Add forgejo

Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/e55f9a8678adc02024a4877c2a403e3f6daf24fe' (2024-09-03)
  → 'github:nix-community/disko/22ee467a54a3ab7fa9d637ccad5330c6c087e9dc' (2024-09-16)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a' (2024-03-11)
  → 'github:numtide/flake-utils/c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a' (2024-09-17)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/166dee4f88a7e3ba1b7a243edb1aca822f00680e' (2024-09-09)
  → 'github:nixos/nixos-hardware/dc8b0296f68f72f3fe77469c549a6f098555c2e9' (2024-09-16)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/44a71ff39c182edaf25a7ace5c9454e7cba2c658' (2024-09-10)
  → 'github:nixos/nixpkgs/8f7492cce28977fbf8bd12c72af08b1f6c7c3e49' (2024-09-14)
• Updated input 'nixpkgsMaster':
    'github:NixOS/nixpkgs/ee9a6df34035b1d24a2171869de9912904b65e03' (2024-09-11)
  → 'github:NixOS/nixpkgs/06e78ca76feaa97082b905d330265d495eefc9f7' (2024-09-17)
• Updated input 'nur':
    'github:nix-community/NUR/458b5f46020cce18c46452b8ec16721c57142936' (2024-09-11)
  → 'github:nix-community/NUR/48b58426a0fb447bad367813e742247dc860bed6' (2024-09-17)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/a313fd7169ae43ecd1a2ea2f1e4899fe3edba4d2' (2024-09-05)
  → 'github:nix-community/poetry2nix/a0cbe913ce184bef7cd739f75ba5d123e1f41ef2' (2024-09-15)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/cede1a08039178ac12957733e97ab1006c6b6892' (2024-09-09)
  → 'github:Mic92/sops-nix/e2d404a7ea599a013189aa42947f66cede0645c8' (2024-09-16)

flake.lock

@@ -28,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1724031427,
-        "narHash": "sha256-o1HdAf+7IGv9M13R3c+zc/sJ0QgeEnhsvHBcodI4UpM=",
+        "lastModified": 1726524467,
+        "narHash": "sha256-xkPPPvfHhHK7BNX5ZrQ9N6AIEixCmFzRZHduDf0zv30=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "4e719b38fa7c85f4f65d0308ca7084c91e7bdd6d",
+        "rev": "22ee467a54a3ab7fa9d637ccad5330c6c087e9dc",
         "type": "github"
       },
       "original": {
@@ -99,11 +99,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {
@@ -183,11 +183,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722589758,
-        "narHash": "sha256-sbbA8b6Q2vB/t/r1znHawoXLysCyD4L/6n6/RykiSnA=",
+        "lastModified": 1725515722,
+        "narHash": "sha256-+gljgHaflZhQXtr3WjJrGn8NXv7MruVPAORSufuCFnw=",
         "owner": "nix-community",
         "repo": "gomod2nix",
-        "rev": "4e08ca09253ef996bd4c03afa383b23e35fe28a1",
+        "rev": "1c6fd4e862bf2f249c9114ad625c64c6c29a8a08",
         "type": "github"
       },
       "original": {
@@ -203,11 +203,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720042825,
-        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
+        "lastModified": 1725703823,
+        "narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
+        "rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
         "type": "github"
       },
       "original": {
@@ -298,11 +298,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1723803910,
-        "narHash": "sha256-yezvUuFiEnCFbGuwj/bQcqg7RykIEqudOy/RBrId0pc=",
+        "lastModified": 1725513492,
+        "narHash": "sha256-tyMUA6NgJSvvQuzB7A1Sf8+0XCHyfSPRx/b00o6K0uo=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "bfef0ada09e2c8ac55bbcd0831bd0c9d42e651ba",
+        "rev": "7570de7b9b504cfe92025dd1be797bf546f66528",
         "type": "github"
       },
       "original": {
@@ -314,11 +314,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1724067415,
-        "narHash": "sha256-WJBAEFXAtA41RMpK8mvw0cQ62CJkNMBtzcEeNIJV7b0=",
+        "lastModified": 1726489388,
+        "narHash": "sha256-JBHtN+n1HzKawpnOQAz6jdgvrtYV9c/kyzgoIdguQGo=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "b09c46430ffcf18d575acf5c339b38ac4e1db5d2",
+        "rev": "dc8b0296f68f72f3fe77469c549a6f098555c2e9",
         "type": "github"
       },
       "original": {
@@ -330,11 +330,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1723938990,
-        "narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=",
+        "lastModified": 1726320982,
+        "narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890",
+        "rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
         "type": "github"
       },
       "original": {
@@ -378,11 +378,11 @@
     },
     "nixpkgs-stable_3": {
       "locked": {
-        "lastModified": 1721524707,
-        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
+        "lastModified": 1725762081,
+        "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
+        "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
         "type": "github"
       },
       "original": {
@@ -394,11 +394,11 @@
     },
     "nixpkgsMaster": {
       "locked": {
-        "lastModified": 1724145953,
-        "narHash": "sha256-WamuitHHkmPp/fzwAdZxprYR7BOhtNytGmDuCp0UoHg=",
+        "lastModified": 1726573629,
+        "narHash": "sha256-O4fWqykLSQrGcNmx7HCElAmrYC6riGbhdCzk1dmj4qs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1bc1437a085748a3b24c8f25047eb2eac4068318",
+        "rev": "06e78ca76feaa97082b905d330265d495eefc9f7",
         "type": "github"
       },
       "original": {
@@ -410,11 +410,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1724135985,
-        "narHash": "sha256-yImm/xJDDBganXyJawdIbwG1hCFYbeaLEwDLMSCdUvg=",
+        "lastModified": 1726569072,
+        "narHash": "sha256-x33fIaVSJGc/kLiXh+a8x97GrMN1DtnRd8Ar50sDaNs=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "0ba1aacb815bd8574f6bd25032fdb4fd77d6e630",
+        "rev": "48b58426a0fb447bad367813e742247dc860bed6",
         "type": "github"
       },
       "original": {
@@ -436,11 +436,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1724134185,
-        "narHash": "sha256-nDqpGjz7cq3ThdC98BPe1ANCNlsJds/LLZ3/MdIXjA0=",
+        "lastModified": 1726394406,
+        "narHash": "sha256-RUzT5OUT+sCNl/fA4u6u/SPc1Bye7MU96Vtu6jksfxs=",
         "owner": "nix-community",
         "repo": "poetry2nix",
-        "rev": "5ee730a8752264e463c0eaf06cc060fd07f6dae9",
+        "rev": "a0cbe913ce184bef7cd739f75ba5d123e1f41ef2",
         "type": "github"
       },
       "original": {
@@ -526,11 +526,11 @@
         "nixpkgs-stable": "nixpkgs-stable_3"
       },
       "locked": {
-        "lastModified": 1723501126,
-        "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=",
+        "lastModified": 1726524647,
+        "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "be0eec2d27563590194a9206f551a6f73d52fa34",
+        "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
         "type": "github"
       },
       "original": {

hosts/iron/configuration.nix

@@ -1,5 +1,6 @@
 { inputs, config, pkgs, lib, ... }:
 let
+  interfaces = import ./interfaces.nix;
   zfsKernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
   disks = [
     "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103837K"
@@ -46,14 +47,19 @@ with lib; {
       useDHCP = false;
       networkmanager.enable = false;
 
+      bridges = {
+        "${interfaces.lan}" = {
+          interfaces = [ "enp2s4" "enp3s5" ];
+        };
+      };
       vlans = {
         iot = {
           id = 20;
-          interface = "enp2s4";
+          interface = interfaces.lan;
         };
       };
       interfaces = {
-        enp2s4.ipv4.addresses = [{
+        "${interfaces.lan}".ipv4.addresses = [{
           address = "192.168.42.1";
           prefixLength = 24;
         }];
@@ -61,28 +67,36 @@ with lib; {
           address = "10.20.0.1";
           prefixLength = 20;
         }];
-        enp3s5 = {
+        "${interfaces.wan}" = {
           useDHCP = true;
         };
       };
 
       nat = {
         enable = true;
-        externalInterface = "enp3s5";
+        externalInterface = interfaces.wan;
         internalInterfaces = [
-          "enp2s4"
+          interfaces.lan
+          "virbr0"
         ];
       };
 
-      firewall.extraForwardRules = ''
-        tcp flags syn tcp option maxseg size set rt mtu
-      '';
+      firewall = {
+        allowedTCPPorts = [ 5201 ];
+        extraForwardRules = ''
+          tcp flags syn tcp option maxseg size set rt mtu
+        '';
+        interfaces.virbr0 = {
+          allowedTCPPorts = [ 53 ];
+          allowedUDPPorts = [ 53 67 ];
+        };
+      };
     };
 
     services.radvd = {
       enable = true;
       config = ''
-        interface enp2s4 {
+        interface ${interfaces.lan} {
           AdvSendAdvert on;
           prefix ::/64 {
             AdvOnLink on;
@@ -97,10 +111,10 @@ with lib; {
       noipv6rs
       waitip 6
 
-      interface enp3s5
+      interface ${interfaces.wan}
         ipv6rs
         ia_na 1
-        ia_pd 1/::/64 enp2s4/0/64
+        ia_pd 1/::/64 ${interfaces.lan}/0/64
     '';
 
     boot = {
@@ -219,5 +233,8 @@ with lib; {
       memoryPercent = 60;
       priority = 1;
     };
+
+
+    jalr.libvirt.enable = true;
   };
 }

hosts/iron/interfaces.nix

@@ -0,0 +1,4 @@
+{
+  lan = "br0";
+  wan = "enp0s25";
+}

hosts/iron/ports.nix

@@ -7,13 +7,14 @@ custom-utils.validatePortAttrset {
   home-assistant.tcp = 8123;
   jellyfin.tcp = 8096;
   matrix-synapse.tcp = 8008;
+  matrix-sliding-sync.tcp = 8009;
   mautrix-signal.tcp = 29319;
   mautrix-whatsapp.tcp = 29318;
   navidrome.tcp = 4533;
   nginx-http.tcp = 80;
   nginx-https.tcp = 443;
   postfix-relay.tcp = 25;
-  postfix-submission.tcp = [ 465 587 ];
+  postfix-submission.tcp = [ 465 ];
   qbittorrent-torrent.tcp = 59832;
   qbittorrent-webui.tcp = 8099;
   radicale.tcp = 5232;

hosts/iron/secrets.yaml

@@ -8,6 +8,7 @@ rspamd-worker-controller: ENC[AES256_GCM,data:7tS8bEr9i5F+YZoj3uPQa6Xd2SCsuC+jE5
 dkim-keys:
     jalr.de.default: ENC[AES256_GCM,data:mnApsYKXYGtUAHddccmNmU9yZQtekDkTiTXbJ0UJxC0rFxzQCtGsinQslIROJdNUxsxciR1ilNzxawzjJD7AaWJbcAq2TYObGJJOQZBif7t/XEN/rIxEmnAFmdeAyrSONmFb9DiEn59m6DpsU+/9Y+hnc/uwwbzueO34WHJnTqmmsxFVNQZfGR+cbSckHS3wZrfjZSKKzCRt+9DU/xxJ4voyowXLO77w00LHVkyU5liwONi0v2XJ+QeP/jIMmJeKjujZcH+qvUm/kukijqyWKGrZoAYPC2cBlL/UrNECuVdSLMXvr4KBDDTCRZCSMRgUPJ0TAfpQPTPitKJ/0igK7qQl9n/6hckY7VyP8KDS7J7G2Z2XVxfZrAR4X/7ya9B2kneVr2CNx3w954EdTcV1/lD7rcKRjKynyl3ddf8gxJFJ21k1ybo2RLnftGCRVq25qNwhyfjU8x5c7AEs+YTPDrcnmxZ/Ui276eLwpMj61oZzTp8QQhiBVwS/+ruRLC+78pu2gb1gBF/Oo3nuvQD1SOpCRikLVewCYDvfXj/hrjo+oCsjTOj+9tWRcRAEDVlhkXWCMuPXDYrdt3HrIWbQuP8NW1ezd1Ll0r1ujjtPJeSwdd8cVcUSBIoA5gU+eXnYjFaSx9BZ+sIfKqG//W3S+aBYDqAEK/z4N5q66sReb5mtSQYfbZuIZDmox9bwNMG3tJmQX0lJZgEIiuJ5/ef4ra0sj9JsRFldmIn9KUmjW9OlIwzQ42cNNvQSMD/6haNiYsE6TPzVylJ/B2kNu9Qh5FfpCIPtVORv2BAGoNvZlyhjyEiXBEZ4x2hx1l5cBwGOaGhoJ0p+1wqn2zDalIBaEFjbBVdIB6DPC6/lccvpqSwF7HvW2ugyYhW+u92vgic71/BsI4i0OlsJV18gU/zVg0Yj8SK69kEwm4wkJTrkM/I4+kkUIc5OiSAknRfjOFJc0etkh3nO34xpHLOkSv9DrKfXSAGmGZtCLtVL5LGdZeCd/g6EK0JJh6bd9Gu9koSJVq5vjdDJJFf+sgk39TCvHAvk8k1/FgdK5jMJ+pR8heJtP8G96ay3DFVm5hpbjuNKqfBvbf2rkyV6++ywRFnAQGPUiMn9g6Q4F5Ks7CC1D0Ubl7b3dCUk6BDi8rHjxy9QS0/25Yz9cF0bFd6XQDfblnyRLMi9aB36M9Vp38Oh5aB16MyvNUHzcxpaAak0yknE6OuuEMBPQZgFVADCITfy9eUXl2FoXrMWEnBO78GybQ+cV8nhynn5t0U+3koMy2E8ju5kiEofQxXylys3Q76iKRRUbQqFkh/ndWtJVVfGNpi1GrUr1w1YZM0hBY9FqqeBjf7ckj+9BdiwWJ0XauuR70o7odm02mydk1/T3Hfzt3OE5nHIXnVbum9KyPx8wXj9qc6JGFm558pQOcRUgGUi+EzGoGckkoLx4Onl+XeGysW5sXP9dbYgMBug0Tjmdo9xkoBti6znDnN/zh93bbzWITNvxMgVs8zSWEhlM0c7F02UeUXSekbTFue5FOaMdYObMvPeb53jAKBOYLr34GVFvucJhKajIaNzDvfiI6fGCMxcSsWk+P3co7gdbRlWYZELsKDu2scktZsHr/gRwRiDZXAWOLiWZL4jswQ1vXSFXJgdblEV//hr2DwsAtCAsyFcgO/LGq30xi3xNqHTkUZXo6cZYSb6EVaIywMCI5ySEnTLAp/xedySANHuo8yyVqyLxkDPI7CnnSS7JcnQF3K5z+NZ0KnIpc1ewGupOhS0fKj31XxUkoSsHEY/iWJPLNA8+4VsBkADnGdkYXHTvy/yAGV6w1k1qtjiWhDAGcE9/o6NOHctYm3cx8CVsLpve/WFUaCkGgjWJdC8XP92xsUQoE6PENn6ZzFaqGHs7hgQqE1kBcEj8N5WkEqkoMo82giHE33iYoVUdkjOTkV4iDGEqyjg1BoM0GedR2A832LseDkP7u4DjIAQfpIDu7PaeiDh7xWkPRwIMV0oDTakXTdPkPGdgFikzTaxkTzRlpCbQuV769eITqVT04kJDp7+0Rb6dtjeXc0Ennv68wZSiyrlmXbrJntg7g1wrebq28q9NMIZETAPugfK6wNDu/Iw1q1kZn2ELo6xaDlcIxHDcpzK7e2VAYYuP1k3sYnSLU3oeq54j3/yS2z1me5FEqWlPOCrjdnLkE3/GjbeMsYo2YTYJEUEd2ncacSCoXUaUoxpBnjRYcHLRUV+6jy7Amp0/52rAPzSeVlBzc+SdNiKLYA2UQ74WrMU596Gkhw1SD8jSM5QqSBhH9sL+oE4GjhjLhstMUPdkNgiwxXDTZLKcIyjN1cn+RSmvNA2KXMH6MoXrkqSkJ9u2s0QAhla51zR/LZwWbzwGOO0dkh3rwh2x+pcCfuzvlk3lYr/x5XOF2k1n8yvehXY5zIX8nk6djjLbvAzzSr/yalS7R0WYIc6CjzoUl3qz+PlneMfKHcaX00hkOlIub/ZFQf1RE+JzZxi0qQq4M8Nt1XRKGDeS448Z6znDpedStUH29krZcnjMtyLmPX7ETTsjr3HLpCOd7MQ2K1rfhmvh5BtJkn1KSUf94puZbkLH7X+WnWN0hsc+KbSXnYZvqwJ8G0/7ptp/Q+wGljqhjv+HhOeA3NUwANv1xWgbiymVIlxCodXtQwn8mxS+jxSvslGwOnyUkTT76IbFbv/IpW6PNvj/xqwOqey8a/4WCGcqs403Y7TKQ+xCflG6K3tL7U5UbMnMgXTeZvoK+DooS2eIepF2WB5XqTuOZJV2OQ6GHfaBMjXN9iGVNLi6XgkbpmcMLQ4TZq+dVmgleJb14IaTFD3n74OfmbcT9lmRfPRJEpFEMNeL3ghH54P2a91zJFASgE7x+Uv2cGcmKFtMbyc/rrhH1F/Ixlv/R37huFo1T2dPMEZ/1ouuPpbUQ5oz/JlOWw3NOxd0O6oG0x9Xib+9KxSFOusLWcFEgx70jrBQKj8s2Jj+W0gZYv+BJtPMPY0KAkRj1amt4Fd6ZrPOEXJ392EHSAEv5jssO5ba52OHKA+QkYvPPL04rwkxSAQiTl57scnEj2WEIP+Lz0/qsMnwF+3rWuz856doJZcXX+U9iuzBCaYQqA1P3BojAYhEHnXBPeolHOA3BmhT9E2TJsZ6P9SQ+GaqyLm0i4vRXGlArlkLwRBs9EZv/l4DT8q0YHha53O4rhRzGJZKAOO252Dpha1YN7+FubYGAZjaUT5O0R/7xSPrGyBejddtM8asW8+NClAn4Y6xvj1IgUg6VRpEy7ZIpZEQ+UyDWt0A4nsipaz2NyZKZ5Vxza2v1qZDdYODK8nm/zj7fR/JykaNVEVj7ceTSHdaQlajfeEWWTs92msIBcqPUXqlaR005hoVvXm+WCnzIMIXLGiyRKRsAPIDYh2hGCtvfXLSq5TYm3bnGAImL0KW3Yllt1qSqSbOYsvm5QfDmTrrccvtSLGRj0rOU3Z8f4WXjf+1YgxjZ9h8fKL+LKA8x1S6M8fl0JVGBIAU8Xe8c4+r2F1VcygJp7h+0v8o8GudM6in4djAdeMLWBgXid7r0q744joFucP56opwYQp3Lu0oFEo0omS6Rh9yPfOjdGBU2eUdjcCNXXuEJD9yHSyebviSAvDw/KH1AxYSWYnjMWACCfcbOlXf3ej7PuQgq5MdFwF7+QawXm0john4YusUon4/0fqd/IFLd6oHYYesxcFdm1jN6DeS4SAqRgeEPuEWDFERgXjLHBxl5Xdi5n+NOR3Vc7ziJ9j9/CA1DKdwmsFBBDcVKMnr2FibXpN5WsSdlBng0L2zhkL22wRH9xbz8Xk5shN20/EHoxHB5HJvwfOgHIC7ooWKOUUuNTZH43+gVN+wzRzlMfiF4X71Edw+lTnQRp6Lh03M2k9do6JPoX2+UU0h6mOYiAFkhHKzCmK3DY12c4Smx+qLJNbUGhoMgthu/WnXObm0Hr+myCooTYSVNTJx6vVjI3GZtMcat2o8B9k38u/Y5/FxqTYmyXhROwS4v3W5fXwTAaxBqQy6Xj5s4V37omBBh/Z9a43nc2VlT7dKR1wIvNB/gqhiYyYrVMtYMJqGLkeCbu50LUWT4qXyR8uaqbZTVjyJCQRxZd6fd3Zfe9wIeYe3N5qKIXkFD3n1U2Q/EyRfb3TpiA+eYkAtl6JGK0vpeWpN5M2LJ3/V79e3cIG7B7/p6BrRxKxHDnBZcu57KKaN8XM+v2KTz7XdF8bjgeu1V/B9WoBwnpzCM+3s5ffNceuUcb2gJgRAUpZvcSDLYy+9aluGU2Tvsm49fCzr851p3VSEJepgPpnvuq874AX/MbPvqidF8Y21Kss1RUbl5wrlq5IihKdM+xCSq6mjvtSPVHRvw==,iv:2NBiTTW9slOH9BvM+kVbMB/+8EiS/Dc/eaqrtiwn4HY=,tag:0rc2+ZWy9XZYE7RK/oSo3g==,type:str]
 synapse-turn-shared-secret: ENC[AES256_GCM,data:Q1XRds3Zud1kYkvD6s9WUzP+kNDNsxB5SHd6oCAaLCHhHhYENSAYTZOF+rGjCPNyKFL0e/A=,iv:zScRQrz+pXHNUh/BGOaV+TVnDR3wu1Z/UO1zXarKwtA=,tag:ckpVziE+yb0FjctcT7tAkg==,type:str]
+matrix-sliding-sync: ENC[AES256_GCM,data:CmR8Q5NL1m+eixenK4u1n3MfVh49/Q3ZIRmWfSbuFMr3u79rIGrtFf2EjaThCwBHQyXdYw1wyTouxhGZql1Fcp/HYma8u4w5nJOaJa1TXg==,iv:/kFqA/+kpCkhHZKJdhadjH11pZwh4MFiQPjY96t8M5k=,tag:aZkDCcbtonHMTv4TdBv1sQ==,type:str]
 rmfakecloud: ENC[AES256_GCM,data:ktKBKb6cRv1VF8tRvXIpxIy9hPinVPKK05mgvYzz18PEdcrCLpldm5xf7ffHtY5XzDOAMXDCiz6x4xyv7071frrF0spOEPnIzVhxwG8H2Ck=,iv:qJdHjv0RziAs4G9UGeRwGQ4GE5kaObJWpIYWpRKhr9c=,tag:PXgvU1hZK/gvWGyFJaHekg==,type:str]
 esphome: ENC[AES256_GCM,data:ufIZkZo1aP/Th/8a+9srkJBqLqPQI/ymElIEBmTKzqsJ3HE/mx9QJ1aH0vGVed9W/wSJ+7+huFpB+pNAebJMohK/fAmAVG3lzgT0wKWw8g4u33VHb6X8FIW6q1+CYRnOCQsocgM4EX26YfzaxVpw9P4PF/abwB1bVzr9xnEL2JdJfstzxnR70dKO88WTolykysc443iDW80i0scH+sCh8JIfDrV+V0l3jT+woAeTw1VA0hFa5x9i3tdfrHpzc/sN1/OW6F1CsMVS2pwUTkr7pKp5nfjxhEPi94iLMmakm0XWPZpay2213FQEUYiRqCIGmD1Oiyq0nSVcOAkc66TNwsqrdPCkCL8OPTXuTd+yIfAuU3267kUMNcN2A9kqGMx4Inj8JGlmvxuoQueuXIA4gvVFhJFBdovpl10HY/YkG/cGM0gazfF2+5xG93RgD9Uryq1g61XTFOkOaH7XtGs8Q13xnnXVwfq2pK/vnx9kQkgXJJQRU1Ng8PAg+Rw1VK6bzVz5ugj6q1ei56orNy4A8FU1z1aGyChfPT3XPaDwLr0pEXvc2Vz/6CxAosSpNHIQ6fO0XBM7nvIs/2jHZssXSVo2iwYRZsgZft60cg0FfBmDyc3QH6pVjYhoQGsBlfQt5CtW7XX3rJjQTcDLfzUlO8Ykax7TXZKnDcvtNonRm45bmV+1CqS9KLrBHouWN0axtweabAVW8dld9EnL3CrclE/RbTI0nPOR00S+Ip7wNuBto30yTACxaPHYF79izHu4rQjmm2N5Jt+nI8maEVva6IbAog16NUw6fYDaMwBDeSszBZm0BwNMf36EP/Mcp+MXrBfP1kOYe6HGjftMRDky83XYvP6Cx7FJcPXIZdsMQydxsXB3LKroFqoS2HsHBnCgQbbraQ5UWi40vKXANlKbgFcutqkATvoPW6Hbh07vfiLVfDeuHU9DUCFlgK7KHPWk/g+Uo+TUmgTVKNhbGU/vFu/9h4kIrbf/ocqL/tyMjwA5Yp9e0rQCez8w5Zqfbtqm4N1WB518Q7p52r8C+yLBAua7yB0gAc7SENXWFafkbHClchZXi3c0hY64YvuweDp8G/bPFT/yLuY/yBvA3F2G3CxZXzCMvhMVQfm2yzJeOL20vWumZ8LuIaXJ/13AzLp+lUrc8RmJvU/Hrp6xsEqzXz34qMiBNUR1BKjNAS86WJ1rzD3QtejeETGDwsw016jNbyIMcShgxiEMHnD6HXzWnfTv2fO5xICiAG/VMm5h+vC3MweW2XO01P3O0/Rq/OSy3R8ZlEFErlhR1HiXhc2CdxuuxqDySi0/rP/Jpxf25Zi8mY9YBTFlV0T9ApzJoTwlobMmmxHmqq+vQSKAxLq0lJ/bpO+8utchHbnQNUICveCkX4w+rK9Vnls3zbiLTBnsf+J4y5zpLZ5HkDCUNcEnD29ZR30IYoBTLUG3PlfyH++rLl5ynW5QKUWLnUdjvf9ZwS2veFAZw6tfHelzjkZ5tps5BkjS8YAi/x70Jw4qs3fzZudq6Lej4fsMdkBnYSSN2s7Sc3A1,iv:jSR/M4KS+cZMQgtTZWtPcpmKFD5QNr7s8ClAbXzpR2s=,tag:sp3BnZi+b9WuIiCPapG6Bw==,type:str]
 home-assistant: ENC[AES256_GCM,data:wcFMxDdRCHf/shO9v2WaGgrsa9J2WP62xFs=,iv:9ckeIO62cFZUo8fPyQj445CrJVTooNlwLapM/oTsrkk=,tag:mlfxtXDPsB3T79P9BX9oJQ==,type:str]
@@ -26,8 +27,8 @@ sops:
             SU1USkxFUUY2NVhmUHBhZkdrNDR1Q0kKiXIicInELRjDR3tuyA+lnXeCcd9lYvbV
             GnBRGPM7BNO/6AA7HhAei48Kt+XE6+jQX66yTXyviKhK7Lpjrlb2YQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-06T15:25:14Z"
-    mac: ENC[AES256_GCM,data:JfgVZ7I/S22cN4yiXqE5nJY0KBq+ZLJABlMTi58VUw5jGf1vUmyTDkzm67QmZtVVL3R/xodrSMJw5CodF7wgVvJFilSvez/ygr1P8KKo7CDMxzl5VTO5uHq5aszOmRFF5N9ZGfUFZxjl3iuCwQofckcMKgeyG/1wOIf37H4Gstw=,iv:oLS4yQdl0LE363gVIkRUieFJ5M2N8Fc4Rge7SuTN85k=,tag:N4uxXbKIHfZonkiV1GxckQ==,type:str]
+    lastmodified: "2024-09-11T16:10:31Z"
+    mac: ENC[AES256_GCM,data:7STJaln+9X6xZFAyLSoMCw2PKNiRr4GNhxGbZRPRf+nKfkFh7wJRS3YWVrxd9iOonSPsuHfPnBrAPiq7ILXqwfjNcyf2HtOIPxHz0utE6b0X7KvEwmLSRMOQG9rpsETE5UBQ+DgtU9IwZzTXgh9CGZpHWQAPeOI+lK4OKLlXvkk=,iv:E++ECn4SJy43lW5RWxjSDc7dj0LWDXIuO+5fVFE3+zU=,tag:QFvao9PWSllzXXhGwFQgrw==,type:str]
     pgp:
         - created_at: "2024-01-31T01:20:30Z"
           enc: |-

hosts/iron/services/dnsmasq.nix

@@ -1,12 +1,14 @@
 { lib, pkgs, ... }:
 
 let
+  interfaces = import ../interfaces.nix;
   stateDir = "/var/lib/dnsmasq";
 in
 {
   services.dnsmasq = {
     enable = true;
     settings = {
+      bind-interfaces = true;
       listen-address = [
         "192.168.42.1"
         "10.20.0.1"
@@ -41,7 +43,7 @@ in
   };
 
   networking.firewall.interfaces = lib.attrsets.genAttrs [
-    "enp2s4"
+    interfaces.lan
     "iot"
   ]
     (

hosts/iron/services/dyndns.nix

@@ -1,4 +1,7 @@
 { config, ... }:
+let
+  interfaces = import ../interfaces.nix;
+in
 {
   sops.secrets.duckdns-secret = {
     sopsFile = ../secrets.yaml;
@@ -11,7 +14,7 @@
     username = "nouser";
     passwordFile = config.sops.secrets.duckdns-secret.path;
     domains = [ "jalr-bw" ];
-    use = "if, if=enp3s5";
+    use = "if, if=${interfaces.wan}";
     #usev6=ifv6, ifv6=enp3s4
   };
 }

hosts/iron/services/home-assistant.nix

@@ -135,7 +135,7 @@ in
           platform = "bluetooth_le_tracker";
         }
       ];
-      script = [
+      "script nix" = [
         {
           lights_off_except = {
             icon = "mdi:home-lightbulb";
@@ -159,6 +159,7 @@ in
           };
         }
       ];
+      "script ui" = "!include scripts.yaml";
       calendar = [
         {
           platform = "caldav";

hosts/iron/services/matrix.nix

@@ -2,6 +2,8 @@ args@{ config, pkgs, custom-utils, ... }:
 
 let
   ports = import ../ports.nix args;
+  signalPhoneNumber = "+4915566437153";
+  signalUser = "jalr";
 in
 {
   sops.secrets = {
@@ -9,12 +11,19 @@ in
       owner = "matrix-synapse";
       sopsFile = ../secrets.yaml;
     };
+    matrix-sliding-sync = {
+      sopsFile = ../secrets.yaml;
+    };
   };
   jalr.matrix = {
     enable = true;
     fqdn = "matrix.jalr.de";
     domain = "jalr.de";
     synapse.port = ports.matrix-synapse.tcp;
+    sliding-sync = {
+      port = ports.matrix-sliding-sync.tcp;
+      secretFile = config.sops.secrets.matrix-sliding-sync.path;
+    };
     turn = {
       host = "turn.jalr.de";
       sharedSecretFile = config.sops.secrets.synapse-turn-shared-secret.path;
@@ -31,7 +40,7 @@ in
       };
     };
     mautrix-signal = {
-      enable = false;
+      enable = true;
       port = ports.mautrix-signal.tcp;
       settings.bridge = {
         permissions = {
@@ -43,4 +52,27 @@ in
       };
     };
   };
+
+  systemd.services.signal-cli-receive = {
+    description = "Run signal-cli to receive messages";
+    serviceConfig = {
+      Type = "oneshot";
+      User = signalUser;
+      CapabilityBoundingSet = null;
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictNamespaces = true;
+      SystemCallFilter = "@system-service";
+    };
+    script = "${pkgs.signal-cli}/bin/signal-cli -u ${signalPhoneNumber} receive";
+  };
+  systemd.timers.signal-cli-receive = {
+    description = "Run signal-cli to receive messages";
+    after = [ "network.target" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      Persistent = true;
+      OnCalendar = "*-*-* *:00:00";
+      Unit = config.systemd.services.signal-cli-receive.name;
+    };
+  };
 }

hosts/iron/services/unifi-controller.nix

@@ -2,13 +2,14 @@ args@{ pkgs, custom-utils, ... }:
 
 let
   ports = import ../ports.nix args;
+  interfaces = import ../interfaces.nix;
 in
 {
   services.unifi = {
     enable = true;
     unifiPackage = pkgs.unifi8;
   };
-  networking.firewall.interfaces.enp2s4.allowedTCPPorts = [
+  networking.firewall.interfaces."${interfaces.lan}".allowedTCPPorts = [
     ports.unifi-http.tcp
     ports.unifi-https.tcp
   ];

hosts/magnesium/ports.nix

@@ -1,4 +1,4 @@
-{ lib, custom-utils, ... }:
+{ custom-utils, ... }:
 
 custom-utils.validatePortAttrset {
   coturn-cli.tcp = 5766;
@@ -9,4 +9,5 @@ custom-utils.validatePortAttrset {
   nginx-http.tcp = 80;
   nginx-https.tcp = 443;
   wireguard-public-ip-tunnel.udp = 51000;
+  forgejo-ssh.tcp = 2022;
 }

hosts/magnesium/secrets.yaml

@@ -1,6 +1,7 @@
 wireguard_key_hetzner-ha: ENC[AES256_GCM,data:HEW+EalHg6/mq7pRKZkasGz0nqbkSppkf0H/uV5QMJnWwKw9a9W21Y77OSw=,iv:OA6yml1T5kVafX0RYd0Es7DHcGjJazUxP2M6a5Pwkag=,tag:lX5UPIseIQ136HLrHbzZyw==,type:str]
 turn-static-auth-secret: ENC[AES256_GCM,data:rzhixUemFPwKj1BcVPZd7KtUO9OA6A2R4qEQ1BZGVG0=,iv:uYHYe4Cywxovt3b/Ho1tQVHrpgVic+AKh9AjYMYSZcM=,tag:rr8RW/if06t38GpZCYQB4w==,type:str]
 gitlab-runner_fablab-nea-hcloud-labsync: ENC[AES256_GCM,data:+znVO8cQxjDdhch7oUALZvt84iJmWnAx6lTM0+WGkGtaRWTCTPjgnst5waSJpw/Oysrd1PkXZKmLHyHuU7K/CHQij7sWH50G3ZcUum58klJc3dCPztlrLpDVHeSwyYiLpsqkQTfjqLPfrMkxuxBgTEVXlq2ZnFuyOGbFx9hubPxLeyQKakiW3qZWGjbFXYAps7Gl61AVdKJj3y1otX2JbCjG9x2i6FHZpl5ywwQCjKNM,iv:7v+I/oJtWDap6PNIJ4Qm3Si9dGs7a79SaMhnr/tbe1A=,tag:7jgoLtdWAEKMkWoXZ10owA==,type:str]
+forgejo-mail: ENC[AES256_GCM,data:eZv9dM0a06wFJaDUZjo=,iv:L32ab5k/AX8HqSACJA5w+WbzLlBijA5++Gcr2SrnYIU=,tag:ddyTXikWTMnxq86IijgyYg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -16,8 +17,8 @@ sops:
             QTBqZDZLeDFLK0k2MHF4Uk1mQTIxRHcKeLHz+lSnHLyTgw2Aq+IVGpIi9X8SQx+Q
             bCSPPMPIZsL4VLInuZmcd2n/kEr80fQM2P3/ktW8RnViQjTU+kKbMg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-13T18:27:53Z"
-    mac: ENC[AES256_GCM,data:8DPq0aGtoiMOdFyD+0NKGZ9OrDi1VXXS/6y3tH4DwlkLDpDqb2QsxunTDwoHlILQBu300nB2lUeGuGlp4/0FimFdiddlu2Ljq8vLh3wt+sz660RgfeaIcgWLSHtulyNIIQJ91wzzgbRADafFRCavVFvJALnIgeE+QDQa4ybLus0=,iv:T3xwELbHbqDszIkGs8BeJn9WV0LjagF1T+HLxCR/Aeo=,tag:NAIBPTRcnRtkGKhpWpe5Pw==,type:str]
+    lastmodified: "2024-09-17T12:35:12Z"
+    mac: ENC[AES256_GCM,data:ji+KDLN/7nQG448ZMxOFCuCTrzwnn00xbey84itd2cHpGP3oWYCFDWqdMg18C7koZ8eVtudgi3v6++bYLunAMONcvVwqconiEgEy17GKMzaladkEVDzSTRLipbcby/k4VYzS+iBP02eEn1gHYaNWTeIN/8X+42kIdhq3Itx44fU=,iv:X72KO/yNE1RI8lSPEc5llmCUuO0bZrtD4kizHf4dnzA=,tag:jZOIX1hhF1yfy7U8f47/VA==,type:str]
     pgp:
         - created_at: "2024-01-31T01:20:03Z"
           enc: |-
@@ -31,4 +32,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

hosts/magnesium/services/default.nix

@@ -1,6 +1,7 @@
 {
   imports = [
     ./coturn.nix
+    ./forgejo.nix
     ./gitlab-runner.nix
     ./mosquitto.nix
     ./public-ip-tunnel.nix

hosts/magnesium/services/forgejo.nix

@@ -0,0 +1,68 @@
+args@{ config, custom-utils, ... }:
+let
+  domain = "git.jalr.de";
+  cfg = config.services.forgejo;
+  ports = import ../ports.nix args;
+in
+{
+  sops.secrets.forgejo-mail = {
+    owner = cfg.user;
+    sopsFile = ../secrets.yaml;
+  };
+  services.forgejo = {
+    enable = true;
+    lfs.enable = true;
+    mailerPasswordFile = config.sops.secrets.forgejo-mail.path;
+    settings = {
+      DEFAULT.APP_NAME = "jalr's git";
+      avatar.DISABLE_GRAVATAR = true;
+      mailer = {
+        ENABLED = true;
+        PROTOCOL = "smtps";
+        SMTP_ADDR = "hha.jalr.de";
+        FROM = "git@jalr.de";
+        USER = "git@jalr.de";
+      };
+      server = {
+        DOMAIN = domain;
+        PROTOCOL = "http+unix";
+        ROOT_URL = "https://${domain}/";
+
+        DISABLE_ROUTER_LOG = true;
+        OFFLINE_MODE = true;
+
+        BUILTIN_SSH_SERVER_USER = "git";
+        START_SSH_SERVER = true;
+        SSH_PORT = ports.forgejo-ssh.tcp;
+        SSH_SERVER_HOST_KEYS = "ssh/forgejo.ed25519";
+      };
+      service = {
+        DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
+        DEFAULT_KEEP_EMAIL_PRIVATE = true;
+        ENABLE_NOTIFY_MAIL = false;
+        REGISTER_MANUAL_CONFIRM = true;
+        DISABLE_REGISTRATION = true;
+      };
+      session = {
+        PROVIDER = "file";
+        COOKIE_SECURE = true;
+      };
+      log.level = "Warn";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ cfg.settings.server.SSH_PORT ];
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://unix:/run/forgejo/forgejo.sock";
+    };
+
+    extraConfig = ''
+      client_max_body_size 1G;
+    '';
+  };
+}

hosts/magnesium/services/webserver.nix

@@ -44,7 +44,7 @@ in
               add_header Content-Type application/json;
               return 200 '${builtins.toJSON {
                 "m.server" = "${matrixDomain}:443";
-                }}';
+              }}';
             '';
             "=/.well-known/matrix/client".extraConfig = ''
               ${parentHeaders}
@@ -52,6 +52,7 @@ in
               add_header Access-Control-Allow-Origin *;
               return 200 '${builtins.toJSON {
                 "m.homeserver"."base_url" = "https://${matrixDomain}";
+                "org.matrix.msc3575.proxy"."url" = "https://${matrixDomain}";
               }}';
             '';
           };

hosts/weinturm-pretix-prod/ports.nix

@@ -4,5 +4,5 @@ custom-utils.validatePortAttrset {
   nginx-http.tcp = 80;
   nginx-https.tcp = 443;
   ports.postfix-relay.tcp = 25;
-  ports.postfix-submission.tcp = [ 465 587 ];
+  ports.postfix-submission.tcp = [ 465 ];
 }

modules/default.nix

@@ -67,6 +67,8 @@
       ];
     };
 
+    programs.nano.enable = false;
+
     security.acme = {
       acceptTerms = true;
       defaults = {

modules/dji-goggles.nix

@@ -1,6 +1,6 @@
 {
   services.udev.extraRules = ''
     # DJI Goggles
-    SUBSYSTEM=="usb", ATTRS{idVendor}=="2ca3", ATTRS{idProduct}=="001f", GROUP="video", MODE="0660"
+    SUBSYSTEM=="usb", ATTR{idVendor}=="2ca3", ATTR{idProduct}=="001f", MODE="0660", GROUP="plugdev"
   '';
 }

modules/mailserver/postfix.nix

@@ -41,7 +41,7 @@ lib.mkIf cfg.enable {
 
     relayPort = cfg.relayPort;
 
-    enableSubmission = true; # plain/STARTTLS (latter is forced in submissionOptions)
+    enableSubmission = false; # plain/STARTTLS (latter is forced in submissionOptions)
     enableSubmissions = true; # submission with implicit TLS (TCP/465)
 
     hostname = cfg.fqdn;
@@ -147,7 +147,7 @@ lib.mkIf cfg.enable {
 
   networking.firewall.allowedTCPPorts = [
     25 # SMTP
-    587 # SMTP submission
+    465 # SMTPS (implicit TLS)
   ];
 
   systemd.services.postfix = {

modules/matrix/default.nix

@@ -21,6 +21,16 @@ in
         };
       };
     };
+    sliding-sync = {
+      port = mkOption {
+        description = "TCP port for synapse service.";
+        type = port;
+      };
+      secretFile = mkOption {
+        type = path;
+        description = "Location of the file to set secret environment variables.";
+      };
+    };
     fqdn = mkOption {
       type = str;
       description = ''
@@ -82,6 +92,7 @@ in
   imports = [
     ./mautrix-signal.nix
     ./mautrix-whatsapp.nix
+    ./sliding-sync.nix
     ./synapse.nix
   ];
 }

modules/matrix/sliding-sync.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.jalr.matrix;
+in
+lib.mkIf cfg.enable {
+  services.matrix-sliding-sync = {
+    enable = true;
+    settings = {
+      SYNCV3_SERVER = "https://${cfg.fqdn}";
+      SYNCV3_BINDADDR = "127.0.0.1:${toString cfg.sliding-sync.port}";
+    };
+    environmentFile = cfg.sliding-sync.secretFile;
+  };
+  services.nginx.virtualHosts."${cfg.fqdn}".locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = {
+    proxyPass = "http://127.0.0.1:${toString cfg.sliding-sync.port}";
+  };
+}

users/jalr/default.nix

@@ -16,6 +16,7 @@ in
       "libvirtd"
       "lp"
       "networkmanager"
+      "plugdev"
       "scanner"
       "video"
       "wheel"
@@ -56,6 +57,14 @@ in
           pwgen
         ];
 
+        xdg.mimeApps = {
+          enable = true;
+          defaultApplications = {
+            "application/pdf" = "org.gnome.Evince.desktop";
+            "image/svg+xml" = "org.inkscape.Inkscape.desktop";
+          };
+        };
+
         accounts.email.accounts = {
           "jalr" = {
             primary = true;
@@ -72,10 +81,10 @@ in
             };
             smtp = {
               host = "hha.jalr.de";
-              port = 587;
+              port = 465;
               tls = {
                 enable = true;
-                useStartTls = true;
+                useStartTls = false;
               };
             };
             thunderbird = {
@@ -97,10 +106,10 @@ in
             };
             smtp = {
               host = "mail.agenturserver.de";
-              port = 587;
+              port = 465;
               tls = {
                 enable = true;
-                useStartTls = true;
+                useStartTls = false;
               };
             };
             thunderbird = {
@@ -147,10 +156,10 @@ in
             };
             smtp = {
               host = "hha.jalr.de";
-              port = 587;
+              port = 465;
               tls = {
                 enable = true;
-                useStartTls = true;
+                useStartTls = false;
               };
             };
             thunderbird = {

users/jalr/modules/neovim.nix

@@ -84,6 +84,7 @@ in
       NeoSolarized
       deoplete-nvim
       editorconfig-vim
+      jinja-vim
       nvim-lspconfig
       {
         plugin = telescope-nvim;