fix ssh

machines.nix

@@ -36,6 +36,7 @@
     modules = [
       # impermanence
       ./modules/nixos/impermanence.nix
+      ./modules/nixos/impermanence-ssh.nix
 
       # hardware configuration
       # verbatim as `nixos-generate-config` AND `system.stateVersion`
@@ -53,23 +54,25 @@
 
       # ssh through port 5522 among other things
       # andromeda@lenovo is the only user allowed access
-      # ./modules/nixos/networking/hard-ssh.nix
+      ./modules/nixos/networking/hard-ssh.nix
-      #./modules/nixos/networking/ssh-as-root.nix
+      ./modules/nixos/networking/ssh-as-root.nix
-      ({config, ...}: {
+      ({config, ...}: {users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];})
-        services.openssh.enable = true;
-        users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];
-      })
 
       # TODO add Impermanence to the following services
 
       # simple-nixos-mailserver email server
       # mail.domain
-      # ./modules/nixos/mailserver.nix
+      ./modules/nixos/mailserver.nix
 
       # roundcube webmail client
       # webmail.domain
-      # ./modules/nixos/roundcube.nix
+      ./modules/nixos/roundcube.nix
 
+      # forgejo
+      # git.domain
+      ./modules/nixos/forgejo.nix
+
+      # BROKEN
       # zulip chat client
       # chat.domain
       # zulip chat server

modules/nixos/boot/109-199-104-83.nix

@@ -3,4 +3,7 @@
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+  ];
 }

modules/nixos/forgejo.nix

@@ -0,0 +1,27 @@
+{config, ...}: {
+  services.nginx = {
+    virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M
+      '';
+      locations."/".proxyPass = "https://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+    };
+  };
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      server = rec {
+        DOMAIN = "git.galaxious.de";
+        ROOT_URL = "https://${DOMAIN}";
+        HTTP_PORT = 4043;
+        SSH_PORT = 4022;
+      };
+      service.DISABLE_REGISTRATION = false;
+    };
+  };
+  services.openssh.ports = [config.services.forgejo.settings.server.SSH_PORT];
+}

modules/nixos/mailserver.nix

@@ -28,4 +28,12 @@
     acceptTerms = true;
     defaults.email = "mtgmonket@gmail.com";
   };
+  environment.persistence."/persist" = {
+    directories = [
+      "/var/dkim"
+      "/var/vmail"
+      "/var/lib/redis-rspamd"
+      "/var/lib/acme"
+    ];
+  };
 }

modules/nixos/roundcube.nix

@@ -9,4 +9,8 @@
       $config['smtp_pass'] = "%p";
     '';
   };
+  environment.persistence."/persist".directories = [
+    "/var/lib/roundcube"
+    "/var/lib/postgresql"
+  ];
 }

pub-keys.nix

@@ -16,7 +16,7 @@
     ssh = {
       andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
       lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
-      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJe5ol56yC23fivSEKeK4HZQm934ROX46AM7o0aE2hMq root@vmi2998419";
+      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFD4kO9MhIHUiwYvX3VoFmDDTfWGesimrxUwFTmxTZ0D root@109-199-104-83";
     };
   };
 }

secrets/mailserver-acc-admin-pw.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg Lt6EG5R9iQWuD/eDXM+vsablwqCn7wUBKFuNO3qcq04
+-> ssh-ed25519 mT2fyg buCWpIVMGywNNngFQANXWWwzPCefsKayl1UHS3AY0Wc
-07jSpN+5/CJFCaBAEVB5TYqLEnGj8Fbt6z3qIVSijqU
+DHaaAaFg7CA09npMxqdMPtGb/0IviAZyFYXD5ALsdgk
--> ssh-ed25519 UHxfvA 8iIyIoZxJUYrvL9DFmleATVYs0TSZvPjSFqxSWYnVFs
+-> ssh-ed25519 UHxfvA 9YSvbT4oL7BjoFHVqO0rZgqmPl+bKX7peEYRdptAO3E
-XDQQGlQXJqjjAqslyfJerVATPIO4vCxTPRWOcBuF7f8
+OFyyFmYIXYyRVoVWYrQgjZ0mz66Cr1nwVeriAGAqsPo
--> ssh-ed25519 Xoin5w tE8Tx9cSJH+4eJoEpG8CVf9+C1WrurERvGG0kOLatG4
+-> ssh-ed25519 ZES6hg DKddux+yxF4N1dXATOT4hhZXIs1+ajE4yvzNR0ZUQlI
-YUUPvg6Ev3+7idthbcUeLeRZ+iE8yp+uirJojSt1gVg
+0e23BqxD/LrfMdbJPHuDfVnSbcnvEUHYDSlX60k/BoQ
---- FamPgM9+DjHiHQBkCmPaHe9aLLXIL3ZPCUtmtEtNOAI
+--- yRcytWZZF7qHGvO5Na0fjMFzeDUdaVRgpLomcN0bKsE
-Ց<EFBFBD><EFBFBD>}<7D>_rT6<54>Uwz<77>|<7C><<3C>_<EFBFBD><0F><><EFBFBD><EFBFBD>5<><35><EFBFBD>!~<>N<EFBFBD><18>cǦi<>*<2A>E<10>M?H?<3F>QSb<53><62><EFBFBD><EFBFBD><EFBFBD>\<5C>۝<EFBFBD><DB9D>z<>K	?z<><7A>;<1C><>R<EFBFBD>Jp<4A>Ҷ<><D2B6>ɴs<C9B4>蔈<EFBFBD>y<EFBFBD><EFBFBD>
+<EFBFBD><EFBFBD><EFBFBD>%-<2D>kf32]<5D><><EFBFBD>j<0C>I<EFBFBD>i'<04>^]<5D><07><><EFBFBD><10>gF<67>V<EFBFBD>r<>j<19><03><>&<26><>BI5P<><50><EFBFBD>1<EFBFBD><31>F<EFBFBD>[<5B><><EFBFBD>BG<42><16><>l<EFBFBD>j%<25>*<2A><0F>p{<7B><><02>p<EFBFBD>6<17>r	^<5E><>p<EFBFBD>v<EFBFBD><EFBFBD>

secrets/mailserver-acc-test-pw.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg slLOkD/9TAYOuZ/g5U4NvPWUlmYZeie12xzggioviw0
+-> ssh-ed25519 mT2fyg xKR9bPGrd4bpdJEiP2n51SrEsG7ylsS5/ewD9WBr2WM
-E0uAj4RMgv7DTJpvtEO54G9XHNLFOgFflR54Cl6/X8g
+WMyKGvjzZlNRsujnuFU1oklcd+IZD4gv1C7/5reMnLY
--> ssh-ed25519 UHxfvA xHFujOdegur0PLNHZP+h5RxHhVD2K906NZx7nprMkUs
+-> ssh-ed25519 UHxfvA IWgm1Vn8nQEan2i9shbX8tSez/uIXTHDEO5eGXhLrSo
-PdDxzD5QBdE/yWPMnF+CDGROEpE4nYvg12v1G3QK9XI
+e5uHHcdHru0zfhByA15AvOjhgoMqte/oaI1zkoUjjgg
--> ssh-ed25519 Xoin5w YWsO9HtEFB79+aKr6eWi5Sg5geKfzT+IrDy2L5qEmx4
+-> ssh-ed25519 ZES6hg sy+1upJggjItuGBgOZmXQwmF7joSAw8JSzH90UYIIng
-sXLRmcRDyAv64nSGs8QXcHmKYO+F11Pzea1EVGmpEys
+GS9GAZMT3hc+IfbUUquFaTM7Q57LSzxEUS95CjqB1Yg
---- Sjg8SqkkEEL4X0G1GOUoHO702ZtrM0hMniIdS7yIsDA
+--- 4pW1Y7aE72Adf8Ru9YSB35gaTA0eoamnpyFlRLkBS3M
-'<27>B<EFBFBD><42>(<28><>7Dϓ=<3D><>h<EFBFBD><10><>h	f<>ɮ<13>xT<78><54>!K.<2E><1D><>~س<>,<2C>ߓ<>D|<7C><>+p<><70><EFBFBD>"<22>t<EFBFBD><74>G<EFBFBD>y<EFBFBD>Q<EFBFBD><51>RcP<63>Q<EFBFBD><51>Q<><51>
+4V8 b<>Z<EFBFBD>@<0C><><EFBFBD>D6<44>eE;<3B><>P<EFBFBD>a)<29>	C<>P<>Љ<EFBFBD><EFBFBD><7F>?<3F>BUQ<55>V#u<><75><0E>hgd<67><64><EFBFBD><EFBFBD>~Nm<4E><6D>&J<><4A><EFBFBD><EFBFBD><12><>^SH<>{<7B>M<EFBFBD>RF<52><46>Tx<54><78>g<EFBFBD>ή<EFBFBD>y,<2C>ͣ<EFBFBD>O

secrets/mailserver-acc-zulip+admin-pw.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg JsKjySZOoC/xK6HFjgBSYumrg/Ak7EBjYCqa9uszXGo
+-> ssh-ed25519 mT2fyg FckDPvAO+2LoXSeSdk98iOtLYddEJMdCuzUWHOuRn3Y
-daQvoxsqkxA4OClbWm4YHes5zkky8wikEKg94ceeNWw
+gDxYp3LbyHuRIJRRr8Ax1nEbZvyzOFRYD22JuAZm91k
--> ssh-ed25519 UHxfvA yDtvX6SqI9HFN3v1teeRfVicMXpS0fYLiyxe391kIHY
+-> ssh-ed25519 UHxfvA Cbu32dAgNSi6rHk9sfmPkSB1TGDZipxlXO+G5mz9SQA
-xpYokiMmAlFbZHuOIqxKeGXtgiB9yOvRquI8OY5mdqE
+oU67uMNnAnrmFaC+IRuFykN05R3zfd1gvwKgt+BjA20
--> ssh-ed25519 Xoin5w 9ND7dZoaaLXVu7VN3fYF6bZa23QpCr29b4DNIOSRi2Q
+-> ssh-ed25519 ZES6hg zovj1v3RgqL7ZzWvi9E4NN5ugdyNLXweC4z/F6544lI
-L6oOEQ8XSZZuQyfxPwgGYycMqAKfslEtFRJbBHbomoY
+MnV7cWUcPxvckPbbwi+DsFokWPCuw83pWu1Zz4pHftQ
---- ewcxsNTgXUy+wlZ3MiSC2KYO0BowGOAn/JvvV7x3pBc
+--- zSHop8M98qVi6eCboZWh6j7zZCRNVQyJK3y+751Nd90
-<08>V<EFBFBD>5a<35><61><EFBFBD>.<2E>B'K<><4B>7<EFBFBD><37><17>LR9h`<60><>€<EFBFBD>շ<>I<EFBFBD><18><EFBFBD>
+<EFBFBD><02>K<EFBFBD>t<EFBFBD>w<EFBFBD>1<EFBFBD>
<01><><EFBFBD><EFBFBD>3<0B><19><>l<EFBFBD><6C><EFBFBD>1S̾<53>>P<16><>2<EFBFBD><32>#<23><><EFBFBD><0B>EpK<08><>E<EFBFBD>{Y<><59>J<EFBFBD><06>^<5E><>z<EFBFBD><1F><>V)@<0F>V^<5E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><12><><EFBFBD><EFBFBD><EFBFBD>-(P<>O<EFBFBD>H<EFBFBD>$h<EFBFBD>
-8c<EFBFBD>%)<29>ۣ<EFBFBD>5<EFBFBD><35><EFBFBD><1C><1E><><EFBFBD><EFBFBD>KLR<4C><52>y<EFBFBD>199Y?<3F>v<EFBFBD><1E><16><><EFBFBD>2<EFBFBD>ЖK<D096>f<02><>ԏ!<21><>{3<>)<29>,

secrets/zulip-rabbitmqPassword.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg N+K4UqHYGQTzqq5wMhEs5ijh8a8uXarYy2BpWH2GAUY
+-> ssh-ed25519 mT2fyg ql8WbEb0upNb8vi67sdsCHoU4AqGyUnDDv8uTJowTnc
-7mWlRNsudiBCr34QMXkzwkyRZa9K6pAPLX0phQBIH1A
+miQpsxN7uJAgvbzDV92zNE+iYJlfCzhiUSR6YlYv6Bc
--> ssh-ed25519 UHxfvA i5e8E+FMsG+n+jl5ASBYbPvnME7X58sMMAlYelZAm3A
+-> ssh-ed25519 UHxfvA c0B/trTLxmBtHjC/XXvdLVxG8ipAuy/SPtR3RJKK5wQ
-ARlV+vWRRsFVAsjdk+JgUMgp49muyGFF5g+iyzpyJQY
+EbeCJJAlNZJD28V0if2hNfKrx+b5L3ry3neO9bCiEVs
--> ssh-ed25519 Xoin5w 0EH6bLW0DwwVi8GMjq4ZjlBak1QQ0cxh/+KK/e1rPTY
+-> ssh-ed25519 ZES6hg a+efiHUVOHQOSH4xbAO4QL0OfKxbGtrpLAA/+/9xkGY
-yIpSegzmBeJ86jApt23Kv9vZ2sVLC8dFYa9t43/x8MM
+rG7U16hCSG/i3O6hhzqgWezJfHKntfvB7CpTTaz3818
---- c4PhDnZ271mJc2sc7DSIRqVF503JSsZhBj2ANwcT2po
+--- +UoSwrL5gRW146WmG0fN6MbcFDnOw4LXka49DM0G8iQ
-PK<EFBFBD>F<0C><0E>!"<22><08><><EFBFBD>Mgo<EFBFBD>/<EFBFBD><EFBFBD><EFBFBD>gF<EFBFBD><EFBFBD>0@<19><><EFBFBD>gA<15><>΄<EFBFBD>P<EFBFBD><50><EFBFBD>m+u<><75>Lo<EFBFBD>
+<EFBFBD>,<2C>:<3A><><EFBFBD>J<EFBFBD><4A><EFBFBD>h#٘<>~y2<79>l<EFBFBD>o<EFBFBD><EFBFBD><EFBFBD><EFBFBD>]<17>w<>'jޫ<6A>n<EFBFBD><6E>,=k7<16>_<EFBFBD><5F><EFBFBD>o<1D>I<EFBFBD>,{e<><1B>uO˵
3<><33><EFBFBD><EFBFBD>