comparing 7b05921dc47248b4a87cba67a1e53a642adee1fc and main on ryan.freumh.org/eilean-nix

+37 -55

flake.lock

···

       22
       22
        
               "nixpkgs": [

     

       23
       23
        
                 "nixpkgs"

     

       24
       24
        
               ],

     

       25
       25
       -
               "opam-nix": "opam-nix",

     

       26
       26
       -
               "opam-repository": "opam-repository"

     

       25
       25
       +
               "opam-nix": "opam-nix"

     

       27
       26
        
             },

     

       28
       27
        
             "locked": {

     

       29
       29
       -
               "lastModified": 1718122335,

     

       30
       30
       -
               "narHash": "sha256-ooeplCUj5dY2KT840ecFtR+iDq1V2iB5rDsFqjbdFSs=",

     

       28
       28
       +
               "lastModified": 1738666931,

     

       29
       29
       +
               "narHash": "sha256-dTF+etN5ZDPVwK8XV/huQByY6JohiVgpCfzVJWAZY1I=",

     

       31
       30
        
               "owner": "RyanGibb",

     

       32
       31
        
               "repo": "eon",

     

       33
       33
       -
               "rev": "87b7ec1cd6cb7dc0f950d8d37a91845465780faf",

     

       32
       32
       +
               "rev": "42523d1d8f720215ab5108a1b42e9c5b7d17d4bf",

     

       34
       33
        
               "type": "github"

     

       35
       34
        
             },

     

       36
       35
        
             "original": {

     
···

       42
       41
        
           "flake-compat": {

     

       43
       42
        
             "flake": false,

     

       44
       43
        
             "locked": {

     

       45
       45
       -
               "lastModified": 1627913399,

     

       46
       46
       -
               "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=",

     

       44
       44
       +
               "lastModified": 1696426674,

     

       45
       45
       +
               "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",

     

       47
       46
        
               "owner": "edolstra",

     

       48
       47
        
               "repo": "flake-compat",

     

       49
       49
       -
               "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2",

     

       48
       48
       +
               "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",

     

       50
       49
        
               "type": "github"

     

       51
       50
        
             },

     

       52
       51
        
             "original": {

     
···

       76
       75
        
               "systems": "systems"

     

       77
       76
        
             },

     

       78
       77
        
             "locked": {

     

       79
       79
       -
               "lastModified": 1710146030,

     

       80
       80
       -
               "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",

     

       78
       78
       +
               "lastModified": 1731533236,

     

       79
       79
       +
               "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",

     

       81
       80
        
               "owner": "numtide",

     

       82
       81
        
               "repo": "flake-utils",

     

       83
       83
       -
               "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",

     

       82
       82
       +
               "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",

     

       84
       83
        
               "type": "github"

     

       85
       84
        
             },

     

       86
       85
        
             "original": {

     
···

       92
       91
        
           "mirage-opam-overlays": {

     

       93
       92
        
             "flake": false,

     

       94
       93
        
             "locked": {

     

       95
       95
       -
               "lastModified": 1661959605,

     

       96
       96
       -
               "narHash": "sha256-CPTuhYML3F4J58flfp3ZbMNhkRkVFKmBEYBZY5tnQwA=",

     

       94
       94
       +
               "lastModified": 1710922379,

     

       95
       95
       +
               "narHash": "sha256-j4QREQDUf8oHOX7qg6wAOupgsNQoYlufxoPrgagD+pY=",

     

       97
       96
        
               "owner": "dune-universe",

     

       98
       97
        
               "repo": "mirage-opam-overlays",

     

       99
       99
       -
               "rev": "05f1c1823d891ce4d8adab91f5db3ac51d86dc0b",

     

       98
       98
       +
               "rev": "797cb363df3ff763c43c8fbec5cd44de2878757e",

     

       100
       99
        
               "type": "github"

     

       101
       100
        
             },

     

       102
       101
        
             "original": {

     
···

       109
       108
        
             "inputs": {

     

       110
       109
        
               "blobs": "blobs",

     

       111
       110
        
               "flake-compat": "flake-compat_2",

     

       112
       112
       -
               "nixpkgs": "nixpkgs",

     

       111
       111
       +
               "nixpkgs": [

     

       112
       112
       +
                 "nixpkgs"

     

       113
       113
       +
               ],

     

       113
       114
        
               "nixpkgs-24_05": "nixpkgs-24_05",

     

       114
       115
        
               "utils": "utils"

     

       115
       116
        
             },

     
···

       130
       131
        
           },

     

       131
       132
        
           "nixpkgs": {

     

       132
       133
        
             "locked": {

     

       133
       133
       -
               "lastModified": 1709703039,

     

       134
       134
       -
               "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=",

     

       135
       135
       -
               "owner": "NixOS",

     

       134
       134
       +
               "lastModified": 1732981179,

     

       135
       135
       +
               "narHash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34=",

     

       136
       136
       +
               "owner": "nixos",

     

       136
       137
        
               "repo": "nixpkgs",

     

       137
       137
       -
               "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d",

     

       138
       138
       +
               "rev": "62c435d93bf046a5396f3016472e8f7c8e2aed65",

     

       138
       139
        
               "type": "github"

     

       139
       140
        
             },

     

       140
       141
        
             "original": {

     

       141
       141
       -
               "id": "nixpkgs",

     

       142
       142
       -
               "ref": "nixos-unstable",

     

       143
       143
       -
               "type": "indirect"

     

       142
       142
       +
               "owner": "nixos",

     

       143
       143
       +
               "ref": "nixos-24.11",

     

       144
       144
       +
               "repo": "nixpkgs",

     

       145
       145
       +
               "type": "github"

     

       144
       146
        
             }

     

       145
       147
        
           },

     

       146
       148
        
           "nixpkgs-24_05": {

     
···

       158
       160
        
               "type": "indirect"

     

       159
       161
        
             }

     

       160
       162
        
           },

     

       161
       161
       -
           "nixpkgs_2": {

     

       162
       162
       -
             "locked": {

     

       163
       163
       -
               "lastModified": 1732981179,

     

       164
       164
       -
               "narHash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34=",

     

       165
       165
       -
               "owner": "nixos",

     

       166
       166
       -
               "repo": "nixpkgs",

     

       167
       167
       -
               "rev": "62c435d93bf046a5396f3016472e8f7c8e2aed65",

     

       168
       168
       -
               "type": "github"

     

       169
       169
       -
             },

     

       170
       170
       -
             "original": {

     

       171
       171
       -
               "owner": "nixos",

     

       172
       172
       -
               "ref": "nixos-24.11",

     

       173
       173
       -
               "repo": "nixpkgs",

     

       174
       174
       -
               "type": "github"

     

       175
       175
       -
             }

     

       176
       176
       -
           },

     

       177
       163
        
           "opam-nix": {

     

       178
       164
        
             "inputs": {

     

       179
       165
        
               "flake-compat": "flake-compat",

     
···

       187
       173
        
                 "nixpkgs"

     

       188
       174
        
               ],

     

       189
       175
        
               "opam-overlays": "opam-overlays",

     

       190
       190
       -
               "opam-repository": [

     

       191
       191
       -
                 "eon",

     

       192
       192
       -
                 "opam-repository"

     

       193
       193
       -
               ],

     

       176
       176
       +
               "opam-repository": "opam-repository",

     

       194
       177
        
               "opam2json": "opam2json"

     

       195
       178
        
             },

     

       196
       179
        
             "locked": {

     

       197
       197
       -
               "lastModified": 1703105504,

     

       198
       198
       -
               "narHash": "sha256-z7X1i2T1H37Lj9hEIJA5T0+sdE5E+PSWiiSyvYGyGSY=",

     

       199
       199
       -
               "owner": "RyanGibb",

     

       180
       180
       +
               "lastModified": 1732617437,

     

       181
       181
       +
               "narHash": "sha256-jj25fziYrES8Ix6HkfSiLzrN6MZjiwlHUxFSIuLRjgE=",

     

       182
       182
       +
               "owner": "tweag",

     

       200
       183
        
               "repo": "opam-nix",

     

       201
       201
       -
               "rev": "ccf2e75e8854aefe933c4e504f436a3b315802ee",

     

       184
       184
       +
               "rev": "ea8b9cb81fe94e1fc45c6376fcff15f17319c445",

     

       202
       185
        
               "type": "github"

     

       203
       186
        
             },

     

       204
       187
        
             "original": {

     

       205
       205
       -
               "owner": "RyanGibb",

     

       206
       206
       -
               "ref": "pin-depends-path",

     

       188
       188
       +
               "owner": "tweag",

     

       207
       189
        
               "repo": "opam-nix",

     

       208
       190
        
               "type": "github"

     

       209
       191
        
             }

     
···

       211
       193
        
           "opam-overlays": {

     

       212
       194
        
             "flake": false,

     

       213
       195
        
             "locked": {

     

       214
       214
       -
               "lastModified": 1654162756,

     

       215
       215
       -
               "narHash": "sha256-RV68fUK+O3zTx61iiHIoS0LvIk0E4voMp+0SwRg6G6c=",

     

       196
       196
       +
               "lastModified": 1726822209,

     

       197
       197
       +
               "narHash": "sha256-bwM18ydNT9fYq91xfn4gmS21q322NYrKwfq0ldG9GYw=",

     

       216
       198
        
               "owner": "dune-universe",

     

       217
       199
        
               "repo": "opam-overlays",

     

       218
       218
       -
               "rev": "c8f6ef0fc5272f254df4a971a47de7848cc1c8a4",

     

       200
       200
       +
               "rev": "f2bec38beca4aea9e481f2fd3ee319c519124649",

     

       219
       201
        
               "type": "github"

     

       220
       202
        
             },

     

       221
       203
        
             "original": {

     
···

       227
       209
        
           "opam-repository": {

     

       228
       210
        
             "flake": false,

     

       229
       211
        
             "locked": {

     

       230
       230
       -
               "lastModified": 1712915335,

     

       231
       231
       -
               "narHash": "sha256-CLxKnc9GgeNom5LzGhDyq4ZP8Mx8NtwYsg2YQfcSk3U=",

     

       212
       212
       +
               "lastModified": 1732612513,

     

       213
       213
       +
               "narHash": "sha256-kju4NWEQo4xTxnKeBIsmqnyxIcCg6sNZYJ1FmG/gCDw=",

     

       232
       214
        
               "owner": "ocaml",

     

       233
       215
        
               "repo": "opam-repository",

     

       234
       234
       -
               "rev": "03178cf5192dd1a55105844365e56a2294cd9225",

     

       216
       216
       +
               "rev": "3d52b66b04788999a23f22f0d59c2dfc831c4f32",

     

       235
       217
        
               "type": "github"

     

       236
       218
        
             },

     

       237
       219
        
             "original": {

     
···

       266
       248
        
             "inputs": {

     

       267
       249
        
               "eon": "eon",

     

       268
       250
        
               "nixos-mailserver": "nixos-mailserver",

     

       269
       269
       -
               "nixpkgs": "nixpkgs_2"

     

       251
       251
       +
               "nixpkgs": "nixpkgs"

     

       270
       252
        
             }

     

       271
       253
        
           },

     

       272
       254
        
           "systems": {

+6 -1

flake.nix

···

       3
       3
        
           nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";

     

       4
       4
        
           nixos-mailserver.url = "gitlab:RyanGibb/nixos-mailserver/fork-24.05";

     

       5
       5
        
           eon.url = "github:RyanGibb/eon";

     

       6
       6
       +
       

     

       6
       7
        
           eon.inputs.nixpkgs.follows = "nixpkgs";

     

       8
       8
       +
           nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";

     

       7
       9
        
         };

     

       8
       10
        
       

     

       9
       11
        
         outputs = { nixpkgs, nixos-mailserver, eon, ... }: {

     

       10
       12
        
           packages = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed (system:

     

       11
       13
        
             let pkgs = nixpkgs.legacyPackages.${system};

     

       12
       12
       -
             in { manpage = import ./man { inherit pkgs system nixos-mailserver; }; });

     

       14
       14
       +
             in {

     

       15
       15
       +
               manpage = import ./man { inherit pkgs system nixos-mailserver; };

     

       16
       16
       +
               packages.mautrix-meta = (pkgs.callPackage ./pkgs/mautrix-meta.nix { });

     

       17
       17
       +
             });

     

       13
       18
        
       

     

       14
       19
        
           nixosModules.default = {

     

       15
       20
        
             imports = [

modules/default.nix

···

       10
       10
        
           ./mailserver.nix

     

       11
       11
        
           ./gitea.nix

     

       12
       12
        
           ./dns.nix

     

       13
       13
       +
           ./fail2ban.nix

     

       13
       14
        
           ./matrix/synapse.nix

     

       14
       15
        
           ./matrix/mautrix-instagram.nix

     

       15
       16
        
           ./matrix/mautrix-messenger.nix

+42

modules/fail2ban.nix

···

       1
       1
       +
       { config, pkgs, lib, ... }:

     

       2
       2
       +
       

     

       3
       3
       +
       with lib;

     

       4
       4
       +
       let cfg = config.eilean;

     

       5
       5
       +
       in {

     

       6
       6
       +
         options.eilean.fail2ban = {

     

       7
       7
       +
           enable = mkEnableOption "TURN server";

     

       8
       8
       +
           radicale = mkOption {

     

       9
       9
       +
             type = types.bool;

     

       10
       10
       +
             default = cfg.radicale.enable;

     

       11
       11
       +
           };

     

       12
       12
       +
         };

     

       13
       13
       +
       

     

       14
       14
       +
         config = mkIf cfg.fail2ban.enable {

     

       15
       15
       +
           services.fail2ban = {

     

       16
       16
       +
             enable = true;

     

       17
       17
       +
             bantime = "24h";

     

       18
       18
       +
             bantime-increment = {

     

       19
       19
       +
               enable = true;

     

       20
       20
       +
               multipliers = "1 2 4 8 16 32 64";

     

       21
       21
       +
               maxtime = "168h";

     

       22
       22
       +
               overalljails = true;

     

       23
       23
       +
             };

     

       24
       24
       +
             jails."radicale".settings = mkIf cfg.fail2ban.radicale {

     

       25
       25
       +
               port = "5232";

     

       26
       26
       +
               filter = "radicale";

     

       27
       27
       +
               banaction = "%(banaction_allports)s[name=radicale]";

     

       28
       28
       +
               backend = "systemd";

     

       29
       29
       +
               journalmatch = "_SYSTEMD_UNIT=radicale.service";

     

       30
       30
       +
               maxRetry = 2;

     

       31
       31
       +
               bantime = -1;

     

       32
       32
       +
               findtime = 14400;

     

       33
       33
       +
             };

     

       34
       34
       +
           };

     

       35
       35
       +
           environment.etc = {

     

       36
       36
       +
             "fail2ban/filter.d/radicale.local".text = mkIf cfg.fail2ban.radicale ''

     

       37
       37
       +
               [Definition]

     

       38
       38
       +
               failregex = ^.*Failed\slogin\sattempt\sfrom\s.*\(forwarded for \'<HOST>\'.*\):\s.*

     

       39
       39
       +
             '';

     

       40
       40
       +
           };

     

       41
       41
       +
         };

     

       42
       42
       +
       }

+2 -4

modules/matrix/synapse.nix

···

       137
       137
        
                   }];

     

       138
       138
        
                 }];

     

       139
       139
        
                 max_upload_size = "100M";

     

       140
       140
       -
                 app_service_config_files = (optional cfg.matrix.bridges.whatsapp

     

       141
       141
       -
                   "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml")

     

       142
       142
       -
                   ++ (optional cfg.matrix.bridges.instagram

     

       143
       143
       -
                     "/var/lib/mautrix-instagram/instagram-registration.yaml")

     

       140
       140
       +
                 app_service_config_files = (optional cfg.matrix.bridges.instagram

     

       141
       141
       +
                   "/var/lib/mautrix-instagram/instagram-registration.yaml")

     

       144
       142
        
                   ++ (optional cfg.matrix.bridges.messenger

     

       145
       143
        
                     "/var/lib/mautrix-messenger/messenger-registration.yaml");

     

       146
       144
        
               }

+1 -1

modules/radicale.nix

···

       41
       41
        
       

     

       42
       42
        
           systemd.services.radicale = {

     

       43
       43
        
             serviceConfig.ReadWritePaths = [ "/var/lib/radicale" ];

     

       44
       44
       -
             preStart = lib.mkIf (cfg.radicale.users != null)''

     

       44
       44
       +
             preStart = lib.mkIf (cfg.radicale.users != null) ''

     

       45
       45
        
               if (! test -d "${passwdDir}"); then

     

       46
       46
        
                 mkdir "${passwdDir}"

     

       47
       47
        
                 chmod 755 "${passwdDir}"

+1 -1

modules/services/dns/eon.nix

···

       27
       27
        
               local record_type=$(echo "$input" | ${pkgs.gawk}/bin/awk '{print $3}')

     

       28
       28
        
               local ttl=3600

     

       29
       29
        
               local record_value=$(echo "$input" | ${pkgs.gnused}/bin/sed -E 's/[^"]*"([^"]*)"[^"]*/\1/g')

     

       30
       30
       -
               ${config.services.eon.package}/bin/capc update /var/lib/eon/caps/domain/''${domain}.cap -u add:''${record_name}.''${domain}:''${record_type}:"''${record_value}":''${ttl} || exit 0

     

       30
       30
       +
               ${config.services.eon.package}/bin/capc update /var/lib/eon/caps/domain/''${domain}.cap -u "add|''${record_name}.''${domain}|''${record_type}|''${record_value}|''${ttl}" || exit 0

     

       31
       31
        
             }

     

       32
       32
        
             shopt -s nullglob

     

       33
       33
        
           '';

+3 -1

modules/turn.nix

···

       39
       39
        
               script = ''

     

       40
       40
        
                 if [ ! -f '${staticAuthSecretFile}' ]; then

     

       41
       41
        
                   umask 077

     

       42
       42
       +
                   DIR="$(dirname '${staticAuthSecretFile}')"

     

       43
       43
       +
                   mkdir -p "$DIR"

     

       42
       44
        
                   tr -dc A-Za-z0-9 </dev/urandom | head -c 32 > '${staticAuthSecretFile}'

     

       43
       43
       -
                   chown ${config.systemd.services.coturn.serviceConfig.User}:${config.systemd.services.coturn.serviceConfig.Group} '${staticAuthSecretFile}'

     

       45
       45
       +
                   chown -R ${config.systemd.services.coturn.serviceConfig.User}:${config.systemd.services.coturn.serviceConfig.Group} "$DIR"

     

       44
       46
        
                 fi

     

       45
       47
        
               '';

     

       46
       48
        
               serviceConfig.Type = "oneshot";

+6 -4

pkgs/mautrix-meta.nix

···

       1
       1
        
       { lib, buildGoModule, fetchFromGitHub, olm }:

     

       2
       2
        
       

     

       3
       3
       -
       buildGoModule rec {

     

       3
       3
       +
       let version = "0.4.4";

     

       4
       4
       +
       in buildGoModule rec {

     

       4
       5
        
         name = "mautrix-meta";

     

       6
       6
       +
         inherit version;

     

       5
       7
        
       

     

       6
       8
        
         src = fetchFromGitHub {

     

       7
       9
        
           owner = "mautrix";

     

       8
       10
        
           repo = "meta";

     

       9
       9
       -
           rev = "7941e937055b792d2cbfde5d9c8c4df75e68ff0a";

     

       10
       10
       -
           hash = "sha256-QDqN6AAaEngWo4UxKAyIXB7BwCEJqsMTeuMb2fKu/9o=";

     

       11
       11
       +
           rev = "v${version}";

     

       12
       12
       +
           hash = "sha256-S8x3TGQEs+oh/3Q1Gz00M8dOcjjuHSgzVhqlbikZ8QE=";

     

       11
       13
        
         };

     

       12
       14
        
       

     

       13
       15
        
         buildInputs = [ olm ];

     

       14
       16
        
       

     

       15
       15
       -
         vendorHash = "sha256-ClHg3OEKgXYsmBm/aFKWZXbaLOmKdNyvw42QGhtTRik=";

     

       17
       17
       +
         vendorHash = "sha256-sUnvwPJQOoVzxbo2lS3CRcTrWsPjgYPsKClVw1wZJdM=";

     

       16
       18
        
       

     

       17
       19
        
         doCheck = false;

     

       18
       20

Compare changes