Lemmy broken on Germany

2024-02-10 16:53:55 -08:00 · 2024-02-10 16:53:55 -08:00 · cf10f910bd
commit cf10f910bd
parent 7a73028ad2
18 changed files with 1501 additions and 920 deletions
--- a/config/domain-config/fudo.org.nix
+++ b/config/domain-config/fudo.org.nix
@ -6,22 +6,41 @@ let
  localDomain = "fudo.org";
  domainSecrets = config.fudo.secrets.files.domain-secrets."${localDomain}";
  hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
-  inherit (pkgs.lib) getDomainHosts getHostIpv4 getHostIpv6 getHostFqdn;
+  inherit (pkgs.lib)
    getDomainHosts getHostIpv4 getHostIpv6 getHostFqdn getSiteV4PrefixLength;
  domain = config.fudo.domains."${localDomain}";
  authentikHost = "legatus";
  authentikImage = "ghcr.io/goauthentik/server:2023.10.7";
  primaryNameserver = "germany";
  webmailHost = "germany";
  defaultHost = "germany";
  mastodonHost = "germany";
  mastodonHostname = "fudo.live";
  giteaHost = "germany";
  giteaHostname = "fudo.dev";
  giteaIpv4Address = "208.81.3.118";
  cloudHost = "germany";
  cloudHostname = "fudo.cloud";
  lemmyHost = "germany";
  lemmyHostname = "fudo.social";
  matrixHost = "germany";
  matrixHostname = "fudo.im";
  immichHost = "germany";
  immichHostname = "pics.fudo.org";
  servedDomains = [
    "fudo.org"
    "test.fudo.org"
@ -30,35 +49,36 @@ let
    "fudo.im"
    "fudo.live"
    "fudo.social"
    "fudo.dev"
    "fudo.cloud"
    "stewartsoundservices.ca"
  ];
  static = ../../static;
 in {
  imports = [
-    (import ./fudo.org/authentik.nix {
+    (import ./fudo.org/authentik.nix { inherit authentikHost authentikImage; })
      inherit authentikHost;
      authentikImage = "ghcr.io/goauthentik/server:2023.10.6";
    })
    (import ./fudo.org/mastodon.nix {
-      mastodonHost = "germany";
+      mastodonHost = mastodonHost;
      mastodonHostname = mastodonHostname;
      mastodonWebDomain = mastodonHostname;
      mastodonOidcClientId = domainSecrets."mastodon-oidc.clientid";
      mastodonOidcClientSecret = domainSecrets."mastodon-oidc.secret";
    })
    (import ./fudo.org/nextcloud.nix {
-      nextcloudHost = "legatus";
+      nextcloudHost = cloudHost;
-      nextcloudHostname = "cloud.fudo.org";
+      nextcloudHostname = cloudHostname;
      nextcloudPackage = pkgs.nextcloud28;
    })
    (import ./fudo.org/matrix.nix {
-      matrixHost = "germany";
+      matrixHost = matrixHost;
-      matrixServerName = "fudo.im";
+      matrixServerName = matrixHostname;
      openIdClientId = readFile domainSecrets."matrix-oidc.clientid";
      openIdClientSecret = readFile domainSecrets."matrix-oidc.secret";
    })
    (import ./fudo.org/mail-server.nix (rec {
-      primaryMailserver = "france";
+      primaryMailserver = "germany";
      primaryDomain = "fudo.org";
      authentikServer = "authentik.fudo.org";
      ldapBase = "dc=fudo,dc=org";
@ -73,8 +93,21 @@ in {
  ];
  config = {
-    # All Fudo hosts should redirect selby.ca to the selbyhomecentre website.
+    systemd.services = { lemmy.after = [ "postgresql.service" ]; };
    services = {
      immichContainer = mkIf (hostname == immichHost) {
        enable = true;
        images = let immichVersion = "v1.94.1";
        in {
          immich = "ghcr.io/immich-app/immich-server:${immichVersion}";
          immich-ml =
            "ghcr.io/immich-app/immich-machine-learning:${immichVersion}";
          redis = "redis:6.2-alpine";
          postgresql = "tensorchord/pgvecto-rs:pg14-v0.1.11";
        };
      };
      nginx.virtualHosts = {
        # Pass requests to selby on to selbyhomecentre
        "selby.ca".locations."/".return =
@ -82,34 +115,110 @@ in {
        "www.selby.ca".locations."/".return =
          "301 https://selbyhomecentre.com$request_uri";
-        # For Mastodon
+        "pics.fudo.org" = mkIf (hostname == immichHost) {
-        "fudo.org".locations = {
+          enableACME = true;
-          "/.well-known/webfinger" = {
+          forceSSL = true;
-            return = "301 http://${mastodonHostname}";
+          locations."/" = {
-            extraConfig = "add_header Access-Control-Allow-Origin '*';";
+            proxyPass = "http://localhost:${
                toString config.services.immichContainer.port
              }/";
            proxyWebsockets = true;
          };
-          "/.well-known/host-meta" = {
+        };
-            return = "301 https://${mastodonHostname}$request_uri";
+
        "fudo.org" = mkIf (hostname == defaultHost) {
          enableACME = true;
          forceSSL = true;
          locations = let
            mkWellKnown = data: ''
              add_header Content-Type application/json;
              add_header Access-Control-Allow-Origin *;
              return 200 '${builtins.toJSON data}';
            '';
          in {
            # Mastodon
            "/.well-known/webfinger" = {
              return = "301 https://${mastodonHostname}";
              extraConfig = "add_header Access-Control-Allow-Origin '*';";
            };
            "/.well-known/host-meta" = {
              return = "301 https://${mastodonHostname}$request_uri";
            };
            # Matrix
            "/.well-known/matrix/server".extraConfig =
              mkWellKnown { "m.server" = "matrix.${matrixHostname}:443"; };
            "/.well-known/matrix/client".extraConfig = mkWellKnown {
              "m.homeserver".base_url = "https://web.${matrixHostname}:443";
            };
            "/.well-known/acme-challenge" = {
              root = "/var/lib/acme/acme-challenge/";
              extraConfig = "auth_basic off;";
            };
          };
        };
      };
-      lemmyDocker = {
+      # lemmyContainer = {
-        enable = config.instance.hostname == lemmyHost;
+      #   enable = config.instance.hostname == lemmyHost;
-        hostname = lemmyHostname;
+      #   hostname = lemmyHostname;
-        site-name = "Fudo Lemmy";
+      #   site-name = "Fudo Lemmy";
-        version = "0.19.2";
+      #   smtp.host = "mail.fudo.org:587";
-        smtp-server = "mail.fudo.org:587";
+      #   # admin-password-file = hostSecrets.lemmyAdminPasswd.target-file;
-        docker-images = {
+      #   server-package = pkgs.pkgsUnstable.lemmy-server;
-          pictrs = "asonix/pictrs:0.5.1";
+      # };
          postgres = "postgres:15-alpine";
        };
      };
    };
    fudo = {
      secrets.host-secrets."${hostname}" = {
        lemmyAdminPasswd = {
          source-file =
            pkgs.lib.passwd.stablerandom-passwd-file "lemmy-admin.passwd"
            config.instance.build-seed;
          target-file = "/run/lemmy/admin.passwd";
        };
      };
      zones = {
        "fudo.org".aliases = {
          cloud = "germany.fudo.org.";
          pics = "germany.fudo.org.";
          webmail = "germany.fudo.org.";
        };
        "selby.ca".aliases.webmail = "germany.fudo.org.";
      };
      webmail = {
        enable = hostname == webmailHost;
        sites = {
          "webmail.fudo.org" = {
            title = "Fudo Webmail";
            favicon = "${static}/fudo.org/favicon.ico";
            mail-server = "mail.fudo.org";
            domain = "fudo.org";
            edit-mode = "Plain";
          };
          "webmail.fudo.link" = {
            title = "Fudo Link Webmail";
            favicon = "${static}/fudo.link/favicon.ico";
            mail-server = "mail.fudo.org";
            domain = "fudo.link";
            edit-mode = "Plain";
            layout-mode = "bottom";
          };
          "webmail.selby.ca" = {
            title = "Selby Webmail";
            favicon = "${static}/selby.ca/favicon.ico";
            mail-server = "mail.fudo.org";
            domain = "selby.ca";
          };
        };
      };
      services = {
-        # TEMPORARY
+        # DON'T enable, we're using mail-container instead
        mail-server.enable = false;
        jabber = {
@ -127,6 +236,25 @@ in {
          };
        };
        lemmy = {
          enable = hostname == lemmyHost;
          hostname = "fudo.social";
          site-name = "Fudo Lemmy";
          smtp.host = "mail.fudo.org";
        };
        gitea-container = let siteName = config.fudo.hosts."${giteaHost}".site;
        in {
          enable = hostname == giteaHost;
          site-name = "Fudo Git";
          hostname = giteaHostname;
          trusted-networks = config.instance.local-networks;
          networking.ipv4 = {
            address = giteaIpv4Address;
            prefixLength = getSiteV4PrefixLength siteName;
          };
        };
        authoritative-dns = {
          enable = hostname == primaryNameserver;
@ -167,23 +295,56 @@ in {
            mkDomain = domain: extraConfig:
              {
                default-host = defaultDeets;
                ksk =
                  config.fudo.secrets.files.dns.key-signing-keys."${domain}";
              } // extraConfig;
            getDeets = hostname: description: {
              inherit (config.fudo.zones."fudo.org".hosts."${hostname}")
                ipv4-address ipv6-address sshfp-records;
            };
          in {
            "fudo.org" = mkDomain "fudo.org" {
              reverse-zones = [ "208.81.1.128/28" "208.81.3.112/28" ];
              mail = fudoMailservers;
              default-host = defaultDeets;
            };
            "test.fudo.org" = mkDomain "test.fudo.org" { };
-            "selby.ca" = mkDomain "selby.ca" { mail = fudoMailservers; };
+            "selby.ca" = mkDomain "selby.ca" {
-            "fudo.ca" = mkDomain "fudo.ca" { mail = fudoMailservers; };
+              mail = fudoMailservers;
-            "fudo.im" = mkDomain "fudo.im" { mail = fudoMailservers; };
+              default-host = defaultDeets;
-            "stewartsoundservices.ca" =
+            };
-              mkDomain "stewartsoundservices.ca" { mail = fudoMailservers; };
+            "fudo.ca" = mkDomain "fudo.ca" {
-            "fudo.live" = mkDomain "fudo.live" { mail = fudoMailservers; };
+              mail = fudoMailservers;
-            "fudo.social" = mkDomain "fudo.social" { mail = fudoMailservers; };
+              default-host = defaultDeets;
            };
            "fudo.im" = mkDomain "fudo.im" {
              mail = fudoMailservers;
              default-host = getDeets matrixHost "fudo.im primary server";
            };
            "stewartsoundservices.ca" = mkDomain "stewartsoundservices.ca" {
              mail = fudoMailservers;
              default-host = defaultDeets;
            };
            "fudo.live" = mkDomain "fudo.live" {
              mail = fudoMailservers;
              default-host = getDeets mastodonHost "fudo.live primary server";
            };
            "fudo.social" = mkDomain "fudo.social" {
              mail = fudoMailservers;
              default-host = getDeets lemmyHost "fudo.social primary server";
            };
            "fudo.dev" = mkDomain "fudo.dev" {
              mail = fudoMailservers;
              default-host = {
                ipv4-address = giteaIpv4Address;
                description = "fudo.dev";
              };
            };
            "fudo.cloud" = mkDomain "fudo.cloud" {
              mail = fudoMailservers;
              default-host = getDeets cloudHost "fudo.dev primary server";
            };
          };
        };
      };
--- a/config/domain-config/fudo.org/mail-server.nix
+++ b/config/domain-config/fudo.org/mail-server.nix
@ -22,39 +22,48 @@ in {
    # };
    fudo = {
-      zones."${primaryDomain}" = let
+      zones = let
-        mailserverDomain = config.fudo.hosts."${primaryMailserver}".domain;
+        mailserverIp = getHostIpv4 primaryMailserver;
-        mailserverIps = {
+        spfRecords = [
-          ipv4-address = getHostIpv4 primaryMailserver;
+          ''@ IN TXT "v=spf1 mx ip4:${mailserverIp}/32 -all"''
-          ipv6-address = getHostIpv6 primaryMailserver;
+          ''@ IN SPF "v=spf1 mx ip4:${mailserverIp}/32 -all"''
-        };
+        ];
        srvRecord = host: port: [{ inherit host port; }];
      in {
-        srv-records = {
+        "${primaryDomain}" = let
-          tcp = {
+          mailserverDomain = config.fudo.hosts."${primaryMailserver}".domain;
-            imap = srvRecord "imap.${primaryDomain}" 143;
+          mailserverIps = {
-            imaps = srvRecord "imap.${primaryDomain}" 993;
+            ipv4-address = getHostIpv4 primaryMailserver;
-            smtp = srvRecord "smtp.${primaryDomain}" 25;
+            ipv6-address = getHostIpv6 primaryMailserver;
            submission = srvRecord "smtp.${primaryDomain}" 587;
            submissions = srvRecord "smtp.${primaryDomain}" 465;
          };
-          udp = {
+          srvRecord = host: port: [{ inherit host port; }];
-            smtp = srvRecord "smtp.${primaryDomain}" 25;
+        in {
-            submission = srvRecord "smtp.${primaryDomain}" 587;
+          srv-records = {
            tcp = {
              imap = srvRecord "mail.${primaryDomain}" 143;
              imaps = srvRecord "mail.${primaryDomain}" 993;
              smtp = srvRecord "mail.${primaryDomain}" 25;
              submission = srvRecord "mail.${primaryDomain}" 587;
              submissions = srvRecord "mail.${primaryDomain}" 465;
            };
            udp = {
              smtp = srvRecord "mail.${primaryDomain}" 25;
              submission = srvRecord "mail.${primaryDomain}" 587;
            };
          };
        };
-        metric-records = genAttrs [ "dovecot" "postfix" "rspamd" ]
+          metric-records = genAttrs [ "dovecot" "postfix" "rspamd" ]
-          (_: srvRecord "mail-stats.${primaryDomain}" 443);
+            (_: srvRecord "mail-stats.${primaryDomain}" 443);
-        hosts = {
+          hosts = {
-          imap = mailserverIps;
+            imap = mailserverIps;
-          smtp = mailserverIps;
+            smtp = mailserverIps;
-          mail = mailserverIps;
+            mail = mailserverIps;
-          mail-stats = mailserverIps;
+            mail-stats = mailserverIps;
          };
          verbatim-dns-records = [ dkimRecord ] ++ spfRecords;
        };
-        verbatim-dns-records = [ dkimRecord ];
+      } // (genAttrs (filter (dom: dom != primaryDomain) servedDomains)
-      };
+        (domain: { verbatim-dns-records = [ dkimRecord ] ++ spfRecords; }));
      metrics.prometheus.service-discovery-dns =
        (genAttrs [ "dovecot" "postfix" "rspamd" ]
@ -68,14 +77,14 @@ in {
        sasl-domain = saslDomain;
        trusted-networks = config.instance.local-networks;
        smtp = {
-          hostname = "smtp.${primaryDomain}";
+          hostname = "mail.${primaryDomain}";
          ssl-directory =
-            config.security.acme.certs."smtp.${primaryDomain}".directory;
+            config.security.acme.certs."mail.${primaryDomain}".directory;
        };
        imap = {
-          hostname = "imap.${primaryDomain}";
+          hostname = "mail.${primaryDomain}";
          ssl-directory =
-            config.security.acme.certs."imap.${primaryDomain}".directory;
+            config.security.acme.certs."mail.${primaryDomain}".directory;
        };
        ldap = {
          authentik-host = "https://${authentikServer}";
@ -112,7 +121,7 @@ in {
        "imap.${primaryDomain}" = {
          enableACME = true;
          forceSSL = true;
-          locations."/".return = "301 https://webmail.${primaryDomain}";
+          locations."/".return = "403 Forbidden";
        };
        "mail.${primaryDomain}" = {
          enableACME = true;
@ -122,7 +131,7 @@ in {
        "smtp.${primaryDomain}" = {
          enableACME = true;
          forceSSL = true;
-          locations."/".return = "301 https://webmail.${primaryDomain}";
+          locations."/".return = "403 Forbidden";
        };
      };
    };
--- a/config/domain-config/fudo.org/mastodon.nix
+++ b/config/domain-config/fudo.org/mastodon.nix
@ -7,50 +7,46 @@ with lib;
 let
  hostname = config.instance.hostname;
  isMastodon = hostname == mastodonHost;
  mkEnvFile = vars:
    pkgs.writeText "mastodon.env"
    (concatStringsSep "\n" (mapAttrsToList (k: v: ''${k}="${v}"'') vars));
 in {
  config = {
    fudo.secrets.host-secrets."${hostname}".mastodonEnv = {
      source-file = mkEnvFile {
        OIDC_ENABLED = "true";
        OIDC_DISPLAY_NAME = "fudo auth";
        OIDC_DISCOVERY = "true";
        OIDC_ISSUER = "https://authentik.fudo.org/application/o/mastodon/";
        OIDC_AUTH_ENDPOINT =
          "https://authentik.fudo.org/application/o/authorize/";
        OIDC_SCOPE = "openid,profile,email";
        OIDC_UID_FIELD = "sub";
        OIDC_CLIENT_ID = readFile mastodonOidcClientId;
        OIDC_CLIENT_SECRET = readFile mastodonOidcClientSecret;
        OIDC_REDIRECT_URI =
          "https://fudo.live/auth/auth/openid_connect/callback";
        OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
        OMNIAUTH_ONLY = "true";
        ONE_CLICK_SSO_LOGIN = "true";
      };
      target-file = "/run/mastodon/env";
    };
    services = {
      mastodonContainer = mkIf isMastodon {
        enable = true;
-        hostname = mastodonWebDomain;
+        hostname = mastodonHostname;
-        web-domain = mastodonHostname;
+        domain = mastodonWebDomain;
-        version = "v4.1.6";
+        environment-files = [
-        state-directory = "/state/services/mastodon";
+          config.fudo.secrets.host-secrets."${hostname}".mastodonEnv.target-file
-        smtp.server = "mail.fudo.org";
+        ];
-        environment = {
+        smtp = {
-          OIDC_ENABLED = "true";
+          host = "mail.fudo.org";
-          OIDC_DISPLAY_NAME = "fudo auth";
+          port = 25;
          OIDC_DISCOVERY = "true";
          OIDC_ISSUER = "https://authentik.fudo.org/application/o/mastodon/";
          OIDC_AUTH_ENDPOINT =
            "https://authentik.fudo.org/application/o/authorize/";
          OIDC_SCOPE = "openid,profile,email";
          OIDC_UID_FIELD = "sub";
          OIDC_CLIENT_ID = readFile mastodonOidcClientId;
          OIDC_CLIENT_SECRET = readFile mastodonOidcClientSecret;
          OIDC_REDIRECT_URI =
            "https://mastodon.fudo.org/auth/auth/openid_connect/callback";
          OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
        };
      };
      nginx = mkIf isMastodon {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        virtualHosts = {
          "${mastodonHostname}" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://localhost:${
                  toString config.services.mastodonContainer.port
                }";
              proxyWebsockets = true;
            };
          };
        };
        allow-registrations = false;
      };
    };
  };
--- a/config/domain-config/fudo.org/nextcloud.nix
+++ b/config/domain-config/fudo.org/nextcloud.nix
@ -40,6 +40,10 @@ in {
          };
          extraConfig = ''
            client_body_buffer_size 1024m;
            client_max_body_size 4096m;
            fastcgi_read_timeout 120s;
            proxy_max_temp_file_size 4096m;
            proxy_buffering off;
          '';
        };
      };
--- a/config/domain-config/sea.fudo.org.nix
+++ b/config/domain-config/sea.fudo.org.nix
@ -5,6 +5,8 @@ let
  hostname = config.instance.hostname;
  hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
  domainName = "sea.fudo.org";
  frigateExternalHost = "sea-cam.fudo.link";
  frigateHost = "zbox";
  frigateDirectory = frigateCfg.state-directory;
@ -12,9 +14,15 @@ let
    pkgs.lib.passwd.stablerandom-passwd-file "frigate-mqtt-passwd"
    config.instance.build-seed;
  immichHost = "toothless";
 in {
  config = {
-    fudo.zones."sea.fudo.org".aliases = { "frigate" = "zbox"; };
+    fudo.zones."sea.fudo.org".aliases = {
      chat = "nostromo";
      frigate = "zbox";
      immich = immichHost;
    };
    fudo = {
      services = {
        metrics = {
@ -37,8 +45,33 @@ in {
    };
    services = {
-      frigateContainer = {
+      immichContainer = mkIf (hostname == immichHost) {
-        enable = config.instance.hostname == frigateHost;
+        enable = true;
        images = let immichVersion = "v1.94.1";
        in {
          immich = "ghcr.io/immich-app/immich-server:${immichVersion}";
          immich-ml =
            "ghcr.io/immich-app/immich-machine-learning:${immichVersion}";
          redis = "redis:6.2-alpine";
          postgresql = "tensorchord/pgvecto-rs:pg14-v0.1.11";
        };
      };
      nginx = mkIf (hostname == immichHost) {
        enable = true;
        recommendedOptimisation = true;
        recommendedGzipSettings = true;
        recommendedProxySettings = true;
        virtualHosts."immich.${domainName}".locations."/" = {
          proxyPass = "http://${immichHost}.${domainName}:${
              toString config.services.immichContainer.port
            }/";
          recommendedProxySettings = true;
        };
      };
      frigateContainer = mkIf (config.instance.hostname == frigateHost) {
        enable = true;
        log-level = "info";
        images.frigate = "ghcr.io/blakeblackshear/frigate:0.13.0-beta5";
        cameras =
--- a/config/hardware/germany.nix
+++ b/config/hardware/germany.nix
@ -1,5 +1,6 @@
 { config, lib, pkgs, ... }:
 with lib;
 let generateMac = pkgs.lib.network.generate-mac-address;
 in {
@ -22,6 +23,8 @@ in {
    extraModulePackages = [ ];
    kernelPackages = pkgs.linuxPackages_latest;
    supportedFilesystems = [ "bcachefs" ];
    loader.grub = {
      enable = true;
      devices = [
@ -85,11 +88,45 @@ in {
      fsType = "btrfs";
      options = [ "subvol=@container-data" "noatime" "compress=zstd" "noexec" ];
    };
    ## BROKEN!
    # "/store" = {
    #   device = lib.concatStringsSep ":" [
    #     "/dev/disk/by-id/ata-Crucial_CT525MX300SSD1_171516B3CB40"
    #     "/dev/disk/by-id/ata-ST8000DM004-2U9188_ZR153N5H"
    #     "/dev/disk/by-id/ata-ST8000DM004-2U9188_ZR153CDK"
    #   ];
    #   fsType = "bcachefs";
    #   options = [ "noexec" "compression=zstd" ];
    # };
  };
  systemd.services.mount-bcachefs-store = let
    mountpoint = "/store";
    deviceString = concatStringsSep ":" [
      "/dev/disk/by-id/ata-Crucial_CT525MX300SSD1_171516B3CB40"
      "/dev/disk/by-id/ata-ST8000DM004-2U9188_ZR153N5H"
      "/dev/disk/by-id/ata-ST8000DM004-2U9188_ZR153CDK"
    ];
    options = concatStringsSep "," [ "noexec" "compression=zstd" ];
  in {
    description =
      "Mount ${mountpoint} filesystem (can't use fileSystems with multiple devices).";
    wantedBy = [ "local-fs.target" ];
    script = ''
      [ -d ${mountpoint} ] || mkdir ${mountpoint}
      if ${pkgs.util-linux}/bin/findmnt ${mountpoint}; then
        echo "already mounted: ${mountpoint}"
      else
        echo "mounting filesystem: ${mountpoint}"
        ${pkgs.bcachefs-tools}/bin/mount.bcachefs ${deviceString} -o ${options} ${mountpoint}
      fi
    '';
  };
  swapDevices = [{ device = "/dev/disk/by-label/germany-swap"; }];
-  nix.settings.max-jobs = lib.mkDefault 24;
+  nix.settings.max-jobs = mkDefault 24;
  hardware.bluetooth.enable = false;
--- a/config/host-config/fimbria.nix
+++ b/config/host-config/fimbria.nix
@ -248,6 +248,16 @@ in {
              (trustedNetworkClauses ++ [ "deny all;" ]);
            };
          };
          "pics.fudo.link" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://immich.sea.fudo.org/";
              proxyWebsockets = true;
              recommendedProxySettings = true;
            };
          };
        };
      };
--- a/config/host-config/germany.nix
+++ b/config/host-config/germany.nix
@ -31,7 +31,7 @@ in {
      };
      firewall = {
        enable = false;
-        interfaces."podman+".allowedUDPPorts = [ 53 ];
+        interfaces."podman[0-9]+".allowedUDPPorts = [ 53 ];
      };
    };
@ -60,6 +60,11 @@ in {
            '';
          };
        };
        webmail-init = {
          after = [ "fudo-secrets.target" ];
          requires = [ "fudo-secrets.target" ];
        };
      };
      timers.fudo-mail-sync = {
@ -79,13 +84,42 @@ in {
        enable = true;
        autoPrune.enable = true;
        dockerSocket.enable = true;
-        defaultNetwork.settings.dns_enabled = true;
+        dockerCompat = true;
        defaultNetwork.settings = {
          dns_enabled = true;
          network_dns_servers = [ "1.1.1.1" "8.8.4.4" ];
        };
      };
      oci-containers.backend = "podman";
      arion.backend = "podman-socket";
    };
-    services.lemmyDocker.state-directory = "/state/services/lemmy";
+    services = {
      lemmyContainer.state-directory = "/state/services/lemmy-container";
      mastodonContainer.streaming-processes = 6;
      nextcloudContainer = {
        state-directory = "/state/services/nextcloud";
        store-directory = "/store/nextcloud";
      };
      immichContainer = {
        state-directory = "/state/services/immich";
        store-directory = "/store/immich";
      };
      nginx = {
        enable = true;
        commonHttpConfig = ''
          log_format with_response_time '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $body_bytes_sent '
                       '"$http_referer" "$http_user_agent" '
                       '"$request_time" "$upstream_response_time"';
          access_log /var/log/nginx/access.log with_response_time;
        '';
        recommendedTlsSettings = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
      };
    };
    fudo = {
      client.dns = {
@ -105,12 +139,18 @@ in {
        state-directory = "/state/services/postgresql";
      };
      webmail.state-directory = "/state/services/webmail";
      services = {
        auth = {
          kerberos.state-directory = "/state/services/kerberos";
          ldap.state-directory = "/state/services/ldap";
        };
        authoritative-dns.state-directory = "/state/services/dns";
        gitea-container = {
          networking.interface = "enp5s0f0";
          state-directory = "/state/services/gitea-container";
        };
        jabber.state-directory = "/state/services/jabber";
        logging.loki.state-directory = "/state/services/loki";
        mail-server.state-directory = "/state/services/mail";
@ -118,6 +158,7 @@ in {
          prometheus.state-directory = "/state/services/prometheus";
          grafana.state-directory = "/state/services/grafana";
        };
        nexus.dns-server.listen-addresses = [ primary-ip ];
        postgresql = {
          state-directory = "/state/services/postgresql";
          keytab = extractFudoKeytab {
--- a/config/host-config/nostromo.nix
+++ b/config/host-config/nostromo.nix
@ -125,22 +125,6 @@ in {
      local-networks = config.instance.local-networks;
      state-directory = "/state/services/postgresql";
    };
    services.gitea-container = {
      enable = true;
      site-name = "Seattle Fudo Git";
      hostname = "git.fudo.org";
      state-directory = "/state/services/gitea";
      trusted-networks = config.instance.local-networks;
      openid-urls = [ "https://authentik.fudo.org/" ];
      networking = {
        interface = "eno2";
        ipv4 = {
          address = "10.0.0.15";
          prefixLength = 24;
        };
      };
    };
  };
  virtualisation = {
--- a/config/host-config/nutboy3.nix
+++ b/config/host-config/nutboy3.nix
@ -14,7 +14,7 @@ let
  host-secrets = config.fudo.secrets.host-secrets.${hostname};
-  postgresql-user = config.systemd.services.postgresql.serviceConfig.User;
+  # postgresql-user = config.systemd.services.postgresql.serviceConfig.User;
  files = config.fudo.secrets.files;
@ -48,10 +48,10 @@ in {
        "L /etc/adjtime - - - - /state/etc/adjtime"
        "d /state/services 0555 - - - -"
      ];
-      services.grafana = {
+      # services.grafana = {
-        bindsTo = [ "postgresql.service" ];
+      #   bindsTo = [ "postgresql.service" ];
-        requires = [ "postgresql.service" ];
+      #   requires = [ "postgresql.service" ];
-      };
+      # };
    };
    environment = { systemPackages = local-packages; };
@ -69,11 +69,11 @@ in {
          #   part-of = [ config.fudo.auth.ldap-server.systemd-target ];
          # };
-          postgresql = {
+          # postgresql = {
-            user = postgresql-user;
+          #   user = postgresql-user;
-            dependent-services = [ "postgresql.service" ];
+          #   dependent-services = [ "postgresql.service" ];
-            part-of = [ config.fudo.postgresql.systemd-target ];
+          #   part-of = [ config.fudo.postgresql.systemd-target ];
-          };
+          # };
        };
      };
@ -99,13 +99,13 @@ in {
          };
        };
-        postgresql = {
+        # postgresql = {
-          state-directory = "/state/services/postgresql";
+        #   state-directory = "/state/services/postgresql";
-          keytab = extractFudoKeytab {
+        #   keytab = extractFudoKeytab {
-            realm = domain.gssapi-realm;
+        #     realm = domain.gssapi-realm;
-            principals = [ "postgres/${host-fqdn}" ];
+        #     principals = [ "postgres/${host-fqdn}" ];
-          };
+        #   };
-        };
+        # };
        metrics = {
          prometheus.state-directory = "/state/services/prometheus";
--- a/config/host-config/toothless.nix
+++ b/config/host-config/toothless.nix
@ -28,21 +28,14 @@ in {
      Defaults lecture = never
    '';
    services = {
      immichContainer = {
        state-directory = "/state/immich/state";
        store-directory = "/state/immich/store";
      };
    };
    fudo = {
      # minecraft-server = {
      #   enable = true;
      #   data-dir = "/state/services/minecraft";
      #   world-name = "TLS";
      #   motd = "Welcome to Jasper's TLS minecraft server.";
      #   game-mode = "survival";
      #   difficulty = 1;
      #   allow-cheats = true;
      #   allocated-memory = 16;
      #   port = 25555;
      #   query-port = 25556;
      #   rcon-port = 25557;
      #   world-seed = 2090763904884813452;
      # };
      minecraft-clj = {
        enable = true;
        state-directory = "/state/services/minecraft-clj";
@ -86,6 +79,21 @@ in {
      };
    };
    virtualisation = {
      podman = {
        enable = true;
        autoPrune.enable = true;
        dockerSocket.enable = true;
        dockerCompat = true;
        defaultNetwork.settings = {
          dns_enabled = true;
          network_dns_servers = [ "1.1.1.1" "8.8.4.4" ];
        };
      };
      oci-containers.backend = "podman";
      arion.backend = "podman-socket";
    };
    systemd.targets = {
      sleep.enable = false;
      suspend.enable = false;
--- a/config/service/authoritative-dns.nix
+++ b/config/service/authoritative-dns.nix
@ -34,9 +34,9 @@ let
            isReadOnly = false;
          };
        } // (mapAttrs' (zoneName: _:
-          let zoneKeyName = zoneKeySecret zoneName;
+          nameValuePair "/run/nsd/keys/${zoneName}" {
-          in nameValuePair "/run/nsd/keys/${zoneKeyName}" {
+            hostPath =
-            hostPath = hostSecrets."${zoneKeyName}".target-file;
+              dirOf hostSecrets."${zoneKeySecret zoneName}".target-file;
          }) securedZones);
        config = let
          nameserverHost = cfg.container.hostname;
@ -82,7 +82,10 @@ let
            domains = mapAttrs' (zoneName: zoneCfg:
              nameValuePair zoneCfg.domain {
-                ksk.key-file = "/run/nsd/keys/${zoneKeySecret zoneName}";
+                ksk.key-file = "/run/nsd/keys/${zoneName}/${
                    baseNameOf
                    hostSecrets."${zoneKeySecret zoneName}".target-file
                  }";
                reverse-zones = zoneCfg.reverse-zones;
                notify = mkIf cfg.enable-notifications {
                  ipv4 = concatMap
@ -280,11 +283,21 @@ in {
    };
    fudo = {
-      secrets.host-secrets."${hostname}" = mapAttrs' (zone: zoneCfg:
+      secrets.host-secrets."${hostname}" = concatMapAttrs (zone: zoneCfg: {
-        nameValuePair (zoneKeySecret zone) {
+        "${zoneKeySecret zone}" = {
          source-file = zoneCfg.ksk.private-key;
-          target-file = "/run/nsd/${baseNameOf zoneCfg.ksk.private-key}";
+          target-file =
-        }) (filterAttrs (_: zoneCfg: zoneCfg.ksk != null) cfg.zones);
+            "/run/nsd/${zone}/${baseNameOf zoneCfg.ksk.private-key}";
        };
        "${zone}-ds" = {
          source-file = zoneCfg.ksk.ds;
          target-file = "/run/nsd/${zone}/${baseNameOf zoneCfg.ksk.ds}";
        };
        "${zone}-pubkey" = {
          source-file = zoneCfg.ksk.public-key;
          target-file = "/run/nsd/${zone}/${baseNameOf zoneCfg.ksk.public-key}";
        };
      }) (filterAttrs (_: zoneCfg: zoneCfg.ksk != null) cfg.zones);
      zones = mapAttrs (zone-name: zoneCfg:
        let
--- a/config/service/gitea-container.nix
+++ b/config/service/gitea-container.nix
@ -1,7 +1,20 @@
 { config, lib, pkgs, ... }:
 with lib;
-let cfg = config.fudo.services.gitea-container;
+let
  cfg = config.fudo.services.gitea-container;
  hostname = config.instance.hostname;
  domainName = config.fudo.hosts."${hostname}".domain;
  zoneName = config.fudo.domains."${domainName}".zone;
  siteName = config.fudo.hosts."${hostname}".site;
  getSiteGatewayV4 = pkgs.lib.getSiteGatewayV4;
  keyPaths = {
    ed25519 = "/state/ssh/ed25519.key";
    ecdsa = "/state/ssh/ecdsa.key";
  };
 in {
  options.fudo.services.gitea-container = with types; {
@ -29,11 +42,6 @@ in {
      default = [ ];
    };
    openid-urls = mkOption {
      type = listOf str;
      description = "List of authorized OpenID providers.";
    };
    networking = {
      interface = mkOption {
        type = str;
@ -75,7 +83,10 @@ in {
  };
  config = mkIf cfg.enable {
-    systemd.tmpfiles.rules = [ "d ${cfg.state-directory} 700 root root - -" ];
+    systemd.tmpfiles.rules = [
      "d ${cfg.state-directory}/gitea 755 root root - -"
      "d ${cfg.state-directory}/acme 755 root root - -"
    ];
    containers.gitea = {
      autoStart = true;
@ -83,18 +94,63 @@ in {
      macvlans = [ cfg.networking.interface ];
      bindMounts = {
        "/state" = {
-          hostPath = cfg.state-directory;
+          hostPath = "${cfg.state-directory}/gitea";
          isReadOnly = false;
        };
        "/var/lib/acme" = {
          hostPath = "${cfg.state-directory}/acme";
          isReadOnly = false;
        };
      };
      config = {
        nixpkgs.pkgs = pkgs;
-        systemd = { tmpfiles.rules = [ "d /state 0755 root root - -" ]; };
+        systemd = {
          tmpfiles.rules = [ "d /state 0755 root root - -" ];
          services = {
            gitea-chown = {
              requiredBy = [ "gitea.service" ];
              before = [ "gitea.service" ];
              serviceConfig.Type = "oneshot";
              script = "chown -R gitea:gitea /state";
            };
            gitea-keygen = {
              requiredBy = [ "gitea.service" ];
              before = [ "gitea.service" ];
              serviceConfig.Type = "oneshot";
              script = let
                keygenScripts = mapAttrsToList (type: path:
                  let dir = dirOf path;
                  in ''
                    if [ ! -f ${path} ]; then
                      mkdir -p ${dir}
                      ${pkgs.openssh}/bin/ssh-keygen -q -N "" -t ${type} -f ${path}
                      chown -R gitea:gitea ${dir}
                      chmod 0750 ${dir}
                      chmod 0440 ${path}
                    fi
                  '') keyPaths;
              in concatStringsSep "\n" keygenScripts;
            };
          };
        };
        environment.systemPackages = let
          giteaCli = pkgs.writeShellApplication {
            name = "gitea-cli";
            runtimeInputs = with pkgs; [ gitea ];
            text = ''gitea --config /state/gitea/custom/conf/app.ini "$@"'';
          };
        in [ giteaCli ];
        networking = {
-          defaultGateway = config.networking.defaultGateway;
+          defaultGateway = {
            address = getSiteGatewayV4 siteName;
            interface = "mv-${cfg.networking.interface}";
          };
          enableIPv6 = !isNull cfg.networking.ipv6;
          nameservers = config.networking.nameservers;
          firewall = {
            enable = true;
            allowedTCPPorts = [ 22 80 443 ];
@ -111,6 +167,11 @@ in {
          };
        };
        security.acme = {
          acceptTerms = true;
          defaults.email = "admin@${cfg.hostname}";
        };
        services = {
          gitea = {
            enable = true;
@ -122,7 +183,10 @@ in {
            repositoryRoot = "/state/repositories";
            stateDir = "/state/gitea";
            settings = {
-              service.DISABLE_REGISTRATION = true;
+              service = {
                #DISABLE_REGISTRATION = true;
                ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
              };
              security = {
                INSTALL_LOCK = true;
                LOGIN_REMEMBER_DAYS = 30;
@ -133,26 +197,23 @@ in {
                # Host & port to display in the clone URL
                SSH_DOMAIN = cfg.hostname;
                # SSH_LISTEN_HOST = "0.0.0.0";
                SSH_PORT = 22;
                SSH_LISTEN_PORT = 2222;
                SSH_LISTEN_HOST = "0.0.0.0";
                DOMAIN = cfg.hostname;
                ROOT_URL = "https://${cfg.hostname}";
                SSH_SERVER_HOST_KEYS =
                  concatStringsSep "," (attrValues keyPaths);
                HTTP_ADDR = "127.0.0.1";
                HTTP_PORT = 8080;
              };
              openid = {
                ENABLE_OPENID_SIGNIN = true;
                WHITELISTED_URIS = concatStringsSep "," cfg.openid-urls;
              };
              oauth2_client = {
                REGISTER_EMAIL_CONFIRM = false;
                OPENID_CONNECT_SCOPES =
                  concatStringsSep "," [ "email" "profile" ];
-                ENABLE_AUTO_REGISTRATION = true;
+                #ENABLE_AUTO_REGISTRATION = true;
                USERNAME = "email";
                UPDATE_AVATAR = true;
                ACCOUNT_LINKING = "login";
@ -164,8 +225,8 @@ in {
            enable = true;
            services = [{
              name = "ssh";
-              # port = 22;
+              port = 22;
-              # protocol = "tcp";
+              protocol = "tcp";
              extraConfig = ''
                redirect    = localhost 2222
                wait        = no
@ -185,9 +246,13 @@ in {
            recommendedTlsSettings = true;
            recommendedGzipSettings = true;
            virtualHosts."${cfg.hostname}" = {
-              # enableACME = true;
+              enableACME = true;
-              # forceSSL = true;
+              forceSSL = true;
-              locations."/".proxyPass = "http://127.0.0.1:8080";
+              locations."/" = {
                proxyPass = "http://127.0.0.1:8080";
                proxyWebsockets = true;
                recommendedProxySettings = true;
              };
              locations."/metrics" = mkIf (cfg.trusted-networks != [ ]) {
                proxyPass = "http://127.0.0.1:8080/metrics";
                extraConfig = let
--- a/config/service/lemmy.nix
+++ b/config/service/lemmy.nix
@ -2,20 +2,12 @@
 with lib;
 let
  lemmyDbPasswd = pkgs.lib.passwd.stablerandom-passwd-file "lemmy-server-passwd"
    "lemmy-server-${config.instance.build-seed}";
  cfg = config.fudo.services.lemmy;
  hostname = config.instance.hostname;
  domainName = config.fudo.hosts."${hostname}".domain;
  postgresqlServer = config.fudo.domains."${domainName}".postgresql-server;
  postgresqlFqdn = pkgs.lib.getHostFqdn postgresqlServer;
  isPostgresServer = hostname == postgresqlServer;
  hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
 in {
@ -27,38 +19,55 @@ in {
      description = "Hostname at which this server will be reachable.";
    };
-    port = mkOption {
+    site-name = mkOption {
-      type = port;
+      type = str;
-      description = "Port on which to listen for requests";
+      description = "Site Name";
      default = 8536;
    };
-    listen-ip = mkOption {
+    smtp = {
-      type = str;
+      host = mkOption {
-      description = "IP on which to listen for incoming requests.";
+        type = str;
-      default = "0.0.0.0";
+        description = "SMTP server to relay Lemmy emails.";
      };
      port = mkOption {
        type = port;
        description = "Port to which to send outgoing messages.";
        default = 25;
      };
    };
  };
  config = mkIf cfg.enable {
    fudo = {
-      secrets.host-secrets."${hostname}" = {
+      secrets.host-secrets."${hostname}" = let
-        dbLemmyPasswd = mkIf isPostgresServer {
+        lemmyDbPasswdFile =
-          source-file = lemmyDbPasswd;
+          pkgs.lib.passwd.stablerandom-passwd-file "lemmy-server-passwd"
          "lemmy-server-${config.instance.build-seed}";
        lemmyDbPasswd = readFile lemmyDbPasswdFile;
      in {
        lemmyDbUrl = {
          source-file = let
            url =
              "postgres:///lemmy?user=lemmy&password=${lemmyDbPasswd}&host=/var/run/postgresql";
          in pkgs.writeText "lemmy-db.url" url;
          target-file = "/run/lemmy/db.url";
        };
        dbLemmyPasswd = {
          source-file = lemmyDbPasswdFile;
          target-file = "/run/postgres/lemmy.passwd";
          user = config.systemd.services.postgresql.serviceConfig.User;
        };
-        lemmyEnv = mkIf cfg.enable {
+        lemmyAdminPasswdFile = {
-          source-file = pkgs.writeText "lemmy.env" ''
+          source-file =
-            LEMMY_DATABASE_URL=postgres:///lemmy:${
+            pkgs.lib.passwd.stablerandom-passwd-file "lemmy-admin.passwd"
-              readFile lemmyDbPasswd
+            config.instance.build-seed;
-            }@${postgresqlFqdn}:5432/lemmy
+          target-file = "/run/lemmy/admin.passwd";
          '';
          target-file = "/run/lemmy/env";
        };
      };
-      postgresql = mkIf isPostgresServer {
+      postgresql = {
        enable = true;
        databases.lemmy.users = config.instance.local-admins;
        users.lemmy = {
          password-file = hostSecrets.dbLemmyPasswd.target-file;
@ -74,35 +83,36 @@ in {
    };
    systemd.services.lemmy = {
-      requires = [ "fudo-secret-lemmyEnv.service" ];
+      requires = [ "fudo-secret-lemmyDbUrl.service" "postgresql.service" ];
-      after = [ "fudo-secret-lemmyEnv.service" ];
+      after = [ "fudo-secret-lemmyDbUrl.service" "postgresql.service" ];
      environment.LEMMY_DATABASE_URL = mkForce null;
      serviceConfig = mkIf cfg.enable {
        LoadCredential = [ "env:${hostSecrets.lemmyEnv.target-file}" ];
        EnvironmentFile = "$$CREDENTIALS_DIRECTORY/env";
      };
    };
-    services.lemmy = mkIf cfg.enable {
+    services.nginx.virtualHosts."${cfg.hostname}" = {
      enableACME = true;
      forceSSL = true;
    };
    services.lemmy = {
      enable = true;
      nginx.enable = true;
      adminPasswordFile = hostSecrets.lemmyAdminPasswdFile.target-file;
      database.uriFile = hostSecrets.lemmyDbUrl.target-file;
      ui.port = 50395;
      settings = {
        hostname = cfg.hostname;
-        federation.enabled = true;
+        host = cfg.hostname;
        captcha.enabled = true;
-        database = {
+        email = {
-          user = "lemmy";
+          smtp_server = "${cfg.smtp.host}:${toString cfg.smtp.port}";
-          host = pkgs.lib.getHostFqdn postgresqlServer;
+          smtp_from_address = "noreply@${cfg.hostname}";
-          database = "lemmy";
+          tls_type = "starttls";
-          password = readFile lemmyDbPasswd;
+        };
        admin_username = "admin";
        setup = {
          site_name = cfg.site-name;
          admin_username = "admin";
        };
        bind = cfg.listen-ip;
        port = cfg.port;
      };
    };
    networking.firewall = {
      allowedTCPPorts = [ cfg.port ];
      allowedUDPPorts = [ cfg.port ];
    };
  };
 }
--- a/config/service/mail-server.nix
+++ b/config/service/mail-server.nix
@ -103,22 +103,6 @@ in {
        };
      };
      zones = {
        ${mailserver-domain.zone} = let
          server-ipv4 = pkgs.lib.network.host-ipv4 config mailserver-host;
          server-ipv6 = pkgs.lib.network.host-ipv6 config mailserver-host;
          srv-record = host: port: [{ inherit host port; }];
        in {
          aliases = mkIf metricsEnabled { mail-stats = "${mailserver-fqdn}."; };
          metric-records = mkIf metricsEnabled
            (genAttrs [ "dovecot" "postfix" "rspamd" ]
              (_: srv-record "mail-stats" 443));
        };
      };
      metrics.prometheus.service-discovery-dns = mkIf metricsEnabled
        (genAttrs [ "dovecot" "postfix" "rspamd" ]
          (mtype: [ "${mtype}._metrics._tcp.${mailserver-domain-name}" ]));
--- a/config/service/postgresql.nix
+++ b/config/service/postgresql.nix
@ -56,7 +56,7 @@ in {
        };
      zones."${zone-name}".aliases.postgresql =
-        pkgs.lib.getHostFqdn domain.postgresql-server;
+        "${pkgs.lib.getHostFqdn domain.postgresql-server}.";
      postgresql = mkIf isPostgresHost (let
        ssl-config = optionalAttrs publicNetwork (let
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -98,6 +98,14 @@
      };
    };
    lemmy-container = {
      url = "git+https://git.fudo.org/fudo-public/lemmy-container.git";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        arion.follows = "arion";
      };
    };
    authentik-container = {
      url = "git+https://git.fudo.org/fudo-nix/authentik-container.git";
      inputs = {
@ -121,7 +129,18 @@
    mail-server = {
      url = "git+https://git.fudo.org/fudo-public/mail-server.git";
-      inputs.nixpkgs.follows = "nixpkgs";
+      inputs = {
        arion.follows = "arion";
        nixpkgs.follows = "nixpkgs";
      };
    };
    immich-container = {
      url = "git+https://git.fudo.org/fudo-public/immich-container.git";
      inputs = {
        arion.follows = "arion";
        nixpkgs.follows = "nixpkgs";
      };
    };
    authoritative-dns = {
@ -150,7 +169,8 @@
    , objectifier, nexus, suanni, snooper, tattler, lemmy-docker
    , tesla-mate-container, mastodon-container, authentik-container
    , nextcloud-container, textfiles, matrix-module, mail-server
-    , authoritative-dns, frigate-container, grafana-module, ... }@inputs:
+    , authoritative-dns, frigate-container, grafana-module, lemmy-container
    , immich-container, ... }@inputs:
    with nixpkgs.lib;
    let
      fudo-nixos-hosts = filterAttrs (hostname: hostOpts: hostOpts.nixos-system)
@ -232,6 +252,8 @@
            authoritative-dns.nixosModules.default
            frigate-container.nixosModules.default
            grafana-module.nixosModules.default
            lemmy-container.nixosModules.default
            immich-container.nixosModules.default
            nexus.nixosModules.nexus-client
            nexus.nixosModules.nexus-server