diff --git a/flake.lock b/flake.lock index 975d825..e0e86a3 100644 --- a/flake.lock +++ b/flake.lock @@ -301,11 +301,11 @@ ] }, "locked": { - "lastModified": 1730016908, - "narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=", + "lastModified": 1728791962, + "narHash": "sha256-nr5QiXwQcZmf6/auC1UpX8iAtINMtdi2mH+OkqJQVmU=", "owner": "nix-community", "repo": "home-manager", - "rev": "e83414058edd339148dc142a8437edb9450574c8", + "rev": "64c6325b28ebd708653dd41d88f306023f296184", "type": "github" }, "original": { @@ -336,11 +336,11 @@ }, "impermanence": { "locked": { - "lastModified": 1729068498, - "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=", + "lastModified": 1727649413, + "narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=", "owner": "nix-community", "repo": "impermanence", - "rev": "e337457502571b23e449bf42153d7faa10c0a562", + "rev": "d0b38e550039a72aff896ee65b0918e975e6d48e", "type": "github" }, "original": { @@ -450,11 +450,11 @@ ] }, "locked": { - "lastModified": 1729999765, - "narHash": "sha256-LYsavZXitFjjyETZoij8usXjTa7fa9AIF3Sk3MJSX+Y=", + "lastModified": 1728790083, + "narHash": "sha256-grMdAd4KSU6uPqsfLzA1B/3pb9GtGI9o8qb0qFzEU/Y=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "0e3a8778c2ee218eff8de6aacf3d2fa6c33b2d4f", + "rev": "5c54c33aa04df5dd4b0984b7eb861d1981009b22", "type": "github" }, "original": { @@ -524,11 +524,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1729880355, - "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=", + "lastModified": 1728492678, + "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "18536bf04cd71abd345f9579158841376fdd0c5a", + "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", "type": "github" }, "original": { diff --git a/hosts/falkenstein/modules/mail/postfix.nix b/hosts/falkenstein/modules/mail/postfix.nix index 3e695c4..7cab1a4 100644 
--- a/hosts/falkenstein/modules/mail/postfix.nix +++ b/hosts/falkenstein/modules/mail/postfix.nix @@ -40,8 +40,7 @@ in smtp_helo_name = config.networking.fqdn; smtpd_banner = "${config.networking.fqdn} ESMTP $mail_name"; smtp_tls_security_level = "may"; - # forcing encryption breaks rspamd - smtpd_tls_security_level = "may"; + smtpd_tls_security_level = lib.mkForce "encrypt"; smtpd_tls_auth_only = true; smtpd_tls_protocols = [ "!SSLv2" diff --git a/hosts/nuc/modules/matrix/default.nix b/hosts/nuc/modules/matrix/default.nix index 99ca51d..d46c038 100644 --- a/hosts/nuc/modules/matrix/default.nix +++ b/hosts/nuc/modules/matrix/default.nix @@ -15,6 +15,9 @@ in file = ../../../../secrets/nuc/matrix/shared.age; owner = config.systemd.services.matrix-synapse.serviceConfig.User; }; + "matrix/sync" = { + file = ../../../../secrets/nuc/matrix/sync.age; + }; }; nixpkgs.config.permittedInsecurePackages = [ "jitsi-meet-1.0.8043" @@ -56,11 +59,22 @@ in }]; }; }; + matrix-sliding-sync = { + enable = true; + settings = { + SYNCV3_SERVER = "https://${domain}"; + SYNCV3_BINDADDR = "/run/matrix-sliding-sync/server.sock"; + }; + environmentFile = config.age.secrets."matrix/sync".path; + }; + caddy = { virtualHosts = { # synapse "${domain}".extraConfig = '' + reverse_proxy /client/* unix//run/matrix-sliding-sync/server.sock + reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync* unix//run/matrix-sliding-sync/server.sock reverse_proxy 127.0.0.1:8008 handle /_synapse/metrics* { respond 404 @@ -90,6 +104,11 @@ in RuntimeDirectory = "matrix-synapse"; }; }; + systemd.services.matrix-sliding-sync = { + serviceConfig = { + RuntimeDirectory = "matrix-sliding-sync"; + }; + }; systemd.services.matrix-synapse-pgsetup = { description = "Prepare Synapse postgres database"; diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix index 9097c6f..8c7c03c 100644 --- a/hosts/nuc/modules/monitoring/default.nix 
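Review bot: `smtpd_tls_security_level = lib.mkForce "encrypt";` in the postfix.nix hunk applies to every smtpd listener that takes its settings from main.cf, which presumably includes the public port-25 MX. RFC 3207 says a publicly referenced SMTP server must not require STARTTLS, so senders that cannot negotiate TLS will now be refused. The commit also drops the comment `# forcing encryption breaks rspamd` without saying why that no longer holds. If the aim is to protect authenticated submission, keep `"may"` here and raise the level only for the submission service; if mandatory inbound TLS is intended, say so in a comment such as `# mandatory TLS on inbound mail is intentional; plaintext-only senders are rejected`. The enclosing attribute set starts and ends outside the hunk.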
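Review bot: Nothing in the matrix hunks restricts who may connect to `/run/matrix-sliding-sync/server.sock`. The unit override sets only `RuntimeDirectory = "matrix-sliding-sync";`, so the directory gets systemd's default mode 0755 and access then depends on whatever mode the proxy gives the socket. Caddy is the only client visible here, so consider adding `RuntimeDirectoryMode = "0750";` with group access for the caddy user, and confirm Caddy can still reach the socket afterwards. A one-line comment on the `"matrix/sync"` secret naming the variables the environment file must supply (presumably `SYNCV3_SECRET` and the database URL) would help whoever rotates it.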
+++ b/hosts/nuc/modules/monitoring/default.nix
@@ -85,7 +85,6 @@ in
 services.prometheus = {
 enable = true;
 port = 9001;
- retentionTime = "1y";
 ruleFiles = [
 ./synapse-v2.rules
 ];
@@ -94,19 +93,19 @@ in
 enable = true;
 enabledCollectors = [ "systemd" ];
 };
- # json = {
- # enable = true;
- # configFile = pkgs.writeText "json-exporter.yml" ''
- # ---
- # modules:
- # pegelstand:
- # metrics:
- # - name: pegelstand_elbe_dresden
- # path: '{ $.pegel }'
- # type: value
- # help: Pegelstand in Dresden
- # '';
- # };
+ json = {
+ enable = true;
+ configFile = pkgs.writeText "json-exporter.yml" ''
+ ---
+ modules:
+ pegelstand:
+ metrics:
+ - name: pegelstand_elbe_dresden
+ path: '{ $.pegel }'
+ type: value
+ help: Pegelstand in Dresden
+ '';
+ };
 };
 scrapeConfigs = [
 {
@@ -141,20 +140,20 @@ in
 targets = [ "nuc.vpn.rfive.de:9300" ];
 }];
 }
- # {
- # job_name = "pegel_dresden";
- # metrics_path = "/probe";
- # params = {
- # module = [ "pegelstand" ];
- # target = [
- # "https://api.stramke.com/wasserstand/sachsen/Dresden"
- # ];
- # };
- # static_configs = [{
- # targets = [ "nuc.vpn.rfive.de:7979" ];
- # }];
- # scrape_interval = "5m";
- # }
+ {
+ job_name = "pegel_dresden";
+ metrics_path = "/probe";
+ params = {
+ module = [ "pegelstand" ];
+ target = [
+ "https://api.stramke.com/wasserstand/sachsen/Dresden"
+ ];
+ };
+ static_configs = [{
+ targets = [ "nuc.vpn.rfive.de:7979" ];
+ }];
+ scrape_interval = "5m";
+ }
 {
 job_name = "caddy";
 static_configs = [{
diff --git a/hosts/nuc/modules/torrent/default.nix b/hosts/nuc/modules/torrent/default.nix
index 0b7c0e0..2bff346 100644
--- a/hosts/nuc/modules/torrent/default.nix
+++ b/hosts/nuc/modules/torrent/default.nix
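Review bot: The json exporter enabled in the second hunk of hosts/nuc/modules/monitoring/default.nix fetches whatever URL is passed as `target` on its `/probe` endpoint, and the hunk sets no listen address or access restriction for it. Any host that can reach port 7979 could therefore have this machine issue HTTP requests on its behalf. The scrape job in the third hunk reaches it at `nuc.vpn.rfive.de:7979`; if that name resolves to a VPN-only address, binding the exporter to it with the module's `listenAddress` option, or firewalling the port to the Prometheus host, would limit exposure. Separately, the first hunk drops `retentionTime = "1y";`, which returns Prometheus to its default retention, so a comment is worthwhile if that is intended.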
@@ -19,9 +19,9 @@ in serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - ExecStart = "${pkgs.iproute2}/bin/ip netns add %I"; + ExecStart = "${pkgs.iproute}/bin/ip netns add %I"; ExecStartPost = "${pkgs.iproute2}/bin/ip netns exec %I ${pkgs.iproute2}/bin/ip link set dev lo up"; - ExecStop = "${pkgs.iproute2}/bin/ip netns del %I"; + ExecStop = "${pkgs.iproute}/bin/ip netns del %I"; }; }; diff --git a/hosts/thinkpad/modules/graphics/default.nix b/hosts/thinkpad/modules/graphics/default.nix index d100e5c..e835627 100644 --- a/hosts/thinkpad/modules/graphics/default.nix +++ b/hosts/thinkpad/modules/graphics/default.nix @@ -9,7 +9,7 @@ [ nerdfonts noto-fonts - noto-fonts-cjk-sans + noto-fonts-cjk noto-fonts-emoji roboto fira diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix index 54d3f6f..7db4fbd 100644 --- a/hosts/thinkpad/modules/networks/uni.nix +++ b/hosts/thinkpad/modules/networks/uni.nix @@ -138,7 +138,7 @@ systemd.services = { openfortivpn-agdsn = { description = "AG DSN Fortinet VPN"; - script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password) --trusted-cert 249db14f96c8ea6174d80a3b964868bfbe8c56bc27bf031bf0afb9aeca8eb978"; + script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password) --trusted-cert f49ac8a174c758737c3e27d93bc2f5de37e634e2f04029a85bdb629c0ebeed31"; requires = [ "network-online.target" ]; after = [ "network.target" "network-online.target" ]; serviceConfig = { diff --git a/secrets/nuc/matrix/sync.age b/secrets/nuc/matrix/sync.age new file mode 100644 index 0000000..b7b6f0c --- /dev/null +++ b/secrets/nuc/matrix/sync.age 
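Review bot: In the torrent hunk, `ExecStart` and `ExecStop` now use `${pkgs.iproute}` while `ExecStartPost` between them still uses `${pkgs.iproute2}`, so one unit names the same tool through two attributes. `iproute` is only a compatibility alias in nixpkgs, and evaluation fails once aliases are disabled or the alias is removed. Keeping `${pkgs.iproute2}/bin/ip netns add %I` and `${pkgs.iproute2}/bin/ip netns del %I` avoids that and matches the unchanged line. The enclosing unit definition starts and ends outside the hunk.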
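Review bot: The changed `script` line in uni.nix still passes the VPN password as `-p $(cat $CREDENTIALS_DIRECTORY/password)`, so the expanded secret sits in the process's argument list and is visible in the process table for as long as the tunnel runs. openfortivpn can read its settings, including the password, from a config file given with `-c`, which would let the systemd credential hold that file instead. The replaced `--trusted-cert` value is a hard-coded pin; a comment such as `# gateway cert pin, verified out of band on <date>` would make the rotation auditable. `$CREDENTIALS_DIRECTORY` is also unquoted in the command substitution.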
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ XsGbKNzqR/HTkmMZxCcmxAXDIpuJENpJR1GyFuumMlo +T2uxdQvSKHveDL7nY0tlNAWNuUX/h8wEORV0xmNfqm8 +-> ssh-ed25519 2TRdXg 57Bliz2LRjK5sHjGtRVdIUWfV7Iji0/RACEDF0dNUno +TMBsr9g940Xrbiu8XwbLKQJRNadC2+BuaTBbSo09t5A +-> U1M[E6m-grease US!+ :Hx\j7A K +7AyVWcQChTJPlIoH7ZLebV7C+HJACc4vsBRrma+m47r9FV+KmVpfrhPy7jH1wSkX +sG2Du4OrPh5+xPAgNaPNw3rbex9I6oRjmbhJ +--- gW24zSlBpNtmQhp0Er4MaZV/K8TigsV+d7jMulAR3YQ +\4O M_@ aŀ@6[XCͦ||" zOƔ!:>xMH(KByZ 1*]d|l? tE_: \ No newline at end of file diff --git a/secrets/thinkpad/agdsn.age b/secrets/thinkpad/agdsn.age index 32fd7fe..3f28f76 100644 Binary files a/secrets/thinkpad/agdsn.age and b/secrets/thinkpad/agdsn.age differ diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age index d7bb382..89bc53a 100644 Binary files a/secrets/thinkpad/wireless.age and b/secrets/thinkpad/wireless.age differ diff --git a/shared/nix.nix b/shared/nix.nix index fe7070a..4a69065 100644 --- a/shared/nix.nix +++ b/shared/nix.nix @@ -9,7 +9,7 @@ distributedBuilds = true; settings = { auto-optimise-store = true; - experimental-features = [ "nix-command" "flakes" ]; + experimental-features = [ "nix-command" "flakes" "repl-flake" ]; substituters = [ "https://cache.rfive.de" "https://cache.ifsr.de" diff --git a/users/rouven/fixes.nix b/users/rouven/fixes.nix index 0f6ebb6..469d8cf 100644 --- a/users/rouven/fixes.nix +++ b/users/rouven/fixes.nix @@ -47,9 +47,4 @@ # enable java black magic # programs.java.enable = true; - - # fix for old matrix clients - nixpkgs.config.permittedInsecurePackages = [ - "olm-3.2.16" - ]; } diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix index 505d04b..f02aee1 100644 --- a/users/rouven/modules/packages.nix +++ b/users/rouven/modules/packages.nix @@ -12,7 +12,6 @@ pcmanfm xdg-utils # used for xdg-open appimage-run - glab # graphics (zathura.override { plugins = [ zathuraPkgs.zathura_pdf_mupdf ]; }) 
@@ -32,12 +31,11 @@ # messaging tdesktop profanity - gomuks # games prismlauncher superTuxKart - # space-cadet-pinball + space-cadet-pinball # cryptography yubikey-manager @@ -64,7 +62,6 @@ gnumake go pre-commit - jetbrains.idea-ultimate # fancy tools just @@ -116,7 +113,6 @@ "image/gif" = image-viewers; "image/webp" = image-viewers; "image/ico" = image-viewers; - "image/svg" = browsers; "x-scheme-handler/http" = browsers; "x-scheme-handler/https" = browsers; "x-scheme-handler/tg" = [ "org.telegram.desktop.desktop" ];