Merge commit 'caf1394' into development

update remote keys
fix ssh
2026-01-10 15:42:13 +01:00 · 2026-01-10 15:40:07 +01:00 · 2026-01-10 15:30:17 +01:00 · 2026-01-10 15:23:02 +01:00 · 2026-01-10 10:33:06 +01:00 · 2026-01-10 10:21:04 +01:00
17 changed files with 96 additions and 48 deletions
--- a/machines.nix
+++ b/machines.nix
@@ -36,6 +36,7 @@
    modules = [
      # impermanence
      ./modules/nixos/impermanence.nix
+      ./modules/nixos/impermanence-ssh.nix

      # hardware configuration
      # verbatim as `nixos-generate-config` AND `system.stateVersion`
@@ -53,23 +54,25 @@

      # ssh through port 5522 among other things
      # andromeda@lenovo is the only user allowed access
-      # ./modules/nixos/networking/hard-ssh.nix
-      #./modules/nixos/networking/ssh-as-root.nix
-      ({config, ...}: {
-        services.openssh.enable = true;
-        users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];
-      })
+      ./modules/nixos/networking/hard-ssh.nix
+      ./modules/nixos/networking/ssh-as-root.nix
+      ({config, ...}: {users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];})

      # TODO add Impermanence to the following services

      # simple-nixos-mailserver email server
      # mail.domain
-      # ./modules/nixos/mailserver.nix
+      ./modules/nixos/mailserver.nix

      # roundcube webmail client
      # webmail.domain
-      # ./modules/nixos/roundcube.nix
+      ./modules/nixos/roundcube.nix

+      # forgejo
+      # git.domain
+      ./modules/nixos/forgejo.nix
+
+      # BROKEN
      # zulip chat client
      # chat.domain
      # zulip chat server
--- a/modules/nixos/boot/109-199-104-83.nix
+++ b/modules/nixos/boot/109-199-104-83.nix
@@ -3,4 +3,7 @@
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+  ];
 }
--- a/modules/nixos/forgejo.nix
+++ b/modules/nixos/forgejo.nix
@@ -0,0 +1,27 @@
+{config, ...}: {
+  services.nginx = {
+    virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M
+      '';
+      locations."/".proxyPass = "https://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+    };
+  };
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      server = rec {
+        DOMAIN = "git.galaxious.de";
+        ROOT_URL = "https://${DOMAIN}";
+        HTTP_PORT = 4043;
+        SSH_PORT = 4022;
+      };
+      service.DISABLE_REGISTRATION = false;
+    };
+  };
+  services.openssh.ports = [config.services.forgejo.settings.server.SSH_PORT];
+}
--- a/modules/nixos/mailserver.nix
+++ b/modules/nixos/mailserver.nix
@@ -28,4 +28,12 @@
    acceptTerms = true;
    defaults.email = "mtgmonket@gmail.com";
  };
+  environment.persistence."/persist" = {
+    directories = [
+      "/var/dkim"
+      "/var/vmail"
+      "/var/lib/redis-rspamd"
+      "/var/lib/acme"
+    ];
+  };
 }
--- a/modules/nixos/roundcube.nix
+++ b/modules/nixos/roundcube.nix
@@ -9,4 +9,8 @@
      $config['smtp_pass'] = "%p";
    '';
  };
+  environment.persistence."/persist".directories = [
+    "/var/lib/roundcube"
+    "/var/lib/postgresql"
+  ];
 }
--- a/pub-keys.nix
+++ b/pub-keys.nix
@@ -16,7 +16,7 @@
    ssh = {
      andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
      lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
-      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJe5ol56yC23fivSEKeK4HZQm934ROX46AM7o0aE2hMq root@vmi2998419";
+      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqjbjFrGZD98tAb8tnayeGjkcsJ17nAdREugZub3AWz root@109-199-104-83";
    };
  };
 }
--- a/secrets/andromeda-pw.age
+++ b/secrets/andromeda-pw.age
@@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg 4fCTrNibFdjnVfsIbXi6plbd56K8ZDDqtgryXPk2SUA
-vKlbDi+HpyYlSsN39GRh6GRwdHRSjypCEqguOaHPFDM
-> ssh-ed25519 UHxfvA RqrDa4xJoAy1Gdzvq6Z5eTSNTDtHzUmzRoLC+j+HxiI
-+5CohUFSDB9oiLU0T25FKrQrz07DCviVuzZsVcUltOc
--- SQ5zQx9lL5UdNinOgP6yG5WWiBdhSwFqJVt6u3SNpLA
-î6<EFBFBD>©ç¥UÛð¦pî<70>‡„øÚúQÙ]ÜNû;K;1yœµ™
+-> ssh-ed25519 mT2fyg lpbWxTU6p0TLqdrqEAJLZp9lMuGZiTwZviuMBSq8dAI
+hapEREw5ZqDrUsGYFbVy3ZybfxKv7cKtgsCIRUJNMeQ
+-> ssh-ed25519 UHxfvA SrK+1CTq/fkEj/KlSHM+9iQq7AcNFjDwwwEVenbKSCs
+zVNGyZbWQCrgmQ/uNCv23O6i6GfDdOoYHPN0E7A0XbE
+--- KpfV8+Snrp9R69h5TVphgzvxEsDgaXI1Wva8iq5Y0Mk
+<ivÆ‘Þj¯/zíë—¹mÂ…ÿ?±û½ÿù~\£=Õ5žL˜M”¤D¬ù¬Ãêûã(H$‰Ëã^<5E>f¾9‹º;ÀjˆaV8Èq“wµeôë£Œ<C2A3>%Û‡ªU
--- a/secrets/mailserver-acc-admin-pw.age
+++ b/secrets/mailserver-acc-admin-pw.age
@@ -1,9 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg Lt6EG5R9iQWuD/eDXM+vsablwqCn7wUBKFuNO3qcq04
-07jSpN+5/CJFCaBAEVB5TYqLEnGj8Fbt6z3qIVSijqU
-> ssh-ed25519 UHxfvA 8iIyIoZxJUYrvL9DFmleATVYs0TSZvPjSFqxSWYnVFs
-XDQQGlQXJqjjAqslyfJerVATPIO4vCxTPRWOcBuF7f8
-> ssh-ed25519 Xoin5w tE8Tx9cSJH+4eJoEpG8CVf9+C1WrurERvGG0kOLatG4
-YUUPvg6Ev3+7idthbcUeLeRZ+iE8yp+uirJojSt1gVg
--- FamPgM9+DjHiHQBkCmPaHe9aLLXIL3ZPCUtmtEtNOAI
-Õ‘žâ}ƒ_rT6ÖUwzù|–<ÿ_Ñø®¬×5 ®û!~‹N<E280B9>ácÇ¦i<>*þE<10>M?H?›QSbùàÀòâ\ŠÛ<C5A0>‰ÑzèK	?zŒÕ;¦×R¶JpËÒ¶í‡É´sóè”ˆœy›Ä
+-> ssh-ed25519 mT2fyg VKndh6ieX+XzpTHBh+ov96IrqGCIQeYcKji5wt6HlXA
+LW+yUqS5KFWVTvZHAcUOBH9VS+FoFupqnzajU5nR0EI
+-> ssh-ed25519 UHxfvA p1bCzcd97Ra//YUnes9g6Q/qp07n+f+dDkaCNZiBpEc
+ZJ/khm5EuOZj6OyG/JNP7MeyM6SAVAfnx6GkFULHXTs
+-> ssh-ed25519 EL/Tyg 9AL2BfGioplxgC+Paid3OMpTxAAZ/MqgD2cZ9JGuNzM
+fY2puHpjjNbCUJpHX1DIoqcpu5pM/yxhgZxkSlJYMBw
+--- AnUcifoSL3SM3R+dKgldV2//mRjs6f+7t1v7xAEjUbU
+“¾7Óçr¡L6•TDrÂò¬/£EÀêxÈ©ÐuòcN¯JŠ4ÛY)ì]‡N“Ô¹[ÒËq}Í-ºÅ‰=;2ÖhI‘ê«ŽHe™_FéËo±©®
+½}º’ýI@3øÌ)ÂÇOé=ËÀÌ
--- a/secrets/mailserver-acc-test-pw.age
+++ b/secrets/mailserver-acc-test-pw.age
@@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg slLOkD/9TAYOuZ/g5U4NvPWUlmYZeie12xzggioviw0
-E0uAj4RMgv7DTJpvtEO54G9XHNLFOgFflR54Cl6/X8g
-> ssh-ed25519 UHxfvA xHFujOdegur0PLNHZP+h5RxHhVD2K906NZx7nprMkUs
-PdDxzD5QBdE/yWPMnF+CDGROEpE4nYvg12v1G3QK9XI
-> ssh-ed25519 Xoin5w YWsO9HtEFB79+aKr6eWi5Sg5geKfzT+IrDy2L5qEmx4
-sXLRmcRDyAv64nSGs8QXcHmKYO+F11Pzea1EVGmpEys
--- Sjg8SqkkEEL4X0G1GOUoHO702ZtrM0hMniIdS7yIsDA
-'ÏBâÉ(<28>–7DÏ“=ù³h•áÊh	fëÉ®×xT Ž!K.»‰‚~Ø³ò,…ß“<C39F>D|éä+pû<70>ü"Òt‚ÝG¢yñQ¬ÏRcPÁQüúQßÐ
+-> ssh-ed25519 mT2fyg BHPXb0yAMGIMJoEFJFzq5YQrlj7C0IyXcIKHtEbQmiw
+0ilGBqIPjzYe0l6N/PXdTWW3spJZIsIBC0B62wdutNc
+-> ssh-ed25519 UHxfvA 4KodpMUl2mkRcsKY7EzoMgIeWQ0yqyW+NqQheyHd6w0
+JMei4drWd0VG/qHDAlucoFtYlDAv/whTKrs23q9YX+c
+-> ssh-ed25519 EL/Tyg Ip6g9rPqiKDUlmrBO+Bfu+VAi6rx90zUBxzbKupXHXE
+AK9id0HQqWPzNrK3AVox4vUO4mQlI/uZY7+ez8992K4
+--- rhCvXjaEy9bzdG5UTR6HcQvHfioEJi4H0BFjyrQopLc
+ÞñÙ ŸJl¼O¹Wñ¿u1ú•Ê€…÷ŽË±¬XÊd1	“[²éƒ||Bt‡\µ ™h¾#ŒÝÑ£'åb£™Aðîz"n1\Áõq0£—a<E28094>:Ñ®T‚¢ëEGÑ	bø Cy÷†7Uá‰W
--- a/secrets/mailserver-acc-zulip+admin-pw.age
+++ b/secrets/mailserver-acc-zulip+admin-pw.age
@@ -1,10 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg JsKjySZOoC/xK6HFjgBSYumrg/Ak7EBjYCqa9uszXGo
-daQvoxsqkxA4OClbWm4YHes5zkky8wikEKg94ceeNWw
-> ssh-ed25519 UHxfvA yDtvX6SqI9HFN3v1teeRfVicMXpS0fYLiyxe391kIHY
-xpYokiMmAlFbZHuOIqxKeGXtgiB9yOvRquI8OY5mdqE
-> ssh-ed25519 Xoin5w 9ND7dZoaaLXVu7VN3fYF6bZa23QpCr29b4DNIOSRi2Q
-L6oOEQ8XSZZuQyfxPwgGYycMqAKfslEtFRJbBHbomoY
--- ewcxsNTgXUy+wlZ3MiSC2KYO0BowGOAn/JvvV7x3pBc
-ýVÖ5aƒ›Ð.°B'Kì¸7¹ì²LR9h`™<>Â€ƒÕ·<C395>Iúéª
-8cˆ%)ÅÛ£Ö5³‡<C2B3>ä¾ä©ÕKLR¢˜yÞ199Y?©v’Û’¼‘2<E28098>Ð–KûfãºÔ<C2BA>!€©{3‚)æ,
+-> ssh-ed25519 mT2fyg /YSp9eYFPJT5Vj1lkw19CfDCW8bauZ2b1BiMtdZKTnY
+sJL2tL8nmh7q/8raA6Nnha2J9witk3994fxyvGcmBoA
+-> ssh-ed25519 UHxfvA 68lyvttT185FSxrJLdAv2Qdb9/50Dn8zL5K5v7knz2A
+hrT93PeA+zX+ilXUjVuNQQi3nHED/ksmY82x89gJxj0
+-> ssh-ed25519 EL/Tyg RDA+VpzH1QetDunca2R3KyzvBs0c1Hyp/BCDSGB+DQc
+o9k3z0FO/VXubhug6eeSDRwed2zvu+pbWeed6cKOun0
+--- 8dCuX7j1i7EiXtF6jILoMUt8RxxBXnMgDqvqp2uMSOk
+€‚××ýÓ.ã‚Úg5†ˆT<CB86>oek'—nÎ-7:±šàXEúa£ú¢÷pbíRéådQš¢±çåª<þ)n^q·yõEJ·
+Ë¬ëà«³a<18>e9u·ë’*N$€èXõVÉÈmgŒ(ÃŠ†& 
--- a/secrets/mtgmonkey-pw.age
+++ b/secrets/mtgmonkey-pw.age
--- a/secrets/zulip-avatarSaltKey.age
+++ b/secrets/zulip-avatarSaltKey.age
--- a/secrets/zulip-camoKey.age
+++ b/secrets/zulip-camoKey.age
--- a/secrets/zulip-extraSecrets-email_password.age
+++ b/secrets/zulip-extraSecrets-email_password.age
--- a/secrets/zulip-rabbitmqPassword.age
+++ b/secrets/zulip-rabbitmqPassword.age
@@ -1,9 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg N+K4UqHYGQTzqq5wMhEs5ijh8a8uXarYy2BpWH2GAUY
-7mWlRNsudiBCr34QMXkzwkyRZa9K6pAPLX0phQBIH1A
-> ssh-ed25519 UHxfvA i5e8E+FMsG+n+jl5ASBYbPvnME7X58sMMAlYelZAm3A
-ARlV+vWRRsFVAsjdk+JgUMgp49muyGFF5g+iyzpyJQY
-> ssh-ed25519 Xoin5w 0EH6bLW0DwwVi8GMjq4ZjlBak1QQ0cxh/+KK/e1rPTY
-yIpSegzmBeJ86jApt23Kv9vZ2sVLC8dFYa9t43/x8MM
--- c4PhDnZ271mJc2sc7DSIRqVF503JSsZhBj2ANwcT2po
-PKŽFª†!"¤š<>“Mgoí/¶úÁgF®Š0@‚ì‡gA³ŸÎ„åP¶úæm+u‘éLoŠ
+-> ssh-ed25519 mT2fyg zafxexSagQeL9Upbgi6UCWKIWN93OIViw3U/aFn6p28
+jEUjCPoCuIHJ1ICP8gkHj4kWQaTAhEtoS4QDJLCQQek
+-> ssh-ed25519 UHxfvA UiU/MjBeFl7r0HIjMqTMSYGGa/S84ZpyEXMoyKhrMwc
+sCCXk319YR7WOd2YGjl+hgi4xk+yE7eyN9Z6I1qDu40
+-> ssh-ed25519 EL/Tyg 4YvWb6Ht4w6jtJZ7ROXzOLDIKjK0H5nDJSFADTcYiDg
+pDaPf5o6dFfE+J6CsEG4grI1DmBGuLCPcOys5q28pHo
+--- rtPaK/w9Hla1apU/p3m+oORkmorylxOokUf64Le6A08
+´-sNŸß}üv
+lQw•¿‰
+·¬>ÉŽ®™·#	€ºîcÄ»þ&Œûµuºë—‹(F—S*ªÒ@k'(›¸KzÆ³¼Â©P<C2A9>K
--- a/secrets/zulip-secretKey.age
+++ b/secrets/zulip-secretKey.age
--- a/secrets/zulip-sharedSecretKey.age
+++ b/secrets/zulip-sharedSecretKey.age
Author	SHA1	Message	Date
andromeda	03f5bbf2c0	Merge commit 'caf1394' into development	2026-01-10 15:42:13 +01:00
andromeda	caf139425f	update remote keys	2026-01-10 15:40:07 +01:00
andromeda	45f5249165	fix ssh	2026-01-10 15:30:17 +01:00
andromeda	90dd0582b0	forgejo	2026-01-10 15:23:02 +01:00
andromeda	0781c8428d	fix agenix boot problem on remote?	2026-01-10 10:33:06 +01:00
andromeda	2d1048b00f	add roundcube persist	2026-01-10 10:21:04 +01:00
andromeda	58f011079c	rekey	2026-01-10 10:08:40 +01:00
andromeda	d32f99baf5	persist acme, update public key	2026-01-10 10:07:01 +01:00
andromeda	13141933b4	enable roundcube, backup mailserver	2026-01-10 10:01:38 +01:00
andromeda	a57edbf3fd	enable mailserver	2026-01-10 09:48:42 +01:00
andromeda	bf22a9de21	add /etc/ssh persist to remote	2026-01-10 09:02:24 +01:00