Merge commit 'caf1394' into development

machines.nix

@@ -36,6 +36,7 @@
     modules = [
       # impermanence
       ./modules/nixos/impermanence.nix
+      ./modules/nixos/impermanence-ssh.nix
 
       # hardware configuration
       # verbatim as `nixos-generate-config` AND `system.stateVersion`
@@ -53,23 +54,25 @@
 
       # ssh through port 5522 among other things
       # andromeda@lenovo is the only user allowed access
-      # ./modules/nixos/networking/hard-ssh.nix
+      ./modules/nixos/networking/hard-ssh.nix
-      #./modules/nixos/networking/ssh-as-root.nix
+      ./modules/nixos/networking/ssh-as-root.nix
-      ({config, ...}: {
+      ({config, ...}: {users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];})
-        services.openssh.enable = true;
-        users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];
-      })
 
       # TODO add Impermanence to the following services
 
       # simple-nixos-mailserver email server
       # mail.domain
-      # ./modules/nixos/mailserver.nix
+      ./modules/nixos/mailserver.nix
 
       # roundcube webmail client
       # webmail.domain
-      # ./modules/nixos/roundcube.nix
+      ./modules/nixos/roundcube.nix
 
+      # forgejo
+      # git.domain
+      ./modules/nixos/forgejo.nix
+
+      # BROKEN
       # zulip chat client
       # chat.domain
       # zulip chat server

modules/nixos/boot/109-199-104-83.nix

@@ -3,4 +3,7 @@
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+  ];
 }

modules/nixos/forgejo.nix

@@ -0,0 +1,27 @@
+{config, ...}: {
+  services.nginx = {
+    virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M
+      '';
+      locations."/".proxyPass = "https://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+    };
+  };
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      server = rec {
+        DOMAIN = "git.galaxious.de";
+        ROOT_URL = "https://${DOMAIN}";
+        HTTP_PORT = 4043;
+        SSH_PORT = 4022;
+      };
+      service.DISABLE_REGISTRATION = false;
+    };
+  };
+  services.openssh.ports = [config.services.forgejo.settings.server.SSH_PORT];
+}

modules/nixos/mailserver.nix

@@ -28,4 +28,12 @@
     acceptTerms = true;
     defaults.email = "mtgmonket@gmail.com";
   };
+  environment.persistence."/persist" = {
+    directories = [
+      "/var/dkim"
+      "/var/vmail"
+      "/var/lib/redis-rspamd"
+      "/var/lib/acme"
+    ];
+  };
 }

modules/nixos/roundcube.nix

@@ -9,4 +9,8 @@
       $config['smtp_pass'] = "%p";
     '';
   };
+  environment.persistence."/persist".directories = [
+    "/var/lib/roundcube"
+    "/var/lib/postgresql"
+  ];
 }

pub-keys.nix

@@ -16,7 +16,7 @@
     ssh = {
       andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
       lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
-      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJe5ol56yC23fivSEKeK4HZQm934ROX46AM7o0aE2hMq root@vmi2998419";
+      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqjbjFrGZD98tAb8tnayeGjkcsJ17nAdREugZub3AWz root@109-199-104-83";
     };
   };
 }

secrets/andromeda-pw.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg 4fCTrNibFdjnVfsIbXi6plbd56K8ZDDqtgryXPk2SUA
+-> ssh-ed25519 mT2fyg lpbWxTU6p0TLqdrqEAJLZp9lMuGZiTwZviuMBSq8dAI
-vKlbDi+HpyYlSsN39GRh6GRwdHRSjypCEqguOaHPFDM
+hapEREw5ZqDrUsGYFbVy3ZybfxKv7cKtgsCIRUJNMeQ
--> ssh-ed25519 UHxfvA RqrDa4xJoAy1Gdzvq6Z5eTSNTDtHzUmzRoLC+j+HxiI
+-> ssh-ed25519 UHxfvA SrK+1CTq/fkEj/KlSHM+9iQq7AcNFjDwwwEVenbKSCs
-+5CohUFSDB9oiLU0T25FKrQrz07DCviVuzZsVcUltOc
+zVNGyZbWQCrgmQ/uNCv23O6i6GfDdOoYHPN0E7A0XbE
---- SQ5zQx9lL5UdNinOgP6yG5WWiBdhSwFqJVt6u3SNpLA
+--- KpfV8+Snrp9R69h5TVphgzvxEsDgaXI1Wva8iq5Y0Mk
-<EFBFBD>6<EFBFBD><16><0B><>U<><55><EFBFBD>p<70><EE9087><EFBFBD><EFBFBD>Q<>]<5D>N<EFBFBD>;K;1y<31><79><EFBFBD>
+<iv<69><07><>j<EFBFBD>/
z<12>뗹m…<6D>?<3F><><EFBFBD><EFBFBD><EFBFBD>~\<>=<3D>5<>L<EFBFBD>M<08><>D<EFBFBD><44><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>(H$<24><><EFBFBD>^<5E>f<>9<EFBFBD><39>;<3B>j<>aV8<56>q<06>w<EFBFBD>e<EFBFBD>료<EFBFBD>%ۇ<>U

secrets/mailserver-acc-admin-pw.age

@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg Lt6EG5R9iQWuD/eDXM+vsablwqCn7wUBKFuNO3qcq04
+-> ssh-ed25519 mT2fyg VKndh6ieX+XzpTHBh+ov96IrqGCIQeYcKji5wt6HlXA
-07jSpN+5/CJFCaBAEVB5TYqLEnGj8Fbt6z3qIVSijqU
+LW+yUqS5KFWVTvZHAcUOBH9VS+FoFupqnzajU5nR0EI
--> ssh-ed25519 UHxfvA 8iIyIoZxJUYrvL9DFmleATVYs0TSZvPjSFqxSWYnVFs
+-> ssh-ed25519 UHxfvA p1bCzcd97Ra//YUnes9g6Q/qp07n+f+dDkaCNZiBpEc
-XDQQGlQXJqjjAqslyfJerVATPIO4vCxTPRWOcBuF7f8
+ZJ/khm5EuOZj6OyG/JNP7MeyM6SAVAfnx6GkFULHXTs
--> ssh-ed25519 Xoin5w tE8Tx9cSJH+4eJoEpG8CVf9+C1WrurERvGG0kOLatG4
+-> ssh-ed25519 EL/Tyg 9AL2BfGioplxgC+Paid3OMpTxAAZ/MqgD2cZ9JGuNzM
-YUUPvg6Ev3+7idthbcUeLeRZ+iE8yp+uirJojSt1gVg
+fY2puHpjjNbCUJpHX1DIoqcpu5pM/yxhgZxkSlJYMBw
---- FamPgM9+DjHiHQBkCmPaHe9aLLXIL3ZPCUtmtEtNOAI
+--- AnUcifoSL3SM3R+dKgldV2//mRjs6f+7t1v7xAEjUbU
-Ց<EFBFBD><EFBFBD>}<7D>_rT6<54>Uwz<77>|<7C><<3C>_<EFBFBD><0F><><EFBFBD><EFBFBD>5<><35><EFBFBD>!~<>N<EFBFBD><18>cǦi<>*<2A>E<10>M?H?<3F>QSb<53><62><EFBFBD><EFBFBD><EFBFBD>\<5C>۝<EFBFBD><DB9D>z<>K	?z<><7A>;<1C><>R<EFBFBD>Jp<4A>Ҷ<><D2B6>ɴs<C9B4>蔈<EFBFBD>y<EFBFBD><EFBFBD>
+<EFBFBD><EFBFBD>7<><37>r<EFBFBD>L6<4C>TDr<44><72><EFBFBD>/<2F>E<15><>xȩ<11>u<>cN<63>J<EFBFBD>4<EFBFBD>Y)<29>]<5D>N<EFBFBD>Թ[<5B><>q}<7D>-<2D>ʼn=;2<>hI<68>꫎He<48>_F<15><13>o<EFBFBD><EFBFBD><EFBFBD>
+<EFBFBD>}<7D><><EFBFBD>I@3<><33>)<29><>O<EFBFBD>=<08><02><04>

secrets/mailserver-acc-test-pw.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg slLOkD/9TAYOuZ/g5U4NvPWUlmYZeie12xzggioviw0
+-> ssh-ed25519 mT2fyg BHPXb0yAMGIMJoEFJFzq5YQrlj7C0IyXcIKHtEbQmiw
-E0uAj4RMgv7DTJpvtEO54G9XHNLFOgFflR54Cl6/X8g
+0ilGBqIPjzYe0l6N/PXdTWW3spJZIsIBC0B62wdutNc
--> ssh-ed25519 UHxfvA xHFujOdegur0PLNHZP+h5RxHhVD2K906NZx7nprMkUs
+-> ssh-ed25519 UHxfvA 4KodpMUl2mkRcsKY7EzoMgIeWQ0yqyW+NqQheyHd6w0
-PdDxzD5QBdE/yWPMnF+CDGROEpE4nYvg12v1G3QK9XI
+JMei4drWd0VG/qHDAlucoFtYlDAv/whTKrs23q9YX+c
--> ssh-ed25519 Xoin5w YWsO9HtEFB79+aKr6eWi5Sg5geKfzT+IrDy2L5qEmx4
+-> ssh-ed25519 EL/Tyg Ip6g9rPqiKDUlmrBO+Bfu+VAi6rx90zUBxzbKupXHXE
-sXLRmcRDyAv64nSGs8QXcHmKYO+F11Pzea1EVGmpEys
+AK9id0HQqWPzNrK3AVox4vUO4mQlI/uZY7+ez8992K4
---- Sjg8SqkkEEL4X0G1GOUoHO702ZtrM0hMniIdS7yIsDA
+--- rhCvXjaEy9bzdG5UTR6HcQvHfioEJi4H0BFjyrQopLc
-'<27>B<EFBFBD><42>(<28><>7Dϓ=<3D><>h<EFBFBD><10><>h	f<>ɮ<13>xT<78><54>!K.<2E><1D><>~س<>,<2C>ߓ<>D|<7C><>+p<><70><EFBFBD>"<22>t<EFBFBD><74>G<EFBFBD>y<EFBFBD>Q<EFBFBD><51>RcP<63>Q<EFBFBD><51>Q<><51>
+<04><>٠<EFBFBD>Jl<4A>O<EFBFBD>W<EFBFBD><57>u<EFBFBD>1<EFBFBD><31>ʀ<EFBFBD><CA80><EFBFBD>˱<EFBFBD>X<EFBFBD>d1	<09>[<15><><EFBFBD>||Bt<42>\<5C> <20>h<EFBFBD>#<23><>ѣ'<27>b<EFBFBD><62>A<EFBFBD><41>z"n1\<5C><>q0<71><30>a<EFBFBD>:Ѯ<>T<EFBFBD><54><EFBFBD>EG<45>
	b<><62>Cy<43><79>7U<37><1E>
W

secrets/mailserver-acc-zulip+admin-pw.age

@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg JsKjySZOoC/xK6HFjgBSYumrg/Ak7EBjYCqa9uszXGo
+-> ssh-ed25519 mT2fyg /YSp9eYFPJT5Vj1lkw19CfDCW8bauZ2b1BiMtdZKTnY
-daQvoxsqkxA4OClbWm4YHes5zkky8wikEKg94ceeNWw
+sJL2tL8nmh7q/8raA6Nnha2J9witk3994fxyvGcmBoA
--> ssh-ed25519 UHxfvA yDtvX6SqI9HFN3v1teeRfVicMXpS0fYLiyxe391kIHY
+-> ssh-ed25519 UHxfvA 68lyvttT185FSxrJLdAv2Qdb9/50Dn8zL5K5v7knz2A
-xpYokiMmAlFbZHuOIqxKeGXtgiB9yOvRquI8OY5mdqE
+hrT93PeA+zX+ilXUjVuNQQi3nHED/ksmY82x89gJxj0
--> ssh-ed25519 Xoin5w 9ND7dZoaaLXVu7VN3fYF6bZa23QpCr29b4DNIOSRi2Q
+-> ssh-ed25519 EL/Tyg RDA+VpzH1QetDunca2R3KyzvBs0c1Hyp/BCDSGB+DQc
-L6oOEQ8XSZZuQyfxPwgGYycMqAKfslEtFRJbBHbomoY
+o9k3z0FO/VXubhug6eeSDRwed2zvu+pbWeed6cKOun0
---- ewcxsNTgXUy+wlZ3MiSC2KYO0BowGOAn/JvvV7x3pBc
+--- 8dCuX7j1i7EiXtF6jILoMUt8RxxBXnMgDqvqp2uMSOk
-<08>V<EFBFBD>5a<35><61><EFBFBD>.<2E>B'K<><4B>7<EFBFBD><37><17>LR9h`<60><>€<EFBFBD>շ<>I<EFBFBD><18><EFBFBD>
+<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.<1E><><EFBFBD>g5<67><35>T<EFBFBD>oek'<27>nέ-7:<3A><><EFBFBD>XE<58>a<EFBFBD><61><EFBFBD><EFBFBD>pb<70>R<EFBFBD><52>dQ<1F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><<04>)n^q<>y<EFBFBD>EJ<EFBFBD>
-8c<EFBFBD>%)<29>ۣ<EFBFBD>5<EFBFBD><35><EFBFBD><1C><1E><><EFBFBD><EFBFBD>KLR<4C><52>y<EFBFBD>199Y?<3F>v<EFBFBD><1E><16><><EFBFBD>2<EFBFBD>ЖK<D096>f<02><>ԏ!<21><>{3<>)<29>,
+ˬ<EFBFBD>૳a<18>e9u<39><75><EFBFBD>*N$<24><>X<EFBFBD>V<EFBFBD><56>mg<>(Ê<>&<26>

secrets/zulip-rabbitmqPassword.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg N+K4UqHYGQTzqq5wMhEs5ijh8a8uXarYy2BpWH2GAUY
+-> ssh-ed25519 mT2fyg zafxexSagQeL9Upbgi6UCWKIWN93OIViw3U/aFn6p28
-7mWlRNsudiBCr34QMXkzwkyRZa9K6pAPLX0phQBIH1A
+jEUjCPoCuIHJ1ICP8gkHj4kWQaTAhEtoS4QDJLCQQek
--> ssh-ed25519 UHxfvA i5e8E+FMsG+n+jl5ASBYbPvnME7X58sMMAlYelZAm3A
+-> ssh-ed25519 UHxfvA UiU/MjBeFl7r0HIjMqTMSYGGa/S84ZpyEXMoyKhrMwc
-ARlV+vWRRsFVAsjdk+JgUMgp49muyGFF5g+iyzpyJQY
+sCCXk319YR7WOd2YGjl+hgi4xk+yE7eyN9Z6I1qDu40
--> ssh-ed25519 Xoin5w 0EH6bLW0DwwVi8GMjq4ZjlBak1QQ0cxh/+KK/e1rPTY
+-> ssh-ed25519 EL/Tyg 4YvWb6Ht4w6jtJZ7ROXzOLDIKjK0H5nDJSFADTcYiDg
-yIpSegzmBeJ86jApt23Kv9vZ2sVLC8dFYa9t43/x8MM
+pDaPf5o6dFfE+J6CsEG4grI1DmBGuLCPcOys5q28pHo
---- c4PhDnZ271mJc2sc7DSIRqVF503JSsZhBj2ANwcT2po
+--- rtPaK/w9Hla1apU/p3m+oORkmorylxOokUf64Le6A08
-PK<EFBFBD>F<0C><0E>!"<22><08><><EFBFBD>Mgo<67>/<2F><><EFBFBD>gF<67><46>0@<19><><EFBFBD>gA<15><>΄<EFBFBD>P<EFBFBD><50><EFBFBD>m+u<><75>Lo<4C>
+<EFBFBD>-sN<><4E>}<7D>v
+lQw<03><><EFBFBD>
++<2B><>>Ɏ<><C98E><EFBFBD>#	<09><><EFBFBD>cĻ<63>&<26><><EFBFBD>u<7F><75><14><>(F<>S*<2A><>@k'(<28><>KzƳ<7A>©P<C2A9>K