fix ssh

forgejo
fix agenix boot problem on remote?
2026-01-10 15:30:17 +01:00 · 2026-01-10 15:23:02 +01:00 · 2026-01-10 10:33:06 +01:00 · 2026-01-10 10:21:04 +01:00 · 2026-01-10 10:08:40 +01:00 · 2026-01-10 10:07:01 +01:00
17 changed files with 86 additions and 42 deletions
--- a/machines.nix
+++ b/machines.nix
@@ -36,6 +36,7 @@
    modules = [
      # impermanence
      ./modules/nixos/impermanence.nix
+      ./modules/nixos/impermanence-ssh.nix

      # hardware configuration
      # verbatim as `nixos-generate-config` AND `system.stateVersion`
@@ -53,23 +54,25 @@

      # ssh through port 5522 among other things
      # andromeda@lenovo is the only user allowed access
-      # ./modules/nixos/networking/hard-ssh.nix
-      #./modules/nixos/networking/ssh-as-root.nix
-      ({config, ...}: {
-        services.openssh.enable = true;
-        users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];
-      })
+      ./modules/nixos/networking/hard-ssh.nix
+      ./modules/nixos/networking/ssh-as-root.nix
+      ({config, ...}: {users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];})

      # TODO add Impermanence to the following services

      # simple-nixos-mailserver email server
      # mail.domain
-      # ./modules/nixos/mailserver.nix
+      ./modules/nixos/mailserver.nix

      # roundcube webmail client
      # webmail.domain
-      # ./modules/nixos/roundcube.nix
+      ./modules/nixos/roundcube.nix

+      # forgejo
+      # git.domain
+      ./modules/nixos/forgejo.nix
+
+      # BROKEN
      # zulip chat client
      # chat.domain
      # zulip chat server
--- a/modules/nixos/boot/109-199-104-83.nix
+++ b/modules/nixos/boot/109-199-104-83.nix
@@ -3,4 +3,7 @@
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+  ];
 }
--- a/modules/nixos/forgejo.nix
+++ b/modules/nixos/forgejo.nix
@@ -0,0 +1,27 @@
+{config, ...}: {
+  services.nginx = {
+    virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M
+      '';
+      locations."/".proxyPass = "https://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+    };
+  };
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      server = rec {
+        DOMAIN = "git.galaxious.de";
+        ROOT_URL = "https://${DOMAIN}";
+        HTTP_PORT = 4043;
+        SSH_PORT = 4022;
+      };
+      service.DISABLE_REGISTRATION = false;
+    };
+  };
+  services.openssh.ports = [config.services.forgejo.settings.server.SSH_PORT];
+}
--- a/modules/nixos/mailserver.nix
+++ b/modules/nixos/mailserver.nix
@@ -28,4 +28,12 @@
    acceptTerms = true;
    defaults.email = "mtgmonket@gmail.com";
  };
+  environment.persistence."/persist" = {
+    directories = [
+      "/var/dkim"
+      "/var/vmail"
+      "/var/lib/redis-rspamd"
+      "/var/lib/acme"
+    ];
+  };
 }
--- a/modules/nixos/roundcube.nix
+++ b/modules/nixos/roundcube.nix
@@ -9,4 +9,8 @@
      $config['smtp_pass'] = "%p";
    '';
  };
+  environment.persistence."/persist".directories = [
+    "/var/lib/roundcube"
+    "/var/lib/postgresql"
+  ];
 }
--- a/pub-keys.nix
+++ b/pub-keys.nix
@@ -16,7 +16,7 @@
    ssh = {
      andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
      lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
-      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJe5ol56yC23fivSEKeK4HZQm934ROX46AM7o0aE2hMq root@vmi2998419";
+      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFD4kO9MhIHUiwYvX3VoFmDDTfWGesimrxUwFTmxTZ0D root@109-199-104-83";
    };
  };
 }
--- a/secrets/andromeda-pw.age
+++ b/secrets/andromeda-pw.age
--- a/secrets/mailserver-acc-admin-pw.age
+++ b/secrets/mailserver-acc-admin-pw.age
@@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg Lt6EG5R9iQWuD/eDXM+vsablwqCn7wUBKFuNO3qcq04
-07jSpN+5/CJFCaBAEVB5TYqLEnGj8Fbt6z3qIVSijqU
-> ssh-ed25519 UHxfvA 8iIyIoZxJUYrvL9DFmleATVYs0TSZvPjSFqxSWYnVFs
-XDQQGlQXJqjjAqslyfJerVATPIO4vCxTPRWOcBuF7f8
-> ssh-ed25519 Xoin5w tE8Tx9cSJH+4eJoEpG8CVf9+C1WrurERvGG0kOLatG4
-YUUPvg6Ev3+7idthbcUeLeRZ+iE8yp+uirJojSt1gVg
--- FamPgM9+DjHiHQBkCmPaHe9aLLXIL3ZPCUtmtEtNOAI
-Õ‘žâ}ƒ_rT6ÖUwzù|–<ÿ_Ñø®¬×5 ®û!~‹N<E280B9>ácÇ¦i<>*þE<10>M?H?›QSbùàÀòâ\ŠÛ<C5A0>‰ÑzèK	?zŒÕ;¦×R¶JpËÒ¶í‡É´sóè”ˆœy›Ä
+-> ssh-ed25519 mT2fyg buCWpIVMGywNNngFQANXWWwzPCefsKayl1UHS3AY0Wc
+DHaaAaFg7CA09npMxqdMPtGb/0IviAZyFYXD5ALsdgk
+-> ssh-ed25519 UHxfvA 9YSvbT4oL7BjoFHVqO0rZgqmPl+bKX7peEYRdptAO3E
+OFyyFmYIXYyRVoVWYrQgjZ0mz66Cr1nwVeriAGAqsPo
+-> ssh-ed25519 ZES6hg DKddux+yxF4N1dXATOT4hhZXIs1+ajE4yvzNR0ZUQlI
+0e23BqxD/LrfMdbJPHuDfVnSbcnvEUHYDSlX60k/BoQ
+--- yRcytWZZF7qHGvO5Na0fjMFzeDUdaVRgpLomcN0bKsE
+éìë%-ñkf32]<5D>á÷jÆIÓi'è^]‰ÀÒ•gF§V²rÔjªú€&<26>ÈBI5P¸¿ß1ôËFà[<5B>àÞBGÉ•<>l¾j%ª*äÏp{§ÒÌpÄ6×r	^ýùp°v¿ž
--- a/secrets/mailserver-acc-test-pw.age
+++ b/secrets/mailserver-acc-test-pw.age
@@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg slLOkD/9TAYOuZ/g5U4NvPWUlmYZeie12xzggioviw0
-E0uAj4RMgv7DTJpvtEO54G9XHNLFOgFflR54Cl6/X8g
-> ssh-ed25519 UHxfvA xHFujOdegur0PLNHZP+h5RxHhVD2K906NZx7nprMkUs
-PdDxzD5QBdE/yWPMnF+CDGROEpE4nYvg12v1G3QK9XI
-> ssh-ed25519 Xoin5w YWsO9HtEFB79+aKr6eWi5Sg5geKfzT+IrDy2L5qEmx4
-sXLRmcRDyAv64nSGs8QXcHmKYO+F11Pzea1EVGmpEys
--- Sjg8SqkkEEL4X0G1GOUoHO702ZtrM0hMniIdS7yIsDA
-'ÏBâÉ(<28>–7DÏ“=ù³h•áÊh	fëÉ®×xT Ž!K.»‰‚~Ø³ò,…ß“<C39F>D|éä+pû<70>ü"Òt‚ÝG¢yñQ¬ÏRcPÁQüúQßÐ
+-> ssh-ed25519 mT2fyg xKR9bPGrd4bpdJEiP2n51SrEsG7ylsS5/ewD9WBr2WM
+WMyKGvjzZlNRsujnuFU1oklcd+IZD4gv1C7/5reMnLY
+-> ssh-ed25519 UHxfvA IWgm1Vn8nQEan2i9shbX8tSez/uIXTHDEO5eGXhLrSo
+e5uHHcdHru0zfhByA15AvOjhgoMqte/oaI1zkoUjjgg
+-> ssh-ed25519 ZES6hg sy+1upJggjItuGBgOZmXQwmF7joSAw8JSzH90UYIIng
+GS9GAZMT3hc+IfbUUquFaTM7Q57LSzxEUS95CjqB1Yg
+--- 4pW1Y7aE72Adf8Ru9YSB35gaTA0eoamnpyFlRLkBS3M
+4V8 bÕZ<C395>@åäñD6ÃeE;ÊûPåa)ø	CãPôÐ‰ÒòÑ?ñBUQºV#uµÒšhgdö‘Æü~Nmˆä&J¼ ‡Ñ€ü^SHÜ{<7B>M¶RF·ÁTxˆ¡gÂÎ®ÿy,ÈÍ£¿O
--- a/secrets/mailserver-acc-zulip+admin-pw.age
+++ b/secrets/mailserver-acc-zulip+admin-pw.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg JsKjySZOoC/xK6HFjgBSYumrg/Ak7EBjYCqa9uszXGo
-daQvoxsqkxA4OClbWm4YHes5zkky8wikEKg94ceeNWw
-> ssh-ed25519 UHxfvA yDtvX6SqI9HFN3v1teeRfVicMXpS0fYLiyxe391kIHY
-xpYokiMmAlFbZHuOIqxKeGXtgiB9yOvRquI8OY5mdqE
-> ssh-ed25519 Xoin5w 9ND7dZoaaLXVu7VN3fYF6bZa23QpCr29b4DNIOSRi2Q
-L6oOEQ8XSZZuQyfxPwgGYycMqAKfslEtFRJbBHbomoY
--- ewcxsNTgXUy+wlZ3MiSC2KYO0BowGOAn/JvvV7x3pBc
-ýVÖ5aƒ›Ð.°B'Kì¸7¹ì²LR9h`™<>Â€ƒÕ·<C395>Iúéª
-8cˆ%)ÅÛ£Ö5³‡<C2B3>ä¾ä©ÕKLR¢˜yÞ199Y?©v’Û’¼‘2<E28098>Ð–KûfãºÔ<C2BA>!€©{3‚)æ,
+-> ssh-ed25519 mT2fyg FckDPvAO+2LoXSeSdk98iOtLYddEJMdCuzUWHOuRn3Y
+gDxYp3LbyHuRIJRRr8Ax1nEbZvyzOFRYD22JuAZm91k
+-> ssh-ed25519 UHxfvA Cbu32dAgNSi6rHk9sfmPkSB1TGDZipxlXO+G5mz9SQA
+oU67uMNnAnrmFaC+IRuFykN05R3zfd1gvwKgt+BjA20
+-> ssh-ed25519 ZES6hg zovj1v3RgqL7ZzWvi9E4NN5ugdyNLXweC4z/F6544lI
+MnV7cWUcPxvckPbbwi+DsFokWPCuw83pWu1Zz4pHftQ
+--- zSHop8M98qVi6eCboZWh6j7zZCRNVQyJK3y+751Nd90
+ÚÅKÉt§w¢1èž„ŒŒ3Ü“Îlúøç1SÌ¾Ý>P²«2šˆ#ˆÖî²EpK³<>E¾{Yô³J–¢^¨Ôz¼›¯V)@€V^¹¡Çð¥ùp·<70>Øå±ŽÀŽì-(PèO<C3A8>HÁ$hÿ
--- a/secrets/mtgmonkey-pw.age
+++ b/secrets/mtgmonkey-pw.age
--- a/secrets/zulip-avatarSaltKey.age
+++ b/secrets/zulip-avatarSaltKey.age
--- a/secrets/zulip-camoKey.age
+++ b/secrets/zulip-camoKey.age
--- a/secrets/zulip-extraSecrets-email_password.age
+++ b/secrets/zulip-extraSecrets-email_password.age
--- a/secrets/zulip-rabbitmqPassword.age
+++ b/secrets/zulip-rabbitmqPassword.age
@@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 mT2fyg N+K4UqHYGQTzqq5wMhEs5ijh8a8uXarYy2BpWH2GAUY
-7mWlRNsudiBCr34QMXkzwkyRZa9K6pAPLX0phQBIH1A
-> ssh-ed25519 UHxfvA i5e8E+FMsG+n+jl5ASBYbPvnME7X58sMMAlYelZAm3A
-ARlV+vWRRsFVAsjdk+JgUMgp49muyGFF5g+iyzpyJQY
-> ssh-ed25519 Xoin5w 0EH6bLW0DwwVi8GMjq4ZjlBak1QQ0cxh/+KK/e1rPTY
-yIpSegzmBeJ86jApt23Kv9vZ2sVLC8dFYa9t43/x8MM
--- c4PhDnZ271mJc2sc7DSIRqVF503JSsZhBj2ANwcT2po
-PKŽFª†!"¤š<>“Mgoí/¶úÁgF®Š0@‚ì‡gA³ŸÎ„åP¶úæm+u‘éLoŠ
+-> ssh-ed25519 mT2fyg ql8WbEb0upNb8vi67sdsCHoU4AqGyUnDDv8uTJowTnc
+miQpsxN7uJAgvbzDV92zNE+iYJlfCzhiUSR6YlYv6Bc
+-> ssh-ed25519 UHxfvA c0B/trTLxmBtHjC/XXvdLVxG8ipAuy/SPtR3RJKK5wQ
+EbeCJJAlNZJD28V0if2hNfKrx+b5L3ry3neO9bCiEVs
+-> ssh-ed25519 ZES6hg a+efiHUVOHQOSH4xbAO4QL0OfKxbGtrpLAA/+/9xkGY
+rG7U16hCSG/i3O6hhzqgWezJfHKntfvB7CpTTaz3818
+--- +UoSwrL5gRW146WmG0fN6MbcFDnOw4LXka49DM0G8iQ
+þ,¿:ø–žJÊã‘h#Ù˜Í~y2ÁlÇoƒû²ˆ]½w×'jÞ«<C39E>nßÊ,=k7î_ÒÚÁo…I¶,{eõ²uOËµ3œ÷ÐÆ
--- a/secrets/zulip-secretKey.age
+++ b/secrets/zulip-secretKey.age
--- a/secrets/zulip-sharedSecretKey.age
+++ b/secrets/zulip-sharedSecretKey.age
Author	SHA1	Message	Date
andromeda	45f5249165	fix ssh	2026-01-10 15:30:17 +01:00
andromeda	90dd0582b0	forgejo	2026-01-10 15:23:02 +01:00
andromeda	0781c8428d	fix agenix boot problem on remote?	2026-01-10 10:33:06 +01:00
andromeda	2d1048b00f	add roundcube persist	2026-01-10 10:21:04 +01:00
andromeda	58f011079c	rekey	2026-01-10 10:08:40 +01:00
andromeda	d32f99baf5	persist acme, update public key	2026-01-10 10:07:01 +01:00
andromeda	13141933b4	enable roundcube, backup mailserver	2026-01-10 10:01:38 +01:00
andromeda	a57edbf3fd	enable mailserver	2026-01-10 09:48:42 +01:00
andromeda	bf22a9de21	add /etc/ssh persist to remote	2026-01-10 09:02:24 +01:00