move packages to modules

.gitignore

@@ -0,0 +1 @@
+result

authorizedKeys.nix

@@ -2,4 +2,6 @@
 # todo: use post-quantum keys for ssh (not possible yet, yikes)
 [
   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
+  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de"
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"
 ]

configuration.nix

@@ -1,131 +1,28 @@
 { lib, config, inputs, pkgs, ... }:
 let
-  root_host = "grimmauld.de";
-
-  # git add --intent-to-add email.txt ; git update-index --assume-unchanged email.txt
-  root_email = (builtins.elemAt (lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt)) 0);
-
-  puffer_port = 8080;
-  puffer_sftp_port = 5657;
-  puffer_host = "puffer.${root_host}";
-
-  gitea_host = "git.${root_host}";
-  gitea_port = 8081;
-
-  matrix_host = "matrix.${root_host}";
+  inherit (config.networking) domain;
 in {
   imports = [
     ./hardware-configuration.nix    
   ];
 
-  services.postgresql = {
-    enable = true;
-    # CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
-    ensureDatabases = [ "synapse" ];
-    package = pkgs.postgresql_15;
-    ensureUsers = [
-      {
-        name = "synapse";
-        ensureDBOwnership = true;
-      }
-    ];
-    authentication = pkgs.lib.mkOverride 10 ''
-      #type database  DBuser  auth-method
-local   all             postgres                                peer
-local   all             all                                     peer
-host    all             all             127.0.0.1/32            md5
-host    synapse         matrix-synapse         ::1/128                 md5
-host    all             all             ::1/128                 md5
-local   replication     all                                     peer
-host    replication     all             127.0.0.1/32            md5
-host    replication     all             ::1/128                 md5
-    '';
-    identMap = ''
-    # ArbitraryMapName systemUser DBUser
-       superuser_map      root      postgres
-       superuser_map      matrix-synapse synapse
-       superuser_map      postgres  postgres
-       # Let other names login as themselves
-       superuser_map      /^(.*)$   \1
-  '';
-  };
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  services.logrotate.checkConfig = false; # needed or this explodes
 
-  systemd.services.postgresql.postStart = let
-    password_file_path = config.age.secrets.synapse_db_pass.path;
-  in ''
-    $PSQL -tA <<'EOF'
-      DO $$
-      DECLARE password TEXT;
-      BEGIN
-        password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
-        EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password);
-      END $$;
-    EOF
-  '';
+  time.timeZone = "Europe/Berlin";
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
 
-  services.matrix-synapse-next = {
-    enable = true;
-
-    workers.federationSenders = 1;
-    workers.federationReceivers = 1;
-    workers.initialSyncers = 1;
-    workers.normalSyncers = 1;
-    workers.eventPersisters = 2;
-    workers.useUserDirectoryWorker = true;
-
-    enableNginx = true;
-    enableSlidingSync = false;
-
-    settings = {
-      server_name = root_host;
-      public_baseurl = "https://${root_host}";
-      enable_registration = false;
-      enable_registration_without_verification = true;
-
-#      registrations_require_3pid = [ "email" ];
-      database = {
-        name = "psycopg2";
-        args = {
-          host = "localhost";
-          port = 5432;
-          dbname = "synapse";
-          user = "synapse";
-          cp_min = 5;
-          cp_max = 10;
-          client_encoding = "auto";
-          passfile = config.age.secrets.synapse_db_pass_prepared.path;
-        };
-      };
-    };  
-  };
-  services.redis.servers."".enable = true;
-
-  services.gitea = {
-    enable = true;
-    settings = {
-      service.DISABLE_REGISTRATION = true;
-      server = {
-        HTTP_PORT = gitea_port;
-        ROOT_URL = "https://${gitea_host}/";
-        DISABLE_SSH = true;
-      };
-#      log.LEVEL = "Debug";
-    };
-    lfs.enable = true;
-  };
-
-  age.secrets = {
-    synapse_db_pass = {
-      file = ./secrets/synapse_db_pass.age;
-      owner = "postgres";
-      group = "postgres";
-    };
-    synapse_db_pass_prepared = {
-      file = ./secrets/synapse_db_pass_prepared.age;
-      owner = "matrix-synapse";
-      group = "matrix-synapse";
-      mode = "0600";
-    };
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "de_DE.UTF-8";
+    LC_IDENTIFICATION = "de_DE.UTF-8";
+    LC_MEASUREMENT = "de_DE.UTF-8";
+    LC_MONETARY = "de_DE.UTF-8";
+    LC_NAME = "de_DE.UTF-8";
+    LC_NUMERIC = "de_DE.UTF-8";
+    LC_PAPER = "de_DE.UTF-8";
+    LC_TELEPHONE = "de_DE.UTF-8";
+    LC_TIME = "de_DE.UTF-8";
   };
 
   users.users.grimmauld = {
@@ -134,7 +31,6 @@ host    replication     all             ::1/128                 md5
     extraGroups = [ "wheel" "docker" ];
     shell = pkgs.xonsh;
     packages = with pkgs; [
-      hyfetch
     ];
     openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
   };
@@ -142,160 +38,57 @@ host    replication     all             ::1/128                 md5
   programs.xonsh.enable = true;
   environment.systemPackages = with pkgs; [
     wget
+    hyfetch
+    vulnix #
     tree
-    vim
-    git
     file
-    git-lfs
     util-linux
     btop
-    cached-nix-shell
-    cloud-utils
-    parted
-    visualvm
     linuxPackages.perf
-    lshw
-    pciutils
-    gitea
-#    ffmpeg-full
-
-    pufferpanel
-    (writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
-    pypy3
   ];
 
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = root_email;
-    certs."${root_host}" = {
-      webroot = "/var/lib/acme/acme-challenge/";
-      extraDomainNames = [ puffer_host gitea_host];
-    };
-  };
-
   environment.sessionVariables = {
     NIXPKGS_ALLOW_UNFREE="1";
-    OMP_NUM_THREADS = "4";
+    OMP_NUM_THREADS = "8";
   };
 
-  users.users.nginx.extraGroups = [ "acme" ];
-
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 8448 8008 ];
     allowPing = true;
-    allowedUDPPortRanges = [
-#      { from = 4000; to = 4007; }
-    ];
+    allowedUDPPortRanges = [];
   };
   
-  services.pufferpanel = {
-    enable = true;
-    environment = {
-      PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
-      PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
-    };
-    extraPackages = with pkgs; [ jdk17_headless ];
-    extraGroups = [ "podman" "docker" ];
-  };
 
-  virtualisation.podman.enable = true;
-  virtualisation.docker.enable = true;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.hostName = "grimmauld-nixos-server";
+  networking.domain = "grimmauld.de";
+  services.openssh.enable = true;
+  system.stateVersion = "23.11";
 
-  services.nginx.package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
   services.nginx = {
+    # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
     enable = true;
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
-
-
     sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
 
-    virtualHosts."${root_host}" = {
+    virtualHosts."${domain}" = {
       forceSSL = true;
-      enableACME = lib.mkForce false; # use the cert above, not some weird one that matrix-synapse module supplies
-      useACMEHost = root_host;
+      enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
+      useACMEHost = domain;
       locations."/" = {
-          root = "/var/www/grimmauld.duckdns.org"; 
-      };
-      locations."/.well-known/matrix/server" = {
-        return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
-        extraConfig = ''
-default_type application/json;
-add_header Access-Control-Allow-Origin *;
-add_header Accept-Ranges bytes;'';
-      };
-      locations."/.well-known/matrix/client" = {
-        return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${matrix_host}\"}}'";
-        extraConfig = ''
-add_header Access-Control-Allow-Origin *;
-default_type application/json;
-'';
-      };
-      locations."/_matrix" = {
-        proxyPass = "http://$synapse_backend";
-        extraConfig = ''
-          add_header X-debug-backend $synapse_backend;
-          add_header X-debug-group $synapse_uri_group;
-          client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
-          proxy_read_timeout 10m;
-        '';
-      };
-      locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
-        proxyPass = "http://$synapse_backend";
-        extraConfig = ''
-          proxy_read_timeout 1h;
-        '';
-      };
-      locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
-        proxyPass = "http://synapse_worker_initial_sync";
-        extraConfig = ''
-          proxy_read_timeout 1h;
-        '';
-      };
-      locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
-        proxyPass = "http://synapse_worker_initial_sync";
-        extraConfig = ''
-          proxy_read_timeout 1h;
-        '';
-      };
-      locations."/_synapse/client" = {
-        proxyPass = "http://$synapse_backend";
-      };
-      locations."/.well-known/matrix" = {
-        proxyPass = "http://$synapse_backend";
-      };
-    };
-
-    virtualHosts."${puffer_host}" = {
-      serverName = puffer_host;
-      forceSSL = true;
-      useACMEHost = root_host;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
-      };
-    };
-
-    virtualHosts."${gitea_host}" = {
-      serverName = gitea_host;
-      forceSSL = true;
-      useACMEHost = root_host;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString gitea_port}";
+          root = "/var/www/${domain}"; 
       };
     };
   };
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
-  system.stateVersion = "unstable";
   nixpkgs.config.allowUnfree = true;
-
   boot.tmp.cleanOnBoot = true;
+  
   zramSwap.enable = true;
-  networking.hostName = "grimmauld-nixos-server";
-  networking.domain = "";
-  services.openssh.enable = true;
-#  users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
+
+  #  users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
 }

flake.lock

@@ -8,11 +8,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1703433843,
-        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
+        "lastModified": 1715101957,
+        "narHash": "sha256-fs5uVQFTfgb4L9pnhldeyTHNcYwn1U4nKYoCBJ6W3W4=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
+        "rev": "07479c2e7396acaaaac5925483498154034ea80a",
         "type": "github"
       },
       "original": {
@@ -21,6 +21,22 @@
         "type": "github"
       }
     },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
     "darwin": {
       "inputs": {
         "nixpkgs": [
@@ -43,6 +59,22 @@
         "type": "github"
       }
     },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -64,16 +96,40 @@
         "type": "github"
       }
     },
-    "nixos-matrix-modules": {
+    "nixos-mailserver": {
       "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
+        "blobs": "blobs",
+        "flake-compat": "flake-compat",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-23_05": "nixpkgs-23_05",
+        "nixpkgs-23_11": "nixpkgs-23_11",
+        "utils": "utils"
       },
       "locked": {
-        "lastModified": 1701507532,
-        "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
+        "lastModified": 1706872533,
+        "narHash": "sha256-IeIIhd18Tp1oNipwxmRKnLr4dFxl6VUHWykQ1uVYIWE=",
+        "ref": "Grimmauld-master-patch-84178",
+        "rev": "bcd01ccb19e29ce8046962cb22ecfaa78bf1bfdd",
+        "revCount": 577,
+        "type": "git",
+        "url": "https://gitlab.com/Grimmauld/nixos-mailserver"
+      },
+      "original": {
+        "ref": "Grimmauld-master-patch-84178",
+        "type": "git",
+        "url": "https://gitlab.com/Grimmauld/nixos-mailserver"
+      }
+    },
+    "nixos-matrix-modules": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1710311999,
+        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
         "ref": "refs/heads/master",
-        "rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
-        "revCount": 56,
+        "rev": "6c9b67974b839740e2a738958512c7a704481157",
+        "revCount": 63,
         "submodules": true,
         "type": "git",
         "url": "https://github.com/dali99/nixos-matrix-modules"
@@ -100,28 +156,89 @@
         "type": "github"
       }
     },
-    "nixpkgs-lib": {
+    "nixpkgs-23_05": {
       "locked": {
-        "lastModified": 1673743903,
-        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
+        "lastModified": 1704290814,
+        "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
         "type": "github"
       },
       "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
+        "id": "nixpkgs",
+        "ref": "nixos-23.05",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-23_11": {
+      "locked": {
+        "lastModified": 1706098335,
+        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-23.11",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1714971268,
+        "narHash": "sha256-IKwMSwHj9+ec660l+I4tki/1NRoeGpyA2GdtdYpAgEw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "27c13997bf450a01219899f5a83bd6ffbfc70d3c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1703255338,
-        "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
+        "lastModified": 1705856552,
+        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
+        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1706098335,
+        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-23.11",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1714906307,
+        "narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588",
         "type": "github"
       },
       "original": {
@@ -134,8 +251,10 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "nixos-mailserver": "nixos-mailserver",
         "nixos-matrix-modules": "nixos-matrix-modules",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_4",
+        "nixpkgs-stable": "nixpkgs-stable"
       }
     },
     "systems": {
@@ -152,6 +271,21 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1605370193,
+        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -7,21 +7,44 @@
     nixpkgs = {
       url = "github:NixOS/nixpkgs/nixos-unstable";
     };
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.11";
     nixos-matrix-modules = {
       url = "git+https://github.com/dali99/nixos-matrix-modules?submodules=1";
       flake = true;
     };
+    nixos-mailserver = {
+#      url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver";
+      url = "git+https://gitlab.com/Grimmauld/nixos-mailserver?ref=Grimmauld-master-patch-84178";
+      flake = true;
+    };
   };
 
-  outputs = { nixos-matrix-modules, self, nixpkgs, agenix }: let
+  outputs = { nixos-mailserver, nixos-matrix-modules, self, nixpkgs-stable, nixpkgs, agenix, ... } @ inputs: let
     system = "x86_64-linux";
+    stable = import nixpkgs-stable { inherit system; config.allowUnfree = true; };
   in {
     nixosConfigurations = {
       grimmauld-nixos-server = nixpkgs.lib.nixosSystem {
         inherit system;
+        specialArgs = { inherit inputs stable; };
         modules = [
           ./configuration.nix
+          ./modules/matrix.nix
+          ./modules/puffer.nix
+          ./modules/gitea.nix
+          ./modules/grafana.nix
+          ./modules/nextcloud.nix
+          ./modules/prometheus.nix
+          ./modules/letsencrypt.nix
+#          ./modules/mjolnir.nix
+          ./modules/fail2ban.nix
+          ./modules/email.nix
+          ./modules/discord-matrix-bridge.nix
+          ./modules/mastodon.nix
+          ./modules/toolchains.nix
+#          ./modules/ptero.nix
           agenix.nixosModules.default
+          nixos-mailserver.nixosModules.default
           nixos-matrix-modules.nixosModules.default
           { environment.systemPackages = [ agenix.packages.${system}.default ]; }
         ];

modules/discord-matrix-bridge.nix

@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ...}: let
+  bridge_port = 9005; # netstat -nlp | grep 9005
+in {
+  nixpkgs.overlays = [ (final: prev: { matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: {
+      src = pkgs.fetchFromGitHub {
+        owner = "t2bot";
+        repo = "matrix-appservice-discord";
+        rev = "8361ca6121bf1f0902154baa538cb6d5766e477f";
+        hash = "sha256-oXon6pFJgqQ1uBLtsSVNH7XSOpxxJYqpW2n9cFrs3sU=";
+      };
+      patches = (let oldPatches = old.patches or []; in if oldPatches == null then [] else oldPatches) ++ [ ./patch_bridge_perms.patch ];
+      doCheck = false;
+    });})
+  ];
+
+
+  age.secrets.matrix_discord_bridge_token.file = ../secrets/matrix_discord_bridge_token.age;
+
+  services.matrix-synapse-next.settings.app_service_config_files = [ "/var/lib/matrix-synapse/discord-registration.yaml" ];
+
+  services.matrix-appservice-discord = {
+    enable = true;
+    settings = {
+      auth = {
+        usePrivilegedIntents = true; # typing status and stuff
+      };
+      bridge = {
+        enableSelfServiceBridging = true;
+        inherit (config.networking) domain;
+        homeserverUrl = "https://${config.networking.domain}";
+        disablePresence = true;
+        disableTypingNotifications = true;
+      };
+#      logging.console = "silly";
+    };
+    serviceDependencies = ["matrix-synapse.target"];
+    port = bridge_port;
+    localpart = "_discord_";
+    package = pkgs.matrix-appservice-discord;
+    environmentFile = config.age.secrets.matrix_discord_bridge_token.path;
+  };
+}
+

modules/email.nix

@@ -0,0 +1,47 @@
+{ config, ... }: 
+let
+  inherit (config.networking) domain;
+  mail_host = "mail.${domain}";
+in {
+  security.acme.certs."${domain}".extraDomainNames = [ mail_host ];
+
+#  services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason
+  mailserver = {
+    enable = true;
+    fqdn = mail_host;
+    domains = [ domain ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+    loginAccounts = {
+      "contact@${domain}" = {
+        hashedPasswordFile = ./mailpass/contact;
+        aliases = ["kontakt@${domain}"];
+      };
+      "admin@${domain}" = {
+        hashedPasswordFile = ./mailpass/admin;
+      };
+      "grimmauld@${domain}" = {
+        hashedPasswordFile = ./mailpass/grimmauld;
+      };
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = "manual";
+    certificateFile = "/var/lib/acme/${domain}/fullchain.pem";
+    keyFile = "/var/lib/acme/${domain}/key.pem";
+  };
+
+    services.nginx = {
+    enable = true;
+    virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P
+      serverName = mail_host;
+      forceSSL = true;
+      useACMEHost = domain;
+      locations."/" = {
+        return = "307 https://${domain}";
+      };
+    };
+  };
+}

modules/fail2ban.nix

@@ -0,0 +1,19 @@
+{ ... }: {
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    ignoreIP = [
+      # Whitelist some subnets
+      "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
+      "matrix.org"
+      "app.element.io" # don't ratelimit matrix users
+    ];
+    bantime = "1h"; # Ban IPs for 1h at first.
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      multipliers = "1 2 4 8 16 32 64 128 256";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+  };
+}

modules/gitea.nix

@@ -0,0 +1,50 @@
+{ lib, config, inputs, pkgs, ... }:
+let
+  inherit (config.networking) domain;
+  gitea_host = "git.${domain}";
+  gitea_port = 8081;
+  gitea_ssh_port = 2222;
+in {
+  services.gitea = {
+    enable = true;
+    settings = {
+      service.DISABLE_REGISTRATION = true;
+      server = {
+        HTTP_PORT = gitea_port;
+        ROOT_URL = "https://${gitea_host}/";
+        DISABLE_SSH = false;
+        SSH_DOMAIN = domain;
+        START_SSH_SERVER = true;
+        BUILTIN_SSH_SERVER_USER = "git";
+        SSH_PORT = gitea_ssh_port;
+#        SSH_LISTEN_HOST="::"; # fixme?
+#         SSH_AUTHORIZED_PRINCIPALS_ALLOW="username";
+      };
+#      log.LEVEL = "Debug";
+      "ssh.minimum_key_sizes".RSA = 2048;
+      "git.timeout".MIGRATE = 6000;
+    };
+    lfs.enable = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    gitea
+  ];
+
+
+  security.acme.certs."${domain}".extraDomainNames = [ gitea_host];
+  networking.firewall.allowedTCPPorts = [ gitea_ssh_port ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."${gitea_host}" = {
+      serverName = gitea_host;
+      forceSSL = true;
+      useACMEHost = domain;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}";
+      };
+    };
+  };
+}
+

modules/grafana.nix

@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+  inherit (config.networking) domain;
+  grafana_host = "grafana.${domain}";
+  grafana_port = 8082;
+in {
+  age.secrets.grafana_admin_pass = {
+    file = ../secrets/grafana_admin_pass.age;
+    owner = "grafana";
+    group = "grafana";
+    mode = "0600";
+  };
+
+  security.acme.certs."${domain}".extraDomainNames = [ grafana_host ];
+  services.grafana = {
+    enable = true;
+    settings = {
+      security = {
+        admin_user = "admin";
+        admin_email = "admin@${domain}";
+        admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
+      };
+      server = {
+        domain = grafana_host;
+        root_url = "https://${grafana_host}";
+        http_port = grafana_port;
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."${grafana_host}" = {
+      serverName = grafana_host;
+      forceSSL = true;
+      useACMEHost = domain;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

modules/letsencrypt.nix

@@ -0,0 +1,15 @@
+{ lib, config, inputs, pkgs, ... }:
+let
+  inherit (config.networking) domain;
+  root_email = "contact@${domain}";
+in {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = root_email;
+    certs."${domain}" = {
+      webroot = "/var/lib/acme/acme-challenge/";
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+}

modules/mailpass/admin

@@ -0,0 +1 @@
+$2b$05$9E2phVa/06fZW3daV3CeYuLTCLcBBDY7xF5TOpeHdCBGU5yNemBgy

modules/mailpass/contact

@@ -0,0 +1 @@
+$2b$05$WsEwEXHa3kzDdMJdluirn.ExpK5BGJENEf3iH2AAjW6IFUPSpBWVa

modules/mailpass/grimmauld

@@ -0,0 +1 @@
+$2b$05$nmY9QnYyOhhhXn3OOalxkeWWLZtlaxD2vGwr0f6gtHNUz5EfZXvsa

modules/mastodon.nix

@@ -0,0 +1,17 @@
+{ config, ... } :
+let
+  inherit (config.networking) domain;
+  mastodon_host = "mastodon.${domain}";
+in {
+  security.acme.certs."${domain}".extraDomainNames = [ mastodon_host ];
+  services.mastodon = {
+    enable = true;
+    localDomain = mastodon_host;
+    streamingProcesses = 7;
+    configureNginx = true;
+    smtp = {
+      fromAddress = "noreply@${domain}";
+    };
+    extraConfig.SINGLE_USER_MODE = "true";
+  };
+}

modules/matrix.nix

@@ -0,0 +1,175 @@
+{ lib, config, inputs, pkgs, ... }:
+let
+  inherit (config.networking) domain;
+  matrix_host = "matrix.${domain}";
+in {
+services.postgresql = {
+    enable = true;
+    # CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
+    ensureDatabases = [ "synapse" ];
+    package = pkgs.postgresql_15;
+    ensureUsers = [
+      {
+        name = "synapse";
+        ensureDBOwnership = true;
+      }
+    ];
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser  auth-method
+local   all             postgres                                peer
+local   all             all                                     peer
+host    all             all             127.0.0.1/32            md5
+host    synapse         matrix-synapse         ::1/128                 md5
+host    nextcloud       nextcloud       ::1/128                 md5
+host    all             all             ::1/128                 md5
+local   replication     all                                     peer
+host    replication     all             127.0.0.1/32            md5
+host    replication     all             ::1/128                 md5
+    '';
+    identMap = ''
+    # ArbitraryMapName systemUser DBUser
+       superuser_map      root      postgres
+       superuser_map      matrix-synapse synapse
+       superuser_map      nextcloud nextcloud
+       superuser_map      postgres  postgres
+       # Let other names login as themselves
+       superuser_map      /^(.*)$   \1
+  '';
+  };
+
+  systemd.services.postgresql.postStart = let
+    password_file_path = config.age.secrets.synapse_db_pass.path;
+  in ''
+    $PSQL -tA <<'EOF'
+      DO $$
+      DECLARE password TEXT;
+      BEGIN
+        password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
+        EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password);
+      END $$;
+    EOF
+  '';
+
+  services.matrix-synapse-next = {
+    enable = true;
+
+    workers.federationSenders = 1;
+    workers.federationReceivers = 1;
+    workers.initialSyncers = 1;
+    workers.normalSyncers = 1;
+    workers.eventPersisters = 2;
+    workers.useUserDirectoryWorker = true;
+    mainLogConfig = ./matrix_synapse_log_config.yaml;
+
+    enableNginx = true;
+    enableSlidingSync = false;
+
+    settings = {
+      suppress_key_server_warning = true;
+      server_name = domain;
+      public_baseurl = "https://${domain}";
+      enable_registration = true;
+      registration_requires_token = true;
+      registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
+#      enable_registration_without_verification = true;
+#      mainLogConfig = ./matrix_synapse_log_config.yaml;
+
+#      registrations_require_3pid = [ "email" ];
+
+      database = {
+        name = "psycopg2";
+        args = {
+          host = "localhost";
+          port = 5432;
+          dbname = "synapse";
+          user = "synapse";
+          cp_min = 5;
+          cp_max = 10;
+          client_encoding = "auto";
+          passfile = config.age.secrets.synapse_db_pass_prepared.path;
+        };
+      };
+    };  
+  };
+  services.redis.servers."".enable = true;
+
+  age.secrets.synapse_db_pass = {
+    file = ../secrets/synapse_db_pass.age;
+    owner = "postgres";
+    group = "postgres";
+  };
+  age.secrets.synapse_db_pass_prepared = {
+    file = ../secrets/synapse_db_pass_prepared.age;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+    mode = "0600";
+  };
+  age.secrets.synapse_registration_shared_secret = {
+    file = ../secrets/synapse_registration_shared_secret.age;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+    mode = "0600";
+  };
+
+  environment.systemPackages = with pkgs; [
+    matrix-synapse-tools.synadm
+    matrix-synapse
+  ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."${domain}" = {
+      forceSSL = true;
+      enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies
+      useACMEHost = domain;
+      locations."/.well-known/matrix/server" = {
+        return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
+        extraConfig = ''
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+add_header Accept-Ranges bytes;'';
+      };
+      locations."/.well-known/matrix/client" = {
+        return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${matrix_host}\"}}'";
+        extraConfig = ''
+add_header Access-Control-Allow-Origin *;
+default_type application/json;
+'';
+      };
+      locations."/_matrix" = {
+        proxyPass = "http://$synapse_backend";
+        extraConfig = ''
+          add_header X-debug-backend $synapse_backend;
+          add_header X-debug-group $synapse_uri_group;
+          client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
+          proxy_read_timeout 10m;
+        '';
+      };
+      locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
+        proxyPass = "http://$synapse_backend";
+        extraConfig = ''
+          proxy_read_timeout 1h;
+        '';
+      };
+      locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
+        proxyPass = "http://synapse_worker_initial_sync";
+        extraConfig = ''
+          proxy_read_timeout 1h;
+        '';
+      };
+      locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
+        proxyPass = "http://synapse_worker_initial_sync";
+        extraConfig = ''
+          proxy_read_timeout 1h;
+        '';
+      };
+      locations."/_synapse/client" = {
+        proxyPass = "http://$synapse_backend";
+      };
+      locations."/.well-known/matrix" = {
+        proxyPass = "http://$synapse_backend";
+      };
+    };
+  };
+#  networking.firewall.allowedTCPPorts = [ 8448 8008 ];
+}

modules/matrix_synapse_log_config.yaml

@@ -0,0 +1,25 @@
+version: 1
+
+# In systemd's journal, loglevel is implicitly stored, so let's omit it
+# from the message text.
+formatters:
+    journal_fmt:
+        format: '%(name)s: [%(request)s] %(message)s'
+
+filters:
+    context:
+        (): synapse.util.logcontext.LoggingContextFilter
+        request: ""
+
+handlers:
+    journal:
+        class: systemd.journal.JournalHandler
+        formatter: journal_fmt
+        filters: [context]
+        SYSLOG_IDENTIFIER: synapse
+
+root:
+    level: WARNING
+    handlers: [journal]
+
+disable_existing_loggers: False

modules/mjolnir.nix

@@ -0,0 +1,69 @@
+{ config, ... } : 
+let
+
+in {
+  age.secrets = { 
+    matrix_mjolnir_pass = {
+      file = ../secrets/matrix_mjolnir_pass.age;
+      owner = "mjolnir";
+      group = "mjolnir";
+      mode = "0600";
+    };
+
+    matrix_mjolnir_tle_pass = {
+      file = ../secrets/matrix_mjolnir_tle_pass.age;
+      owner = "mjolnir";
+      group = "mjolnir";
+      mode = "0777";  # not ideal, but containers are weird
+    };
+  };
+
+  # global mjolnir  
+  services.mjolnir = {
+    enable = true;
+    homeserverUrl = config.services.matrix-synapse-next.settings.public_baseurl;
+    protectedRooms = [
+      "https://matrix.to/#/!zDkrFrfuMIKbqYFbFv:grimmauld.de"
+    ];
+    managementRoom = "!kgfXXqEYHGgToIwhMP:grimmauld.de";
+    pantalaimon = {
+      enable = true;
+      username = "mjolnir";
+      options = {
+        homeserver = config.services.matrix-synapse-next.settings.public_baseurl;
+      };
+      passwordFile = config.age.secrets.matrix_mjolnir_pass.path;
+    };
+  };
+
+  services.logrotate.checkConfig = false; # needed or this explodes
+  containers.mjolnirtle = let 
+    baseurl = config.services.matrix-synapse-next.settings.public_baseurl; 
+    pass_file = config.age.secrets.matrix_mjolnir_tle_pass.path;
+  in {
+    privateNetwork = false; # don't want nat
+    autoStart = true;
+    bindMounts."${pass_file}".isReadOnly = true;
+    config = { config, ... }: {
+      system.stateVersion = "unstable";
+  # tle mjolnir  
+  services.logrotate.checkConfig = false;
+  services.mjolnir = {
+    enable = true;
+    homeserverUrl = baseurl;
+    protectedRooms = [
+      "https://matrix.to/#/!BgDBnHgMgilMMnPMyp:grimmauld.de"
+    ];
+    managementRoom = "!NQedmlMeoQErGgAwxm:grimmauld.de";
+    pantalaimon = {
+      enable = true;
+      username = "mjolnir_tle";
+      options = {
+        homeserver = baseurl;
+      };
+      passwordFile = pass_file;
+    };
+  };
+    };
+  };  
+}

modules/nextcloud.nix

@@ -0,0 +1,82 @@
+{ lib, pkgs, config, ...} :
+let
+  inherit (config.networking) domain;
+  nextcloud_host = "cloud.${domain}";
+  nextcloud_port = 8083;
+in {
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  security.acme.certs."${domain}".extraDomainNames = [ nextcloud_host ];
+  age.secrets = {
+    nextcloud_admin_pass = {
+      file = ../secrets/nextcloud_admin_pass.age;
+      owner = "nextcloud";
+      group = "nextcloud";
+      mode = "0600";
+    };
+  };
+
+  services.redis.servers.nextcloud = {
+    enable = true;
+    bind = "::1";
+    port = 6379;
+  };
+
+  systemd.services.nextcloud-setup.serviceConfig.ExecStartPost = pkgs.writeScript "nextcloud-redis.sh" ''
+    #!${pkgs.runtimeShell}
+    nextcloud-occ config:system:set redis 'host' --value '::1' --type string
+    nextcloud-occ config:system:set redis 'port' --value 6379 --type integer
+    nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string
+    nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string
+  '';  
+
+  services.nextcloud = {
+    enable = true;
+    https = true;
+    hostName = nextcloud_host;
+    package = pkgs.nextcloud28;
+    caching.redis = true;
+
+#    extraApps = with config.services.nextcloud.package.packages.apps; [
+#      news contacts calendar tasks;
+#    ];
+    config = {
+      adminpassFile = config.age.secrets.nextcloud_admin_pass.path;
+      dbuser = "nextcloud";
+      dbhost= "localhost:${builtins.toString config.services.postgresql.port}";
+      dbtype = "pgsql";
+    };
+    settings = {
+      overwriteProtocol = "https";
+      defaultPhoneRegion = "DE";
+      filelocking.enabled = true;
+      redis = {
+        host = "localhost";
+        port = 6379;
+        timeout = 0.0;
+      };
+
+    };
+    phpOptions = {
+      "opcache.interned_strings_buffer" = "12";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."${nextcloud_host}" = {
+      serverName = nextcloud_host;
+      forceSSL = true;
+      useACMEHost = domain;
+    };
+  };
+}

modules/patch_bridge_perms.patch

@@ -0,0 +1,12 @@
+diff --git a/src/util.ts b/src/util.ts
+index f09190e..c7bc841 100644
+--- a/src/util.ts
++++ b/src/util.ts
+@@ -353,6 +353,7 @@ export class Util {
+         if (res && res.users && res.users[userId] !== undefined) {
+             haveLevel = res.users[userId];
+         }
++        requiredLevel = 50;
+         return haveLevel >= requiredLevel;
+     }
+ 

modules/prometheus.nix

@@ -0,0 +1,52 @@
+{ config, ... } :
+let
+  inherit (config.networking) domain;
+  prometheus_host = "prometheus.${domain}";
+  prometheus_port = 9090; # netstat -nlp | grep 9090
+in {
+  security.acme.certs."${domain}".extraDomainNames = [ prometheus_host];
+
+  services.prometheus = {
+    enable = true;
+    port = prometheus_port;
+    globalConfig.scrape_interval = "15s";
+    scrapeConfigs = [
+      {
+        job_name = "chrysalis";
+        static_configs = [{
+          targets = [
+            "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
+            "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}"
+            "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}"
+          ];
+        }];
+      }
+    ];
+    exporters = {
+      nginx.enable = true;
+      redis.enable = true;
+      domain.enable = true;
+      postgres.enable = true;
+      nginxlog.enable = true;
+      jitsi.enable = true;
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+        port = 9002;
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."${prometheus_host}" = {
+      serverName = prometheus_host;
+      forceSSL = true;
+      useACMEHost = domain;
+      locations."/" = {
+#        proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
+        return = "307 https://${domain}"; # nuh uh, no raw prometheus access for you!
+      };
+    };
+  };
+}

modules/ptero.nix

@@ -0,0 +1,130 @@
+{config, pkgs, ...}: let
+  inherit (config.networking) domain;
+  root_email = "contact@${domain}";
+  ptero_host = "ptero.${domain}";
+  DATA_DIR = "/var/lib/pterodactylpanel";
+  panel_user = "pterodactyl";
+  local_bridge = "ptero-local-br";
+  ptero_ver = "1.11.5";
+  ptero_port = "8042";
+in {
+  users.users.${panel_user} = {
+    isSystemUser = true;
+    extraGroups = ["docker"];
+    group = panel_user;
+  };
+  users.groups.${panel_user} = {};
+
+  age.secrets.ptero_env = {
+    file = ../secrets/ptero_env.age;
+  };
+
+  systemd.services.init-ptero-data-dir = {
+    description = "Create the pterodactyl panel data dir";
+    wantedBy = [ "multi-user.target" ];
+  
+    serviceConfig.Type = "oneshot";
+    script =''
+mkdir -p ${DATA_DIR}/database
+mkdir -p ${DATA_DIR}/cache
+mkdir -p ${DATA_DIR}/panel/var
+mkdir -p ${DATA_DIR}/panel/logs
+mkdir -p ${DATA_DIR}/panel/nginx
+chown ${panel_user}:${panel_user} -R ${DATA_DIR}
+chmod +777 -R ${DATA_DIR}
+'';
+  };
+
+  virtualisation.oci-containers.backend = "podman";
+
+  systemd.services.init-ptero-local-network = {
+    description = "Create the network bridge ${local_bridge} for ptero.";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+  
+    serviceConfig.Type = "oneshot";
+    script = let podmancli = "${config.virtualisation.podman.package}/bin/podman";
+           in ''
+             check=$(${podmancli} pod ls | grep "ptero" || true)
+             if [ -z "$check" ]; then
+               ${podmancli} pod create -p "${ptero_port}:80" ptero
+             else
+               echo "ptero pod already exists"
+             fi
+           '';
+  };
+
+
+  virtualisation.oci-containers.containers."ptero-mysql" = {
+    image = "library/mysql:8.0";
+    workdir = "${DATA_DIR}/database";
+    extraOptions = [ "--pod=ptero" ];
+    environment = {
+      "MYSQL_USER" = "pterodactyl";
+      "MYSQL_DATABASE" = "panel";
+    };
+    environmentFiles = [ config.age.secrets.ptero_env.path ];
+    volumes = ["${DATA_DIR}/database:/var/lib/mysql" "${DATA_DIR}/database:${DATA_DIR}/database"];
+    cmd=["--default-authentication-plugin=mysql_native_password"];
+  };
+
+  virtualisation.oci-containers.containers."ptero-cache" = {
+    image = "redis:alpine";
+    workdir = "${DATA_DIR}/cache";
+    volumes = ["${DATA_DIR}/cache:${DATA_DIR}/cache"];
+    extraOptions = [ "--pod=ptero" ];
+  };
+
+  virtualisation.oci-containers.containers."ptero-panel" = {
+    image = "ghcr.io/pterodactyl/panel:v${ptero_ver}";
+    volumes = [
+      "${DATA_DIR}/panel/var/:/app/var/"
+      "${DATA_DIR}/panel/logs/:/app/storage/logs"
+      "${DATA_DIR}/panel/nginx/:/etc/nginx/conf.d/"
+    ];
+    extraOptions = [ "--pod=ptero" ];
+    environment = {
+      "APP_URL" = "https://${ptero_host}";
+      "APP_TIMEZONE" =  "Europe/Berlin";
+      "APP_SERVICE_AUTHOR" = root_email;
+
+      "MAIL_FROM" = "noreply@${domain}";
+      "MAIL_DRIVER" = "smtp";
+      "MAIL_HOST" = "mail";
+      "MAIL_PORT" = "25";
+      "MAIL_USERNAME" = "";
+      "MAIL_PASSWORD" = "";
+      "MAIL_ENCRYPTION" = "true";
+
+      "APP_ENV"= "production";
+      "APP_ENVIRONMENT_ONLY"= "false";
+      "CACHE_DRIVER" = "redis";
+      "SESSION_DRIVER" = "redis";
+      "QUEUE_DRIVER" = "redis";
+      "REDIS_HOST" = "127.0.0.1";
+      "DB_HOST" = "127.0.0.1";
+      "TRUSTED_PROXIES" = "*";
+    };
+    labels = {
+      "traefik.http.routers.pterodactyl_panel.entrypoints"="web";
+    };
+    environmentFiles = [ config.age.secrets.ptero_env.path ];
+  };
+
+  security.acme.certs."${domain}".extraDomainNames = [ ptero_host ];
+  services.nginx = {
+    enable = true;
+    virtualHosts."${ptero_host}" = {
+      serverName = ptero_host;
+      forceSSL = true;
+      useACMEHost = domain;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${ptero_port}";
+      };
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    (writeShellScriptBin "ptero-nix" "${config.virtualisation.podman.package}/bin/podman exec -it ptero-panel php artisan $@")
+  ];
+}

modules/puffer.nix

@@ -0,0 +1,50 @@
+{ lib, config, inputs, pkgs, ... }:
+let
+  inherit (config.networking) domain;
+  puffer_port = 8080;
+  puffer_sftp_port = 5657;
+  puffer_host = "puffer.${domain}";
+  tlemap_host = "tlemap.${domain}";
+  tlemap_port = 8100;
+in {
+  services.pufferpanel = {
+    enable = true;
+    environment = {
+      PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
+      PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
+    };
+    extraPackages = with pkgs; [];
+    extraGroups = [ "docker" ];
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."${puffer_host}" = {
+      serverName = puffer_host;
+      forceSSL = true;
+      useACMEHost = domain;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
+      };
+    };
+    virtualHosts."${tlemap_host}" = {
+      serverName = tlemap_host;
+      forceSSL = true;
+      useACMEHost = domain;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
+      };
+    };
+
+  };
+  security.acme.certs."${domain}".extraDomainNames = [ puffer_host tlemap_host ];
+  networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568 7270 ];
+
+#  virtualisation.podman.enable = true;
+  virtualisation.docker.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    pufferpanel
+    (writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
+  ];
+}

modules/toolchains.nix

@@ -0,0 +1,50 @@
+{config, pkgs, ...}: let
+  git_user = "Grimmauld";
+in {
+  environment.systemPackages = with pkgs; [
+    (writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
+    (writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
+    (writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
+    mkpasswd
+    node2nix
+  ];
+
+  programs.git = {
+    enable = true;
+    lfs.enable = true;
+    config = {
+      init.defaultBranch = "main";
+      credential.username = git_user;
+      core.editor = "${pkgs.neovim}/bin/nvim";
+      user.name = git_user;
+      user.email = "${git_user}@grimmauld.de";
+    };
+  };
+
+  programs.tmux = {
+    enable = true;
+    historyLimit = 42000;
+    #keyMode = "vi";
+  };
+
+  programs.neovim = {
+    enable = true;
+    viAlias = true;
+    defaultEditor = true;
+    configure = {
+      customRC = ''
+        set number
+        set hidden
+        set nocompatible
+  '';
+      packages.myVimPackage = with pkgs.vimPlugins; {
+        # loaded on launch
+        start = [ vim-nix vim-scala fugitive autoclose-nvim ];
+        # manually loadable by calling `:packadd $plugin-name`
+        opt = [ ];
+      };
+    };
+  };
+
+  programs.xonsh.enable = true;
+}

result

@@ -1 +0,0 @@
-/nix/store/wf6nyixk6236i1h6ws7yn3lnq7plhyd8-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc

secrets/grafana_admin_pass.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+ieBCGzdQNeFiy2vjh2SbQz2jM9SFsqESvydY3ok681KYIBZKhw0FkQQPADCJElnM
+L0XxLSXkOB2l3hhie5i+O3iSHKlXAwPvbfxUcsZmDgV9F9MJtdqrDWrp8qpnIzau
+qsecyM28o37laD0hr+Zt6nG8QWPDmSBnNfVfdflYUkMQCPaNHrMa0+XQqABAJ7mi
+PssjYLHkVJzPTi4p0bYkewkBS45gsp7j6DlF2Gg5Ce+l2FxB+RWc5Pl8mp76IntR
+Vxm8gaGXG667IjwFqfxhsIbygyIZ2SX38GUJbtn3Is0aSOQCZtSkdLTkrjFtB+LP
+FUfvvqkPKC5ttQm6lkODrMo3Ai0VfT6kCo/F52A0T5mkrF5jVCQdeqo92zBPWI6S
+Um93uNLFmQ+OIDNnSVZKO0znpw6Vq9N7Q7LUPG1etRasnH5agMzBVlAeotbvD9Y/
+Y6jLOB7aTruX4Snw83WF8J4jjzr6MYG71wQ/0aGOA5EfS/njrWRT6PSgVERny/WW
+h/TaVV+Zw7vm7kw4cxSmnwcnvpst2W4Xg2hulj2MPO0OXlXPvIuIg68Olcctclox
+HR2BKjDDQ+9jScu0cQcYIsnXuJ5JillpETtYI5Z4AGmKLj0rqXxrZDmjr0WKE5AE
+qlbOw6/Jpn5vtmS4qEuSnbK11vhm4EWN/tv0Zz7KShM
+--- yNCRCxrMUj+Kx54kwJ0Tq3X/QmxRi3eUcDCIkAtnrk8
+~‰E~
ß}IÝR9•<39>â*·\–™f›rèÿyÅU›w¤BÔ
 1<>!¨ÝÞã÷ðtez“yxX¾W<øs!ëÛ

secrets/matrix_admin_pass.age

@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+Y34uAa+VEd/xy3iIs0rDEpF9iBQVpU//AQcTpP/lo1idGdUbVS2KeqkWZiGFfiOL
+PZNBZ9TkQhqKvw4dD7xdVNZoO9R2O9KApMIAtf4XRN+YvNA6l9dnpu/UDLFzh2F0
+NJY4TXRXJPRB3k5ngbCvYv2anQ6yMi7cpHZNEIgM/LdKGJ/56YHXQAxtOe4o+0Mz
+Q1FQOsEFGa2Kb5f5D9wdjfZvDkoUzG9W2Cao2GAKdtJQx0yAP3T4uEt+22nYo5OB
+mOuKJ0qNwfoSk0ErC+dYlkgknG6W4QsxA/G7ZMzFq/E70yNzAOAViXPMRSnJYpr2
+p2C8nhQ3lhlS2bFu46Jgi4NTj9FvnABVH+QiwL3P+WtqCMGy+LRfHDMJ1i14M35/
+6cTaeSw1d4UiZekxgCsHXrT4BipC70pH+9vZYGTVzP3SxfkbilwhQJvpREnNZq1o
+e2vfMHod3syDvZfYEILayODY+WwuqVp4O6NIOoPNygKwdoN+DiYKs7vhUFXU/AWA
+iVL5jQ0p4fI7qQm/jrNL3E7Mj+FMYQMBKTvSjF8O/YFBymsDtcN0bLlKIOdSdLP/
+Tm0tffNargbnrF9a4ZNjOihbNYocDfID7hyFsdpqF9TsANXeiRkBGWT/RnOzMBs0
+QZLz3iChOR87PPC4loqZJpQSYLnQ77m7ZcODzDnScwo
+--- UWFxzIGon0JaPMjmKUkZQGNLa44SSusFKXVb3eGhyFE
+̶¼w“ÂT©XP=žïÓ/m$nyßwϧç¿ð«‰,þïoùïƒØNé0Fò ’ø±,øî<C3B8>
+¡d
+ËSâ”

secrets/matrix_discord_bridge_token.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+NjaxRq6jsJbscI9ySg58c9D8HEOUjEusNfEDn2aCEcyvmO0AeLImCK/MI08x8hJ2
+FwSmPVpumzatiTd9U8orgUj7ivr5On5yItg1FJs1yGojDotnvXKx2P2ulAkeGs/B
+KHx7UZnCwm9gAzwz8r6Uki+R56/Wu/TCfygbGq0sRI1+Tyo2PdZv0EiXXQ+f5g0c
+VS23NyxGxzO3yIHRV0hRB9xRfUlYddSINVqcfRr54q2DIFi1DKU2BueAchGF2tIl
+9uazNaWetXeqLF15UAYbxv1Sh5/YOmZKSr6WXhTfmzT6bSTnDwu6IqYhgBagRIEO
+lv17r0wbmNAHhDZKuj60Fv+28tbWdU4WENOVhrxsImJMP6iHC79iCpNM/uHLALwN
+yB1MF4oFAajX2LzW4tmmoR3bM2LCy/aW3oNccLm8M1mWuPg6pqyhiejAk/09b0BT
+73HqqHSBys4DMEUjxntG+BhtwAm+3e+zcG+7MSa9fVf3yb566EUnVNHjm60pX0JN
+FIn08qwIS1vtDD/2vGDMB575sYafurh6gJ6kmwikv2IOlbJBoyXBONEb7Q5TGeJ6
+mon6l7zdqgW/sYgW2wAsmwGrUTHeJNVV/CUNt1sPhmb7VyqRpP0a/fWif/S2XpxY
+Caiv38ccsmpmm639BhBV7iF8BhV//Ovja/hKwsLUsoM
+--- suzKNMEdOeEQQnOg6BIVnTTGqCg7b0+eAiVS6PR8W2c
+´êõG"ÎÇu¿ívʪ¦¡ÚH"ÅtH aËÅz#¶0.é<>â‚ɳ:žI’勾_†DU‡7xª¼MÌ@‰¹#ÆP£¢µ9ªz5¿”;Çš-<2D>êk“jhHâªáy[cü>ÖPÖ¯õî७Axî°¾áÐJàâ¸,í	=í^%Ùá}éŽn\s½{«qÎ~AgxÛ6Š©ÿpÊfwæ8ÇÝ"yê³Ô²Ý¦ñ|=Ȅ륷T4Ï<>TxÀ]<5D>—©|>¬*Õ‚ä

secrets/matrix_mjolnir_pass.age

@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+jXawkbb/FkE0/pdY3wvHC+iVx9RgIB7ytAKsk+mxx0hhwAOZL4oswvvKsnYdkUjv
+5UMexnENT9I1+ZLyVMusvxvlMM+LxZtkNOLCylFF4G/Xyrq6QS5NMFK5aD0slT1U
+nwufnIABuheku4yK3W/lYJcwsHT+lFfkSyqXw214AMHI37YVnsSxgjgV3KhC9ZhG
+dxWG010li/7uFh1+/006+DKoa7VejrJM7OUeUVCjBjSwYazMUAi8okuaZzhMeeWG
+sC8v7RmnZTM/mS0nBu0wcZxUB7Vz2c2evBNUuARELfMzxRfh9yIQMzg3k5A7xNqC
+qjj3KchocgNPoTrzG/x4uFFhCmF523LJ/85IlFIQ8X/1MrAgZg/L5N5fEmhHLRG6
+yVGRm0xs9wEWf1ZzSPALHO/fLUa6K+9IEo9e5Ne3+HtzeiSrlBTgAThm4iS/j9gJ
+Gh5cnAuG8dmvZsnV0VJLZCCa938PugsKxsbEGRgtIwj5FaBudLd6DzNwqq9n88Y3
+H3Vnc56ru/XWHVTnVNKAstXkUmAxCH2SKpETXgb2Nd7aLBEYd0Dp334wdYOYaBnR
+3p0jTTpU2TFA8zfLJRy0CnElfC11YYp5aF3+ONEuGFbiAdFSoixRd0xUdxKvQ6Ym
+KK875Yhl3KBCbQGHGzT9TRwqFv4GM5gntoV6QFXv8R4
+--- mty/HLWaSdsD6bxDTO2KJ9itaRpuI1OKyH3+KAMX6TM
+j©¡©Ÿžƒ÷¼ÍhŒV¹4*µ °á
+ÿÞ…tñÝ3šJ0ð!ÁhFB‚¹”'Ráxí¶}jÒJ¥

secrets/matrix_mjolnir_tle_pass.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+MbJMn9f+sg1SygW+O6rIF8fXmieYHkQFnSuI/U71YG3JIJwMDQLMqN8dB1pi5fvg
+j4wQU2211KdUsOjmpSFAoylielEMVRSm8ae+0pMDrCli6z8xb0Izd495EMexxwH8
++FWQORHvrXIaxPgHcOQ4g0SApkDAhEGl8XrI3dvC2szEy9tM5ph3LrXIAV6GBKp/
+SlHD385bgZkuN8lwaczKGTjBktYiK2h1lpJBb+sQkuOP3h8rpHetU6CCbooJkQ4c
+x8ND7fu3ptd/YhzVRAhTMOaQU62f1FEJoGP67hsm79rOm+0vnH5K1r16gAB2jjAh
+RHXYFhzpPLrYUUCwdklGGtCFcTRc2g4gRglDx4IutTZ+2EBkrzePZ8OqXpR5/2xO
+yROb3L3wex0bm9MqIyClaPFq9eUtSI4ca8s5TCZV///6FrzJVEsAlj0xZFQFGTT3
+T1zOOEEzEX4f9878Wj/Rl+MZhtZUJYG39fwonFS799Omgks+NcSXi5pnPTMXnONq
+cVXQM1y2wvLlxf9qbPkFCnvkqq6pWMXma18BTiAakbOZ0y/EpOGQG+vAz+zZ5wq1
+le3fgfiKPM4oXuPrMPxuCd1QsmoHj5YYDSSGPWYgxHt3kKKpDVadpqgRp2FyrFGA
+KGKGwqbOv12pbzmP2S3WlbAhQiUodg6my93H4kroPPM
+--- q4gCKxg3dPi7iXSqByd4F3dQ6hv2h8ZH4vz1Abzzovo
+„źŇgyÂŢşňŹIîŻnó<6E>ÔŚşeË*é(¨a5ĘTüÓ}ÚâDú%€ĽŔÇľUqg4\b ˘ýc5´ĆÜoY

secrets/nextcloud_admin_pass.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+Q/jX41H5vQpkJf7eEOKeRezpVFRM8NS4puvIrPXE/zUx4DTn38BpSbVuv+PUH/D1
+LPAplIAh8JmeXGE9V0LcVX3cvwQ/IwYZ6Iwu82yCBFOv4F4EjbFZsXRjva64m4lj
+Nr5vikahk3IVezsMqFn5f46/G5ZCRyPZSlOyojPZ4YA+mZq3g1PuL4Cd/296y0SI
+0xNeYG9F8gCEW1iAKKjX5QBLBx/HztgJrYm6MVEK0jRDe1LC1JBWa670smI3ALH5
+V1uQbPutsOkuyZw46Nbb9bBYLQLDoKoVmAetj6AIak9p7q4/vzWMEv1zgmHczAMC
+7T3zuQ1D2zjS+ePXXhof2ZpBT4yr/hfRtf0V7NhDokFZZOleJE9K3BLkQCVdUTA8
+ZSzX2MnZe4OXKXSh+8+KFD37AyR7P0G4eZF5rZJ2IIrdUz6/MFjheKUAQanfg8nm
+Uh4YWFu2wyVYy1OYeuSoAhzj8VpGiEa4E1WRA7Hb7AdK9t2JvIIOG5duAWw+qHXY
+leh5LKHeTdtEPqEY8QqdcUoEnU+q8DseXGrRJx16aPZgP1trjlDPRWNT9Ko8gIOn
+kLctSbJ3v/wv9hI9waEaWw93LCDG6E+MK5pD03f6vKcr6HQoqEMg8+eVzX+dCoa4
+AF6DiI1pXrYzjLztPLcUwb7Az/hPFrVrAZ6x7KUq2E4
+--- QKrzExwjVrJvMy+dzU0aQ1PCye2SwR4e5ZJXEN/yX6c
+˜vú4
Ás/ö¤R"y—RJˆC?oâ«O]«ä¬aHézêš…’âl››À(
y?¡šÀ™à /GM’

secrets/nextcloud_db_pass.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+ULPpqCrbkoqF5Zx+YNl2igi962ho+4bJv4ZqkdUJWXKvwBCKBujUhTRubao3E1H7
+M6Qa1X/ENOjLRjaDGN/LHTKl+7yv7TyayHxWlPVylBHgs2m18Zr0+pcIl+771FSm
+E0QFs61ENZibrBubOv9sib0Drb/8hi393kLAuBIIblzVt8Td3eLz9oXBltkXDJ26
+ndY61jJbMcOkaS/AgcENSdwuDETxlceOBNuIRucjpcGFDrobngJyNbV8amH3Fc4D
+07iwIGFK5xF+Z3h1dH+oKPTqenDcBsq32LYNOUczap0ia4/CCw/by/VrTnudX9FC
+VGJ3MmJIXLaeCMMSsHEQNrNf6hq+rysuAeW3rUco8k9lWv4J08l2Z4wEfwIX3UdT
+LmyTe9FeKib8ul4FuAnAXWl5Mwik2xG87Ci375/qeZgIduH6UyelBErzGA5HwtV+
+Zhfo+moImBg5wkQAMqBEYo3llMU4S0uV3A7sxcFSGrKnW+qFt46+TzkAAZJCBaFC
+tXM44LI+JceJhlBnI83sayEf1kEQlsxGqqdOpRQaVI5xBX7rGduFOFsVFAOO60I9
+jIESQSoV36KVgm4w+v99jYiLI9mfHRNzC0KH5qeTW8tST6N1+TyP0uhzfIoNVfpg
+buHTgKaPO37VciLDT2qGz8VVcbg7wlFE2neNPqQQss4
+--- CWjL7M33VOuujkVFJG+zj8JwUwvA2ymMNvjIXvAxNxE
+âê`á
ßnœ÷\<5C>çU‘D…Ð`Až‚î?xM7ž½¤ReœNÓJÕïIëÒ}GŽøý=x“<78>@åÙ”“Ü4)ÉžR°f¯rwÄã¹	£}ºÍZ2

secrets/secrets.nix

@@ -6,4 +6,13 @@ in
   # "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
   "synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
   "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
+  "grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];
+  "nextcloud_admin_pass.age".publicKeys = [ contabo_nix_pub ];
+  "nextcloud_db_pass.age".publicKeys = [ contabo_nix_pub ];
+  "synapse_registration_shared_secret.age".publicKeys = [ contabo_nix_pub ];
+  "matrix_admin_pass.age".publicKeys = [ contabo_nix_pub ];
+  "matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub ];
+  "matrix_mjolnir_tle_pass.age".publicKeys = [ contabo_nix_pub ];
+  "matrix_discord_bridge_token.age".publicKeys = [ contabo_nix_pub ];
+  "ptero_env.age".publicKeys = [ contabo_nix_pub ];
 }