Merge commit 'caf1394' into development

machines.nix

@@ -36,6 +36,7 @@
     modules = [
       # impermanence
       ./modules/nixos/impermanence.nix
+      ./modules/nixos/impermanence-ssh.nix
 
       # hardware configuration
       # verbatim as `nixos-generate-config` AND `system.stateVersion`
@@ -53,23 +54,25 @@
 
       # ssh through port 5522 among other things
       # andromeda@lenovo is the only user allowed access
-      # ./modules/nixos/networking/hard-ssh.nix
+      ./modules/nixos/networking/hard-ssh.nix
-      #./modules/nixos/networking/ssh-as-root.nix
+      ./modules/nixos/networking/ssh-as-root.nix
-      ({config, ...}: {
+      ({config, ...}: {users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];})
-        services.openssh.enable = true;
-        users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];
-      })
 
       # TODO add Impermanence to the following services
 
       # simple-nixos-mailserver email server
       # mail.domain
-      # ./modules/nixos/mailserver.nix
+      ./modules/nixos/mailserver.nix
 
       # roundcube webmail client
       # webmail.domain
-      # ./modules/nixos/roundcube.nix
+      ./modules/nixos/roundcube.nix
 
+      # forgejo
+      # git.domain
+      ./modules/nixos/forgejo.nix
+
+      # BROKEN
       # zulip chat client
       # chat.domain
       # zulip chat server

modules/nixos/boot/109-199-104-83.nix

@@ -3,4 +3,7 @@
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+  ];
 }

modules/nixos/forgejo.nix

@@ -0,0 +1,27 @@
+{config, ...}: {
+  services.nginx = {
+    virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M
+      '';
+      locations."/".proxyPass = "https://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+    };
+  };
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      server = rec {
+        DOMAIN = "git.galaxious.de";
+        ROOT_URL = "https://${DOMAIN}";
+        HTTP_PORT = 4043;
+        SSH_PORT = 4022;
+      };
+      service.DISABLE_REGISTRATION = false;
+    };
+  };
+  services.openssh.ports = [config.services.forgejo.settings.server.SSH_PORT];
+}

modules/nixos/mailserver.nix

@@ -28,4 +28,12 @@
     acceptTerms = true;
     defaults.email = "mtgmonket@gmail.com";
   };
+  environment.persistence."/persist" = {
+    directories = [
+      "/var/dkim"
+      "/var/vmail"
+      "/var/lib/redis-rspamd"
+      "/var/lib/acme"
+    ];
+  };
 }

modules/nixos/roundcube.nix

@@ -9,4 +9,8 @@
       $config['smtp_pass'] = "%p";
     '';
   };
+  environment.persistence."/persist".directories = [
+    "/var/lib/roundcube"
+    "/var/lib/postgresql"
+  ];
 }

pub-keys.nix

@@ -16,7 +16,7 @@
     ssh = {
       andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
       lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
-      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJe5ol56yC23fivSEKeK4HZQm934ROX46AM7o0aE2hMq root@vmi2998419";
+      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqjbjFrGZD98tAb8tnayeGjkcsJ17nAdREugZub3AWz root@109-199-104-83";
     };
   };
 }

secrets/andromeda-pw.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg 4fCTrNibFdjnVfsIbXi6plbd56K8ZDDqtgryXPk2SUA
+-> ssh-ed25519 mT2fyg lpbWxTU6p0TLqdrqEAJLZp9lMuGZiTwZviuMBSq8dAI
-vKlbDi+HpyYlSsN39GRh6GRwdHRSjypCEqguOaHPFDM
+hapEREw5ZqDrUsGYFbVy3ZybfxKv7cKtgsCIRUJNMeQ
--> ssh-ed25519 UHxfvA RqrDa4xJoAy1Gdzvq6Z5eTSNTDtHzUmzRoLC+j+HxiI
+-> ssh-ed25519 UHxfvA SrK+1CTq/fkEj/KlSHM+9iQq7AcNFjDwwwEVenbKSCs
-+5CohUFSDB9oiLU0T25FKrQrz07DCviVuzZsVcUltOc
+zVNGyZbWQCrgmQ/uNCv23O6i6GfDdOoYHPN0E7A0XbE
---- SQ5zQx9lL5UdNinOgP6yG5WWiBdhSwFqJVt6u3SNpLA
+--- KpfV8+Snrp9R69h5TVphgzvxEsDgaXI1Wva8iq5Y0Mk
-î6<EFBFBD>©ç¥UÛð¦pî<70>‡„øÚúQÙ]ÜNû;K;1yœµ™
+<ivÆ‘Þj¯/
zíë—¹mÂ…ÿ?±û½ÿù~\£=Õ5žL˜M”¤D¬ù¬Ãêûã(H$‰Ëã^<5E>f¾9‹º;ÀjˆaV8Èq“wµeô료<C2A3>%Û‡ªU

secrets/mailserver-acc-admin-pw.age

@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg Lt6EG5R9iQWuD/eDXM+vsablwqCn7wUBKFuNO3qcq04
+-> ssh-ed25519 mT2fyg VKndh6ieX+XzpTHBh+ov96IrqGCIQeYcKji5wt6HlXA
-07jSpN+5/CJFCaBAEVB5TYqLEnGj8Fbt6z3qIVSijqU
+LW+yUqS5KFWVTvZHAcUOBH9VS+FoFupqnzajU5nR0EI
--> ssh-ed25519 UHxfvA 8iIyIoZxJUYrvL9DFmleATVYs0TSZvPjSFqxSWYnVFs
+-> ssh-ed25519 UHxfvA p1bCzcd97Ra//YUnes9g6Q/qp07n+f+dDkaCNZiBpEc
-XDQQGlQXJqjjAqslyfJerVATPIO4vCxTPRWOcBuF7f8
+ZJ/khm5EuOZj6OyG/JNP7MeyM6SAVAfnx6GkFULHXTs
--> ssh-ed25519 Xoin5w tE8Tx9cSJH+4eJoEpG8CVf9+C1WrurERvGG0kOLatG4
+-> ssh-ed25519 EL/Tyg 9AL2BfGioplxgC+Paid3OMpTxAAZ/MqgD2cZ9JGuNzM
-YUUPvg6Ev3+7idthbcUeLeRZ+iE8yp+uirJojSt1gVg
+fY2puHpjjNbCUJpHX1DIoqcpu5pM/yxhgZxkSlJYMBw
---- FamPgM9+DjHiHQBkCmPaHe9aLLXIL3ZPCUtmtEtNOAI
+--- AnUcifoSL3SM3R+dKgldV2//mRjs6f+7t1v7xAEjUbU
-Õ‘žâ}ƒ_rT6ÖUwzù|–<ÿ_Ñø®¬×5 ®û!~‹N<E280B9>ácǦi<>*þE<10>M?H?›QSbùàÀòâ\ŠÛ<C5A0>‰ÑzèK	?zŒÕ;¦×R¶JpËÒ¶í‡É´só蔈œy›Ä
+“¾7Óçr¡L6•TDrÂò¬/£EÀêxÈ©ÐuòcN¯JŠ4ÛY)ì]‡N“Ô¹[ÒËq}Í-ºÅ‰=;2ÖhI‘ê«ŽHe™_FéËo±©®
+½}º’ýI@3øÌ)ÂÇOé=ËÀÌ

secrets/mailserver-acc-test-pw.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg slLOkD/9TAYOuZ/g5U4NvPWUlmYZeie12xzggioviw0
+-> ssh-ed25519 mT2fyg BHPXb0yAMGIMJoEFJFzq5YQrlj7C0IyXcIKHtEbQmiw
-E0uAj4RMgv7DTJpvtEO54G9XHNLFOgFflR54Cl6/X8g
+0ilGBqIPjzYe0l6N/PXdTWW3spJZIsIBC0B62wdutNc
--> ssh-ed25519 UHxfvA xHFujOdegur0PLNHZP+h5RxHhVD2K906NZx7nprMkUs
+-> ssh-ed25519 UHxfvA 4KodpMUl2mkRcsKY7EzoMgIeWQ0yqyW+NqQheyHd6w0
-PdDxzD5QBdE/yWPMnF+CDGROEpE4nYvg12v1G3QK9XI
+JMei4drWd0VG/qHDAlucoFtYlDAv/whTKrs23q9YX+c
--> ssh-ed25519 Xoin5w YWsO9HtEFB79+aKr6eWi5Sg5geKfzT+IrDy2L5qEmx4
+-> ssh-ed25519 EL/Tyg Ip6g9rPqiKDUlmrBO+Bfu+VAi6rx90zUBxzbKupXHXE
-sXLRmcRDyAv64nSGs8QXcHmKYO+F11Pzea1EVGmpEys
+AK9id0HQqWPzNrK3AVox4vUO4mQlI/uZY7+ez8992K4
---- Sjg8SqkkEEL4X0G1GOUoHO702ZtrM0hMniIdS7yIsDA
+--- rhCvXjaEy9bzdG5UTR6HcQvHfioEJi4H0BFjyrQopLc
-'ÏBâÉ(<28>–7DÏ“=ù³h•áÊh	fëÉ®×xT Ž!K.»‰‚~سò,…ß“<C39F>D|éä+pû<70>ü"Òt‚ÝG¢yñQ¬ÏRcPÁQüúQßÐ
+ÞñÙ ŸJl¼O¹Wñ¿u­1ú•Ê€…÷ŽË±¬XÊd1	“[²éƒ||Bt‡\µ ™h¾#ŒÝÑ£'åb£™Aðîz"n1\Áõq0£—a<E28094>:Ñ®­T‚¢ëEGÑ
	bø Cy÷†7Uá‰
W

secrets/mailserver-acc-zulip+admin-pw.age

@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg JsKjySZOoC/xK6HFjgBSYumrg/Ak7EBjYCqa9uszXGo
+-> ssh-ed25519 mT2fyg /YSp9eYFPJT5Vj1lkw19CfDCW8bauZ2b1BiMtdZKTnY
-daQvoxsqkxA4OClbWm4YHes5zkky8wikEKg94ceeNWw
+sJL2tL8nmh7q/8raA6Nnha2J9witk3994fxyvGcmBoA
--> ssh-ed25519 UHxfvA yDtvX6SqI9HFN3v1teeRfVicMXpS0fYLiyxe391kIHY
+-> ssh-ed25519 UHxfvA 68lyvttT185FSxrJLdAv2Qdb9/50Dn8zL5K5v7knz2A
-xpYokiMmAlFbZHuOIqxKeGXtgiB9yOvRquI8OY5mdqE
+hrT93PeA+zX+ilXUjVuNQQi3nHED/ksmY82x89gJxj0
--> ssh-ed25519 Xoin5w 9ND7dZoaaLXVu7VN3fYF6bZa23QpCr29b4DNIOSRi2Q
+-> ssh-ed25519 EL/Tyg RDA+VpzH1QetDunca2R3KyzvBs0c1Hyp/BCDSGB+DQc
-L6oOEQ8XSZZuQyfxPwgGYycMqAKfslEtFRJbBHbomoY
+o9k3z0FO/VXubhug6eeSDRwed2zvu+pbWeed6cKOun0
---- ewcxsNTgXUy+wlZ3MiSC2KYO0BowGOAn/JvvV7x3pBc
+--- 8dCuX7j1i7EiXtF6jILoMUt8RxxBXnMgDqvqp2uMSOk
-ýVÖ5aƒ›Ð.°B'Kì¸7¹ì²LR9h`™<>€ƒÕ·<C395>Iúéª
+€‚××ýÓ.ã‚Úg5†ˆT<CB86>oek'—nέ-7:±šàXEúa£ú¢÷pbíRéådQš¢±çåª<þ)n^q·yõEJ·
-8cˆ%)ÅÛ£Ö5³‡<C2B3>ä¾ä©ÕKLR¢˜yÞ199Y?©v’Û’¼‘2<E28098>ЖKûfãºÔ<C2BA>!€©{3‚)æ,
+ˬë૳a<18>e9u·ë’*N$€èXõVÉÈmgŒ(ʆ& 

secrets/zulip-rabbitmqPassword.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg N+K4UqHYGQTzqq5wMhEs5ijh8a8uXarYy2BpWH2GAUY
+-> ssh-ed25519 mT2fyg zafxexSagQeL9Upbgi6UCWKIWN93OIViw3U/aFn6p28
-7mWlRNsudiBCr34QMXkzwkyRZa9K6pAPLX0phQBIH1A
+jEUjCPoCuIHJ1ICP8gkHj4kWQaTAhEtoS4QDJLCQQek
--> ssh-ed25519 UHxfvA i5e8E+FMsG+n+jl5ASBYbPvnME7X58sMMAlYelZAm3A
+-> ssh-ed25519 UHxfvA UiU/MjBeFl7r0HIjMqTMSYGGa/S84ZpyEXMoyKhrMwc
-ARlV+vWRRsFVAsjdk+JgUMgp49muyGFF5g+iyzpyJQY
+sCCXk319YR7WOd2YGjl+hgi4xk+yE7eyN9Z6I1qDu40
--> ssh-ed25519 Xoin5w 0EH6bLW0DwwVi8GMjq4ZjlBak1QQ0cxh/+KK/e1rPTY
+-> ssh-ed25519 EL/Tyg 4YvWb6Ht4w6jtJZ7ROXzOLDIKjK0H5nDJSFADTcYiDg
-yIpSegzmBeJ86jApt23Kv9vZ2sVLC8dFYa9t43/x8MM
+pDaPf5o6dFfE+J6CsEG4grI1DmBGuLCPcOys5q28pHo
---- c4PhDnZ271mJc2sc7DSIRqVF503JSsZhBj2ANwcT2po
+--- rtPaK/w9Hla1apU/p3m+oORkmorylxOokUf64Le6A08
-PKŽFª†!"¤š<>“Mgoí/¶úÁgF®Š0@‚ì‡gA³ŸÎ„åP¶úæm+u‘éLoŠ
+´-sNŸß}üv
+lQw•¿‰
++·¬>ÉŽ®™·#	€ºîcÄ»þ&Œûµuºë—‹(F—S*ªÒ@k'(›¸KzƳ¼Â©P<C2A9>K