11 Commits

Author SHA1 Message Date
529848d89e [docs] update nextcloud instructions
Some checks failed
Hydra callback / on_push (pull_request) Has been skipped
Hydra callback / on_pr (pull_request) Failing after 3h10m18s
Check flake syntax / flake-check (push) Successful in 20m18s
2026-06-17 11:52:48 +02:00
cf89ece4d6 Multilingual keyword not supported
Some checks failed
Check flake syntax / flake-check (push) Has been cancelled
Hydra callback / on_push (pull_request) Has been cancelled
Hydra callback / on_pr (pull_request) Has been cancelled
2026-06-17 11:45:07 +02:00
0b77bbd8a6 [Nextcloud] build deck in flake
Changes from a cloud filehost to a local build, should also be more maintainable
2026-06-17 11:43:37 +02:00
b5b84e2ec8 change mpd config to declarative
Some checks failed
Check flake syntax / flake-check (push) Has been cancelled
Hydra callback / on_push (pull_request) Has been cancelled
Hydra callback / on_pr (pull_request) Has been cancelled
2026-06-17 10:47:15 +02:00
90d631f73c Change credentialsFile to environmentFile
Some checks failed
Check flake syntax / flake-check (push) Has been cancelled
Hydra callback / on_push (pull_request) Has been cancelled
Hydra callback / on_pr (pull_request) Has been cancelled
2026-06-17 10:38:47 +02:00
8c9b49f5c3 Hardcode grafana security key
Grafana's secret key (services.grafana.settings.security.secret_key) doesn't have a default value anymore. Please generate your own and use a file-provider on this option! See also https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#secret_key for more information. See https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-database-encryption/#re-encrypt-secrets on how to re-encrypt.
As stated in the NixOS changelog for 26.05, there's no official way to rotate.
Either hard-code the old key ("SW2YcwTIb9zpOOhoPsMm") if your setup doesn't have any secrets in the DB that need special protection or perform a rotation with a 3rd-party tool (d9dc788902).
2026-06-17 10:34:11 +02:00
a575d16ec0 Promtail is EOL
Recommended migration to grafana-alloy (https://grafana.com/docs/alloy/latest/set-up/migrate/from-promtail/) or fluent-bit (https://docs.fluentbit.io/manual/data-pipeline/outputs/loki)
I chose alloy because of the compatibility.
This needs to be reworked to a native implementation later
2026-06-17 10:29:03 +02:00
1cc93d5dc2 Update to 26.05
Some checks failed
Hydra callback / on_pr (pull_request) Waiting to run
Check flake syntax / flake-check (push) Failing after 3m41s
Hydra callback / on_push (pull_request) Has been skipped
2026-06-17 09:56:13 +02:00
017e2ca556 [Update] update and allow EOL electron
Some checks failed
Check flake syntax / flake-check (push) Failing after 47m39s
Hydra callback / on_pr (push) Has been skipped
Hydra callback / on_push (push) Has been skipped
Weekly Flake Update / update_and_check_flake (push) Successful in 7m24s
2026-06-10 17:35:47 +02:00
c31a576fbd I might be stupid...
All checks were successful
Check flake syntax / flake-check (push) Successful in 30m43s
2026-06-06 00:15:42 +02:00
34db721709 [workflow] fix autoupdate not running -.-
All checks were successful
Check flake syntax / flake-check (push) Successful in 23m34s
2026-06-04 15:24:52 +02:00
12 changed files with 132 additions and 64 deletions


@@ -2,7 +2,7 @@ name: Weekly Flake Update
on:
schedule:
- cron: "0 4 /14 * *"
- cron: "0 4 1/14 * *"
workflow_dispatch:
permissions:
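Review bot: The new day-of-month field `1/14` does not give an even 14-day cadence: it fires on days 1, 15 and 29, so the run on the 29th is followed by another one a few days later on the 1st. If the intent is twice a month, `1,15` says so explicitly and does not depend on how the runner's cron parser treats a step without a range. The workflow name "Weekly Flake Update" in the hunk header also no longer matches the schedule.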
@@ -89,6 +89,18 @@ jobs:
grep -q ${{ github.ref_name }} &&
exit 1 ||
exit 0
- name: close other bump requests
run: |
for i in $(tea pr -o simple | grep "Automatic Nixpkgs update" | awk '{print $1}')
do
if [ "$i" = "" ]
then
echo "No bumps to close"
exit 0
else
tea pr close $i
fi
done
- name: Force push branch
run: git push --force -u origin nixpkgs_bump_$(date +%Y%m%d)
- name: Create pull request
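Review bot: In the moved `close other bump requests` step, the `[ "$i" = "" ]` branch can never run: when the `tea pr -o simple | grep | awk` pipeline prints nothing, the `for` loop has no iterations, so "No bumps to close" is never printed and its `exit 0` is dead code. Drop the check and quote the argument (`tea pr close "$i"`). Running the step before `Force push branch` also means a failed push or PR creation leaves every earlier bump PR closed with no replacement, so consider closing only after the new PR exists and excluding its index from the list.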
@@ -102,18 +114,6 @@ jobs:
-L "bump"
-t "$COMMIT_MSG"
-d "$COMMIT_DESC"
- name: close other bump requests
run: |
for i in $(tea pr -o simple | grep "Automatic Nixpkgs update" | awk '{print $1}')
do
if [ "$i" = "" ]
then
echo "No bumps to close"
exit 0
else
tea pr close $i
fi
done
- name: Skip pull request
if: steps.no-pr.outcome == 'failure'
shell: bash


@@ -1,6 +1,5 @@
[book]
authors = ["ahtlon"]
language = "de"
multilingual = false
src = "src"
title = "Malobeo Infrastruktur Dokumentation"


@@ -1,7 +1,14 @@
### Updating nextcloud
## Updating the draggable patch
As of 17.06.26 the patch now gets applied automaticly while building the package.
On a nextcloud update:
- Change the `services.nextcloud.package` to the next version (ex.: `pkgs.nextcloud33`)
- Change `services.nextcloud.extraApps.deck.src.rev` to the next version (ex.: `stable33`)
- update hashes
### Building the package manually
The draggable patch is a one line patch found in the deck repo under `src/components/cards/CardItem.vue`
Direct link: https://git.dynamicdiscord.de/ahtlon/deck/commit/77cbcf42ca80dd32e450839f02faca2e5fed3761
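Review bot: The step "update hashes" does not say which ones: the deck derivation added in this change carries a source `hash` and a `vendorHash`, plus a hard-coded `version`, and all three need touching on a bump. Naming them here, with a note on how to obtain the new values, would make the procedure followable by someone other than the author. `automaticly` should be `automatically`.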

66
flake.lock generated

@@ -85,16 +85,16 @@
]
},
"locked": {
"lastModified": 1763992789,
"narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=",
"lastModified": 1781319724,
"narHash": "sha256-ZGuxexEMo4Xv28KJ0dX/m/PHN4oZIOnxHZpNTyrvx4M=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3",
"rev": "8355f0a16b2dbb06a97959a918af5b239bbe05ae",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.05",
"ref": "release-26.05",
"repo": "home-manager",
"type": "github"
}
@@ -126,11 +126,11 @@
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1776340739,
"narHash": "sha256-s4FDictJlPtY6Shd6scG5hgrDMiHth09+svtvTA5NLA=",
"lastModified": 1781389237,
"narHash": "sha256-Ne1/E5XNUq0gleaQz0vW5R4xf/0h/uEZ+bOW1aNjeQk=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "2f2f62fdfdca2750e3399f66bd03986ab967e5ca",
"rev": "6ad601df0a07d9855c5e8f9b81135ecaf7c287eb",
"type": "github"
},
"original": {
@@ -176,12 +176,15 @@
}
},
"nixos-hardware": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1777917524,
"narHash": "sha256-k+LVe9YaO2BEPB9AaCtTtOMCeGi4dxDo6gt4Un3qoPY=",
"lastModified": 1781622756,
"narHash": "sha256-JrPh4M6S7aPsEE9tOENuZrxC6o2szSLlK+t4+nLke9s=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "df7783100babf59001340a7a874ba3824e441ecb",
"rev": "08018c72174a4df5657f8d94178ac69fb9c243e5",
"type": "github"
},
"original": {
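Review bot: `nixos-hardware` gains its own `nixpkgs` input in this hunk (`nixpkgs_2`), which the lock further down resolves to a separate `nixos-unstable` tarball rather than the root `nixpkgs`. That is a second nixpkgs tree to fetch and trust, and one that is easy to overlook when reviewing a bump. `sops-nix` already sets `inputs.nixpkgs.follows = "nixpkgs"` in flake.nix; adding the same for `nixos-hardware` keeps a single nixpkgs pin.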
@@ -209,11 +212,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1777578337,
"narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
"lastModified": 1781577229,
"narHash": "sha256-lrp67w8AulE9Ks53n27I45ADSzbOCn4H+CNW1Ck8B+8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
"rev": "567a49d1913ce81ac6e9582e3553dd90a955875f",
"type": "github"
},
"original": {
@@ -225,16 +228,29 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1777673416,
"narHash": "sha256-5c2POKPOjU40Kh0MirOdScBLG0bu9TAuPYAtPRNZMBs=",
"lastModified": 1767892417,
"narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
"rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
"url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1781216227,
"narHash": "sha256-9mUW6gNwoN2SWc/l0fW4svPNOulXLl8ijqKyeSOGgJE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "26ef669cffa904b6f6832ab57b77892a37c1a671",
"rev": "a0374025a863d007d98e3297f6aa46cc3141c2f0",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"ref": "nixos-26.05",
"repo": "nixpkgs",
"type": "github"
}
@@ -249,7 +265,7 @@
"microvm": "microvm",
"nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_3",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix",
"tasklist": "tasklist",
@@ -264,11 +280,11 @@
]
},
"locked": {
"lastModified": 1777944972,
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"lastModified": 1780547341,
"narHash": "sha256-Gq8KNx5A7hBB3uGJaj6eQfLDIz5YdLu92gqBcvHvoUo=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"rev": "9ed65852b6257fbeae4355bc24ecfea307ca759a",
"type": "github"
},
"original": {
@@ -280,11 +296,11 @@
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1772189877,
"narHash": "sha256-i1p90Rgssb//aNiTDFq46ZG/fk3LmyRLChtp/9lddyA=",
"lastModified": 1778940603,
"narHash": "sha256-voSM8dZNlaOWN3kbYFky+FNY6fFQOEw0xF+ZMpZKkCQ=",
"ref": "refs/heads/main",
"rev": "fe39e122d898f66e89ffa17d4f4209989ccb5358",
"revCount": 1255,
"rev": "367dd227f539267eae2b62770b4c17b88ac8c1f1",
"revCount": 1265,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},


@@ -3,7 +3,7 @@
inputs = {
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-26.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -43,7 +43,7 @@
};
home-manager= {
url = "github:nix-community/home-manager/release-25.05";
url = "github:nix-community/home-manager/release-26.05";
inputs = {
nixpkgs.follows = "nixpkgs";
};


@@ -165,7 +165,7 @@ in
defaults.email = "malobeo@systemli.org";
defaults = {
dnsProvider = "njalla";
credentialsFile = config.sops.secrets.njala_api_key.path;
environmentFile = config.sops.secrets.njala_api_key.path;
dnsPropagationCheck = false;
};
};


@@ -46,6 +46,8 @@
];
};
nixpkgs.config.permittedInsecurePackages = [ "electron-39.8.10" ];
services.tor = {
enable = true;
client.enable = true;
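Review bot: `nixpkgs.config.permittedInsecurePackages = [ "electron-39.8.10" ];` allows an end-of-life Electron for the whole host without saying which package pulls it in. Add a comment naming the dependent package and the condition for removing the exception, so it does not outlive its reason. The exact version string is worth keeping, since the next Electron bump will then fail evaluation and force a re-check.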


@@ -67,17 +67,17 @@ in
mpd = {
enable = true;
musicDirectory = "/var/lib/mpd/music";
extraConfig = ''
audio_output {
type "alsa"
name "My ALSA"
device "hw:0,0" # optional
format "44100:16:2" # optional
mixer_type "hardware"
mixer_device "default"
mixer_control "PCM"
}
'';
settings = {
audio_output = [{
type = "alsa";
name = "My ALSA";
device = "hw:0,0"; # optional
format = "44100:16:2"; # optional
mixer_type = "hardware";
mixer_device = "default";
mixer_control = "PCM";
}];
};
# Optional:
network.listenAddress = "any"; # if you want to allow non-localhost connections
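Review bot: The context line `network.listenAddress = "any";` is carried through the conversion to `settings` unchanged, so MPD still listens on all interfaces, and nothing in this hunk sets a password or restricts the port. If remote control is only needed from specific hosts, bind to that address or confirm the firewall limits access. The `# optional` comments copied from the example configuration could go now that the values are deliberate.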
@@ -199,7 +199,7 @@ in
defaults.email = "malobeo@systemli.org";
defaults = {
dnsProvider = "njalla";
credentialsFile = config.sops.secrets.njala_api_key.path;
environmentFile = config.sops.secrets.njala_api_key.path;
dnsPropagationCheck = false;
};
};


@@ -41,17 +41,22 @@ in
};
};
services.promtail = {
services.alloy = {
enable = cfg.enablePromtail;
configFile = import ./promtail_config.nix {
extraFlags = ["--config.format=promtail"]; #TODO please change this to native alloy config later
configPath = import ./promtail_config.nix {
lokiAddress = cfg.lokiHost;
logNginx = cfg.logNginx;
config = config;
pkgs = pkgs;
};
};
users.users.promtail.extraGroups = [ "systemd-journal" ] ++ (lib.optionals cfg.logNginx [ "nginx" ]) ;
users.groups.promtail = {};
users.users.promtail = {
isNormalUser = true;
group = "promtail";
extraGroups = [ "systemd-journal" ] ++ (lib.optionals cfg.logNginx [ "nginx" ]) ;
};
};
}
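Review bot: `users.users.promtail` is declared with `isNormalUser = true`, which gives a log-shipping account a home directory and the default login shell; a service account should use `isSystemUser = true`. More importantly, nothing in this hunk makes `services.alloy` run as `promtail`, so the `systemd-journal` and `nginx` group memberships may never reach the process that reads the logs. Attach the groups to the alloy unit itself and drop the user if it ends up unused. The toggle is still named `cfg.enablePromtail`, which is worth renaming or documenting.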


@@ -0,0 +1,25 @@
From 0d4b14e8eb62b0f0ed01f45bbaa7c2721245f7d6 Mon Sep 17 00:00:00 2001
From: ahtlon <git@ahtlon.de>
Date: Thu, 9 Oct 2025 12:22:08 +0200
Subject: [PATCH] Patch cards to be draggable
---
src/components/cards/CardItem.vue | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/components/cards/CardItem.vue b/src/components/cards/CardItem.vue
index 7539ac53e..aaf9f2fe0 100644
--- a/src/components/cards/CardItem.vue
+++ b/src/components/cards/CardItem.vue
@@ -20,7 +20,7 @@
<CardCover v-if="showCardCover" :card-id="card.id" />
<div class="card-upper">
<h4 v-if="editingTitle === 0" key="title-view" dir="auto">
- <span class="dragDisabled" contenteditable="false">{{ displayTitle }}</span>
+ <span contenteditable="false">{{ displayTitle }}</span>
</h4>
<h4 v-if="editingTitle >= 1"
key="title-edit"
--
2.54.0


@@ -39,7 +39,7 @@ in
services.nextcloud = {
enable = true;
package = pkgs.nextcloud32;
package = pkgs.nextcloud33;
hostName = "cloud.malobeo.org";
config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
maxUploadSize = "10G";
@@ -54,11 +54,24 @@ in
extraAppsEnable = true;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
deck = pkgs.fetchNextcloudApp {
sha256 = "sha256-epjwIANb6vTNx9KqaG6jZc14YPoFMBTCj+/c9JHcWkA=";
url = "https://link.storjshare.io/raw/jvrl62dakd6htpyxohjkiiqiw5ma/mal/deck32.tar.gz";
license = "agpl3Plus";
};
deck = pkgs.php.buildComposerProject2 (finalAttrs: {
pname = "deck";
version = "1.18.0";
src = pkgs.fetchFromGitHub {
owner = "nextcloud";
repo = "deck";
rev = "stable33";
hash = "sha256-7R0IteB34mWFwUlHptvqNlfmeFhJcGMRlKFtDqsw1Dw=";
};
composerNoDev = false;
composerStrictValidation = false;
vendorHash = "sha256-gAuG5kKVpuaOpw2HvAP/hu89lmcVWUiSwujoN++I/ZA=";
patches = [ ./0001-Patch-cards-to-be-draggable.patch ];
postInstall = ''
cp -r $out/share/php/deck/* $out/
rm -r $out/share
'';
});
};
settings = {
trusted_domains = [ "cloud.malobeo.org" "cloud.hq.malobeo.org" ];
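Review bot: `rev = "stable33";` names a branch, not a commit, while `hash` and `version = "1.18.0"` are fixed: once upstream pushes to `stable33` the fetch fails on a hash mismatch, or a cached store path keeps serving the old source. Pin `rev` to a release tag or commit that matches `version`, which also keeps the context of `0001-Patch-cards-to-be-draggable.patch` stable. `composerNoDev = false` and `composerStrictValidation = false` bring development dependencies into the deployed app and relax validation; a comment on why both are needed would help the next person doing the bump.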


@@ -37,6 +37,7 @@ in
services.grafana = {
enable = true;
settings = {
security.secret_key = "SW2YcwTIb9zpOOhoPsMm";
server = {
domain = "grafana.malobeo.org";
http_port = 2342;
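Review bot: `security.secret_key = "SW2YcwTIb9zpOOhoPsMm";` puts the key Grafana uses to encrypt secrets in its database into the repository and the world-readable Nix store, and the same value is quoted in the commit message. The changelog text cited in that commit message asks for a file provider, and this repository already uses sops-nix for other secrets, so something like `security.secret_key = "$__file{${config.sops.secrets.<grafana_secret>.path}}";` (the secret name is a placeholder) keeps the value out of the store. If the old key is kept on purpose because nothing sensitive is stored in the DB, say so in a comment next to the line.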