Merge commit 'caf1394' into development

deploy.sh

@@ -1,5 +0,0 @@
-# usage:
-# $ ./deploy.sh <hostname> <ip>
-# example usage:
-# $ ./deply.sh 109-199-104-83 109.199.104.83
-nix run github:nix-community/nixos-anywhere -- --generate-hardware-config nixos-generate-config ./hardware-configuration.nix --flake .?ref=411ee0c#$1 --target-host root@$2

hardware-configuration.nix

@@ -1,24 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

machines.nix

@@ -19,9 +19,6 @@
       # networking
       ./modules/nixos/laptop.nix
 
-      # vpn
-      ./modules/nixos/openvpn-client.nix
-
       # ly display manager
       ./modules/nixos/ly.nix
 
@@ -61,6 +58,8 @@
       ./modules/nixos/networking/ssh-as-root.nix
       ({config, ...}: {users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];})
 
+      # TODO add Impermanence to the following services
+
       # simple-nixos-mailserver email server
       # mail.domain
       ./modules/nixos/mailserver.nix
@@ -69,15 +68,16 @@
       # webmail.domain
       ./modules/nixos/roundcube.nix
 
-      # BROKEN
       # forgejo
       # git.domain
-      # ./modules/nixos/forgejo.nix
+      ./modules/nixos/forgejo.nix
 
       # BROKEN
       # zulip chat client
       # chat.domain
-      ./modules/nixos/zulip.nix
+      # zulip chat server
+      # zulip.domain
+      # ./modules/nixos/zulip.nix
     ];
   };
 }

modules/nixos/mailserver.nix

@@ -2,14 +2,10 @@
   mailserver = {
     enable = true;
     stateVersion = 3;
-
-    # domain bs
     fqdn = "mail.${config.networking.domain}";
     domains = ["${config.networking.domain}"];
     x509.useACMEHost = config.mailserver.fqdn;
-
     loginAccounts = {
-      # test acc
       "test@${config.networking.domain}" = {
         hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
       };
@@ -19,17 +15,6 @@
       };
     };
   };
-
-  # put dkim key into /etc for declarability
-  mailserver.dkimKeyDirectory = "/etc/dkim";
-  environment.etc."dkim/${config.networking.domain}.${config.mailserver.dkimSelector}.key" = {
-    source = config.age.secrets."dkim-${config.networking.domain}.${config.mailserver.dkimSelector}.key".path;
-    mode = "600";
-    user = config.services.rspamd.user;
-    group = config.services.rspamd.group;
-  };
-
-  # does acme for me
   services.nginx = {
     enable = true;
     virtualHosts = {
@@ -43,12 +28,9 @@
     acceptTerms = true;
     defaults.email = "mtgmonket@gmail.com";
   };
-
-  # persist directories per the backup guidelines
   environment.persistence."/persist" = {
     directories = [
-      # not needed bc the dkim dir is declared
+      "/var/dkim"
-      # "/var/dkim"
       "/var/vmail"
       "/var/lib/redis-rspamd"
       "/var/lib/acme"

modules/nixos/openvpn-client.nix

@@ -1,8 +0,0 @@
-{lib, ...}: {
-  services.openvpn.servers = {
-    "173.249.5.230" = {config = ''config /etc/openvpn-confs/173.249.5.230.ovpn'';};
-  };
-  networking.enableIPv6 = lib.mkForce false;
-  environment.persistence."/persist".directories = ["/etc/openvpn-confs"];
-  boot.kernelParams = ["ipv6.disable=1"];
-}

modules/nixos/zulip.nix

@@ -8,47 +8,25 @@
     # host domain
     host = "chat.${config.networking.domain}";
 
-    # secrets; head rolled on keyboard for all :)
+    # secrets
     camoKeyFile = builtins.toString config.age.secrets.zulip-camoKey.path;
     rabbitmqPasswordFile = builtins.toString config.age.secrets.zulip-rabbitmqPassword.path;
     secretKeyFile = builtins.toString config.age.secrets.zulip-secretKey.path;
     sharedSecretKeyFile = builtins.toString config.age.secrets.zulip-sharedSecretKey.path;
     avatarSaltKeyFile = builtins.toString config.age.secrets.zulip-avatarSaltKey.path;
-
+    extraSecrets = {
-    # TODO check for parity with `mailserver-acc-admin-pw.age`
+      email_password = builtins.toString config.age.secrets.zulip-extraSecrets-email_password.path;
-    extraSecrets.email_password = builtins.toString config.age.secrets.zulip-extraSecrets-email_password.path;
+    };
 
     # settings
     zulipSettings = rec {
-      # email users
+      EMAIL_USE_TLS = true;
-      ZULIP_ADMINISTRATOR = "admin@${config.networking.domain}";
+      EMAIL_PORT = 587;
-      EMAIL_HOST_USER = ZULIP_ADMINISTRATOR;
-
-      # configure mailserver port
-      EMAIL_HOST = config.mailserver.fqdn;
-      EMAIL_USE_SSL = true;
-      EMAIL_PORT = 465;
-
-      # setting to allow realm creation; probably unsafe, might delete later :3
-      OPEN_REALM_CREATION = true;
-
-      # send all noreply emails from `admin@galaxious.de`
-      # TODO configure admin to send from any address
       ADD_TOKENS_TO_NOREPLY_ADDRESS = false;
       NOREPLY_EMAIL_ADDRESS = ZULIP_ADMINISTRATOR;
-
+      OPEN_REALM_CREATION = true;
-      # domain name
       EXTERNAL_HOST = config.services.zulip.host;
+      ZULIP_ADMINISTRATOR = "admin@${config.networking.domain}";
     };
   };
-  # persist
-  environment.persistence."/persist".directories = [
-    # messages
-    "/var/lib/rabbitmq"
-    # uploads
-    "/var/lib/zulip"
-
-    # contrived, but in the store a couple layers down
-    # "/var/lib/redis-zulip"
-  ];
 }

pub-keys.nix

@@ -1,11 +1,10 @@
 {
   age.secrets = {
     andromeda-pw.file = ./secrets/andromeda-pw.age;
-    "dkim-galaxious.de.mail.key".file = ./secrets/dkim-galaxious.de.mail.key.age;
     mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
     mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
     mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age;
-    "mailserver-acc-zulip+admin-pw".file = "${./secrets}/mailserver-acc-zulip+admin-pw.age";
+    "mailserver-acc-zulip+admin-pw".file = ./secrets + "/mailserver-acc-zulip+admin-pw.age";
     zulip-avatarSaltKey.file = ./secrets/zulip-avatarSaltKey.age;
     zulip-camoKey.file = ./secrets/zulip-camoKey.age;
     zulip-extraSecrets-email_password.file = ./secrets/zulip-extraSecrets-email_password.age;
@@ -17,7 +16,7 @@
     ssh = {
       andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
       lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
-      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBH5TA6Br8K4xTjD5YcXQDh4UQSvuE0lEs1UxUytDiAn root@109-199-104-83";
+      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqjbjFrGZD98tAb8tnayeGjkcsJ17nAdREugZub3AWz root@109-199-104-83";
     };
   };
 }

secrets/andromeda-pw.age

@@ -1,8 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg ixFM7swaItfNnTRVSdTm1wZJ8lHUv7tDOgSXo1OpgCc
+-> ssh-ed25519 mT2fyg lpbWxTU6p0TLqdrqEAJLZp9lMuGZiTwZviuMBSq8dAI
-lf8/ChfcpgYkK8mTS9Zk++toOu0KNh88S+Lqu4a0UIw
+hapEREw5ZqDrUsGYFbVy3ZybfxKv7cKtgsCIRUJNMeQ
--> ssh-ed25519 UHxfvA hbsRwdzU1IP3K/gH0btUOQ8hZer8Kgq+RqzcEVrCqTE
+-> ssh-ed25519 UHxfvA SrK+1CTq/fkEj/KlSHM+9iQq7AcNFjDwwwEVenbKSCs
-iSVh+yeypHoalRhaRM2XMlBvtO8HCyatDnWgUyC3GWU
+zVNGyZbWQCrgmQ/uNCv23O6i6GfDdOoYHPN0E7A0XbE
---- hcs6DJZRvjoKDPI/cjUXRfM7+06PNJvWqjkvJof/bSs
+--- KpfV8+Snrp9R69h5TVphgzvxEsDgaXI1Wva8iq5Y0Mk
-Boƒp‡Qlg-§\§=Æ™	Ú¼ðÛÒÙsv½Ì~×ÚOÔí{R
x×IErô–s§1„¯v¹÷Ü:<–
+<ivÆ‘Þj¯/
zíë—¹mÂ…ÿ?±û½ÿù~\£=Õ5žL˜M”¤D¬ù¬Ãêûã(H$‰Ëã^<5E>f¾9‹º;ÀjˆaV8Èq“wµeô료<C2A3>%Û‡ªU
-i¶Ÿ×1¾v»„KùÑýé¦*Ú |£ ¶–´Ÿñ5[{­\Ó

secrets/mailserver-acc-test-pw.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg at6Q9eK1o8Mk0+fJh+mnIVrvV1tASV+PGuV8MXuwR2c
+-> ssh-ed25519 mT2fyg BHPXb0yAMGIMJoEFJFzq5YQrlj7C0IyXcIKHtEbQmiw
-cm3wvsLAemeeTFok7yBocNlfwewKruPnymG+wsT5g+Y
+0ilGBqIPjzYe0l6N/PXdTWW3spJZIsIBC0B62wdutNc
--> ssh-ed25519 UHxfvA aaQqfrUfUnLzwUVT6nCRPIAVlIhIWAJcPyeg3J6BQUI
+-> ssh-ed25519 UHxfvA 4KodpMUl2mkRcsKY7EzoMgIeWQ0yqyW+NqQheyHd6w0
-4sh8ZV14csafSs8yAtFZIccSkiz6YnseV3DJcuhw7dQ
+JMei4drWd0VG/qHDAlucoFtYlDAv/whTKrs23q9YX+c
--> ssh-ed25519 yXDKAA KmwRbJURujQhlqOIVxzlVjyvaYRfyuJAVGWMZdkFaAE
+-> ssh-ed25519 EL/Tyg Ip6g9rPqiKDUlmrBO+Bfu+VAi6rx90zUBxzbKupXHXE
-mX083o2XdnnYgqLs5NeppwMbFHDHTucMiHHZuYdzLvo
+AK9id0HQqWPzNrK3AVox4vUO4mQlI/uZY7+ez8992K4
---- Ay/SP2CXGOhSzO4KoiXFQhJMMdHaecxXOtNkGBK/RO0
+--- rhCvXjaEy9bzdG5UTR6HcQvHfioEJi4H0BFjyrQopLc
- Zÿ? á†‹ˆB¾æFØ9_N`¶È8Õ÷å&<26>Îï@ëŽ)q€7–aìO
+ÞñÙ ŸJl¼O¹Wñ¿u­1ú•Ê€…÷ŽË±¬XÊd1	“[²éƒ||Bt‡\µ ™h¾#ŒÝÑ£'åb£™Aðîz"n1\Áõq0£—a<E28094>:Ñ®­T‚¢ëEGÑ
	bø Cy÷†7Uá‰
W

secrets/mailserver-acc-zulip+admin-pw.age

@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg sRu0FIphSJVMBcC02mo1YuZdy3i2+/jMeN3ROvxp4kM
+-> ssh-ed25519 mT2fyg /YSp9eYFPJT5Vj1lkw19CfDCW8bauZ2b1BiMtdZKTnY
-sEwx23t3IAauISKesq+110ZKRKxQv3Zesd0AJufYOLs
+sJL2tL8nmh7q/8raA6Nnha2J9witk3994fxyvGcmBoA
--> ssh-ed25519 UHxfvA +YaJGPRT7nX2CqVzw1ixNLpW7MfzEnj44pSwj4iUwhI
+-> ssh-ed25519 UHxfvA 68lyvttT185FSxrJLdAv2Qdb9/50Dn8zL5K5v7knz2A
-E2U6Q+4uesNCWK7uVSztrA84TU/n/xLFm3PJH0hO/EM
+hrT93PeA+zX+ilXUjVuNQQi3nHED/ksmY82x89gJxj0
--> ssh-ed25519 yXDKAA V2kygl0BK/oYpKnnheslBO2YqXFdQWFgtqfmDNdgolc
+-> ssh-ed25519 EL/Tyg RDA+VpzH1QetDunca2R3KyzvBs0c1Hyp/BCDSGB+DQc
-NpJNN4nfrbgOav8Y38C9DwKFZH+QTRp/US/8kyo9m0o
+o9k3z0FO/VXubhug6eeSDRwed2zvu+pbWeed6cKOun0
---- LdqtfywtHOAy3AZ7AexZU0TJMU/ugq+ZYN07706rNxY
+--- 8dCuX7j1i7EiXtF6jILoMUt8RxxBXnMgDqvqp2uMSOk
-±
+€‚××ýÓ.ã‚Úg5†ˆT<CB86>oek'—nέ-7:±šàXEúa£ú¢÷pbíRéådQš¢±çåª<þ)n^q·yõEJ·
-U$âApµnG NeÉ•£u y`!<21>ʤ®•Øf;ipvÙYˆ°V_3»ºN+±éªk#¨{û…ŽÊêWÑ*Ÿn(Å•ËÎú‹Õ»G6ÒÉ݈yc`<60>éqµ:$K]?Í—b=§'ü^Ï9
+ˬë૳a<18>e9u·ë’*N$€èXõVÉÈmgŒ(ʆ& 

secrets/mtgmonkey-pw.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg WZNwnBmikWIb4rlH89iIQHouM7cw07/E/KXz/AVv3V8
+-> ssh-ed25519 mT2fyg OF0H3FW/+6+6efi3cniowSGshtKoTSgk3pgz9ct16Vw
-FxLaO1zM0aGztJAsq+lgrM8gFogKY76Wcs1vYxhA19g
+RBSPPnJG1UtnOEpkPqwpB+xcQCBTmzVNpGH+2eJpYfM
--> ssh-ed25519 UHxfvA YIpS5r25kHVJtG3+kDVUvAPyTKDsRPG/jHwXmiD44SA
+-> ssh-ed25519 UHxfvA 1WcauG5gNnszYp/iAiFNLMvhPXAZ3qAd4F4t41U4bjY
-FKAmC669aQzSbjBjbQbzCixdqnCXnb/JJRQo2MgEZgw
+ERntLA7C/KtbyQzc3REwCSo/i2Yygk8khJTeULUaZ0o
---- xvwJ5oYHR3T1D44fl/aeAVjZglnKhq0JKZr9YecC3EE
+--- 9eUxYn/d3qTHY5AMjJk85iJINxrt6eHyBbx7NbY3s0E
- owÌMÆÍÀ·{Œ8ãm€$/Ì1Åö0øts®‹ÞX±ýˆå¡ñ±Cד‡´ƒÏ\•hõ-}¹•E,É ŽÑ¦,dxdX¥TAkäÄ•
+ã6<EFBFBD>hM)Ì'ÚÔˉ3Õ´„Éeàý†

secrets/secrets.nix

@@ -8,9 +8,6 @@ in {
   "andromeda-pw.age".publicKeys = [andromeda lenovo];
   "mtgmonkey-pw.age".publicKeys = [andromeda lenovo];
 
-  # dkim private keys
-  "dkim-galaxious.de.mail.key.age".publicKeys = [andromeda lenovo _109-199-104-83];
-
   # mail account passwords
   "mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
   "mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];

secrets/zulip-camoKey.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg 5ADzKAtycqfFpqW/dp71FTaK2gchzdWFNqxPyZ6deSY
+-> ssh-ed25519 mT2fyg F5X75uA03GCdN5hiq4K6GPkjZOEGNxmZ71X8Gx0VeFY
-+aISA4YwF1l9S0fmE84wOvAJpM221bwPDYvXELTVv9k
+nURLjoD+R284PtDudfVRVwByEP836e+rhQyggmZG5Jg
--> ssh-ed25519 UHxfvA uKYcpPbaXA4r1OmlkuiIu/EqQ3IiHR7JpItnVgTaW2g
+-> ssh-ed25519 UHxfvA 6hSu9W0aRzw6lzOg8VtnR19/byrMv3Ioc3dY/HQD3Qc
-LjySgI4mTlaZY81IJc6DmBh43l2qeGlQnZi+rOlbtb8
+bTaLokq4Gn/tpCM7b10ME5MPR0oR3QyAKmlhXlrhLJw
--> ssh-ed25519 yXDKAA TMwoM06ZJsjkZ7eLguxqYB05jcRn+tTgVzE7WQIf0mw
+-> ssh-ed25519 EL/Tyg 4k+vFxHeqISiWexGj5IAvXRpWdheKDJ/8b9dy8EYVHU
-vKwCkWsywGsgVv6Y278Mi28MhCYBRRUnfg4+EouOw+0
+eRBAnmIxuXtgi7dVTHfH0Q9h8KsyrVD0tTK0PlXO0EE
---- CScrim9wya9AhElXBtKBR3XBZDL83/g3MTfdF258GJ8
+--- ZLCSwwY0oD0L1nwBKhZlRmDG4dj6MdjXZFQoITaECDg
-K#Ð>8}cã§Ï}8‡ÅL¹(Ëôcò¶
+èoÓˆÏlÎÀŽNq«[ïªJ)&7¯`:Þ¸`©×†ÿDµë/JåÙ±Fö[<12>©Aù#–Z»ÇÁLÿy²)"gtßÍ*%4ôᘨÍO¢9Αv
-Üw1ª"O“Ù

secrets/zulip-extraSecrets-email_password.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg IOcD4r19Gx2AvjusnnJDHQXr/U4Ti6qKr01I9lNQDQE
+-> ssh-ed25519 mT2fyg 6o7tjdOI24SQ/wAIw6DhF59ZSCY+5weRUxCqQso6PnI
-fCwouMQPvhkyzehszuv0YhSfNh9zGKaFNDKaTZT0rD0
+1OdvoW2M8etjWYM87ZW2muKpNUV+iOFY8NCd1Wopjkk
--> ssh-ed25519 UHxfvA e95raPehUz6T2FR/eT8kzfrxt/Ou6kKsqi7z/3BkfwU
+-> ssh-ed25519 UHxfvA ksk6McR1jrkxTmGqMnkhM0b41+AZc26LoainR5CGmC8
-uHymqnY3t7IwpxWkN8xen3Vsy6R7VMoj+fR0zPnPinY
+AZTynapDNQ8aLFx7Rcu3dLVxJnuKcb8Emak9SjEOQcU
--> ssh-ed25519 yXDKAA nlR1prGysW+k8gq2npEiboFqoo9jKQ5ISxRiiCFlb0s
+-> ssh-ed25519 EL/Tyg ZQaWIGPt41SwnQpGFnAadZmC/bVuTJx2v15GMmqjlU4
-kaGOvlQgO0nOAl12mMKvafa9ezmy8XdUC2tVPuBG4iw
+3/S32mze090ThCPZF/lDs3xvsaAKNgfrM7I09WUGtsk
---- MRFAGURoyediqNSjGxr57a0w6n9lH2zVjfyrUZcyAYw
+--- aRUPFhqwkRAzL2sQW4UJPPhV/EEvWCmXLE7PjHMLtnU
-
+Ûàš×ØßmÑa_VX#!Ü[dà[ÁüÐö£®×s½M”!©/þb[ãJÄÝ[
-zä0

users/andromeda/home.nix

@@ -91,91 +91,6 @@ in {
       };
     };
     fastfetch.enable = true;
-    firefox = {
-      enable = true;
-      package = pkgs.firefox.override {
-        cfg.enableTridactylNative = true;
-      };
-      profiles.${config.home.username} = {
-        extensions.packages = [
-          pkgs.nur.repos.rycee.firefox-addons.tridactyl
-        ];
-        search = {
-          default = "repos";
-          privateDefault = "ddghtml";
-          order = [
-            "wiki"
-            "options"
-            "packages"
-            "repos"
-          ];
-          engines = {
-            "packages" = {
-              urls = [
-                {
-                  template = "https://search.nixos.org/packages";
-                  params = [
-                    {
-                      name = "channel";
-                      value = "unstable";
-                    }
-                    {
-                      name = "query";
-                      value = "{searchTerms}";
-                    }
-                  ];
-                }
-              ];
-            };
-
-            "options" = {
-              urls = [
-                {
-                  template = "https://search.nixos.org/options";
-                  params = [
-                    {
-                      name = "channel";
-                      value = "unstable";
-                    }
-                    {
-                      name = "query";
-                      value = "{searchTerms}";
-                    }
-                  ];
-                }
-              ];
-            };
-
-            "wiki" = {
-              urls = [
-                {
-                  template = "https://wiki.nixos.org/w/index.php";
-                  params = [
-                    {
-                      name = "search";
-                      value = "{searchTerms}";
-                    }
-                  ];
-                }
-              ];
-            };
-
-            "repos" = {
-              template = "https://html.duckduckgo.com/html/";
-              params = [
-                {
-                  name = "q";
-                  value = "{searchTerms}+(site:*.gitlab.org OR site:github.com OR site:git.mtgmonkey.net OR site:sr.ht)";
-                }
-              ];
-            };
-          };
-        };
-        settings = {
-          "extensions.autoDisableScopes" = 0;
-        };
-      };
-    };
     git = {
       enable = true;
       settings = {
@@ -188,6 +103,15 @@ in {
     };
     gh.enable = true;
     home-manager.enable = true;
+    firefox = {
+      enable = true;
+      package = pkgs.firefox.override {
+        cfg.enableTridactylNative = true;
+      };
+      profiles.${config.home.username}.extensions.packages = [
+        pkgs.nur.repos.rycee.firefox-addons.tridactyl
+      ];
+    };
     lsd.enable = true;
     nvf = {
       enable = true;