 5/7] fix postfix tls level --- hosts/falkenstein/modules/mail/postfix.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/falkenstein/modules/mail/postfix.nix b/hosts/falkenstein/modules/mail/postfix.nix index 7cab1a4..3e695c4 100644 --- a/hosts/falkenstein/modules/mail/postfix.nix 
+++ b/hosts/falkenstein/modules/mail/postfix.nix
@@ -40,7 +40,8 @@ in
 smtp_helo_name = config.networking.fqdn;
 smtpd_banner = "${config.networking.fqdn} ESMTP $mail_name";
 smtp_tls_security_level = "may";
- smtpd_tls_security_level = lib.mkForce "encrypt";
+ # forcing encryption breaks rspamd
+ smtpd_tls_security_level = "may";
 smtpd_tls_auth_only = true;
 smtpd_tls_protocols = [
 "!SSLv2"
From 9a1435517fc1bc9bb6a061fad6436a0e9d96ffa8 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 30 Oct 2024 11:01:50 +0100
Subject: [PATCH 6/7] monitoring: remove json exporter
---
 hosts/nuc/modules/monitoring/default.nix | 55 ++++++++++++------------
 1 file changed, 28 insertions(+), 27 deletions(-)
diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix
index 8c7c03c..9097c6f 100644
--- a/hosts/nuc/modules/monitoring/default.nix
+++ b/hosts/nuc/modules/monitoring/default.nix
@@ -85,6 +85,7 @@ in
 services.prometheus = {
 enable = true;
 port = 9001;
+ retentionTime = "1y";
 ruleFiles = [
 ./synapse-v2.rules
 ];
@@ -93,19 +94,19 @@ in
 enable = true;
 enabledCollectors = [ "systemd" ];
 };
- json = {
- enable = true;
- configFile = pkgs.writeText "json-exporter.yml" ''
- ---
- modules:
- pegelstand:
- metrics:
- - name: pegelstand_elbe_dresden
- path: '{ $.pegel }'
- type: value
- help: Pegelstand in Dresden
- '';
- };
+ # json = {
+ # enable = true;
+ # configFile = pkgs.writeText "json-exporter.yml" ''
+ # ---
+ # modules:
+ # pegelstand:
+ # metrics:
+ # - name: pegelstand_elbe_dresden
+ # path: '{ $.pegel }'
+ # type: value
+ # help: Pegelstand in Dresden
+ # '';
+ # };
 };
 scrapeConfigs = [
 {
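Review bot: Setting `smtpd_tls_security_level = "may"` in the main configuration makes TLS optional on every smtpd listener that does not override it, not only on the path rspamd uses. That is the expected value for public port 25, but if this host also offers submission, that service should keep mandatory TLS through a per-service override such as `smtpd_tls_security_level = "encrypt"` in `services.postfix.submissionOptions`; whether one exists is not visible in this hunk. `smtpd_tls_auth_only = true` on the following line still keeps AUTH off cleartext sessions. The comment `# forcing encryption breaks rspamd` would be more useful if it named the connection that failed, so the relaxation can be narrowed later. The settings block starts and ends outside the hunk.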
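Review bot: The json exporter block here, and the matching `pegel_dresden` scrape job in the `@@ -140,20 +141,20 @@` hunk, are commented out rather than deleted, although the commit title says "remove". The history already preserves the old configuration, so I would delete both blocks, or put one line above each saying why it is parked and when it should return. The added `retentionTime = "1y"` is unrelated to the title and undocumented; a short comment such as `# keep one year of metrics; watch disk usage on the data volume` would record the intent.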
@@ -140,20 +141,20 @@ in targets = [ "nuc.vpn.rfive.de:9300" ]; }]; } - { - job_name = "pegel_dresden"; - metrics_path = "/probe"; - params = { - module = [ "pegelstand" ]; - target = [ - "https://api.stramke.com/wasserstand/sachsen/Dresden" - ]; - }; - static_configs = [{ - targets = [ "nuc.vpn.rfive.de:7979" ]; - }]; - scrape_interval = "5m"; - } + # { + # job_name = "pegel_dresden"; + # metrics_path = "/probe"; + # params = { + # module = [ "pegelstand" ]; + # target = [ + # "https://api.stramke.com/wasserstand/sachsen/Dresden" + # ]; + # }; + # static_configs = [{ + # targets = [ "nuc.vpn.rfive.de:7979" ]; + # }]; + # scrape_interval = "5m"; + # } { job_name = "caddy"; static_configs = [{ From a5d244afb489edda4e633ca6316f81459a3c7034 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 30 Oct 2024 11:02:05 +0100 Subject: [PATCH 7/7] misc updates --- hosts/nuc/modules/torrent/default.nix | 4 ++-- shared/nix.nix | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/nuc/modules/torrent/default.nix b/hosts/nuc/modules/torrent/default.nix index 2bff346..0b7c0e0 100644 --- a/hosts/nuc/modules/torrent/default.nix +++ b/hosts/nuc/modules/torrent/default.nix @@ -19,9 +19,9 @@ in serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - ExecStart = "${pkgs.iproute}/bin/ip netns add %I"; + ExecStart = "${pkgs.iproute2}/bin/ip netns add %I"; ExecStartPost = "${pkgs.iproute2}/bin/ip netns exec %I ${pkgs.iproute2}/bin/ip link set dev lo up"; - ExecStop = "${pkgs.iproute}/bin/ip netns del %I"; + ExecStop = "${pkgs.iproute2}/bin/ip netns del %I"; }; }; diff --git a/shared/nix.nix b/shared/nix.nix index 4a69065..fe7070a 100644 --- a/shared/nix.nix +++ b/shared/nix.nix @@ -9,7 +9,7 @@ distributedBuilds = true; settings = { auto-optimise-store = true; - experimental-features = [ "nix-command" "flakes" "repl-flake" ]; + experimental-features = [ "nix-command" "flakes" ]; substituters = [ "https://cache.rfive.de" "https://cache.ifsr.de"