From cb5e68ef16c3f416770c45786ff777fa487c8979 Mon Sep 17 00:00:00 2001 From: kalipso Date: Mon, 26 Jan 2026 14:05:12 +0100 Subject: [PATCH 01/41] [dns] init --- flake.lock | 39 +++++++++++++++++++++++++++++- flake.nix | 5 ++++ machines/hosts.nix | 36 ++++++++++++++++++++++++--- machines/modules/malobeo/zones.nix | 39 ++++++++++++++++++++++++++++++ machines/ns1/configuration.nix | 34 ++++++++++++++++++++++++++ 5 files changed, 148 insertions(+), 5 deletions(-) create mode 100644 machines/modules/malobeo/zones.nix create mode 100644 machines/ns1/configuration.nix diff --git a/flake.lock b/flake.lock index 47faa6b..a2b47a2 100644 --- a/flake.lock +++ b/flake.lock @@ -21,6 +21,27 @@ "type": "github" } }, + "dns": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1768143854, + "narHash": "sha256-E5/kyPz4zAZn/lZdvqlF83jMgCWNxmqYjjWuadngCbk=", + "owner": "kirelagin", + "repo": "dns.nix", + "rev": "a97cf4156e9f044fe4bed5be531061000dfabb07", + "type": "github" + }, + "original": { + "owner": "kirelagin", + "repo": "dns.nix", + "type": "github" + } + }, "ep3-bs": { "inputs": { "nixpkgs": [ @@ -43,6 +64,21 @@ } }, "flake-utils": { + "locked": { + "lastModified": 1614513358, + "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "inputs": { "systems": "systems_3" }, @@ -102,7 +138,7 @@ }, "microvm": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], @@ -225,6 +261,7 @@ "root": { "inputs": { "disko": "disko", + "dns": "dns", "ep3-bs": "ep3-bs", "home-manager": "home-manager", "mfsync": "mfsync", diff --git a/flake.nix b/flake.nix index 90300a6..decbc2c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,6 +13,11 @@ disko.url = "github:nix-community/disko/latest"; disko.inputs.nixpkgs.follows = "nixpkgs"; + dns = { + url = "github:kirelagin/dns.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + utils = { url = "github:numtide/flake-utils"; }; diff --git a/machines/hosts.nix b/machines/hosts.nix index 41dee83..4130a61 100644 --- a/machines/hosts.nix +++ b/machines/hosts.nix @@ -1,27 +1,53 @@ { ... }: { + #TODO: fix local 192.168.1.0/24 addresses they are just palceholders! malobeo = { hosts = { louise = { type = "host"; + network = { + local = true; + address = "192.168.1.11"; + }; }; bakunin = { type = "host"; + network = { + local = true; + address = "192.168.1.12"; + }; }; fanny = { type = "host"; + network = { + local = true; + address = "192.168.1.13"; + }; + }; + + ns1 = { + type = "host"; + network = { + local = true; + address = "192.168.1.14"; + }; }; lucia = { type = "rpi"; + network = { + local = true; + address = "192.168.1.15"; + }; }; durruti = { type = "microvm"; network = { + local = true; address = "10.0.0.5"; mac = "52:DA:0D:F9:EF:F9"; }; @@ -30,6 +56,7 @@ vpn = { type = "microvm"; network = { + local = true; address = "10.0.0.10"; mac = "D0:E5:CA:F0:D7:E6"; }; @@ -38,6 +65,7 @@ infradocs = { type = "microvm"; network = { + local = true; address = "10.0.0.11"; mac = "D0:E5:CA:F0:D7:E7"; }; @@ -46,6 +74,7 @@ uptimekuma = { type = "microvm"; network = { + local = true; address = "10.0.0.12"; mac = "D0:E5:CA:F0:D7:E8"; }; @@ -54,6 +83,7 @@ nextcloud = { type = "microvm"; network = { + local = true; address = "10.0.0.13"; mac = "D0:E5:CA:F0:D7:E9"; }; @@ -62,6 +92,7 @@ overwatch = { type = "microvm"; network = { + local = true; address = "10.0.0.14"; mac = "D0:E5:CA:F0:D7:E0"; }; @@ -70,14 +101,11 @@ zineshop = { type = "microvm"; network = { + local = true; address = "10.0.0.15"; mac = "D0:E5:CA:F0:D7:F1"; }; }; - - testvm = { - type = "host"; - }; }; }; } 
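Review bot: The `local = true` flag and the placeholder `192.168.1.x` addresses added to every host in `hosts.nix` are consumed by `zones.nix` in this same patch, so the values the `#TODO` comment calls placeholders become authoritative `hq.malobeo.org` A records as soon as ns1 is deployed. Either fix the addresses before this lands or leave `local` unset until a host's address is real, so the zone generator skips it. The `10.0.0.x` microvms are also marked `local = true` although they sit on a different subnet than the `192.168.1.0/24` hosts, which makes the flag meaningless until a later patch gives it a network semantics; a comment on what `local` means would help, e.g. `# local: host sits on the HQ LAN and gets a hq.malobeo.org record`. Minor: `palceholders` → `placeholders` in the TODO.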
diff --git a/machines/modules/malobeo/zones.nix b/machines/modules/malobeo/zones.nix new file mode 100644 index 0000000..1affbdc --- /dev/null +++ b/machines/modules/malobeo/zones.nix @@ -0,0 +1,39 @@ +{ inputs }: + +let + vpnNS = "vpn"; + localNS = "hq"; + peers = import ./peers.nix; + hosts = ((import ../../hosts.nix ) {}).malobeo.hosts; + +in +{ + SOA = { + nameServer = "ns1"; + adminEmail = "admin@malobeo.org"; + serial = 2019030800; + }; + useOrigin = false; + + NS = [ + "ns1.malobeo.org." + ]; + + A = [ "23.23.23.23" ]; #TODO: update + AAAA = [ "4321:0:1:2:3:4:567:89ab" ]; #TODO: update + + subdomains = { + ${localNS} = { + subdomains = builtins.mapAttrs (name: value: if value.network.local == true then { + A = [ value.network.address ]; + } else {}) hosts; + }; + + ${vpnNS} = { + A = [ peers.vpn.address ]; + subdomains = builtins.mapAttrs (name: value: if value.role != "server" then { + A = [ value.address ]; + } else {}) peers; + }; + }; +} diff --git a/machines/ns1/configuration.nix b/machines/ns1/configuration.nix new file mode 100644 index 0000000..f64d578 --- /dev/null +++ b/machines/ns1/configuration.nix @@ -0,0 +1,34 @@ +{ config, self, lib, inputs, pkgs, ... }: + +with lib; +with inputs; + +let + dns = inputs.dns; +in +{ + networking = { + hostName = mkDefault "ns1"; + useDHCP = false; + }; + + imports = [ + ../modules/malobeo_user.nix + ../modules/sshd.nix + ../modules/minimal_tools.nix + ../modules/autoupdate.nix + ]; + + services.bind = { + enable = true; + zones = { + "malobeo.org" = { + master = true; + file = pkgs.writeText "zone-malobeo.org" (dns.lib.toString "malobeo.org" (import ../modules/malobeo/zones.nix { inherit inputs; })); + }; + }; + }; + + system.stateVersion = "22.11"; # Did you read the comment? +} + From eb1ec22605e10a1b9a1827a390e2b65e7336f2e1 Mon Sep 17 00:00:00 2001 
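Review bot: Serving `malobeo.org` itself as a master zone means every name under the public domain that is not listed here — the zone only defines `ns1`, `hq.*` and `vpn.*` — answers NXDOMAIN to any client using ns1 as its resolver, because BIND does not forward queries for a zone it is authoritative for; public names proxied elsewhere in this repo (`keys.`, `grafana.`, `status.`, `docs.malobeo.org` appear in later patches) would stop resolving on the LAN. Make ns1 authoritative only for the internal subtrees (`hq.malobeo.org` and `vpn.malobeo.org`) so everything else goes to the forwarders, or mirror the public records into this zone. The zone also publishes RFC1918 and VPN peer addresses, which is fine for an internal-only server but leaks the topology if `ns1.malobeo.org.` is ever delegated publicly, so state the intent at the top: `# internal-only zone: must never be delegated from the public malobeo.org`. The hand-maintained `serial` has to be bumped on every change and will be forgotten; derive it from a date constant next to the record set or from the flake's `lastModifiedDate`.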
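Review bot: `with lib; with inputs;` in `ns1/configuration.nix` puts every flake input into unqualified scope although `dns` is already bound explicitly in the `let` and nothing else from `inputs` is used; drop `with inputs;` and write `lib.mkDefault` instead of `with lib;`. `system.stateVersion = "22.11"` on a host first created in this commit pins years-old stateful defaults; set it to the release ns1 is first deployed with. No query or transfer restriction is set on the `malobeo.org` zone; the NixOS bind module derives `allow-transfer` from the zone's `slaves` option, which is empty here, but that is worth confirming in the generated named.conf, and a `# no secondaries: transfers stay closed` comment records the expectation.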
From: kalipso Date: Mon, 26 Jan 2026 14:10:49 +0100 Subject: [PATCH 02/41] [hosts] dont configure network on offsite hosts --- machines/hosts.nix | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/machines/hosts.nix b/machines/hosts.nix index 4130a61..0f51c2d 100644 --- a/machines/hosts.nix +++ b/machines/hosts.nix @@ -30,10 +30,7 @@ ns1 = { type = "host"; - network = { - local = true; - address = "192.168.1.14"; - }; + network.local = false; }; lucia = { @@ -55,11 +52,7 @@ vpn = { type = "microvm"; - network = { - local = true; - address = "10.0.0.10"; - mac = "D0:E5:CA:F0:D7:E6"; - }; + network.local = false; }; infradocs = { @@ -73,11 +66,7 @@ uptimekuma = { type = "microvm"; - network = { - local = true; - address = "10.0.0.12"; - mac = "D0:E5:CA:F0:D7:E8"; - }; + network.local = false; }; nextcloud = { From 62c92821b425030b9ff342a6c43b62d3f5ac64d9 Mon Sep 17 00:00:00 2001 From: kalipso Date: Wed, 28 Jan 2026 15:27:21 +0100 Subject: [PATCH 03/41] [microvm] put vms on local network --- machines/hosts.nix | 79 +++++++++++------------ machines/modules/host_builder.nix | 15 ++--- machines/modules/malobeo/microvm_host.nix | 60 +++++++++++------ 3 files changed, 85 insertions(+), 69 deletions(-) diff --git a/machines/hosts.nix b/machines/hosts.nix index 0f51c2d..fe78508 100644 --- a/machines/hosts.nix +++ b/machines/hosts.nix @@ -1,5 +1,22 @@ { ... }: +let + createMaloNet = hostId: mac: { + local = true; + address = "192.168.1.${hostId}"; + gateway = "192.168.1.1"; + nameservers = [ "192.168.1.17" "1.1.1.1" ]; #setting ns1 as nameserver + mac = mac; + }; + + createOffsiteNet = address: mac: { + local = false; + address = address; + gateway = "10.0.10.1"; + nameservers = [ "1.1.1.1" ]; + mac = mac; + }; +in { #TODO: fix local 192.168.1.0/24 addresses they are just palceholders! malobeo = { @@ -19,7 +36,7 @@ address = "192.168.1.12"; }; }; - + fanny = { type = "host"; network = { 
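Review bot: Setting `network.local = false` for `vpn` and `uptimekuma` removes their `address` and `mac` while `host_builder.nix` (untouched in this patch) still evaluates `settings.network.address` and `settings.network.mac` for every `type = "microvm"` host, so those two configurations fail to evaluate until patch 03 reintroduces the attributes; squash this into patch 03 so every commit in the series evaluates. `zones.nix` is unaffected only because it tests `value.network.local == true` before touching `address`.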
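Review bot: `nameservers = [ "192.168.1.17" "1.1.1.1" ]` in `createMaloNet` lists a public resolver as fallback for hosts whose only source of `hq.malobeo.org` names is ns1; resolvers do not treat the list as strict priority (systemd-resolved moves to the next server on timeout or SERVFAIL and stays there), so internal names will intermittently return NXDOMAIN and every lookup that fails over is sent to Cloudflare in clear text. Use ns1 alone — its forwarders already cover the public internet — and say so: `nameservers = [ "192.168.1.17" ]; # ns1 only: a public fallback breaks the split-horizon hq.* names`. `createOffsiteNet` silently uses `gateway = "10.0.10.1"` while its addresses are `10.0.0.x` (the old inline config used `10.0.0.1`); patch 07 corrects this, but it means `vpn`/`uptimekuma` have no default route between the two commits. The `#TODO ... palceholders` note survives although the addresses are now used for real (gateway, bridge, DNS), so it should be resolved or reworded.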
@@ -27,12 +44,7 @@ address = "192.168.1.13"; }; }; - - ns1 = { - type = "host"; - network.local = false; - }; - + lucia = { type = "rpi"; network = { @@ -40,60 +52,45 @@ address = "192.168.1.15"; }; }; - + durruti = { type = "microvm"; - network = { - local = true; - address = "10.0.0.5"; - mac = "52:DA:0D:F9:EF:F9"; - }; + network = createMaloNet "5" "52:DA:0D:F9:EF:F9"; }; - + vpn = { type = "microvm"; - network.local = false; + network = createOffsiteNet "10.0.0.10" "52:DA:0D:F9:EF:E6"; }; - + infradocs = { type = "microvm"; - network = { - local = true; - address = "10.0.0.11"; - mac = "D0:E5:CA:F0:D7:E7"; - }; + network = createMaloNet "11" "52:DA:0D:F9:EF:E7"; }; - + uptimekuma = { type = "microvm"; - network.local = false; + network = createOffsiteNet "10.0.0.12" "52:DA:0D:F9:EF:E8"; }; - + nextcloud = { type = "microvm"; - network = { - local = true; - address = "10.0.0.13"; - mac = "D0:E5:CA:F0:D7:E9"; - }; + network = createMaloNet "13" "52:DA:0D:F9:EF:E9"; }; - + overwatch = { type = "microvm"; - network = { - local = true; - address = "10.0.0.14"; - mac = "D0:E5:CA:F0:D7:E0"; - }; + network = createMaloNet "14" "52:DA:0D:F9:EF:E0"; }; - + zineshop = { type = "microvm"; - network = { - local = true; - address = "10.0.0.15"; - mac = "D0:E5:CA:F0:D7:F1"; - }; + network = createMaloNet "15" "52:DA:0D:F9:EF:F1"; + }; + + ns1 = { + type = "microvm"; + network = createMaloNet "17" "52:DA:0D:F9:EF:F3"; }; }; }; diff --git a/machines/modules/host_builder.nix b/machines/modules/host_builder.nix index 14fac78..beb3a0f 100644 --- a/machines/modules/host_builder.nix +++ b/machines/modules/host_builder.nix @@ -43,7 +43,7 @@ rec { ]; defaultModules = baseModules; - makeMicroVM = hostName: ipv4Addr: macAddr: modules: [ + makeMicroVM = hostName: network: modules: [ { microvm = { hypervisor = "cloud-hypervisor"; @@ -83,7 +83,7 @@ rec { { type = "tap"; id = "vm-${hostName}"; - mac = "${macAddr}"; + mac = "${network.mac}"; } ]; }; 
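Review bot: `ns1 = { ... network = createMaloNet "17" ... }` and the `192.168.1.17` literal inside `createMaloNet`'s `nameservers` are two copies of the same fact; bind it once in the `let` (`ns1HostId = "17";`) and use `"192.168.1.${ns1HostId}"` in the helper and `createMaloNet ns1HostId` here, so moving ns1 cannot leave every VM pointing at a dead resolver. ns1 itself receives that list too, i.e. its first resolver is its own address; that works once `named` is up but makes early-boot lookups on ns1 fail until then, so consider `127.0.0.1` first for ns1 or ordering network-dependent units after `bind.service`. The `makeMicroVM` signature change to take the whole `network` attrset is a good simplification; the two call sites further down in `host_builder.nix` are the only ones visible, so confirm no other caller still passes three positional arguments.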
@@ -93,9 +93,9 @@ rec { systemd.network.networks."20-lan" = { matchConfig.Type = "ether"; networkConfig = { - Address = [ "${ipv4Addr}/24" ]; - Gateway = "10.0.0.1"; - DNS = ["1.1.1.1"]; + Address = [ "${network.address}/24" ]; + Gateway = "${network.gateway}"; + DNS = network.nameservers; DHCP = "no"; }; }; @@ -210,8 +210,7 @@ rec { specialArgs.self = self; config = { imports = (makeMicroVM "${name}" - "${hosts.malobeo.hosts.${name}.network.address}" - "${hosts.malobeo.hosts.${name}.network.mac}" [ + hosts.malobeo.hosts.${name}.network [ ../${name}/configuration.nix (vmMicroVMOverwrites name { withNetworking = true; @@ -250,7 +249,7 @@ rec { modules = (if (settings.type != "microvm") then defaultModules ++ [ ../${host}/configuration.nix ] else - makeMicroVM "${host}" "${settings.network.address}" "${settings.network.mac}" [ + makeMicroVM "${host}" settings.network [ inputs.microvm.nixosModules.microvm ../${host}/configuration.nix ]); diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix index b11881a..745e18b 100644 --- a/machines/modules/malobeo/microvm_host.nix +++ b/machines/modules/malobeo/microvm_host.nix @@ -14,6 +14,26 @@ in description = lib.mdDoc "Setup bridge device for microvms."; }; + interface = mkOption { + default = "eno1"; + type = types.str; + }; + + gateway = mkOption { + default = "10.0.0.1"; + type = types.str; + }; + + address = mkOption { + default = "10.0.0.1/24"; + type = types.str; + }; + + dns = mkOption { + default = [ "1.1.1.1" ]; + type = types.listOf types.str; + }; + enableHostBridgeUnstable = mkOption { default = false; type = types.bool; 
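Review bot: `Address = [ "${network.address}/24" ]` still hard-codes the prefix length while gateway and DNS now come from `network`; a VM whose helper entry is later moved to a differently sized subnet would silently get a wrong on-link route. Add `prefixLength = 24;` to `createMaloNet`/`createOffsiteNet` in `hosts.nix` and use `"${network.address}/${toString network.prefixLength}"` here, so the subnet is defined in one place alongside the gateway.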
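Review bot: The four new options (`interface`, `gateway`, `address`, `dns`) in `microvm_host.nix` have no `description`, unlike `enableHostBridge` right above them which uses `lib.mdDoc`; add one each, e.g. `description = lib.mdDoc "Physical uplink enslaved to the malobeo0 bridge.";`, and state in `address`'s description that it must include the prefix length (`10.0.0.1/24`) because it is passed straight to `Address`. The default `gateway = "10.0.0.1"` equals the host's own `address` default, i.e. the host is its own gateway unless overridden; that looks like a leftover from the former isolated bridge and should either default to the LAN router or carry a comment saying the default is only valid for the old NAT layout.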
@@ -47,29 +67,29 @@ in systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) { enable = true; - # create a bride device that all the microvms will be connected to - netdevs."10-microvm".netdevConfig = { - Kind = "bridge"; - Name = "microvm"; - }; - - networks."10-microvm" = { - matchConfig.Name = "microvm"; + networks."10-lan" = { + matchConfig.Name = [ "${cfg.interface}" "vm-*"]; networkConfig = { - DHCPServer = true; - IPv6SendRA = true; + Bridge = "malobeo0"; }; - addresses = if cfg.enableHostBridgeUnstable then [ - { Address = "10.0.0.1/24"; } - ] else [ - { Address = "10.0.0.1/24"; } - ]; }; - - # connect the vms to the bridge - networks."11-microvm" = { - matchConfig.Name = "vm-*"; - networkConfig.Bridge = "microvm"; + + netdevs."malobeo0" = { + netdevConfig = { + Name = "malobeo0"; + Kind = "bridge"; + }; + }; + + networks."10-lan-bridge" = { + matchConfig.Name = "malobeo0"; + networkConfig = { + Address = [ "${cfg.address}" ]; + Gateway = "${cfg.gateway}"; + DNS = cfg.dns; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; }; }; From bec232a023e6e1685f5d2cbc879bc8fc33bb6f20 Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 30 Jan 2026 20:24:43 +0100 Subject: [PATCH 04/41] [run-vm] override network cfg for local testing --- machines/modules/host_builder.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/machines/modules/host_builder.nix b/machines/modules/host_builder.nix index beb3a0f..2460343 100644 --- a/machines/modules/host_builder.nix +++ b/machines/modules/host_builder.nix @@ -165,6 +165,16 @@ rec { }); }; + systemd.network.networks."20-lan" = pkgs.lib.mkForce { + matchConfig.Type = "ether"; + networkConfig = { + Address = [ "10.0.0.${hosts.malobeo.hosts.${hostname}.network.hostId}/24" ]; + Gateway = "10.0.0.1"; + DNS = [ "1.1.1.1" ]; + DHCP = "no"; + }; + }; + boot.isContainer = pkgs.lib.mkForce false; services.timesyncd.enable = false; users.users.root.password = ""; 
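Review bot: The rewritten bridge enslaves the physical uplink (`cfg.interface`) together with every `vm-*` tap into `malobeo0`, so the microvms are now layer-2 adjacent to the whole LAN instead of sitting behind the host on the former `microvm` bridge; the host firewall no longer sits between VMs and LAN, and a compromised VM can spoof ARP or serve DHCP to real LAN clients. If that is intended (the commit title says so), record it on the `10-lan` network with a comment such as `# VMs are bridged straight onto the LAN: no host firewall between them and other LAN hosts`. `IPv6AcceptRA = true` on the bridge also makes the host accept router advertisements arriving from any VM tap, which is worth weighing against the convenience of SLAAC. `linkConfig.RequiredForOnline = "routable"` means `network-online.target` waits for a route on the bridge; with the uplink down, units ordered after it will stall, which may or may not be acceptable for fanny.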
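Review bot: The run-vm override reads `hosts.malobeo.hosts.${hostname}.network.hostId`, but no host carries a `hostId` attribute at this point in the series (patch 07 introduces it), so the local-test variant fails to evaluate between patches 04 and 07; reorder or squash. A one-line comment on the `mkForce` would also explain why this block diverges from the `20-lan` unit `makeMicroVM` writes, e.g. `# local test network: detach from the LAN config so the VM can run on a developer machine`. The pre-existing context `users.users.root.password = "";` is meant for that test VM only, and since this override now gives it a routable `10.0.0.x` address it is worth double-checking the test VM is never attached to a real bridge.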
From b4d199d00cc51b9b9b08ebc987dc66f4e8f3a2a4 Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 30 Jan 2026 20:25:10 +0100 Subject: [PATCH 05/41] [ns1] setup forwarding, open ports --- machines/ns1/configuration.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/machines/ns1/configuration.nix b/machines/ns1/configuration.nix index f64d578..7721eea 100644 --- a/machines/ns1/configuration.nix +++ b/machines/ns1/configuration.nix @@ -19,8 +19,26 @@ in ../modules/autoupdate.nix ]; + networking.firewall = { + enable = true; + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 ]; + }; + services.bind = { enable = true; + forwarders = [ + "1.1.1.1" + "1.0.0.1" + ]; + + cacheNetworks = [ + "127.0.0.0/24" + "10.0.0.0/24" + "192.168.1.0/24" + "10.100.0.0/24" + ]; + zones = { "malobeo.org" = { master = true; From f0e1f07c3e822690c2d8766f65efeb2245886e34 Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 30 Jan 2026 20:25:49 +0100 Subject: [PATCH 06/41] [zones] set ns1 A record --- machines/modules/malobeo/zones.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/machines/modules/malobeo/zones.nix b/machines/modules/malobeo/zones.nix index 1affbdc..218ae79 100644 --- a/machines/modules/malobeo/zones.nix +++ b/machines/modules/malobeo/zones.nix @@ -11,7 +11,7 @@ in SOA = { nameServer = "ns1"; adminEmail = "admin@malobeo.org"; - serial = 2019030800; + serial = 2019030801; }; useOrigin = false; @@ -19,11 +19,13 @@ in "ns1.malobeo.org." ]; - A = [ "23.23.23.23" ]; #TODO: update - AAAA = [ "4321:0:1:2:3:4:567:89ab" ]; #TODO: update - subdomains = { + ns1 = { + A = [ hosts.ns1.network.address ]; + }; + ${localNS} = { + A = [ hosts.fanny.network.address ]; subdomains = builtins.mapAttrs (name: value: if value.network.local == true then { A = [ value.network.address ]; } else {}) hosts; From 0347fa68c7c8aca254fe18b902f608e54a54a502 Mon Sep 17 00:00:00 2001 
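Review bot: `allowedTCPPorts`/`allowedUDPPorts = [ 53 ]` opens the server on every interface and source, while `cacheNetworks` only restricts recursion and cache access; authoritative answers for the internal zone (RFC1918 and VPN peer addresses) are still handed to any source, and if ns1 is ever reachable beyond the bridge it becomes a reconnaissance and amplification target. Every client in this repo lives in the listed ranges, so restrict queries to them as well, e.g. `allowQuery = config.services.bind.cacheNetworks;` on the zone if the module version in use has that option, otherwise `extraConfig = "allow-query { 10.0.0.0/24; 192.168.1.0/24; 10.100.0.0/24; localhost; };"`. Forwarding to `1.1.1.1`/`1.0.0.1` is in clear text since BIND does not speak DoT itself; either accept that with a comment or front it with a DoT-capable stub. `127.0.0.0/24` in `cacheNetworks` is harmless but `127.0.0.1/32` states the intent precisely.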
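Review bot: `${localNS}.A = [ hosts.fanny.network.address ]` resolves to `192.168.1.13`, but as of patch 03 that address is also `nextcloud`'s (`createMaloNet "13"`) while fanny's entry is still a placeholder, so `hq.malobeo.org` (and `fanny.hq.malobeo.org`) point at the Nextcloud VM rather than the reverse proxy; `lucia` (`192.168.1.15`) collides with `zineshop` the same way. Fix fanny's and lucia's real addresses in `hosts.nix` before publishing them. `ns1.A` and the `NS ns1.malobeo.org.` record now publish a private address as the zone's nameserver and the apex `A`/`AAAA` are dropped, which is consistent with a LAN-only view but leaves `malobeo.org` itself unresolvable for internal clients; a header comment `# internal view of malobeo.org, served only to LAN/VPN clients; public names must be added here too` would make the split-horizon intent explicit.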
From: kalipso Date: Fri, 30 Jan 2026 20:26:12 +0100 Subject: [PATCH 07/41] [hosts] use hostId in offsite net --- machines/hosts.nix | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/machines/hosts.nix b/machines/hosts.nix index fe78508..2143d4d 100644 --- a/machines/hosts.nix +++ b/machines/hosts.nix @@ -3,16 +3,18 @@ let createMaloNet = hostId: mac: { local = true; + hostId = hostId; address = "192.168.1.${hostId}"; gateway = "192.168.1.1"; nameservers = [ "192.168.1.17" "1.1.1.1" ]; #setting ns1 as nameserver mac = mac; }; - createOffsiteNet = address: mac: { + createOffsiteNet = hostId: mac: { local = false; - address = address; - gateway = "10.0.10.1"; + hostId = hostId; + address = "10.0.0.${hostId}"; + gateway = "10.0.0.1"; nameservers = [ "1.1.1.1" ]; mac = mac; }; @@ -25,6 +27,7 @@ in type = "host"; network = { local = true; + hostId = "11"; address = "192.168.1.11"; }; }; @@ -33,6 +36,7 @@ in type = "host"; network = { local = true; + hostId = "12"; address = "192.168.1.12"; }; }; @@ -41,6 +45,7 @@ in type = "host"; network = { local = true; + hostId = "13"; address = "192.168.1.13"; }; }; @@ -49,6 +54,7 @@ in type = "rpi"; network = { local = true; + hostId = "15"; address = "192.168.1.15"; }; }; @@ -60,7 +66,7 @@ in vpn = { type = "microvm"; - network = createOffsiteNet "10.0.0.10" "52:DA:0D:F9:EF:E6"; + network = createOffsiteNet "10" "52:DA:0D:F9:EF:E6"; }; infradocs = { @@ -70,7 +76,7 @@ in uptimekuma = { type = "microvm"; - network = createOffsiteNet "10.0.0.12" "52:DA:0D:F9:EF:E8"; + network = createOffsiteNet "12" "52:DA:0D:F9:EF:E8"; }; nextcloud = { From c73ffe95c59cac07178a13a76b54d650171d9379 Mon Sep 17 00:00:00 2001 
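Review bot: For the hand-written hosts (`louise`, `bakunin`, `fanny`, `lucia`) `hostId` and `address` are now stored twice (`hostId = "11";` next to `address = "192.168.1.11";`) and can drift; use the same helper as the microvms, e.g. `network = createMaloNet "11" null;` with `mac` made optional, so the address is derived from `hostId` in one place (nothing visible reads `mac` for `type = "host"`). The duplicates this patch keeps are real: `fanny`/`nextcloud` both claim `13` and `lucia`/`zineshop` both claim `15`, which the zone generator will publish as conflicting `hq.*` records. The offsite `gateway` silently changes from `10.0.10.1` to `10.0.0.1` here; if that was a typo fix it deserves a mention in the commit message, since it alters routing for `vpn` and `uptimekuma`.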
From: ahtlon Date: Wed, 18 Feb 2026 22:24:55 +0100 Subject: [PATCH 08/41] Add autoupdate runner + fix a typo in the vaultwarden config --- .gitea/workflows/autoupdate.yml | 42 ++++++++++++++++++++++++++ machines/vaultwarden/configuration.nix | 2 +- 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 .gitea/workflows/autoupdate.yml diff --git a/.gitea/workflows/autoupdate.yml b/.gitea/workflows/autoupdate.yml new file mode 100644 index 0000000..cb1d476 --- /dev/null +++ b/.gitea/workflows/autoupdate.yml @@ -0,0 +1,42 @@ +name: Weekly Flake Update + +on: + schedule: + - cron: "0 0 * * 4" + workflow_dispatch: + +permissions: + contents: write + +jobs: + update_and_check_flake: + runs-on: ubuntu-latest + env: + NIXPKGS_ALLOW_UNFREE: 1 + steps: + - name: Install sudo + run: | + apt-get update + apt-get install -y sudo + - uses: https://code.forgejo.org/actions/checkout@v6 + + - name: Set up Nix + uses: https://github.com/cachix/install-nix-action@v31 + with: + github_access_token: ${{ secrets.AHTLONS_GITHUB_TOKEN }} #Fuck github + + - name: Run nix flake update + run: nix flake update + - name: Run nix flake check + run: nix flake check --all-systems --verbose + + - name: Create Gitea PR + uses: https://github.com/infinilabs/gitea-pr@v0 + with: + url: https://git.dynamicdiscord.de + token: ${{ secrets.AHTLONS_GITEA_TOKEN }} + commit-message: 'Update flake.lock' + committer: 'malobot ' + base: 'master' + title: 'Update flake.lock' + assignee: 'ahtlon' diff --git a/machines/vaultwarden/configuration.nix b/machines/vaultwarden/configuration.nix index 8ae1e29..8a43711 100644 --- a/machines/vaultwarden/configuration.nix +++ b/machines/vaultwarden/configuration.nix @@ -38,7 +38,7 @@ with lib; backupDir = "/var/local/vaultwarden/backup"; environmentFile = config.sops.secrets.vaultwarden_env.path; config = { - DOMAIN = "http://keys.malobeo.org"; + DOMAIN = "https://keys.malobeo.org"; SIGNUPS_ALLOWED = true; #WEBSERVER ROCKET_ADDRESS = "127.0.0.1"; 
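Review bot: All three actions are referenced by mutable tags (`checkout@v6`, `install-nix-action@v31`, `gitea-pr@v0`) and the last one receives `AHTLONS_GITEA_TOKEN` under `permissions: contents: write` on the infrastructure repo, so whoever can move those tags can push to this repository; pin each `uses:` to a full commit SHA with the tag in a comment, e.g. `uses: https://github.com/infinilabs/gitea-pr@<sha> # v0`. Both secrets are personal tokens (`AHTLONS_*`) although the commits are attributed to `malobot`; a dedicated bot account scoped to this repo limits the damage if the runner or an action is compromised. `nix flake check` on a lock bump is a weak gate for this repo unless `checks` builds the NixOS configurations, so say in the PR body what was actually verified. The `committer: 'malobot '` value appears to have lost its `<email>` part (possibly in rendering); confirm the file on disk has it.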
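Review bot: The `DOMAIN` fix is right, but the neighbouring unchanged context `SIGNUPS_ALLOWED = true;` keeps open registration on `keys.malobeo.org`, which this hunk confirms is a public HTTPS name; unless public signups are wanted, set `SIGNUPS_ALLOWED = false;` and invite users from the admin panel, or at least restrict with `SIGNUPS_DOMAINS_WHITELIST`. The enclosing `config` attrset continues outside the hunk.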
From a92336fb3004131925feca905a1c63344cf768de Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 20 Feb 2026 19:36:58 +0100 Subject: [PATCH 09/41] [fanny] add njala api token --- machines/fanny/dummy.yaml | 11 ++++------- machines/fanny/secrets.yaml | 11 ++++------- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/machines/fanny/dummy.yaml b/machines/fanny/dummy.yaml index 1edbe77..c38ce53 100644 --- a/machines/fanny/dummy.yaml +++ b/machines/fanny/dummy.yaml @@ -1,9 +1,6 @@ wg_private: ENC[AES256_GCM,data:YEmIfgtyHE9msYijva0Ye2w7shVmYBPZ3mcKRF7Cy20xa6yHEUQ0kC2OWnM=,iv:ouK6fHcrxrEtsmiPmtCz9Ca8Ec1algOifrgZSBNHi74=,tag:524e/SQt++hwVyeWruCsLg==,type:str] +njala_api_key: ENC[AES256_GCM,data:uEzx7KeI7ZZP63Igu5vHmuvASVxJai8bezM40UZVobQMr7r6opjnVTc0BPyIGfnG2mx/6Bo=,iv:lch04oGn6bkqtBGVzYlz6B97FGXlGOoxkiT1IplSxm4=,tag:bzXx2jSqFBv1hgJO1r5i+w==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng enc: | @@ -23,8 +20,8 @@ sops: NjJ5cFdTVS9NZmVWMjcrcHo2WDZEZDgKiDwkuUn90cDmidwYGZBb5qp+4R1HafV0 vMQfjT9GrwB5K/O1GumOmvbzLNhvO2vRZJhfVHzyHLzQK64abQgF5Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-19T22:46:09Z" - mac: ENC[AES256_GCM,data:eU3SIqAGrgbO2tz4zH1tgYcif7oe5j+/wmdYl2xXXI+D6IhiKrTJGvzE3rd3ElEpb+Bg0UQId952U2Ut0yPTfxGLtdlbJA66CmhLAksByoJ8lOXUcp/qDyA4yMRSuwYG2v7uF2crvue9fyRfZ7hl7abE/Q7Z2UjOKqhSZC5cO3U=,iv:NmCVvtBWZRzhpr5nMLy+98VuQZWoUms7xFSxq8PMvBA=,tag:UWjA7oqoNWh4wb0myNg7FA==,type:str] + lastmodified: "2026-02-20T18:33:50Z" + mac: ENC[AES256_GCM,data:YlsQVjfgtlcSObjLiZif/sOJNx2PqH9q0kguPgBSwAoNiX2/eJhNH2WwtQ8uXQfdPiX7kwfFrl2E0xevqwLv+4AICr+9v6oCfcUHJYPRdkLfCs0jXyvnZr52LzfyV3GOPah/j8Uye9d9sspUMqqaXewoeWtrXHgo277pQVdrKxM=,iv:Xb5ckc/cvpGqkZoViTrw8rUniO2OWy0/rNfhF+Qb/iM=,tag:ZhI4jS2Iyig9juVGAeii+w==,type:str] pgp: - created_at: "2025-01-19T22:45:26Z" enc: |- 
@@ -65,4 +62,4 @@ sops: -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.11.0 diff --git a/machines/fanny/secrets.yaml b/machines/fanny/secrets.yaml index fba35ac..c7eb046 100644 --- a/machines/fanny/secrets.yaml +++ b/machines/fanny/secrets.yaml @@ -1,11 +1,8 @@ wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str] shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str] shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str] +njala_api_key: ENC[AES256_GCM,data:T9cZas/3ju54h22SaDnx/dx4lhJiMi6foRilxSDxQ+e0bw2A8szkFPdxqK6XSuRckCUg3YI=,iv:HonCrH0H2rfUC7VMk8jRV/12NJBXh8uICos0OAHfETI=,tag:aGoiGzljuoX2RoPDlOKgOA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk enc: | 
@@ -25,8 +22,8 @@ sops: QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-14T10:34:55Z" - mac: ENC[AES256_GCM,data:vcDXtTi0bpqhHnL6XanJo+6a8f5LAE628HazDVaNO34Ll3eRyhi95eYGXQDDkVk2WUn9NJ5oCMPltnU82bpLtskzTfQDuXHaPZJq5gtOuMH/bAKrY0dfShrdyx71LkA4AFlcI1P5hchpbyY1FK3iqe4D0miBv+Q8lCMgQMVrfxI=,iv:1lMzH899K0CnEtm16nyq8FL/aCkSYJVoj7HSKCyUnPg=,tag:mEbkmFNg5VZtSKqq80NrCw==,type:str] + lastmodified: "2026-02-20T18:33:24Z" + mac: ENC[AES256_GCM,data:JpZRz3fUMkGbIVVtP1TerhQ+BY3nOsgJsTxb7Uqw9RL7JxvurbWeYK9GTAUzJeGi5O7XQia6/M2MI+K1xxGF4AM7NeSLiZEfGeGC4zmV7inIFgNJy/1lUdnsnZkw8NeOKx16t1b+GqY4xGhDcpVU12RaU4D7/Z0BBM+soc9O6hg=,iv:Um49dRgm5i0I0BrWqsEwn4zjm8eOdnl6SQgG9gScCXU=,tag:0JaSpb8V4WoismawGEYTlg==,type:str] pgp: - created_at: "2025-02-11T18:32:49Z" enc: |- @@ -67,4 +64,4 @@ sops: -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.11.0 From 93fb64b2c6696b6bee03c7e7564c3a397d8bbce5 Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 20 Feb 2026 19:37:22 +0100 Subject: [PATCH 10/41] [fanny] update proxy for local access and dyndns --- machines/fanny/configuration.nix | 62 ++++++++++++++++++++++++++++---- 1 file changed, 55 insertions(+), 7 deletions(-) diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index 3051782..bfbd70d 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -7,6 +7,7 @@ in sops.defaultSopsFile = ./secrets.yaml; sops.secrets.wg_private = {}; sops.secrets.shop_auth = {}; + sops.secrets.njala_api_key = {}; imports = [ # Include the results of the hardware scan. 
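Review bot: `sops.secrets.njala_api_key = {};` creates the file with sops-nix's defaults (`root:root`, mode `0400`) while it is consumed as `security.acme.defaults.credentialsFile`; confirm the acme units can read it — recent NixOS acme modules pass `credentialsFile` through systemd `LoadCredential`, which works with root-only files, but on older releases it is read directly by the `acme` user and would need `owner = "acme";`. The key is spelled `njala` here and `njalla` in patch 13's `dyndns.nix`/`secrets.yaml`; pick one spelling (the provider is Njalla) and share a single secret between both consumers.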
@@ -149,6 +150,16 @@ in }; }; + security.acme = { + acceptTerms = true; + defaults.email = "malobeo@systemli.org"; + defaults = { + dnsProvider = "njalla"; + credentialsFile = config.sops.secrets.njala_api_key.path; + dnsPropagationCheck = false; + }; + }; + services.nginx = { enable = true; virtualHosts."docs.malobeo.org" = { @@ -160,9 +171,27 @@ in }; }; - virtualHosts."cloud.malobeo.org" = { + virtualHosts."cloud.hq.malobeo.org" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; locations."/" = { - proxyPass = "http://10.0.0.13"; + proxyPass = "http://192.168.1.13"; + extraConfig = '' + proxy_set_header Host $host; + client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize}; + client_body_timeout 3600s; + send_timeout 3600s; + fastcgi_buffers 64 4K; + ''; + }; + }; + + virtualHosts."cloud.malobeo.org" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://192.168.1.13"; extraConfig = '' proxy_set_header Host $host; client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize}; @@ -191,12 +220,31 @@ in }; }; - virtualHosts."zines.malobeo.org" = { - # created with: nix-shell --packages apacheHttpd --run 'htpasswd -B -c foo.txt malobeo' - # then content of foo.txt put into sops - # basicAuthFile = config.sops.secrets.shop_auth.path; + virtualHosts."zines.hq.malobeo.org" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; locations."/" = { - proxyPass = "http://10.0.0.15:8080"; + proxyPass = "http://192.168.1.15:8080"; + extraConfig = '' + proxy_set_header Host $host; + + client_body_in_file_only clean; + client_body_buffer_size 32K; + + client_max_body_size 50M; + + sendfile on; + send_timeout 300s; + ''; + }; + }; + + virtualHosts."zines.malobeo.org" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://192.168.1.15:8080"; extraConfig = '' proxy_set_header Host $host; 
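Review bot: The DNS-01 setup hands fanny a Njalla API key that is, as far as I know, account-wide rather than per-record (verify), so a compromise of fanny allows rewriting any `malobeo.org` record including `keys.malobeo.org`; if the key cannot be narrowed, document that blast radius next to `credentialsFile` and consider issuing the `*.hq.malobeo.org` names from a delegated `hq` zone with its own key. `cloud.hq.malobeo.org`/`zines.hq.malobeo.org` set `acmeRoot = null` but `cloud.malobeo.org`/`zines.malobeo.org` do not, so those certs inherit `dnsProvider` from `defaults` while nginx also configures a webroot; current acme modules treat the two as mutually exclusive, so either those hosts fail to evaluate or carry a dead challenge location — set `acmeRoot = null` on all four. `dnsPropagationCheck = false` is reasonable for Njalla, but a comment saying why prevents someone from switching it back on.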
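Review bot: The new `cloud.*` vhosts terminate TLS and forward to a plain-HTTP backend but only set `Host`; without `X-Forwarded-Proto`/`X-Forwarded-For` Nextcloud sees `http` and the proxy's address, which breaks generated URLs and client-IP based throttling (the `vpn` vhost removed in patch 11 did pass these for zines). Add `proxy_set_header X-Forwarded-Proto $scheme;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Real-IP $remote_addr;` to `locations."/"` (or enable `recommendedProxySettings`) and make sure Nextcloud's `trusted_proxies`/`overwriteprotocol` match fanny. The hq and public vhosts are otherwise byte-for-byte copies; generating both from one `mkProxy` function keeps them from drifting.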
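Review bot: The `zines.malobeo.org` vhost drops the comment describing the `basicAuthFile`/`htpasswd` setup without ever enabling it, so the shop is served unauthenticated on a public HTTPS name and the documentation of how to turn auth back on is gone; if that is intended, say so in the commit message, otherwise restore the comment or enable `basicAuthFile = config.sops.secrets.shop_auth.path;` (the secret is still declared above). Like the cloud vhosts, both zines entries forward only `Host`, so the same `X-Forwarded-*` headers should be added here.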
From 4d101aee29fc1213cd59d5d70984f5b80ab28254 Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 20 Feb 2026 19:38:43 +0100 Subject: [PATCH 11/41] [durruti][vpn] rm deprecated cloud/zineshop proxies --- machines/durruti/host_config.nix | 31 ---------------------------- machines/vpn/configuration.nix | 35 -------------------------------- 2 files changed, 66 deletions(-) diff --git a/machines/durruti/host_config.nix b/machines/durruti/host_config.nix index ae6406e..29e2ead 100644 --- a/machines/durruti/host_config.nix +++ b/machines/durruti/host_config.nix @@ -43,20 +43,6 @@ in }; }; - services.nginx.virtualHosts."cloud.malobeo.org" = { - forceSSL = true; - enableACME= true; - locations."/" = { - proxyPass = "http://10.0.0.10"; - extraConfig = '' - client_max_body_size 10G; - client_body_timeout 3600s; - send_timeout 3600s; - fastcgi_buffers 64 4K; - ''; - }; - }; - services.nginx.virtualHosts."grafana.malobeo.org" = { forceSSL = true; enableACME= true; @@ -78,23 +64,6 @@ in }; - services.nginx.virtualHosts."zines.malobeo.org" = { - forceSSL = true; - enableACME= true; - locations."/" = { - proxyPass = "http://10.0.0.10"; - extraConfig = '' - client_body_in_file_only clean; - client_body_buffer_size 32K; - - client_max_body_size 50M; - - sendfile on; - send_timeout 300s; - ''; - }; - }; - services.nginx.virtualHosts."status.malobeo.org" = { forceSSL = true; enableACME= true; diff --git a/machines/vpn/configuration.nix b/machines/vpn/configuration.nix index 3904971..67603e7 100644 --- a/machines/vpn/configuration.nix +++ b/machines/vpn/configuration.nix 
@@ -40,19 +40,6 @@ with lib; }; }; - virtualHosts."cloud.malobeo.org" = { - locations."/" = { - proxyPass = "http://10.100.0.101"; - extraConfig = '' - proxy_set_header Host $host; - client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize}; - client_body_timeout 3600s; - send_timeout 3600s; - fastcgi_buffers 64 4K; - ''; - }; - }; - virtualHosts."grafana.malobeo.org" = { locations."/" = { proxyPass = "http://10.100.0.101"; @@ -70,28 +57,6 @@ with lib; ''; }; }; - - virtualHosts."zines.malobeo.org" = { - locations."/" = { - proxyPass = "http://10.100.0.101"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Authorization $http_authorization; # Pass the Authorization header - proxy_pass_header Authorization; - - client_body_in_file_only clean; - client_body_buffer_size 32K; - - client_max_body_size 50M; - - sendfile on; - send_timeout 300s; - ''; - }; - }; }; system.stateVersion = "22.11"; # Did you read the comment? From b012b89a4812c01db4647d38039eef42dee8d69d Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 20 Feb 2026 19:39:16 +0100 Subject: [PATCH 12/41] [fanny] update hostbridge for local access --- machines/fanny/configuration.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index bfbd70d..b010e69 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -129,7 +129,12 @@ in privateKeyFile = config.sops.secrets.wg_private.path; }; - services.malobeo.microvm.enableHostBridge = true; + services.malobeo.microvm = { + enableHostBridge = true; + interface = "enp1s0"; + gateway = "192.168.1.1"; + address = "192.168.1.2/24"; + }; services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" 
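Review bot: `address = "192.168.1.2/24"` gives fanny a LAN address that differs from the `192.168.1.13` recorded for fanny in `hosts.nix`, which `zones.nix` publishes as `hq.malobeo.org`/`fanny.hq.malobeo.org` and which also belongs to the `nextcloud` VM; derive the bridge address from `hosts.malobeo.hosts.fanny.network.address` (with the prefix) after fixing that entry, so DNS, proxies and the bridge agree. Moving the IP from `enp1s0` onto `malobeo0` also means any firewall or WireGuard rule keyed on the old interface name (`networking.firewall.interfaces.enp1s0`, `trustedInterfaces`) stops matching; none are visible in this hunk, but the `privateKeyFile` context two lines up suggests a VPN setup worth re-checking.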
From 6661357f055c4b43c6aa9c5899dbfb3c5d38fdc2 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Fri, 20 Feb 2026 19:49:48 +0100 Subject: [PATCH 13/41] [fanny] add dyndns service --- machines/fanny/configuration.nix | 1 + machines/fanny/dyndns.nix | 22 ++++++++++++++++++++++ machines/fanny/secrets.yaml | 11 ++++------- 3 files changed, 27 insertions(+), 7 deletions(-) create mode 100644 machines/fanny/dyndns.nix diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index 1617b5b..ff4814e 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -21,6 +21,7 @@ in inputs.self.nixosModules.malobeo.metrics inputs.self.nixosModules.malobeo.users inputs.self.nixosModules.malobeo.backup + ./dyndns.nix ]; virtualisation.vmVariantWithDisko = { diff --git a/machines/fanny/dyndns.nix b/machines/fanny/dyndns.nix new file mode 100644 index 0000000..ff14ffd --- /dev/null +++ b/machines/fanny/dyndns.nix @@ -0,0 +1,22 @@ +{... }: +{ + sops.secrets.njala = {}; + systemd.services."dyndns" = { + script = '' + KEY=$(cat /run/secrets/njalla) + ${pkgs.curl}/bin/curl --fail --silent --show-error "https://njal.la/update/?h=cloud.malobeo.org&k="$KEY"&auto" + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + systemd.timers."dyndns" = { + wantedBy = ["timers.target"]; + timerConfig = { + OnBootSec = "100s"; + OnUnitActiveSec = "10m"; + Unit = "dyndns.service"; + }; + }; +} \ No newline at end of file diff --git a/machines/fanny/secrets.yaml b/machines/fanny/secrets.yaml index fba35ac..1bb0bca 100644 --- a/machines/fanny/secrets.yaml +++ b/machines/fanny/secrets.yaml 
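Review bot: `dyndns.nix` neither evaluates nor runs as written: the module takes only `{... }`, so `${pkgs.curl}` is an undefined variable, and it declares `sops.secrets.njala` while the script reads `/run/secrets/njalla` and `secrets.yaml` stores the key as `njalla`, so sops-nix would already fail on the missing `njala` key. The key is also passed on curl's command line, where it is visible to every local user via `/proc/<pid>/cmdline` for the duration of the request; feed the URL to `curl -K -` on stdin instead. Use `config.sops.secrets.<name>.path` rather than a hard-coded `/run/secrets/...` path, and run the unit as a dedicated user with the secret's `owner` set accordingly instead of `root`. The file also lacks a trailing newline.
```nix
{ config, pkgs, ... }:
{
  # Njalla update key; owned by the dyndns user so the unit need not run as root.
  sops.secrets.njalla = { owner = "dyndns"; };

  users.users.dyndns = { isSystemUser = true; group = "dyndns"; };
  users.groups.dyndns = {};

  systemd.services."dyndns" = {
    # The key goes to curl via a config read from stdin so it never
    # appears in the process command line.
    script = ''
      KEY=$(cat ${config.sops.secrets.njalla.path})
      printf 'url = "https://njal.la/update/?h=cloud.malobeo.org&k=%s&auto"\n' "$KEY" \
        | ${pkgs.curl}/bin/curl --fail --silent --show-error -K -
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "dyndns";
    };
  };
  # … unchanged: systemd.timers."dyndns" …
}
```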
@@ -1,11 +1,8 @@ wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str] shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str] shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str] +njalla: ENC[AES256_GCM,data:O/jUfA0UOYhXUqaCvmPEIw==,iv:ilzXLehV0cCxyUx/8fmwo6aU+yLzduZ5FoelQWYiPmw=,tag:KOL5RB7aYxe+1vY/WwTNJg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk enc: | @@ -25,8 +22,8 @@ sops: QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-14T10:34:55Z" - mac: ENC[AES256_GCM,data:vcDXtTi0bpqhHnL6XanJo+6a8f5LAE628HazDVaNO34Ll3eRyhi95eYGXQDDkVk2WUn9NJ5oCMPltnU82bpLtskzTfQDuXHaPZJq5gtOuMH/bAKrY0dfShrdyx71LkA4AFlcI1P5hchpbyY1FK3iqe4D0miBv+Q8lCMgQMVrfxI=,iv:1lMzH899K0CnEtm16nyq8FL/aCkSYJVoj7HSKCyUnPg=,tag:mEbkmFNg5VZtSKqq80NrCw==,type:str] + lastmodified: "2026-02-20T18:48:58Z" + mac: ENC[AES256_GCM,data:zUoEtRovtCt4cNfThimcKefMnT4DdQUFrleiiPYz6XWcG9UEdYTw4dEc97OGavkzipm1R4tDDIrNSzKWG6oi8iSKk5EBEbKMn3wbCqogYt9fCJFuW25S0NY7smOr1nC6NumZlY+YiGAhEfrIGasp6qiwuD9A/S5a+6QNV5yEsK8=,iv:cB+SftKUCgAfuzNLT45WXf7NZPVVdZbQdpHYESWLjq4=,tag:oqhgWlREZEcHiQNO1hKiuQ==,type:str] pgp: - created_at: "2025-02-11T18:32:49Z" enc: |- @@ -67,4 +64,4 @@ sops: -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.11.0 From e46c6bef00ba346d265254446ddbd3bd49348e90 Mon Sep 17 00:00:00 2001 
From: kalipso Date: Fri, 20 Feb 2026 19:59:27 +0100 Subject: [PATCH 14/41] [general] update local vm ip addresses --- machines/durruti/configuration.nix | 1 - machines/fanny/configuration.nix | 17 +++++++++-------- machines/infradocs/configuration.nix | 1 - machines/modules/malobeo/metrics.nix | 3 ++- machines/nextcloud/configuration.nix | 8 +++++--- machines/overwatch/configuration.nix | 14 ++++++++------ machines/overwatch/dashboards/node_full.json | 4 ++-- machines/overwatch/promtail.yaml | 2 +- machines/zineshop/configuration.nix | 1 - 9 files changed, 27 insertions(+), 24 deletions(-) diff --git a/machines/durruti/configuration.nix b/machines/durruti/configuration.nix index e86456a..f0573d0 100644 --- a/machines/durruti/configuration.nix +++ b/machines/durruti/configuration.nix @@ -29,7 +29,6 @@ with lib; enable = true; enablePromtail = true; logNginx = true; - lokiHost = "10.0.0.14"; }; services.malobeo-tasklist.enable = true; diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index b010e69..befaee0 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -2,6 +2,7 @@ let sshKeys = import ../ssh_keys.nix; peers = import ../modules/malobeo/peers.nix; + hosts = import ../hosts.nix {}; in { sops.defaultSopsFile = ./secrets.yaml; @@ -35,7 +36,7 @@ in enable = true; enablePromtail = true; logNginx = true; - lokiHost = "10.0.0.14"; + lokiHost = hosts.malobeo.hosts.overwatch.network.address; }; malobeo.autoUpdate = { @@ -169,7 +170,7 @@ in enable = true; virtualHosts."docs.malobeo.org" = { locations."/" = { - proxyPass = "http://10.0.0.11:9000"; + proxyPass = "http://${hosts.malobeo.hosts.infradocs.network.address}:9000"; extraConfig = '' proxy_set_header Host $host; ''; 
@@ -181,7 +182,7 @@ in enableACME = true; acmeRoot = null; locations."/" = { - proxyPass = "http://192.168.1.13"; + proxyPass = "http://${hosts.malobeo.hosts.nextcloud.network.address}"; extraConfig = '' proxy_set_header Host $host; client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize}; @@ -196,7 +197,7 @@ in forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://192.168.1.13"; + proxyPass = "http://${hosts.malobeo.hosts.nextcloud.network.address}"; extraConfig = '' proxy_set_header Host $host; client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize}; @@ -209,7 +210,7 @@ in virtualHosts."grafana.malobeo.org" = { locations."/" = { - proxyPass = "http://10.0.0.14"; + proxyPass = "http://${hosts.malobeo.hosts.overwatch.network.address}"; extraConfig = '' proxy_set_header Host $host; ''; @@ -218,7 +219,7 @@ in virtualHosts."tasklist.malobeo.org" = { locations."/" = { - proxyPass = "http://10.0.0.5:8080"; + proxyPass = "http://${hosts.malobeo.hosts.durruti.network.address}:8080"; extraConfig = '' proxy_set_header Host $host; ''; @@ -230,7 +231,7 @@ in enableACME = true; acmeRoot = null; locations."/" = { - proxyPass = "http://192.168.1.15:8080"; + proxyPass = "http://${hosts.malobeo.hosts.zineshop.network.address}:8080"; extraConfig = '' proxy_set_header Host $host; @@ -249,7 +250,7 @@ in forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://192.168.1.15:8080"; + proxyPass = "http://${hosts.malobeo.hosts.zineshop.network.address}:8080"; extraConfig = '' proxy_set_header Host $host; diff --git a/machines/infradocs/configuration.nix b/machines/infradocs/configuration.nix index d1cc2fa..7064a96 100644 --- a/machines/infradocs/configuration.nix +++ b/machines/infradocs/configuration.nix 
@@ -19,7 +19,6 @@ with lib; enable = true; enablePromtail = true; logNginx = true; - lokiHost = "10.0.0.14"; }; system.stateVersion = "22.11"; # Did you read the comment? diff --git a/machines/modules/malobeo/metrics.nix b/machines/modules/malobeo/metrics.nix index c5f320b..9c74b10 100644 --- a/machines/modules/malobeo/metrics.nix +++ b/machines/modules/malobeo/metrics.nix @@ -1,6 +1,7 @@ { config, lib, pkgs, ... }: let cfg = config.malobeo.metrics; + hosts = import ../../hosts.nix {}; in { options.malobeo.metrics = { @@ -21,7 +22,7 @@ in }; lokiHost = lib.mkOption { type = lib.types.str; - default = "10.0.0.14"; + default = hosts.malobeo.hosts.overwatch.network.address; description = "Address of loki host"; }; }; diff --git a/machines/nextcloud/configuration.nix b/machines/nextcloud/configuration.nix index baccf2a..c63682f 100644 --- a/machines/nextcloud/configuration.nix +++ b/machines/nextcloud/configuration.nix @@ -2,6 +2,9 @@ with lib; +let + hosts = import ../hosts.nix {}; +in { sops.defaultSopsFile = ./secrets.yaml; sops.secrets = { @@ -28,7 +31,6 @@ with lib; enable = true; enablePromtail = true; logNginx = true; - lokiHost = "10.0.0.14"; }; services.postgresqlBackup = { @@ -59,8 +61,8 @@ with lib; }; }; settings = { - trusted_domains = ["10.0.0.13"]; - trusted_proxies = [ "10.0.0.1" ]; + trusted_domains = [ "cloud.malobeo.org" ]; + trusted_proxies = [ hosts.malobeo.hosts.fanny.network.address ]; "maintenance_window_start" = "1"; "default_phone_region" = "DE"; }; diff --git a/machines/overwatch/configuration.nix b/machines/overwatch/configuration.nix index d6ece49..5beaca3 100644 --- a/machines/overwatch/configuration.nix +++ b/machines/overwatch/configuration.nix @@ -2,6 +2,9 @@ with lib; +let + hosts = import ../hosts.nix {}; +in { networking = { hostName = mkDefault "overwatch"; @@ -21,7 +24,6 @@ with lib; enable = true; enablePromtail = true; logNginx = false; - lokiHost = "10.0.0.14"; }; services.grafana = { 
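Review bot: `trusted_proxies = [ hosts.malobeo.hosts.fanny.network.address ]` only does its job if that value is the source address fanny uses toward the nextcloud VM, and patch 12 in this series gives fanny's bridge a separately hard-coded `192.168.1.2/24`; when the two disagree, Nextcloud treats the proxy itself as the client, ignores `X-Forwarded-For`, and its brute-force throttling then applies to one address on behalf of every user. Please confirm the two match (patch 21 changes the bridge address again) or derive both from the same hosts.nix entry. Dropping the bare IP from `trusted_domains` also means requests by address now get the untrusted-domain page, which is presumably intended. The enclosing `settings` set continues outside the hunk.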
@@ -101,31 +103,31 @@ with lib; { job_name = "durruti"; static_configs = [{ - targets = [ "10.0.0.5:9002" ]; + targets = [ "${hosts.malobeo.hosts.durruti.network.address}:9002" ]; }]; } { job_name = "infradocs"; static_configs = [{ - targets = [ "10.0.0.11:9002" ]; + targets = [ "${hosts.malobeo.hosts.infradocs.network.address}:9002" ]; }]; } { job_name = "nextcloud"; static_configs = [{ - targets = [ "10.0.0.13:9002" ]; + targets = [ "${hosts.malobeo.hosts.nextcloud.network.address}:9002" ]; }]; } { job_name = "zineshop"; static_configs = [{ - targets = [ "10.0.0.15:9002" ]; + targets = [ "${hosts.malobeo.hosts.zineshop.network.address}:9002" ]; }]; } { job_name = "fanny"; static_configs = [{ - targets = [ "10.0.0.1:9002" ]; + targets = [ "${hosts.malobeo.hosts.fanny.network.address}:9002" ]; }]; } # add vpn - check how to reach it first. most probably 10.100.0.1 diff --git a/machines/overwatch/dashboards/node_full.json b/machines/overwatch/dashboards/node_full.json index 7f19c9f..75776f6 100644 --- a/machines/overwatch/dashboards/node_full.json +++ b/machines/overwatch/dashboards/node_full.json @@ -23750,8 +23750,8 @@ }, { "current": { - "text": "10.0.0.13:9002", - "value": "10.0.0.13:9002" + "text": "192.168.1.13:9002", + "value": "192.168.1.13:9002" }, "datasource": { "type": "prometheus", diff --git a/machines/overwatch/promtail.yaml b/machines/overwatch/promtail.yaml index 8030572..2d42cbb 100644 --- a/machines/overwatch/promtail.yaml +++ b/machines/overwatch/promtail.yaml @@ -6,7 +6,7 @@ positions: filename: /tmp/positions.yaml clients: - - url: http://10.0.0.13:3100/loki/api/v1/push + - url: http://192.168.1.13:3100/loki/api/v1/push scrape_configs: diff --git a/machines/zineshop/configuration.nix b/machines/zineshop/configuration.nix index aac419e..11bb260 100644 --- a/machines/zineshop/configuration.nix +++ b/machines/zineshop/configuration.nix 
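Review bot: The Loki push URL in promtail.yaml is a literal `http://192.168.1.13:3100/...`, while the same patch makes `lokiHost` default to `hosts.malobeo.hosts.overwatch.network.address` in metrics.nix, so this file will drift from hosts.nix the next time an address changes (patch 19 in this series already renumbers hostId 13 to `192.168.1.103`). Presumably this is the same Loki host that `lokiHost` points at; generating the file from Nix with the URL built from that option, or pointing the promtail client at `config.malobeo.metrics.lokiHost`, would keep one source of truth. The same applies to the literal `192.168.1.13:9002` written into `node_full.json`.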
@@ -20,7 +20,6 @@ with lib; enable = true; enablePromtail = true; logNginx = true; - lokiHost = "10.0.0.14"; }; services.printing.enable = true; From f28125c9a44556fd98502c98d32105a10d34a78e Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 20 Feb 2026 19:59:51 +0100 Subject: [PATCH 15/41] [louise] new ip --- machines/hosts.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/hosts.nix b/machines/hosts.nix index 2143d4d..67c40f2 100644 --- a/machines/hosts.nix +++ b/machines/hosts.nix @@ -28,7 +28,7 @@ in network = { local = true; hostId = "11"; - address = "192.168.1.11"; + address = "192.168.1.101"; }; }; From 329305a916cd0660006812d52bc2161379c2f8ba Mon Sep 17 00:00:00 2001 From: ahtlon Date: Fri, 20 Feb 2026 20:08:54 +0100 Subject: [PATCH 16/41] [fanny] added zines to dyndns --- machines/fanny/dyndns.nix | 11 +++++++---- machines/fanny/secrets.yaml | 8 +++++--- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/machines/fanny/dyndns.nix b/machines/fanny/dyndns.nix index ff14ffd..fda86f3 100644 --- a/machines/fanny/dyndns.nix +++ b/machines/fanny/dyndns.nix @@ -1,10 +1,13 @@ -{... }: +{pkgs, ...}: { - sops.secrets.njala = {}; + sops.secrets.njalacloud = {}; + sops.secrets.njalazines = {}; systemd.services."dyndns" = { script = '' - KEY=$(cat /run/secrets/njalla) - ${pkgs.curl}/bin/curl --fail --silent --show-error "https://njal.la/update/?h=cloud.malobeo.org&k="$KEY"&auto" + KEYCLOUD=$(cat /run/secrets/njallacloud) + KEYZINES=$(cat /run/secrets/njallazines) + ${pkgs.curl}/bin/curl --fail --silent --show-error "https://njal.la/update/?h=cloud.malobeo.org&k="$KEYCLOUD"&auto" + ${pkgs.curl}/bin/curl --fail --silent --show-error "https://njal.la/update/?h=zines.malobeo.org&k="$KEYZINES"&auto" ''; serviceConfig = { Type = "oneshot"; diff --git a/machines/fanny/secrets.yaml b/machines/fanny/secrets.yaml index 1bb0bca..70662c2 100644 --- a/machines/fanny/secrets.yaml +++ b/machines/fanny/secrets.yaml 
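Review bot: The secret names are still inconsistent after this change: the module declares `sops.secrets.njalacloud` and `sops.secrets.njalazines`, the script reads `/run/secrets/njallacloud` and `/run/secrets/njallazines`, and secrets.yaml adds `njallacloud`/`njallazines`, so the declared keys do not exist in the yaml and the paths the script reads are never provisioned. Using `${config.sops.secrets.njalacloud.path}` (with `config` added to the module arguments) would make Nix reject the mismatch at eval time instead of failing at runtime; patch 18 fixes the spelling but keeps the literal paths. As far as I recall NixOS wraps `script` in `set -e`, so a failed first `curl` also skips the zines update; `rc=0`, `curl ... || rc=1` for each call and `exit $rc` at the end would let both records be refreshed independently while still reporting failure.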
@@ -1,7 +1,9 @@ wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str] shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str] shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str] -njalla: ENC[AES256_GCM,data:O/jUfA0UOYhXUqaCvmPEIw==,iv:ilzXLehV0cCxyUx/8fmwo6aU+yLzduZ5FoelQWYiPmw=,tag:KOL5RB7aYxe+1vY/WwTNJg==,type:str] +njallacloud: ENC[AES256_GCM,data:HBFew0tXEYG34G0N5hab9Q==,iv:q4PgqLJkST5exS3fYOQoAN9AubcfYafdjhhRQAIe0Yc=,tag:SZeM1ZcszSJeNo7uZfS0bQ==,type:str] +njallazines: ENC[AES256_GCM,data:dySUyb1/IBGfjvyGx4iF1Q==,iv:dq60RACMotAzZoiv3+DTx4X6+HK8Wg4CMVzDi3qr6fA=,tag:niHK/B8xYIcEfjHuPkKaQw==,type:str] +njala_api_key: ENC[AES256_GCM,data:ohSVzQUvFjia/s9WceqnZCdLyk3N1Lm2BCBmXeBlkWD2dyrohKCnd9GiJ499IORpuYcOXyM=,iv:Uczk8op5mgqe8gefxgU9YuTqOsYvjzHCKvzA7GDsgio=,tag:XA7JRq/LsGkpHcQSO36Whg==,type:str] sops: age: - recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk 
@@ -22,8 +24,8 @@ sops: QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-20T18:48:58Z" - mac: ENC[AES256_GCM,data:zUoEtRovtCt4cNfThimcKefMnT4DdQUFrleiiPYz6XWcG9UEdYTw4dEc97OGavkzipm1R4tDDIrNSzKWG6oi8iSKk5EBEbKMn3wbCqogYt9fCJFuW25S0NY7smOr1nC6NumZlY+YiGAhEfrIGasp6qiwuD9A/S5a+6QNV5yEsK8=,iv:cB+SftKUCgAfuzNLT45WXf7NZPVVdZbQdpHYESWLjq4=,tag:oqhgWlREZEcHiQNO1hKiuQ==,type:str] + lastmodified: "2026-02-20T19:08:38Z" + mac: ENC[AES256_GCM,data:PnCsmzbOji2iD3cwOl3vkXNMZJjxXqfxLuzlQgczwbHzDRXS9Xma2HuoQ9rnraA4CGc0LCgD/E2X0/LlL2lYks2Rh5Axd1kuBIn3pg2ihvzEAb+zBfnLzFGJW7xq4XJHB+OOnr4301cGFD8aPxlI6wrPeY6qu06rx7hGjsKrNTE=,iv:lhsVRbUUvUYrvC5EutX5Hn9O4tzfmED9TvRpt75qY9s=,tag:fs90cns6OeCaKUE6L0sG/A==,type:str] pgp: - created_at: "2025-02-11T18:32:49Z" enc: |- From 6182318a29d36a44808f8e0705769394e129b5d9 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Fri, 20 Feb 2026 20:19:57 +0100 Subject: [PATCH 17/41] [actions] fix the autoupdate action --- .gitea/workflows/autoupdate.yml | 93 ++++++++++++++++++++++++++++----- 1 file changed, 81 insertions(+), 12 deletions(-) diff --git a/.gitea/workflows/autoupdate.yml b/.gitea/workflows/autoupdate.yml index dc9e06d..afcaa15 100644 --- a/.gitea/workflows/autoupdate.yml +++ b/.gitea/workflows/autoupdate.yml 
@@ -18,8 +18,27 @@ jobs: run: | apt-get update apt-get install -y sudo + - name: Install Tea + env: + TEA_DL_URL: "https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64" + shell: bash + run: | + TEA_DIR=$(mktemp -d -t tmp.XXXX) + pushd $TEA_DIR + wget "$TEA_DL_URL" + wget "${TEA_DL_URL}.sha256" + if $(sha256sum --quiet -c "tea-0.9.2-linux-amd64.sha256"); then + mv "tea-0.9.2-linux-amd64" /usr/bin/tea + chmod +x /usr/bin/tea + popd + rm -rf $TEA_DIR + else + popd + rm -rf $TEA_DIR + echo "::error title=⛔ error hint::Tea v0.9.2 Checksum Failed" + exit 1 + fi - uses: https://code.forgejo.org/actions/checkout@v6 - - name: Set up Nix uses: https://github.com/cachix/install-nix-action@v31 with: 
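Review bot: `if $(sha256sum --quiet -c "tea-0.9.2-linux-amd64.sha256"); then` executes the command's output rather than testing its exit status; it only reaches the else branch by accident, because the `FAILED` line sha256sum prints is not a valid command name. The check should be `if sha256sum --quiet -c "tea-0.9.2-linux-amd64.sha256"; then`. The `.sha256` file is fetched from the same origin as the binary, so this verifies transfer integrity, not authenticity — a substituted download server can supply a matching digest; pinning the expected digest in the workflow (e.g. an `env` value `TEA_SHA256: "<pinned digest>"` checked with `echo "$TEA_SHA256  tea-0.9.2-linux-amd64" | sha256sum -c -`) makes a version bump a reviewed change. `$TEA_DIR` should also be quoted in the `pushd` and `rm -rf` calls.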
@@ -27,15 +46,65 @@ jobs: - name: Run nix flake update run: nix flake update - - name: Run nix flake check - run: nix flake check --all-systems --verbose - - name: Create Gitea PR - uses: https://github.com/Mai0313/create-pull-request@main - with: - github-server-url: https://git.dynamicdiscord.de - token: ${{ secrets.AHTLONS_GITEA_TOKEN }} - commit-message: 'Update flake.lock' - committer: 'malobot ' - title: 'Update flake.lock' - assignees: 'ahtlon' + - name: Commit flake.lock + run: | + git config user.name "malobot" + git config user.email "malobot@systemli.org" + git stash push + git branch nixpkgs_bump_$(date +%Y%m%d) + git checkout nixpkgs_bump_$(date +%Y%m%d) + git stash pop + git add flake.lock + git diff --staged --quiet || git commit -m "Update flake.lock" + + - name: Check for eval warnings + id: commit + shell: bash + run: | + { + echo "COMMIT_DESC<&1 | grep evaluation | awk '!seen[$0]++' || echo "None :)" + echo EOF + } >> "$GITHUB_OUTPUT" + + + - name: Login to Gitea + shell: bash + env: + GIT_SERVER_URL: https://git.dynamicdiscord.de + GIT_SERVER_TOKEN: ${{ secrets.AHTLONS_GITEA_TOKEN }} + run: >- + tea login add + -u "$GIT_SERVER_URL" + -t "$GIT_SERVER_TOKEN" + - name: Check for existing pull request + id: no-pr + continue-on-error: true + shell: bash + run: >- + tea pr -f head -o simple | + grep -q ${{ github.ref_name }} && + exit 1 || + exit 0 + - name: Force push branch + run: git push --force -u origin nixpkgs_bump_$(date +%Y%m%d) + - name: Create pull request + if: steps.no-pr.outcome == 'success' + env: + COMMIT_MSG: Automatic Nixpkgs update + COMMIT_DESC: ${{ steps.commit.outputs.COMMIT_DESC }} + shell: bash + run: >- + tea pr create + -L "bump" + -t "$COMMIT_MSG" + -d "$COMMIT_DESC" + - name: Skip pull request + if: steps.no-pr.outcome == 'failure' + shell: bash + run: > + echo "::error title=⛔ error hint:: + A PR already exists for this branch: ${{ github.ref_name }}" \ No newline at end of file 
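Review bot: The "Check for existing pull request" step greps `tea pr` output for `${{ github.ref_name }}`, but the branch this run pushes is `nixpkgs_bump_$(date +%Y%m%d)`; for a scheduled run `github.ref_name` is the ref the workflow was triggered on, so the check presumably never matches the bump branch and a second run on the same day opens a duplicate PR. Interpolating `${{ ... }}` directly into `run:` is also the usual expression-injection pattern for workflows; pass the value through `env:` and grep a quoted fixed string, `grep -qF -- "$BRANCH"`, so shell and data stay apart. The `nix flake check` output is now captured into `COMMIT_DESC` with `|| echo "None :)"` (the line is garbled in this view), which appears to mean a failing check no longer fails the job before the PR is opened — worth confirming.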
From f6dc3d46e91dddbd2efeb1b1937e9d83feffc3bb Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 20 Feb 2026 20:26:41 +0100 Subject: [PATCH 18/41] [fanny] fix secrets --- machines/fanny/dummy.yaml | 6 ++++-- machines/fanny/dyndns.nix | 6 +++--- machines/fanny/secrets.yaml | 8 ++++---- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/machines/fanny/dummy.yaml b/machines/fanny/dummy.yaml index c38ce53..77c62bd 100644 --- a/machines/fanny/dummy.yaml +++ b/machines/fanny/dummy.yaml @@ -1,5 +1,7 @@ wg_private: ENC[AES256_GCM,data:YEmIfgtyHE9msYijva0Ye2w7shVmYBPZ3mcKRF7Cy20xa6yHEUQ0kC2OWnM=,iv:ouK6fHcrxrEtsmiPmtCz9Ca8Ec1algOifrgZSBNHi74=,tag:524e/SQt++hwVyeWruCsLg==,type:str] njala_api_key: ENC[AES256_GCM,data:uEzx7KeI7ZZP63Igu5vHmuvASVxJai8bezM40UZVobQMr7r6opjnVTc0BPyIGfnG2mx/6Bo=,iv:lch04oGn6bkqtBGVzYlz6B97FGXlGOoxkiT1IplSxm4=,tag:bzXx2jSqFBv1hgJO1r5i+w==,type:str] +njalacloud: ENC[AES256_GCM,data:Xg85D9LMMYd8po8vrpxHZA==,iv:L5Gsm3bX61WW1PAdWswFNrScFoBipS2qDGU7iTubt1U=,tag:M2PCfE1h4IkW/iFq8XeIrA==,type:str] +njalazines: ENC[AES256_GCM,data:ooDRj4HqKVFrgRyzgFGQjg==,iv:9X8r1eY+6FqXv19mO0uMRd5A2tpvtmT11P77t9BQaCk=,tag:4BE55c8x66/UxyTCpCmdUg==,type:str] sops: age: - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng 
@@ -20,8 +22,8 @@ sops: NjJ5cFdTVS9NZmVWMjcrcHo2WDZEZDgKiDwkuUn90cDmidwYGZBb5qp+4R1HafV0 vMQfjT9GrwB5K/O1GumOmvbzLNhvO2vRZJhfVHzyHLzQK64abQgF5Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-20T18:33:50Z" - mac: ENC[AES256_GCM,data:YlsQVjfgtlcSObjLiZif/sOJNx2PqH9q0kguPgBSwAoNiX2/eJhNH2WwtQ8uXQfdPiX7kwfFrl2E0xevqwLv+4AICr+9v6oCfcUHJYPRdkLfCs0jXyvnZr52LzfyV3GOPah/j8Uye9d9sspUMqqaXewoeWtrXHgo277pQVdrKxM=,iv:Xb5ckc/cvpGqkZoViTrw8rUniO2OWy0/rNfhF+Qb/iM=,tag:ZhI4jS2Iyig9juVGAeii+w==,type:str] + lastmodified: "2026-02-20T19:26:21Z" + mac: ENC[AES256_GCM,data:D8ZOgcDCY+I2rFc6+GSRj53QjnhZP0oz5wPgG2x4dOfVRWYMEgR2pnb/IIF95Dq0XR6ja9PLgw42PfdI1dS7vITb1jW5IExcnkB/Pa/RjB3GFeXPFTV6QCAQcK9cLct6yhB/pPbHdt8qHQt7kddiN162RlMHDyR6BAh4gO0Rf3w=,iv:f1RWrxbqNNUdANDR6V+OFuEYJ2ZLVde+5GTcFmSXYSQ=,tag:IBEdkSEz/w4Rxwb6uSBpTw==,type:str] pgp: - created_at: "2025-01-19T22:45:26Z" enc: |- diff --git a/machines/fanny/dyndns.nix b/machines/fanny/dyndns.nix index fda86f3..0e1a925 100644 --- a/machines/fanny/dyndns.nix +++ b/machines/fanny/dyndns.nix @@ -4,8 +4,8 @@ sops.secrets.njalazines = {}; systemd.services."dyndns" = { script = '' - KEYCLOUD=$(cat /run/secrets/njallacloud) - KEYZINES=$(cat /run/secrets/njallazines) + KEYCLOUD=$(cat /run/secrets/njalacloud) + KEYZINES=$(cat /run/secrets/njalazines) ${pkgs.curl}/bin/curl --fail --silent --show-error "https://njal.la/update/?h=cloud.malobeo.org&k="$KEYCLOUD"&auto" ${pkgs.curl}/bin/curl --fail --silent --show-error "https://njal.la/update/?h=zines.malobeo.org&k="$KEYZINES"&auto" ''; @@ -22,4 +22,4 @@ Unit = "dyndns.service"; }; }; -} \ No newline at end of file +} diff --git a/machines/fanny/secrets.yaml b/machines/fanny/secrets.yaml index 70662c2..8aa3e94 100644 --- a/machines/fanny/secrets.yaml +++ b/machines/fanny/secrets.yaml 
@@ -1,8 +1,8 @@ wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str] shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str] shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str] -njallacloud: ENC[AES256_GCM,data:HBFew0tXEYG34G0N5hab9Q==,iv:q4PgqLJkST5exS3fYOQoAN9AubcfYafdjhhRQAIe0Yc=,tag:SZeM1ZcszSJeNo7uZfS0bQ==,type:str] -njallazines: ENC[AES256_GCM,data:dySUyb1/IBGfjvyGx4iF1Q==,iv:dq60RACMotAzZoiv3+DTx4X6+HK8Wg4CMVzDi3qr6fA=,tag:niHK/B8xYIcEfjHuPkKaQw==,type:str] +njalacloud: ENC[AES256_GCM,data:sp79Ij1vd9pQZuPUR1phmw==,iv:AWKZoOfBA/n16pWQCfA0dZmH1KajCztnLvYItoZZbgA=,tag:BIUrobBoO96pxUz1sjIYIw==,type:str] +njalazines: ENC[AES256_GCM,data:fnObUEnXYvdj9HtkZNzXVA==,iv:0Zj2n2we9w4fj/n7e1ayd9XgFEMAGCHk4QLTu1IlRnQ=,tag:zeOLAB0oE6XbxqdqhdRNxw==,type:str] njala_api_key: ENC[AES256_GCM,data:ohSVzQUvFjia/s9WceqnZCdLyk3N1Lm2BCBmXeBlkWD2dyrohKCnd9GiJ499IORpuYcOXyM=,iv:Uczk8op5mgqe8gefxgU9YuTqOsYvjzHCKvzA7GDsgio=,tag:XA7JRq/LsGkpHcQSO36Whg==,type:str] sops: age: 
@@ -24,8 +24,8 @@ sops: QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-20T19:08:38Z" - mac: ENC[AES256_GCM,data:PnCsmzbOji2iD3cwOl3vkXNMZJjxXqfxLuzlQgczwbHzDRXS9Xma2HuoQ9rnraA4CGc0LCgD/E2X0/LlL2lYks2Rh5Axd1kuBIn3pg2ihvzEAb+zBfnLzFGJW7xq4XJHB+OOnr4301cGFD8aPxlI6wrPeY6qu06rx7hGjsKrNTE=,iv:lhsVRbUUvUYrvC5EutX5Hn9O4tzfmED9TvRpt75qY9s=,tag:fs90cns6OeCaKUE6L0sG/A==,type:str] + lastmodified: "2026-02-20T19:25:05Z" + mac: ENC[AES256_GCM,data:g+bFYqJN1X8F52tpIO60S2WKxLG27ZrP399fsfE6o7rPtIMimZou/4oUo7i+kpNtygEuCr3+suP8TPas4x5zMXhRjnjJuwJwL/NwdciHZU0O3rPJgucCEWqr9OdAtxezDM9c2vv+jzqZxWT9t0fIpB9RxO5oy1pHZs0RCgjAJR4=,iv:v6RdTMeQUxSdjIVNFbx2HtxCsdVgFTQTzMXS5Fj62is=,tag:pLoZMBRIXYElO5rY+xX9zg==,type:str] pgp: - created_at: "2025-02-11T18:32:49Z" enc: |- From dabda0ccb957fffb084f0bfe28cb135d6f4bc8bb Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 20 Feb 2026 20:28:59 +0100 Subject: [PATCH 19/41] [general] fix physical host ips --- machines/hosts.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/machines/hosts.nix b/machines/hosts.nix index 624de8d..067179d 100644 --- a/machines/hosts.nix +++ b/machines/hosts.nix @@ -37,7 +37,7 @@ in network = { local = true; hostId = "12"; - address = "192.168.1.12"; + address = "192.168.1.102"; }; }; @@ -46,7 +46,7 @@ in network = { local = true; hostId = "13"; - address = "192.168.1.13"; + address = "192.168.1.103"; }; }; @@ -55,7 +55,7 @@ in network = { local = true; hostId = "15"; - address = "192.168.1.15"; + address = "192.168.1.105"; }; }; From 5403d97506a320f025dbc63b52789ba21b8e8fa9 Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 20 Feb 2026 20:31:09 +0100 Subject: [PATCH 20/41] [fanny] open 443 --- machines/fanny/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index f472355..1909894 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -154,7 +154,7 @@ in }; firewall = { - allowedTCPPorts = [ 80 ]; + allowedTCPPorts = [ 80 443 ]; }; }; From 5a35febf775334e403da421e7b42ff4f252f706d Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 20 Feb 2026 22:58:10 +0100 Subject: [PATCH 21/41] [fanny] fix ip --- machines/fanny/configuration.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index 1909894..0be72a3 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -135,8 +135,9 @@ in enableHostBridge = true; interface = "enp1s0"; gateway = "192.168.1.1"; - address = "192.168.1.2/24"; + address = "192.168.1.103/24"; }; + services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" From 04ee3105c184c73bd13d3acb6bdccd15b12a5532 Mon Sep 17 00:00:00 2001 From: kalipso Date: Fri, 20 Feb 2026 22:58:16 +0100 Subject: [PATCH 22/41] [hosts] fix dns --- machines/hosts.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/hosts.nix b/machines/hosts.nix index 067179d..f04d03d 100644 --- a/machines/hosts.nix +++ b/machines/hosts.nix @@ -6,7 +6,7 @@ let hostId = hostId; address = "192.168.1.${hostId}"; gateway = "192.168.1.1"; - nameservers = [ "192.168.1.17" "1.1.1.1" ]; #setting ns1 as nameserver + nameservers = [ "192.168.1.1" "1.1.1.1" ]; #setting ns1 as nameserver mac = mac; }; From 66a043314818004dce2ba1834b676fe0c23fdb72 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Fri, 20 Feb 2026 23:22:19 +0100 Subject: [PATCH 23/41] [nextcloud] add hq to trusted_domains --- machines/nextcloud/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/nextcloud/configuration.nix b/machines/nextcloud/configuration.nix index c63682f..1929f05 100644 
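Review bot: The comment `#setting ns1 as nameserver` on the changed line is now stale — the value is `192.168.1.1`, the same address used as `gateway` on the line above, not an ns1 host. Either update it, e.g. `nameservers = [ "192.168.1.1" "1.1.1.1" ]; # gateway resolver first; ns1 not in use yet`, or, if ns1 is still the intent, take the address from ns1's own hosts.nix entry rather than a literal. This is inside the helper that L38's `createMaloNet` calls presumably refer to; its definition starts outside the hunk.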
--- a/machines/nextcloud/configuration.nix +++ b/machines/nextcloud/configuration.nix @@ -61,7 +61,7 @@ in }; }; settings = { - trusted_domains = [ "cloud.malobeo.org" ]; + trusted_domains = [ "cloud.malobeo.org" "cloud.hq.malobeo.org" ]; trusted_proxies = [ hosts.malobeo.hosts.fanny.network.address ]; "maintenance_window_start" = "1"; "default_phone_region" = "DE"; From e32c1f31bc728290b272a162437fe1122acf458d Mon Sep 17 00:00:00 2001 From: ahtlon Date: Fri, 20 Feb 2026 23:49:04 +0100 Subject: [PATCH 24/41] [fanny] fix keys.malobeo.org proxypass --- machines/fanny/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index 0be72a3..1d494c8 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -213,7 +213,7 @@ in virtualHosts."keys.malobeo.org" = { locations."/" = { - proxyPass = "http://10.0.0.16"; + proxyPass = "http://${hosts.malobeo.hosts.vaultwarden.network.address}"; extraConfig = '' proxy_set_header Host $host; ''; From 8afc42d46f69a51e465b5eaf147707327e489ba4 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Fri, 20 Feb 2026 23:55:27 +0100 Subject: [PATCH 25/41] update the update domain to prepare for repo move --- machines/modules/malobeo/microvm_host.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix index 745e18b..26ac75f 100644 --- a/machines/modules/malobeo/microvm_host.nix +++ b/machines/modules/malobeo/microvm_host.nix @@ -101,7 +101,7 @@ in # under nixosConfigurations flake = inputs.malobeo; # Specify from where to let `microvm -u` update later on - updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure"; + updateFlake = "git+https://git.dynamicdiscord.de/malobeo/infrastructure"; }; }; in builtins.listToAttrs (map mapperFunc cfg.deployHosts); 
From a07b8ffd6873f432d65c4450b800470423b1b993 Mon Sep 17 00:00:00 2001 From: kalipso Date: Sun, 22 Feb 2026 21:48:18 +0100 Subject: [PATCH 26/41] [run-vm] add testHost option to module to allow local testing again --- machines/modules/malobeo/microvm_host.nix | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix index 26ac75f..805255e 100644 --- a/machines/modules/malobeo/microvm_host.nix +++ b/machines/modules/malobeo/microvm_host.nix @@ -14,6 +14,12 @@ in description = lib.mdDoc "Setup bridge device for microvms."; }; + testHost = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc "Enable when the host is used for development and testing using run-vm"; + }; + interface = mkOption { default = "eno1"; type = types.str; @@ -68,7 +74,7 @@ in systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) { enable = true; networks."10-lan" = { - matchConfig.Name = [ "${cfg.interface}" "vm-*"]; + matchConfig.Name = ["vm-*"] ++ (if !cfg.testHost then [ "${cfg.interface}" ] else [ ]); networkConfig = { Bridge = "malobeo0"; }; @@ -81,7 +87,7 @@ in }; }; - networks."10-lan-bridge" = { + networks."10-lan-bridge" = if !cfg.testHost then { matchConfig.Name = "malobeo0"; networkConfig = { Address = [ "${cfg.address}" ]; @@ -90,6 +96,17 @@ in IPv6AcceptRA = true; }; linkConfig.RequiredForOnline = "routable"; + } else { + matchConfig.Name = "malobeo0"; + networkConfig = { + DHCPServer = true; + IPv6SendRA = true; + }; + addresses = if cfg.enableHostBridgeUnstable then [ + { Address = "10.0.0.1/24"; } + ] else [ + { Address = "10.0.0.1/24"; } + ]; }; }; From d5767508ef3fff70a6ddf9618de097d0c72a056b Mon Sep 17 00:00:00 2001 From: kalipso Date: Mon, 23 Feb 2026 01:04:54 +0100 Subject: [PATCH 27/41] [louise] add bitwarden-desktop --- machines/louise/configuration.nix | 1 + 1 file changed, 1 insertion(+) 
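Review bot: In the `else` branch of `networks."10-lan-bridge"`, both arms of `addresses = if cfg.enableHostBridgeUnstable then [...] else [...]` are the identical `{ Address = "10.0.0.1/24"; }`, so the conditional is dead; collapse it to `addresses = [ { Address = "10.0.0.1/24"; } ];` or give the unstable case its own value if one was intended. The `testHost` branch also turns on `DHCPServer = true` on `malobeo0`; since `10-lan` now excludes `cfg.interface` when `testHost` is set, this stays confined to the `vm-*` ports, which is worth stating in the option so nobody enables it on a host where the physical interface is bridged. The `description` could read "Enable when the host is used for development and testing using run-vm; the bridge then runs its own DHCP server on 10.0.0.0/24 and is not attached to `interface`."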
diff --git a/machines/louise/configuration.nix b/machines/louise/configuration.nix index 5215879..73c375b 100644 --- a/machines/louise/configuration.nix +++ b/machines/louise/configuration.nix @@ -42,6 +42,7 @@ mpv vlc simple-scan + bitwarden-desktop ]; }; From 344eeb437b0aa29baee1227e48878f987e21e296 Mon Sep 17 00:00:00 2001 From: malobot Date: Thu, 26 Feb 2026 00:03:38 +0000 Subject: [PATCH 28/41] Update flake.lock --- flake.lock | 80 ++++++++++++++++-------------------------------------- 1 file changed, 23 insertions(+), 57 deletions(-) diff --git a/flake.lock b/flake.lock index 61f5589..6b27710 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1746728054, - "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=", + "lastModified": 1768920986, + "narHash": "sha256-CNzzBsRhq7gg4BMBuTDObiWDH/rFYHEuDRVOwCcwXw4=", "owner": "nix-community", "repo": "disko", - "rev": "ff442f5d1425feb86344c028298548024f21256d", + "rev": "de5708739256238fb912c62f03988815db89ec9a", "type": "github" }, "original": { @@ -78,24 +78,6 @@ "type": "github" } }, - "flake-utils_2": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -138,18 +120,17 @@ }, "microvm": { "inputs": { - "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], "spectrum": "spectrum" }, "locked": { - "lastModified": 1764549796, - "narHash": "sha256-Mswg665P92EoHkBwCwPr/7bdnj04g2Qfb+t02ZEYTHA=", + "lastModified": 1772055583, + "narHash": "sha256-iPIm1orqkhsxqju6EVODOrV1BmyA5HNTZ8a1o812bFM=", "owner": "astro", "repo": "microvm.nix", - "rev": "030d055e877cc13d7525b39f434150226d5e4482", + "rev": "f6dcfb7c16cc3775536c825dc0698d4ede13d063", "type": "github" }, "original": { @@ -181,11 +162,11 @@ ] }, "locked": { - "lastModified": 1764234087, - "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", + "lastModified": 1769813415, + "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", + "rev": "8946737ff703382fda7623b9fab071d037e897d5", "type": "github" }, "original": { @@ -196,11 +177,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1764440730, - "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=", + "lastModified": 1771969195, + "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3", + "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e", "type": "github" }, "original": { @@ -228,11 +209,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1764517877, - "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=", + "lastModified": 1771848320, + "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c", + "rev": "2fc6539b481e1d2569f25f8799236694180c0993", "type": "github" }, "original": { 
@@ -244,11 +225,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1764522689, - "narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=", + "lastModified": 1771903837, + "narHash": "sha256-sdaqdnsQCv3iifzxwB22tUwN/fSHoN7j2myFW5EIkGk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f", + "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951", "type": "github" }, "original": { @@ -283,11 +264,11 @@ ] }, "locked": { - "lastModified": 1764483358, - "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", + "lastModified": 1772048434, + "narHash": "sha256-/wA0OaH6kZ/pFA+nXR/tvg5oupOmEDmMS5us79JT60o=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5aca6ff67264321d47856a2ed183729271107c9c", + "rev": "334daa7c273dd8bf7a0cd370e4e16022b64e55e9", "type": "github" }, "original": { @@ -372,21 +353,6 @@ "type": "github" } }, - "systems_5": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "tasklist": { "inputs": { "nixpkgs": [ @@ -445,7 +411,7 @@ }, "utils_3": { "inputs": { - "systems": "systems_4" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -463,7 +429,7 @@ }, "utils_4": { "inputs": { - "systems": "systems_5" + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, From a1bfa0120cc65560ec9b7d1f3e81afc4177dcdbe Mon Sep 17 00:00:00 2001 From: kalipso Date: Sun, 22 Feb 2026 21:47:34 +0100 Subject: [PATCH 29/41] [pretalx] init --- machines/fanny/configuration.nix | 9 ++++ machines/hosts.nix | 5 ++ machines/pretalx/configuration.nix | 74 ++++++++++++++++++++++++++++++ 3 files changed, 88 insertions(+) create mode 100644 machines/pretalx/configuration.nix 
diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix
index 1d494c8..276aae7 100644
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -229,6 +229,15 @@ in }; };
+ virtualHosts."talks.malobeo.org" = {
+ locations."/" = {
+ proxyPass = "http://${hosts.malobeo.hosts.pretalx.network.address}";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+
 virtualHosts."tasklist.malobeo.org" = { locations."/" = { proxyPass = "http://${hosts.malobeo.hosts.durruti.network.address}:8080";
diff --git a/machines/hosts.nix b/machines/hosts.nix
index f04d03d..e194ed1 100644
--- a/machines/hosts.nix
+++ b/machines/hosts.nix
@@ -103,6 +103,11 @@ in type = "microvm"; network = createMaloNet "17" "52:DA:0D:F9:EF:F3"; };
+
+ pretalx = {
+ type = "microvm";
+ network = createMaloNet "18" "52:DA:0D:F9:EF:F4";
+ };
 }; }; }
diff --git a/machines/pretalx/configuration.nix b/machines/pretalx/configuration.nix
new file mode 100644
index 0000000..7387523
--- /dev/null
+++ b/machines/pretalx/configuration.nix
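Review bot: The new `talks.malobeo.org` vhost on fanny forwards only `Host`; unless `recommendedProxySettings` is enabled elsewhere in this file, pretalx receives neither `X-Forwarded-For` nor `X-Forwarded-Proto`, so its logs and any per-client handling see fanny as the client and it cannot tell that the request was TLS-terminated at the edge. Consider `recommendedProxySettings = true;` on this vhost, or add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` next to the existing Host line and let the TLS-terminating edge set `X-Forwarded-Proto`. The matching vhosts added on durruti and vpn in patch 34 have the same gap; the durruti one is where TLS ends, so that is the natural place to set the proto header.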
@@ -0,0 +1,74 @@
+{ config, self, lib, pkgs, ... }:
+
+with lib;
+
+let
+ hosts = import ../hosts.nix {};
+in
+{
+ networking = {
+ hostName = mkDefault "pretalx";
+ useDHCP = false;
+ };
+
+ imports = [
+ self.nixosModules.malobeo.metrics
+ ../modules/malobeo_user.nix
+ ../modules/sshd.nix
+ ../modules/minimal_tools.nix
+ ../modules/autoupdate.nix
+ ];
+
+ malobeo.metrics = {
+ enable = true;
+ enablePromtail = true;
+ logNginx = true;
+ };
+
+ services.postgresqlBackup = {
+ enable = true;
+ };
+
+ services.nginx = {
+ enable = true;
+ commonHttpConfig = /* nginx */ ''
+ proxy_headers_hash_bucket_size 64;
+ '';
+ virtualHosts = {
+ "talks.malobeo.org" = {
+ forceSSL = false;
+ enableACME = false;
+ };
+ };
+ };
+
+
+ services.pretalx = {
+ enable = true;
+ celery.extraArgs = [
+ "--concurrency=${toString config.microvm.vcpu}"
+ ];
+ gunicorn.extraArgs = [
+ # https://docs.pretalx.org/administrator/installation/#step-6-starting-pretalx-as-a-service
+ "--log-level=info"
+ "--max-requests-jitter=50"
+ "--max-requests=1200"
+ "--workers=${toString config.microvm.vcpu}"
+
+ # TODO: 25.11 upstream
+ "--name=pretalx"
+ "--preload"
+ ];
+ nginx.domain = "talks.malobeo.org";
+ settings = {
+ locale = {
+ language_code = "de";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
+
From bbf8decea167c7afb480a9c1d90203b2d7453b59 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Sun, 22 Feb 2026 21:52:50 +0100
Subject: [PATCH 30/41] [pretalx] add monitoring
---
 machines/overwatch/configuration.nix | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/machines/overwatch/configuration.nix b/machines/overwatch/configuration.nix
index 8fd70fd..72fbbf3 100644
--- a/machines/overwatch/configuration.nix
+++ b/machines/overwatch/configuration.nix
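Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens 443 on the microvm although the only vhost in this file has `forceSSL = false; enableACME = false;` and nothing visible listens on 443 (TLS is terminated upstream); narrow it to `networking.firewall.allowedTCPPorts = [ 80 ];` so the exposed ports match what is served. The `system.stateVersion` line still carries the installer-template remark `# Did you read the comment?`, which refers to nothing in this file; replace it with the reason 22.11 was chosen or drop it. If the pretalx module also creates a vhost from `nginx.domain`, the explicit `virtualHosts."talks.malobeo.org"` entry merges with it, so a one-line comment such as `# plain HTTP on purpose: TLS is terminated on durruti` would save the next reader from "fixing" it.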
@@ -144,6 +144,12 @@ in targets = [ "${hosts.malobeo.hosts.zineshop.network.address}:9002" ]; }]; }
+ {
+ job_name = "pretalx";
+ static_configs = [{
+ targets = [ "${hosts.malobeo.hosts.pretalx.network.address}:9002" ];
+ }];
+ }
 { job_name = "fanny"; static_configs = [{
From 56c1ae5332858f87d0f1bb34b8792dfc43bb0d1f Mon Sep 17 00:00:00 2001
From: kalipso
Date: Sun, 22 Feb 2026 21:53:05 +0100
Subject: [PATCH 31/41] [vaultwarden] add monitoring
---
 machines/overwatch/configuration.nix | 6 ++++++
 machines/vaultwarden/configuration.nix | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/machines/overwatch/configuration.nix b/machines/overwatch/configuration.nix
index 72fbbf3..06cac14 100644
--- a/machines/overwatch/configuration.nix
+++ b/machines/overwatch/configuration.nix
@@ -144,6 +144,12 @@ in targets = [ "${hosts.malobeo.hosts.zineshop.network.address}:9002" ]; }]; }
+ {
+ job_name = "vaultwarden";
+ static_configs = [{
+ targets = [ "${hosts.malobeo.hosts.vaultwarden.network.address}:9002" ];
+ }];
+ }
 { job_name = "pretalx"; static_configs = [{
diff --git a/machines/vaultwarden/configuration.nix b/machines/vaultwarden/configuration.nix
index 8a43711..5e6461a 100644
--- a/machines/vaultwarden/configuration.nix
+++ b/machines/vaultwarden/configuration.nix
@@ -22,6 +22,12 @@ with lib; networking.firewall.allowedTCPPorts = [ 80 ];
+ malobeo.metrics = {
+ enable = true;
+ enablePromtail = true;
+ logNginx = true;
+ };
+
 services.nginx = { enable = true; virtualHosts."keys.malobeo.org" = {
From ff340d69fb03d6657050e787e84b28f0e6cef764 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Sun, 22 Feb 2026 21:55:44 +0100
Subject: [PATCH 32/41] [fanny] deploy pretalx
---
 machines/fanny/configuration.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix
index 276aae7..8e1c3ff 100644
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -145,6 +145,7 @@ in "durruti" "zineshop" "vaultwarden"
+ "pretalx"
 ]; networking = {
From e021f46b4d721b56009aba709515f2b85ff937bc Mon Sep 17 00:00:00 2001
From: kalipso
Date: Sun, 22 Feb 2026 23:28:56 +0100
Subject: [PATCH 33/41] [vaultwarden] fix missing input
---
 machines/vaultwarden/configuration.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/machines/vaultwarden/configuration.nix b/machines/vaultwarden/configuration.nix
index 5e6461a..cc6a088 100644
--- a/machines/vaultwarden/configuration.nix
+++ b/machines/vaultwarden/configuration.nix
@@ -18,6 +18,7 @@ with lib; imports = [ ../modules/malobeo_user.nix ../modules/sshd.nix
+ inputs.self.nixosModules.malobeo.metrics
 ]; networking.firewall.allowedTCPPorts = [ 80 ];
From c3474f9c273206c4b0aaa09a2374e6cf83eaa973 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Sat, 7 Mar 2026 16:01:15 +0100
Subject: [PATCH 34/41] [pretalx] proxy through vpn
---
 machines/durruti/host_config.nix | 10 ++++++++++
 machines/vpn/configuration.nix | 9 +++++++++
 2 files changed, 19 insertions(+)
diff --git a/machines/durruti/host_config.nix b/machines/durruti/host_config.nix
index bcef133..cd71b11 100644
--- a/machines/durruti/host_config.nix
+++ b/machines/durruti/host_config.nix
@@ -63,6 +63,16 @@ in }; };
+ services.nginx.virtualHosts."talks.malobeo.org" = {
+ forceSSL = true;
+ enableACME= true;
+ locations."/" = {
+ proxyPass = "http://10.0.0.10";
+ extraConfig = ''
+ '';
+ };
+ };
+
 services.nginx.virtualHosts."tasklist.malobeo.org" = { forceSSL = true; enableACME= true;
diff --git a/machines/vpn/configuration.nix b/machines/vpn/configuration.nix
index e2ebee3..21720a8 100644
--- a/machines/vpn/configuration.nix
+++ b/machines/vpn/configuration.nix
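Review bot: The added import `inputs.self.nixosModules.malobeo.metrics` only evaluates if `inputs` is a function argument of this module, and the module header is outside the hunk (only `with lib;` is visible). The pretalx configuration in this same series started with the same `inputs.self.` prefix and patch 36 had to change it to `self.`, so please confirm `inputs` is really in scope here, or use `self.nixosModules.malobeo.metrics` to match the pretalx file.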
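Review bot: The new `talks.malobeo.org` vhost on durruti has an empty `extraConfig`, so unless `recommendedProxySettings` is set outside the hunk nginx forwards its default `Host: 10.0.0.10` to the vpn host, where the `virtualHosts."talks.malobeo.org"` block added in the next hunk only matches on the real name and the request falls through to whatever default vhost exists there. Add `proxy_set_header Host $host;` inside the `''` block, as the fanny and vpn copies of this vhost do. Since this vhost is where TLS is terminated (`forceSSL = true`), it is also the place to set `X-Forwarded-Proto`/`X-Forwarded-For` for the downstream hops; `recommendedProxySettings = true;` on this vhost covers all of these in one line.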
@@ -58,6 +58,15 @@ with lib; }; };
+ virtualHosts."talks.malobeo.org" = {
+ locations."/" = {
+ proxyPass = "http://10.100.0.101";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+
 virtualHosts."tasklist.malobeo.org" = { locations."/" = { proxyPass = "http://10.100.0.101";
From e32e4d77741fa24bc898146adae2bc1806f9ffde Mon Sep 17 00:00:00 2001
From: kalipso
Date: Sat, 7 Mar 2026 16:03:02 +0100
Subject: [PATCH 35/41] [pretalx] enable admin user
---
 machines/pretalx/configuration.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/machines/pretalx/configuration.nix b/machines/pretalx/configuration.nix
index 7387523..ff903af 100644
--- a/machines/pretalx/configuration.nix
+++ b/machines/pretalx/configuration.nix
@@ -13,7 +13,7 @@ in imports = [ self.nixosModules.malobeo.metrics
- ../modules/malobeo_user.nix
+ inputs.self.nixosModules.malobeo.users
 ../modules/sshd.nix ../modules/minimal_tools.nix ../modules/autoupdate.nix
@@ -25,6 +25,11 @@ in logNginx = true; };
+ malobeo.users = {
+ admin = true;
+ };
+
+
 services.postgresqlBackup = { enable = true; };
From cd5db6a61619872fff89c9b289322d8c86ee9b52 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Sat, 7 Mar 2026 16:10:07 +0100
Subject: [PATCH 36/41] [pretalx] fix wrong import
---
 machines/pretalx/configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/pretalx/configuration.nix b/machines/pretalx/configuration.nix
index ff903af..22114d0 100644
--- a/machines/pretalx/configuration.nix
+++ b/machines/pretalx/configuration.nix
@@ -13,7 +13,7 @@ in imports = [ self.nixosModules.malobeo.metrics
- inputs.self.nixosModules.malobeo.users
+ self.nixosModules.malobeo.users
 ../modules/sshd.nix ../modules/minimal_tools.nix ../modules/autoupdate.nix
From f385b0318b069dea615e463072c5ecc7e6229a12 Mon Sep 17 00:00:00 2001
From: kalipso Date: Mon, 9 Mar 2026 12:59:04 +0100 Subject: [PATCH 37/41] [pretalx] setup email --- machines/.sops.yaml | 9 +++++ machines/pretalx/configuration.nix | 19 +++++++++ machines/pretalx/dummy.yaml | 64 ++++++++++++++++++++++++++++++ machines/pretalx/secrets.yaml | 64 ++++++++++++++++++++++++++++++ 4 files changed, 156 insertions(+) create mode 100644 machines/pretalx/dummy.yaml create mode 100644 machines/pretalx/secrets.yaml diff --git a/machines/.sops.yaml b/machines/.sops.yaml index ffb8e6b..dd7e698 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -15,6 +15,7 @@ keys: - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk - &machine_nextcloud age1g084sl230x94mkd2wq92s03mw0e8mnpjdjfx9uzaxw6psm8neyzqqwpnqe - &machine_vaultwarden age1zs9puemeevc5kt84w9d2mc5396w0t9p60qxymkpatwvwxunzs5usmxr3an + - &machine_pretalx age1y04q8n7mgk82c87rfddm0u72h0ny6sfzktjsk0cc3gu93kezudfqdp9v9g #this dummy key is used for testing. - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng creation_rules: @@ -105,6 +106,14 @@ creation_rules: age: - *admin_atlan - *machine_vaultwarden + - path_regex: pretalx/secrets.yaml$ + key_groups: + - pgp: + - *admin_kalipso + - *admin_kalipso_dsktp + age: + - *admin_atlan + - *machine_pretalx - path_regex: .*/secrets/.* key_groups: - pgp: diff --git a/machines/pretalx/configuration.nix b/machines/pretalx/configuration.nix index 22114d0..a54dc59 100644 --- a/machines/pretalx/configuration.nix +++ b/machines/pretalx/configuration.nix @@ -6,6 +6,14 @@ let hosts = import ../hosts.nix {}; in { + sops.defaultSopsFile = ./secrets.yaml; + sops.secrets = { + pretalx_smtp = { + owner = "pretalx"; + group = "pretalx"; + }; + }; + networking = { hostName = mkDefault "pretalx"; useDHCP = false; 
@@ -65,10 +73,21 @@ in "--preload" ]; nginx.domain = "talks.malobeo.org";
+ environmentFiles = [
+ config.sops.secrets.pretalx_smtp.path
+ ];
 settings = { locale = { language_code = "de"; };
+ settings.mail = {
+ from = "malobot@systemli.org";
+ host = "mail.systemli.org";
+ port = "465";
+ ssl = true;
+ tls = true;
+ };
+
 }; };
diff --git a/machines/pretalx/dummy.yaml b/machines/pretalx/dummy.yaml
new file mode 100644
index 0000000..c133f3a
--- /dev/null
+++ b/machines/pretalx/dummy.yaml
@@ -0,0 +1,64 @@ +pretalx_smtp: ENC[AES256_GCM,data:zYnhuulpJAEEacXxpqNG2GEVrV21H0UZfx3sqZaZxWYL2HW6WwFMZ2PeGL8bWCv92+iZ2DGkhg==,iv:kMJLfeQ+9ZZFc6T+HnS64p9BJUy38nXrakAOXdQ0gIU=,tag:l8/eSrcOtt9MLnqcif5v2A==,type:str] +sops: + age: + - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZXExRE14NDF6cnFRSE9G + RjdxV09UMXUvczBQai9GQW5PT2g0eUZhSUVvClRZL1dJVlpKUTArTkhhR2JCV1VG + cktFb21wNDZiZC9oc2l5VS9hdzVhbFUKLS0tIGZZa2Z2R0Nvd3RUbWRHMkFJMjVK + QXdRdkVwSFg2TVRBYU1qWFJ2bE9hWFUK8HuJ9ErFU0yH3QlXl1tnmawNX0fHDOFb + g+DpDYKccGcC6PxNOE/CsftJqGLtFlToYHOYWG18bFjNZawUoaOfLQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3S0s4UlZuSWc3K3cvTDBR + WEt2L3hYSGRVWHBYbEtoci9rYkJEK1hYSkRZCkM5S25YNGM2Y3R0MG9lWUNJem9P + bnJXbTRFZUpUVmhWVVVqeVhjdDV2SWMKLS0tIEdXbXU0RkJ6ZzBTcTdiZlJPbG83 + RW8zUzBkNjViYnVFY3MyM1ZENmZXVmcK4144dF921EuNaofNhaYw9Yh56KHdfQD/ + vxPkp5jC02Wbb6hjImd+oMUg3jgCbWC4j3Qpvaky8Ig2AaJRhtqlxg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-09T11:58:41Z" + mac: ENC[AES256_GCM,data:n11H0rFtXvCeleTKXnQ8tORm3YH11tvjRd/PYSRof8EIUpQ7ZtyVqdYqPZCUuck12LG8hh9+GBBpXIRDhwEJlteC61Vl0syW9bQvCbfETvIgRZsoIZr+mofYHe1twm73sd7YaGzC6xxVm5HZG/qS1LflHah6jFO6NkgQ0GpLPTE=,iv:np3bKJIbVwn96rMBeedLmw6f1him35waUWN6LJ5MLNk=,tag:fs8rmrSkK1REaUKJHxeSbw==,type:str] + pgp: + - created_at: "2026-03-09T11:58:34Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMA5HdvEwzh/H7AQv/VMIZlsBZPEolTd0yUfHyZ5PRsQDirt4hOuVFGXdKi8tb + Pk+L3y69ynfF+ZJsu41+GdVgaNX58bbdqJfnEgE+k35IrJxYmVlNuUmd5s79rOHQ + b1dn6SdoVrKTAgtrnicO0n0F41XZBSpqP4wKVHigsWgfHkaUUsI+5d/T/2F+VCcS + slhvveCMKNjDlK9sukp5TBiX+xrWTq4QIbMS7L6VSlwHod72bp73o7RV9PgoO4vy + aodYiPmJqDjF0Az7JXdu2UdWJGUYxNWb5jHCT3qpcZyX1kVSmZvcRjxtVVCySFx+ + 
agcavtdlEV3t8JOOvVmYoxwNOGjDvJ83k6wdueFpoJFE4Z1pHy/XCVCHykmWH/+m + nYADzmg+GiOSrTR2xWEmkesrByOMucYiZngDV3RLuZraE+8PJbqX2aAAip1Ol6AX + eYGCtLw/cXvDM1ngdj/4vaelek/TMLRRmuDyzVHevnqMGhdgAp4Ns6+ihZajSYkK + 4YqUSKOMHrfEwbZgGYGW0lgB4cv1uzPgyufcPWzg8oAS0/2jW6KjZPLIx4SYcp41 + C3BE/osbnyzGhzmabNstFbVmBYF1iK73O/Np2PGj3glBsE7PNMmcDu4ASaEI1nNw + CpOmQCR9jRGi + =6itD + -----END PGP MESSAGE----- + fp: c4639370c41133a738f643a591ddbc4c3387f1fb + - created_at: "2026-03-09T11:58:34Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA98TrrsQEbXUAQ//aQNOD855rikMtrXENG/XA5dZeKGaLQAv0kWUHuJbRddn + IB9pW+Y8AgyB6xc9A4oKOKgjT8TCSYvGI6zDchf5tjrvQwmiMlpQouflcjR+UgDy + mANqL2+7GLFVcTuQfRPbEdK54Q78KciQ2bxMeh0WDZ5vV8fCTz+aPsvlNT8AJBcq + BO4dyG1oqCT13ln7g7LoHPn22wAj+H93F8aqyFk6YjgomKRf0j9gAW/NI1w8TIsg + etgMBrn0AupANrADQHAij1zSS+GaK8ZMBVgCoInc9gAQl97ytMLp/eQj4Ll69r+z + JRhFdFDZgP0UIIFurAU5eFixNq8IZnFYvFRGpR/XzAiOh8JfgWUDs5HSLyRcADi9 + XxLsEnTFm1kfoI+lpma0WtlAIXg2WpCoaU3B2kB15T4giVs6LWGmssux5t8uKTFR + DySHvdl9o78zBFPVxhW+j9h04fAeUmCWZYKpnEdFwKpBmGWtnC5rvz22Xwu3Q/wT + HioLzvETqVn+knc/ErR6Axw4A9zeLi1AccJdceVopR7rEq+0DjpLV/zYqwGruQaa + q1qtQIgPf888TKtNgAGSxQ2nUfkMM2oK2cC6r2juhxwbmTFcz6FUV41To9/hCo1c + 1SE4ZiRu7R8i+KFn4K2y6RGRkJo75trJkxuwGvAYuo6gGUmj50EeimFx0rKRddfS + WAH8JPQH6ohAqaA1hdrQRM7lPtwjPCfJW/fUqPHAR5Ytwn9xmt0A+jQYvmubH9dR + UT8OMUOIh2XC2JDYt4P4pFXXODB6WPb3Fdft6S95+vLhx6eHuo7PvVM= + =KkYj + -----END PGP MESSAGE----- + fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/machines/pretalx/secrets.yaml b/machines/pretalx/secrets.yaml new file mode 100644 index 0000000..2ebf65b --- /dev/null +++ b/machines/pretalx/secrets.yaml 
@@ -0,0 +1,64 @@ +pretalx_smtp: ENC[AES256_GCM,data:Jrgx1/AsgTb1KxtgiTPGRkgtl5EHPWHPde4ItwOHH9lcmakAb1b2n4JP70vF53uuKIfiyCPeVQ==,iv:fcVFgjKSGTaFxC1DAX2Sb6WD/IbJO0s1A63wrQkLWbg=,tag:NjcNwa+6h/boRemEg1j9ng==,type:str] +sops: + age: + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxb1dGalUyNzVtYjFFNm9T + a3ord2NSTEE3UkhrTm1TbHdMV3lITHJRLzJvCnAxeUZib0d0dCtUZ0x3NUtsdzdD + SjVYY0Y4MXhGRVZGZTRiNHJHSHNkb0kKLS0tIGtCL0puTDRZcUsrc2VRUU1URERs + Y084Z0tGR3JPZkw5ci9icFVSd051bE0KXaT1mPUBFUorZ/zgYjDyqWGbnHAkcjmZ + KVZJae9HC35+mq9mme7XOH96NX6tq69Hg+TUFoQg1m2Ifz27GKD3bQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y04q8n7mgk82c87rfddm0u72h0ny6sfzktjsk0cc3gu93kezudfqdp9v9g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVVJyZFZCTVZhUXN0WFJu + UWU2UWxTY3ErWHVhMGNGU0t3N0c2ekM5a0NvCkVtTDdyeEVMQzY5RUg1NnVZVHd1 + a1U4cytPSjU3K0NaSmJDdk5peHM5emMKLS0tIGhTemxzbjBzNkFILy9QRG53V0lX + dEZTQVpCOUNDSW0yRS9rYkZkVjZPRG8K/Hea01veMQ0Gxo//24PRhDcncYUuExpQ + T4ff4CNXF2vDYDsSIPDlhHdmSRGmoCw00ChCZ8vvIlHl2O86Qmd0Ng== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-09T11:58:07Z" + mac: ENC[AES256_GCM,data:QWFdEg+I1YUH65qPUQvOwwb7i+X+HYKdhYJiLoku+XcvYq4xFaoBvFTW3eZ/S2i20yK1SQcAVjUe7JQEgZDtqzPdZH6w4YIZJVvQdDMPy99xdXXEZrnW+rHOy60XFS7WiyeUdLA3TQ4+Ec1f2kkQw7MhbDbOoOh0obsvfhtz3OE=,iv:h4Qn/LpayhXCWWsO/nm18Rapz6WXQcjItF9YwyiFJJ0=,tag:bxtQQMNgVyFkHp+pbSP3UQ==,type:str] + pgp: + - created_at: "2026-03-09T11:57:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMA5HdvEwzh/H7AQwAkahLpq8vqQn6N5EyrbC+33Ohl61ZbBPR6NnQaLvU3s+i + WJ3xe7T+LP0jv2C2t//VhYvVNolQ2LBA+yLE3Cvjw6JCyVhu54ZRDJciY2w/wY5J + MN++Bqac6avoEYHkvoN6m1/F8JK46fzgQT7xXFTGix+g1W48aSC70GRZUmsg469p + ZFYbj/mEseG1ICxhZANU2NgRgW7kA/La/fe3/+YE8tkNHSXF2ZevQvluarm7kXT9 + KWani1wMlUMwZoCpwbfNwKpXPL0jW48FJsFIlxPbDrDCkR1gih1PHFVyqd45am9g + 
Uo0hJ1NOKzm5Cy5c/3xJzaP62UWyNJf+v5VojEg2XfSGqtaZDFQsLK0of5G/XArn + C7k7UbQJqz15rHWPznIppv2h+cTIsVDQcz77es1/qaOQyCMHdYqdkzi5YV7DJBZS + K6PP3Nt77uL4LGRL0vFtBgdhKFtXAAf8lhRfZJcJ2P9BYvaFdRUfjm/r0TNfCref + k2WCesk4F/pQSyB3ofuR0lYBJzlZ3iNpl7DlfyZ6DRZ/+aVFceRf9A8QKtkVmdMt + noqBJfLzhWgVmUUh3DO97mJV5pNOx8238vqVTxWrUqZXjXdXaUDaFUDXvgwg3GOA + N28ZjLy1XA== + =mIVi + -----END PGP MESSAGE----- + fp: c4639370c41133a738f643a591ddbc4c3387f1fb + - created_at: "2026-03-09T11:57:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA98TrrsQEbXUAQ//cnVHHJEwQn+W8Jkt+jwgnKCgbRutvG3U8hlXizzdk2RI + j6nVPpv2DwuXvX3ktnng8XrmWwXf9rFRRltVs7alenEnHLxiDd5w+WYeH4NCHOFr + +vvFwxNOxzLDj5B2Fjod4El70jUdrP6Mqzy37DPu1Gb2qIUEwdF1LEzM4FMWdeWL + BA0wCJzlTXzdlb0shw7xEsqvmnL11u+aQ8AVU3kgWxSkn0VZJIYYkwegUYfflSIr + wZsNsh8k+wG58f5IVr8SqnzkfxRfJSoxNKWV9dK3a9hJnnD3DUhqnOgvCnPCRKSP + drH+7KxqmNBxqQK3f2iJvgcyLQwyEEqF2Rt6gXwyDByHy3ewupAQD0aQwi5HMWcK + iEUVSQVZ6jRfAIyDs3sBnBHceB9BShFr+NN9eUjKJWm2QD4TdQamnpMLsQGpdZv5 + Lomk9VfdZPNw7DAKJs1oDeBRmhAP/crlOW/ZZho9mewKHr7Htu3VZP812GVupJns + IK9mMnpwAhgCtChcOj/ule9NcA/AWKcrtdAyId11SvjtMO+ZjRFrOCK1wKgIif3p + ogjaK38v/7gy4/8CDyVgru+luNklsRHfZr+BuPGBDDL8M7umXilK+GyGO1CnrjxW + DJXdvMe+u75OsYvGv7eX0tqd+ePanCEoDXxFJbMc2QZigD2kZgq+qRM9CxJ2jCXS + VgEEHybyGrOo5RcJkpk+UQpb2aTMLgFNqkTn0PRQSMFeXVQIt584a9xZs1TQ7ZsT + 5H4jaFXFcS+GG09CORbkf2fkQI2KpaqBAGFct21K2hY17Tpm7kgC + =yGms + -----END PGP MESSAGE----- + fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 + unencrypted_suffix: _unencrypted + version: 3.11.0 From 696f1aeb9059943569962d0ed897c56c7b8c6b8f Mon Sep 17 00:00:00 2001 From: kalipso Date: Mon, 9 Mar 2026 13:00:37 +0100 Subject: [PATCH 38/41] [pretalx] rename talks.malobeo -> events.malobeo --- machines/durruti/host_config.nix | 2 +- machines/fanny/configuration.nix | 2 +- machines/pretalx/configuration.nix | 4 ++-- machines/vpn/configuration.nix | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/machines/durruti/host_config.nix b/machines/durruti/host_config.nix index cd71b11..46beee9 100644 --- a/machines/durruti/host_config.nix +++ b/machines/durruti/host_config.nix @@ -63,7 +63,7 @@ in }; }; - services.nginx.virtualHosts."talks.malobeo.org" = { + services.nginx.virtualHosts."events.malobeo.org" = { forceSSL = true; enableACME= true; locations."/" = { diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index 8e1c3ff..f2cc70d 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -230,7 +230,7 @@ in }; }; - virtualHosts."talks.malobeo.org" = { + virtualHosts."events.malobeo.org" = { locations."/" = { proxyPass = "http://${hosts.malobeo.hosts.pretalx.network.address}"; extraConfig = '' diff --git a/machines/pretalx/configuration.nix b/machines/pretalx/configuration.nix index a54dc59..7431cfe 100644 --- a/machines/pretalx/configuration.nix +++ b/machines/pretalx/configuration.nix @@ -48,7 +48,7 @@ in proxy_headers_hash_bucket_size 64; ''; virtualHosts = { - "talks.malobeo.org" = { + "events.malobeo.org" = { forceSSL = false; enableACME = false; }; @@ -72,7 +72,7 @@ in "--name=pretalx" "--preload" ]; - nginx.domain = "talks.malobeo.org"; + nginx.domain = "events.malobeo.org"; environmentFiles = [ config.sops.secrets.pretalx_smtp.path ]; diff --git a/machines/vpn/configuration.nix b/machines/vpn/configuration.nix index 21720a8..c6d3f0a 100644 --- a/machines/vpn/configuration.nix +++ b/machines/vpn/configuration.nix @@ -58,7 +58,7 @@ with lib; }; }; - virtualHosts."talks.malobeo.org" = { + virtualHosts."events.malobeo.org" = { locations."/" = { proxyPass = "http://10.100.0.101"; extraConfig = '' From e32ee42ed15f36c635a51cc803042873def62156 Mon Sep 17 00:00:00 2001 From: kalipso Date: Mon, 9 Mar 2026 13:02:56 +0100 Subject: [PATCH 39/41] [pretalx] rm redundant 'settings' --- machines/pretalx/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/machines/pretalx/configuration.nix b/machines/pretalx/configuration.nix
index 7431cfe..ae5eba2 100644
--- a/machines/pretalx/configuration.nix
+++ b/machines/pretalx/configuration.nix
@@ -80,7 +80,7 @@ in locale = { language_code = "de"; };
- settings.mail = {
+ mail = {
 from = "malobot@systemli.org"; host = "mail.systemli.org"; port = "465";
From d7278d18dd724e945108e13eed87763497b4f200 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Mon, 9 Mar 2026 13:40:45 +0100
Subject: [PATCH 40/41] [pretalx] fix missing user and disable ssl in favor of tls
---
 machines/pretalx/configuration.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/machines/pretalx/configuration.nix b/machines/pretalx/configuration.nix
index ae5eba2..6ef5c8c 100644
--- a/machines/pretalx/configuration.nix
+++ b/machines/pretalx/configuration.nix
@@ -82,9 +82,10 @@ in }; mail = { from = "malobot@systemli.org";
+ user = "malobot@systemli.org";
 host = "mail.systemli.org"; port = "465";
- ssl = true;
+ ssl = false;
 tls = true; };
From 1e540bb39c6770298ba408bb61d05ecdccef83fa Mon Sep 17 00:00:00 2001
From: kalipso
Date: Mon, 9 Mar 2026 14:48:04 +0100
Subject: [PATCH 41/41] [pretalx] flip ssl/tls due to error
---
 machines/pretalx/configuration.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/machines/pretalx/configuration.nix b/machines/pretalx/configuration.nix
index 6ef5c8c..59f39d9 100644
--- a/machines/pretalx/configuration.nix
+++ b/machines/pretalx/configuration.nix
@@ -85,8 +85,8 @@ in user = "malobot@systemli.org"; host = "mail.systemli.org"; port = "465";
- ssl = true;
- tls = false;
+ ssl = true;
+ tls = false;
 };
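Review bot: The new side of the last hunk ends with `ssl = true; tls = false;` on `port = "465"`, which is the consistent pairing (465 is implicit TLS, the `tls` flag is STARTTLS), but patches 40 and 41 flipped these two flags back and forth with no explanation left in the file, so the next reader has nothing to stop a third flip. Record the reason next to the port, e.g. `port = "465"; # implicit TLS (SMTPS): ssl = true and tls (STARTTLS) = false; 587 would be the STARTTLS port`. As rendered here the removed and added lines of this hunk read identically, so the change may be whitespace-only; worth checking the actual diff before relying on it.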