style: format using nixfmt-rfc-style

matrix: Enable rendezvous server
This will allow sign-in and device verification using QR codes
2024-11-20 15:49:31 +01:00 · 2024-11-20 17:15:41 +05:30
49 changed files with 571 additions and 717 deletions
--- a/.forgejo/workflows/check.yml
+++ b/.forgejo/workflows/check.yml
@ -18,7 +18,20 @@ jobs:
          # Prevent cache garbage collection by creating GC roots
          mkdir -p /var/lib/gitea-runner/tankstelle/.local/state/nix/results

-          sed -i 's/virtualisation.cores .*/virtualisation.cores = 16;/' tests/keycloak.nix
-          sed -i 's/virtualisation.memorySize .*/virtualisation.memorySize = 16384;/' tests/keycloak.nix
-          # 1 eval-worker needs about 13GB of memory
-          nix --accept-flake-config --access-tokens '' develop --command nix-fast-build --no-nom --skip-cached --systems "x86_64-linux" --max-jobs 10 --eval-workers 2 --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/nix-fast-build
+          for target in $(nix flake show --json --all-systems | jq --raw-output '
+            .["nixosConfigurations"] |
+            to_entries[] |
+            .key'
+          ); do
+            nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
+              build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$target" ".#nixosConfigurations.${target}.config.system.build.toplevel"
+          done
+
+          for check in $(nix flake show --json --all-systems | jq --raw-output '
+            .checks."x86_64-linux" |
+            to_entries[] |
+            .key'
+          ); do
+            nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
+              build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$check" ".#checks.x86_64-linux.${check}"
+          done
--- a/docs/administrative-access.md
+++ b/docs/administrative-access.md
@ -28,18 +28,18 @@ People with admin access to the infrastructure are added to [`logins/admins.nix`
 SSH is not reachable from the open internet. Instead, SSH Port 22 is protected by a wireguard VPN network. Thus, to get root access on the servers, at least two pieces of information have to be added to the admins config:

 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
-2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network uses the subnets `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
+2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).

 One can access our hosts using this domain scheme:

 ```
-ssh <unix-username>@<hostname>.wg.pub.solar
+ssh barkeeper@<hostname>.wg.pub.solar
 ```

 So, for example for `nachtigall`:

 ```
-ssh teutat3s@nachtigall.wg.pub.solar
+ssh barkeeper@nachtigall.wg.pub.solar
 ```

 Example NixOS snippet for WireGuard client config
--- a/docs/deletion-request.md
+++ b/docs/deletion-request.md
@ -34,13 +34,7 @@ Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server
 ### Mastodon

 ```
-mkdir /tmp/tootctl
-sudo chown mastodon /tmp/tootctl
-cd /tmp/tootctl
-
 sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
-
-rm -r /tmp/tootctl
 ```

 Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
--- a/docs/deploying.md
+++ b/docs/deploying.md
@ -7,29 +7,16 @@ be manually deployed.
 To deploy, make sure you have a [working development shell](./development-shell.md).
 Then, run `deploy-rs` with the hostname of the server you want to deploy:

-### Dry-run
-
-Use `--dry-activate` to show a diff of updated packages and all services that
-would be restarted by the update. This will also put all files in place without
-switching to the new generation, enabling a quick switch to the new config at a
-later moment.
-
 For nachtigall.pub.solar:

 ```
-deploy --targets '.#nachtigall' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results --dry-activate
-```
-
-After reviewing the changes, apply the update with:
-
-```
-deploy --targets '.#nachtigall' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results
+deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false --keep-result --result-path ./results
 ```

 For metronom.pub.solar (aarch64-linux):

 ```
-deploy --targets '.#metronom' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results --remote-build
+deploy --targets '.#metronom' --magic-rollback false --auto-rollback false --keep-result --result-path ./results --remote-build
 ```

 Usually we skip all rollback functionality, but if you want to deploy a change
@ -38,6 +25,9 @@ that might lock you out, e.g. to SSH, it might make sense to set these to `true`
 To skip flake checks, e.g. because you already ran them manually before
 deployment, add the flag `--skip-checks` at the end of the command.

+`--dry-activate` can be used to only put all files in place without switching,
+to enable switching to the new config quickly at a later moment.
+
 We use `--keep-result --result-path ./results` to keep the last `result`
 symlink of each `deploy` from being garbage collected. That way, we keep builds
 cached in the Nix store. This is optional and both flags can be removed if disk
--- a/docs/garage.md
+++ b/docs/garage.md
@ -8,7 +8,7 @@ Requirements:
 - [Setup WireGuard](./administrative-access.md#ssh-access) for hosts: `trinkgenossin`, optionally: `delite`, `blue-shell`

 ```
-ssh <unix-username>@trinkgenossin.wg.pub.solar
+ssh barkeeper@trinkgenossin.wg.pub.solar
 ```

 ```
@ -58,7 +58,7 @@ Further reading:
 ### Notes on manual setup steps

 ```
-ssh <unix-username>@trinkgenossin.wg.pub.solar
+ssh barkeeper@trinkgenossin.wg.pub.solar

 # Add a few spaces to avoid leaking the secret to the shell history
    export GARAGE_RPC_SECRET=<secret-in-keepass>
--- a/docs/keycloak/delete-unverified-accounts.md
+++ b/docs/keycloak/delete-unverified-accounts.md
@ -12,7 +12,7 @@ Run following after SSH'ing to `nachtigall`.
 Credentials for the following command are in keepass. Create a keycloak
 config/credentials file at `/tmp/kcadm.config`:

-```bash
+```
 sudo --user keycloak kcadm.sh config credentials \
  --config /tmp/kcadm.config \
  --server https://auth.pub.solar \
@ -22,7 +22,7 @@ sudo --user keycloak kcadm.sh config credentials \

 Get list of accounts without a verified email address:

-```bash
+```
 sudo --user keycloak kcadm.sh get \
  --config /tmp/kcadm.config \
  users \
@ -35,7 +35,7 @@ Review list of accounts, especially check `createdTimestamp` if any accounts
 were created in the past 2 days. If so, delete those from the
 `/tmp/keycloak-unverified-accounts` file.

-```bash
+```
 createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )

 # timestamps are in nanoseconds since epoch, so we need to strip the last three digits
@ -46,17 +46,17 @@ vim /tmp/keycloak-unverified-accounts

 Check how many accounts are going to be deleted:

-```bash
+```
 jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
 ```

-```bash
+```
 jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids
 ```

 Final check before deletion (dry-run):

-```bash
+```
 for id in $(cat /tmp/keycloak-unverified-account-ids)
  do
    echo sudo --user keycloak kcadm.sh delete \
@ -68,7 +68,7 @@ for id in $(cat /tmp/keycloak-unverified-account-ids)

 THIS WILL DELETE ACCOUNTS:

-```bash
+```
 for id in $(cat /tmp/keycloak-unverified-account-ids)
  do
    sudo --user keycloak kcadm.sh delete \
@ -77,9 +77,3 @@ for id in $(cat /tmp/keycloak-unverified-account-ids)
      --realm pub.solar
  done
 ```
-
-Delete the temp files:
-
-```bash
-sudo rm /tmp/kcadm.config /tmp/keycloak-unverified-accounts /tmp/keycloak-unverified-account-ids
-```
--- a/docs/matrix-suspend-account.md
+++ b/docs/matrix-suspend-account.md
@ -1,27 +0,0 @@
-# Matrix account suspension
-
-> Unlike [account locking](https://spec.matrix.org/v1.12/client-server-api/#account-locking),
-> [suspension](https://github.com/matrix-org/matrix-spec-proposals/blob/main/proposals/3823-code-for-account-suspension.md)
-> allows the user to have a (largely) readonly view of their account.
-> Homeserver administrators and moderators may use this functionality to
-> temporarily deactivate an account, or place conditions on the account's
-> experience. Critically, like locking, account suspension is reversible, unlike
-> the deactivation mechanism currently available in Matrix - a destructive,
-> irreversible, action.
-
-Required:
-
- `matrix-synapse admin token`
- [SSH access to host `nachtigall`](./administrative-access.md#ssh-access)
-
-## Suspending an account
-
-```bash
-curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.0.1:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": true}'
-```
-
-## Unsuspending an account
-
-```bash
-curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.0.1:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": false}'
-```
--- a/docs/nix-flake-updates.md
+++ b/docs/nix-flake-updates.md
@ -41,7 +41,3 @@ wrapped-ruby-mastodon-gems: 4.2.1 → 4.2.3
 zfs-kernel: 2.2.1-6.1.64 → 2.2.2-6.1.66
 zfs-user: 2.2.1 → 2.2.2
 ```
-
-### Deploying updates
-
-See [deploying.md](./deploying.md).
--- a/flake.lock
+++ b/flake.lock
@ -14,11 +14,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1736955230,
-        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
        "type": "github"
      },
      "original": {
@ -94,11 +94,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738765162,
-        "narHash": "sha256-3Z40qHaFScWUCVQrGc4Y+RdoPsh1R/wIh+AN4cTXP0I=",
+        "lastModified": 1731895210,
+        "narHash": "sha256-z76Q/OXLxO/RxMII3fIt/TG665DANiE2lVvnolK2lXk=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "ff3568858c54bd306e9e1f2886f0f781df307dff",
+        "rev": "639d1520df9417ca2761536c3072688569e83c80",
        "type": "github"
      },
      "original": {
@ -185,11 +185,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1738453229,
-        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
        "type": "github"
      },
      "original": {
@ -236,16 +236,16 @@
    },
    "fork": {
      "locked": {
-        "lastModified": 1738846146,
-        "narHash": "sha256-cIPiBEspPXQxju2AUZK9kjh6oqea+HkPFqmGv7yUztM=",
+        "lastModified": 1729963002,
+        "narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=",
        "owner": "teutat3s",
        "repo": "nixpkgs",
-        "rev": "e370f40b129e47b08562524ab4f053a172a94273",
+        "rev": "005faaacbeede0296dec5c844f508027ab8a3ff6",
        "type": "github"
      },
      "original": {
        "owner": "teutat3s",
-        "ref": "init-matrix-authentication-service-module-0.13.0",
+        "ref": "init-matrix-authentication-service-module",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -257,16 +257,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1736373539,
-        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
+        "lastModified": 1726989464,
+        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
+        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-24.11",
+        "ref": "release-24.05",
        "repo": "home-manager",
        "type": "github"
      }
@ -280,11 +280,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738012343,
-        "narHash": "sha256-agMgWwVxXII+RtCqok8ROjzpKJung/5N5f2BVDmMC5Q=",
+        "lastModified": 1731518114,
+        "narHash": "sha256-h9Wb3VjmXBZwTO3prRweUKwp2H9hZHCQKrkbU+2WPQs=",
        "ref": "main",
-        "rev": "4ffd7bc8ea032991756c5e8e8a37b039789045bc",
-        "revCount": 38,
+        "rev": "060ecccc5f8c92a0705ab91ff047811efd559468",
+        "revCount": 36,
        "type": "git",
        "url": "https://git.pub.solar/pub-solar/keycloak-theme"
      },
@ -298,11 +298,11 @@
      "flake": false,
      "locked": {
        "dir": "web",
-        "lastModified": 1733177811,
-        "narHash": "sha256-1n7bPSCRw7keTCIu4tJGnUlkoId6H1+dPsTPzKo3Rrk=",
+        "lastModified": 1718796561,
+        "narHash": "sha256-RKAAHve17lrJokgAPkM2k/E+f9djencwwg3Xcd70Yfw=",
        "owner": "maunium",
        "repo": "stickerpicker",
-        "rev": "89d3aece041c85ebe5a1ad4e620388af5227cbb0",
+        "rev": "333567f481e60443360aa7199d481e1a45b3a523",
        "type": "github"
      },
      "original": {
@ -320,11 +320,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1739034224,
-        "narHash": "sha256-Mj/8jDzh1KNmUhWqEeVlW3hO9MZkxqioJGnmR7rivaE=",
+        "lastModified": 1732016537,
+        "narHash": "sha256-XwXUK+meYnlhdQz2TVE4Wv+tsx1CkdGbDPt1tRzCNH4=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "0b6f96a6b9efcfa8d3cc8023008bcbcd1b9bc1a4",
+        "rev": "61cee20168a3ebb71a9efd70a55adebaadfbe4d4",
        "type": "github"
      },
      "original": {
@ -336,30 +336,30 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1739055578,
-        "narHash": "sha256-2MhC2Bgd06uI1A0vkdNUyDYsMD0SLNGKtD8600mZ69A=",
+        "lastModified": 1731797254,
+        "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "a45fa362d887f4d4a7157d95c28ca9ce2899b70e",
+        "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.11",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1738452942,
-        "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
+        "lastModified": 1730504152,
+        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
      }
    },
    "root": {
@ -387,21 +387,22 @@
        "nixpkgs": [
          "unstable"
        ],
-        "nixpkgs-24_11": [
+        "nixpkgs-24_05": [
          "nixpkgs"
-        ]
+        ],
+        "utils": "utils_2"
      },
      "locked": {
-        "lastModified": 1734884447,
-        "narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=",
+        "lastModified": 1718084203,
+        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "63209b1def2c9fc891ad271f474a3464a5833294",
+        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
-        "ref": "nixos-24.11",
+        "ref": "nixos-24.05",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
@ -466,13 +467,28 @@
        "type": "github"
      }
    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "unstable": {
      "locked": {
-        "lastModified": 1739020877,
-        "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
+        "lastModified": 1731676054,
+        "narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
+        "rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add",
        "type": "github"
      },
      "original": {
@ -499,6 +515,24 @@
        "repo": "flake-utils",
        "type": "github"
      }
+    },
+    "utils_2": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1709126324,
+        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -1,14 +1,14 @@
 {
  inputs = {
    # Track channels with commits tested and built by hydra
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
    unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-    fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module-0.13.0";
+    fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";

    nix-darwin.url = "github:lnl7/nix-darwin/master";
    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";

-    home-manager.url = "github:nix-community/home-manager/release-24.11";
+    home-manager.url = "github:nix-community/home-manager/release-24.05";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";

    flake-parts.url = "github:hercules-ci/flake-parts";
@ -37,8 +37,8 @@
    element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker";
    element-stickers.inputs.nixpkgs.follows = "nixpkgs";

-    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";
-    simple-nixos-mailserver.inputs.nixpkgs-24_11.follows = "nixpkgs";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
+    simple-nixos-mailserver.inputs.nixpkgs-24_05.follows = "nixpkgs";
    simple-nixos-mailserver.inputs.nixpkgs.follows = "unstable";
  };

@ -73,28 +73,11 @@
              overlays = [ inputs.agenix.overlays.default ];
            };
            unstable = import inputs.unstable { inherit system; };
+            master = import inputs.master { inherit system; };
          };

          checks =
            let
-              machinesPerSystem = {
-                aarch64-linux = [
-                  "metronom"
-                ];
-                x86_64-linux = [
-                  "blue-shell"
-                  "delite"
-                  "nachtigall"
-                  "tankstelle"
-                  "trinkgenossin"
-                  "underground"
-                ];
-              };
-              nixosMachines = inputs.nixpkgs.lib.mapAttrs' (n: inputs.nixpkgs.lib.nameValuePair "nixos-${n}") (
-                inputs.nixpkgs.lib.genAttrs (machinesPerSystem.${system} or [ ]) (
-                  name: self.nixosConfigurations.${name}.config.system.build.toplevel
-                )
-              );
              nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { };
              testDir = builtins.attrNames (builtins.readDir ./tests);
              testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir;
@ -111,13 +94,12 @@
                  }
                );
              }) testFiles
-            )
-            // nixosMachines;
+            );

          devShells.default = pkgs.mkShell {
            buildInputs = with pkgs; [
              deploy-rs
-              nix-fast-build
+              nixpkgs-fmt
              agenix
              age-plugin-yubikey
              cachix
@ -126,9 +108,9 @@
              nvfetcher
              shellcheck
              shfmt
-              treefmt2
+              inputs.unstable.legacyPackages.${system}.treefmt2
              nixos-generators
-              opentofu
+              inputs.unstable.legacyPackages.${system}.opentofu
              terraform-backend-git
              terraform-ls
              jq
@ -138,7 +120,13 @@
          devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; };
        };

-      flake = {
+      flake =
+        let
+          username = "barkeeper";
+        in
+        {
+          inherit username;
+
          nixosModules = builtins.listToAttrs (
            map (x: {
              name = x;
@ -150,29 +138,36 @@
            system: deployLib: deployLib.deployChecks self.deploy
          ) inputs.deploy-rs.lib;

-        formatter."x86_64-linux" = inputs.nixpkgs.legacyPackages."x86_64-linux".nixfmt-rfc-style;
+          formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;

          deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
            nachtigall = {
              hostname = "nachtigall.wg.pub.solar";
+              sshUser = username;
            };
            metronom = {
              hostname = "metronom.wg.pub.solar";
+              sshUser = username;
            };
            tankstelle = {
              hostname = "tankstelle.wg.pub.solar";
+              sshUser = username;
            };
            underground = {
              hostname = "80.244.242.3";
+              sshUser = username;
            };
            trinkgenossin = {
              hostname = "trinkgenossin.wg.pub.solar";
+              sshUser = username;
            };
            delite = {
              hostname = "delite.wg.pub.solar";
+              sshUser = username;
            };
            blue-shell = {
              hostname = "blue-shell.wg.pub.solar";
+              sshUser = username;
            };
          };
        };
--- a/hosts/blue-shell/wireguard.nix
+++ b/hosts/blue-shell/wireguard.nix
@ -22,7 +22,7 @@ in
        "${wireguardIPv6}/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.wireguardDevices ++ [
+      peers = flake.self.logins.admins.wireguardDevices ++ [
        {
          # trinkgenossin.pub.solar
          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
--- a/hosts/delite/wireguard.nix
+++ b/hosts/delite/wireguard.nix
@ -22,7 +22,7 @@ in
        "${wireguardIPv6}/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.wireguardDevices ++ [
+      peers = flake.self.logins.admins.wireguardDevices ++ [
        {
          # trinkgenossin.pub.solar
          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
--- a/hosts/metronom/wireguard.nix
+++ b/hosts/metronom/wireguard.nix
@ -18,7 +18,7 @@
        "fd00:fae:fae:fae:fae:3::/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.wireguardDevices ++ [
+      peers = flake.self.logins.admins.wireguardDevices ++ [
        {
          # nachtigall.pub.solar
          endpoint = "138.201.80.102:51820";
--- a/hosts/nachtigall/configuration.nix
+++ b/hosts/nachtigall/configuration.nix
@ -73,24 +73,22 @@
    owner = "matrix-synapse";
  };

+  age.secrets."matrix-synapse-sliding-sync-secret" = {
+    file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
+    mode = "400";
+    owner = "matrix-synapse";
+  };
+
  age.secrets."matrix-authentication-service-secret-config.yml" = {
    file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age";
    mode = "400";
    owner = "matrix-authentication-service";
  };

-  # matrix-appservice-irc
-  age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
-    file = "${flake.self}/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
-    mode = "400";
-    owner = "matrix-appservice-irc";
-  };
-
  pub-solar-os.matrix = {
    enable = true;
-    appservice-irc.mediaproxy.signingKeyPath =
-      config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
    synapse = {
+      sliding-sync.enable = false;
      signing_key_path = config.age.secrets."matrix-synapse-signing-key".path;
      extra-config-files = [
        config.age.secrets."matrix-synapse-secret-config.yaml".path
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@ -9,10 +9,12 @@
    ./networking.nix
    ./wireguard.nix
    ./backups.nix
-    "${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"
+    "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
+    "${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix"
  ];

  disabledModules = [
    "services/matrix/matrix-authentication-service.nix "
+    "services/web-apps/mastodon.nix"
  ];
 }
--- a/hosts/nachtigall/wireguard.nix
+++ b/hosts/nachtigall/wireguard.nix
@ -18,7 +18,7 @@
        "fd00:fae:fae:fae:fae:1::/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.wireguardDevices ++ [
+      peers = flake.self.logins.admins.wireguardDevices ++ [
        {
          # tankstelle.pub.solar
          endpoint = "80.244.242.5:51820";
--- a/hosts/tankstelle/configuration.nix
+++ b/hosts/tankstelle/configuration.nix
@ -10,9 +10,6 @@
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

-  # kernel same-page merging
-  hardware.ksm.enable = true;
-
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

  system.stateVersion = "23.11";
--- a/hosts/tankstelle/wireguard.nix
+++ b/hosts/tankstelle/wireguard.nix
@ -18,7 +18,7 @@
        "fd00:fae:fae:fae:fae:4::/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.wireguardDevices ++ [
+      peers = flake.self.logins.admins.wireguardDevices ++ [
        {
          # nachtigall.pub.solar
          endpoint = "138.201.80.102:51820";
--- a/hosts/trinkgenossin/wireguard.nix
+++ b/hosts/trinkgenossin/wireguard.nix
@ -22,7 +22,7 @@ in
        "${wireguardIPv6}/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.wireguardDevices ++ [
+      peers = flake.self.logins.admins.wireguardDevices ++ [
        {
          # nachtigall.pub.solar
          endpoint = "138.201.80.102:51820";
--- a/hosts/underground/configuration.nix
+++ b/hosts/underground/configuration.nix
@ -42,17 +42,8 @@
    owner = "matrix-authentication-service";
  };

-  # matrix-appservice-irc
-  age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
-    file = "${flake.self}/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
-    mode = "400";
-    owner = "matrix-appservice-irc";
-  };
-
  pub-solar-os.matrix = {
    enable = true;
-    appservice-irc.mediaproxy.signingKeyPath =
-      config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
    synapse = {
      extra-config-files = [
        config.age.secrets."staging-matrix-synapse-secret-config.yaml".path
--- a/hosts/underground/default.nix
+++ b/hosts/underground/default.nix
@ -7,7 +7,7 @@
    ./configuration.nix

    ./networking.nix
-    "${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"
+    "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
  ];

  disabledModules = [
--- a/logins/admins.nix
+++ b/logins/admins.nix
@ -38,22 +38,6 @@
          "fd00:fae:fae:fae:fae:200::/96"
        ];
      }
-      {
-        # chocolatebar
-        publicKey = "AS9w0zDUFLcH6IiF6T1vsyZPWPJ3p5fKsjIsM2AoZz8=";
-        allowedIPs = [
-          "10.7.6.205/32"
-          "fd00:fae:fae:fae:fae:205::/96"
-        ];
-      }
-      {
-        # biolimo
-        publicKey = "gnLq6KikFVVGxLxPW+3ZnreokEKLDoso+cUepPOZsBA=";
-        allowedIPs = [
-          "10.7.6.206/32"
-          "fd00:fae:fae:fae:fae:206::/96"
-        ];
-      }
    ];
  };

--- a/logins/default.nix
+++ b/logins/default.nix
@ -6,16 +6,19 @@ in
 {
  flake = {
    logins = {
-      admins = admins;
-      wireguardDevices = lib.lists.foldl (
-        wireguardDevices: adminConfig:
-        wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
-      ) [ ] (lib.attrsets.attrValues admins);
-      sshPubKeys = lib.lists.foldl (
-        sshPubKeys: adminConfig:
-        sshPubKeys
-        ++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
-      ) [ ] (lib.attrsets.attrValues admins);
+      admins =
+        lib.lists.foldl
+          (logins: adminConfig: {
+            sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
+            wireguardDevices =
+              logins.wireguardDevices
+              ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
+          })
+          {
+            sshPubKeys = [ ];
+            wireguardDevices = [ ];
+          }
+          (lib.attrsets.attrValues admins);
      robots.sshPubKeys = lib.attrsets.attrValues robots;
    };
  };
--- a/logins/robots.nix
+++ b/logins/robots.nix
@ -1,8 +1,6 @@
 {
  # Used for restic backups to droppie, a server run by @b12f
-  "root@droppie" =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
+  "root@droppie" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";

-  "hakkonaut" =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut";
+  "hakkonaut" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut";
 }
--- a/modules/backups/default.nix
+++ b/modules/backups/default.nix
@ -283,10 +283,8 @@ in

    # Used for pub-solar-os.backups.repos.storagebox
    programs.ssh.knownHosts = {
-      "u377325.your-storagebox.de".publicKey =
-        "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
-      "[u377325.your-storagebox.de]:23".publicKey =
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+      "u377325.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
+      "[u377325.your-storagebox.de]:23".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
    };
  };
 }
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -54,5 +54,9 @@
    };

    time.timeZone = "Etc/UTC";
+
+    home-manager.users.${config.pub-solar-os.authentication.username} = {
+      home.stateVersion = "23.05";
+    };
  };
 }
--- a/modules/core/terminal-tooling.nix
+++ b/modules/core/terminal-tooling.nix
@ -1,20 +1,9 @@
-{ flake, lib, ... }:
+{ flake, config, ... }:
 {
-  home-manager.users = (
-    lib.attrsets.foldlAttrs (
-      acc: name: value:
-      acc
-      // {
-        ${name} = {
+  home-manager.users.${config.pub-solar-os.authentication.username} = {
    programs.git.enable = true;
    programs.starship.enable = true;
-          programs.bash = {
-            enable = true;
-            historyControl = [
-              "ignoredups"
-              "ignorespace"
-            ];
-          };
+    programs.bash.enable = true;
    programs.neovim = {
      enable = true;
      vimAlias = true;
@ -28,6 +17,3 @@
    };
  };
 }
-    ) { } flake.self.logins.admins
-  );
-}
--- a/modules/core/users.nix
+++ b/modules/core/users.nix
@ -11,6 +11,18 @@
      inherit (lib) mkOption types;
    in
    {
+      username = mkOption {
+        description = "Username for the adminstrative user";
+        type = types.str;
+        default = flake.self.username;
+      };
+
+      sshPubKeys = mkOption {
+        description = "SSH Keys that should have administrative root access";
+        type = types.listOf types.str;
+        default = flake.self.logins.admins.sshPubKeys;
+      };
+
      root.initialHashedPassword = mkOption {
        description = "Hashed password of the root account";
        type = types.str;
@ -31,29 +43,22 @@
    };

  config = {
-    users.users =
-      (lib.attrsets.foldlAttrs (
-        acc: name: value:
-        acc
-        // {
-          ${name} = {
-            name = name;
-            group = name;
+    users.users.${config.pub-solar-os.authentication.username} = {
+      name = config.pub-solar-os.authentication.username;
+      group = config.pub-solar-os.authentication.username;
      extraGroups = [
        "wheel"
        "docker"
      ];
      isNormalUser = true;
-            openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
+      openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
    };
-        }
-      ) { } flake.self.logins.admins)
-      // {
-        # TODO: Remove when we stop locking ourselves out.
-        root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
-        root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
+    users.groups.${config.pub-solar-os.authentication.username} = { };

-        ${config.pub-solar-os.authentication.robot.username} = {
+    # TODO: Remove when we stop locking ourselves out.
+    users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+
+    users.users.${config.pub-solar-os.authentication.robot.username} = {
      description = "CI and automation user";
      home = "/home/${config.pub-solar-os.authentication.robot.username}";
      createHome = true;
@ -63,28 +68,11 @@
      isSystemUser = true;
      openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
    };
-      };

-    home-manager.users = (
-      lib.attrsets.foldlAttrs (
-        acc: name: value:
-        acc
-        // {
-          ${name} = {
-            home.stateVersion = "23.05";
-          };
-        }
-      ) { } flake.self.logins.admins
-    );
+    users.groups.${config.pub-solar-os.authentication.robot.username} = { };

-    users.groups =
-      (lib.attrsets.foldlAttrs (
-        acc: name: value:
-        acc // { "${name}" = { }; }
-      ) { } flake.self.logins.admins)
-      // {
-        ${config.pub-solar-os.authentication.robot.username} = { };
-      };
+    users.users.root.initialHashedPassword =
+      config.pub-solar-os.authentication.root.initialHashedPassword;

    security.sudo.wheelNeedsPassword = false;
  };
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@ -65,7 +65,6 @@

  services.forgejo = {
    enable = true;
-    package = pkgs.forgejo;
    user = "gitea";
    group = "gitea";
    database = {
@ -76,7 +75,7 @@
    };
    stateDir = "/var/lib/forgejo";
    lfs.enable = true;
-    secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path;
+    mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
    settings = {
      DEFAULT.APP_NAME = "pub.solar git server";

--- a/modules/grafana/default.nix
+++ b/modules/grafana/default.nix
@ -43,8 +43,7 @@
  services.nginx.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;
-    locations."/".proxyPass =
-      "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+    locations."/".proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
  };

  services.grafana = {
--- a/modules/keycloak/default.nix
+++ b/modules/keycloak/default.nix
@ -50,8 +50,7 @@
        hostname = "auth.${config.pub-solar-os.networking.domain}";
        http-host = "127.0.0.1";
        http-port = 8080;
-        proxy-headers = "xforwarded";
-        http-enabled = true;
+        proxy = "edge";
      };
      themes = {
        "pub.solar" =
--- a/modules/matrix-irc/default.nix
+++ b/modules/matrix-irc/default.nix
@ -16,16 +16,6 @@ let
  synapseClientPort = "${toString listenerWithClient.port}";
 in
 {
-  options.pub-solar-os = {
-    matrix.appservice-irc.mediaproxy = {
-      signingKeyPath = lib.mkOption {
-        description = "Path to file containing the IRC appservice mediaproxy signing key";
-        type = lib.types.str;
-        default = "/var/lib/matrix-appservice-irc/media-signingkey.jwk";
-      };
-    };
-  };
-  config = {
  services.matrix-appservice-irc = {
    enable = true;
    localpart = "irc_bot";
@ -35,6 +25,7 @@ in
      homeserver = {
        domain = "${config.pub-solar-os.networking.domain}";
        url = "http://127.0.0.1:${synapseClientPort}";
+        media_url = "https://matrix.${config.pub-solar-os.networking.domain}";
        enablePresence = false;
      };
      ircService = {
@ -52,13 +43,6 @@ in
        matrixHandler = {
          eventCacheSize = 4096;
        };
-          mediaProxy = {
-            signingKeyPath = config.pub-solar-os.matrix.appservice-irc.mediaproxy.signingKeyPath;
-            # keep media for 2 weeks
-            ttlSeconds = 1209600;
-            bindPort = 11111;
-            publicUrl = "https:///matrix.${config.pub-solar-os.networking.domain}/media";
-          };
        metrics = {
          enabled = true;
          remoteUserAgeBuckets = [
@ -140,5 +124,4 @@ in
      };
    };
  };
-  };
 }
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@ -32,6 +32,11 @@ in
          type = lib.types.str;
          default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key";
        };
+
+        sliding-sync.enable = lib.mkEnableOption {
+          description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+";
+          default = false;
+        };
      };

      matrix-authentication-service = {
@ -119,17 +124,6 @@ in
        enable_room_list_search = true;
        encryption_enabled_by_default_for_room_type = "off";
        event_cache_size = "100K";
-
-        # https://github.com/element-hq/synapse/issues/11203
-        # No YAML deep-merge, so this needs to be in secret extraConfigFiles
-        # together with msc3861
-        #experimental_features = {
-        #  # Room summary API
-        #  msc3266_enabled = true;
-        #  # Rendezvous server for QR Code generation
-        #  msc4108_enabled = true;
-        #};
-
        federation_rr_transactions_per_room_per_second = 50;
        federation_client_minimum_tls_version = "1.2";
        forget_rooms_on_leave = true;
@ -270,6 +264,19 @@ in
        user_ips_max_age = "28d";

        app_service_config_files = config.pub-solar-os.matrix.synapse.app-service-config-files;
+
+        modules = [
+          {
+            module = "matrix_http_rendezvous_synapse.SynapseRendezvousModule";
+            config = {
+              prefix = "/_synapse/client/org.matrix.msc3886/rendezvous";
+            };
+          }
+        ];
+
+        experimental_features = {
+          msc3886_endpoint = "/_synapse/client/org.matrix.msc3886/rendezvous";
+        };
      };

      withJemalloc = true;
@ -281,9 +288,14 @@ in
        "redis"
      ];

-      plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
+      plugins = with config.services.matrix-synapse.package.plugins; [
+        matrix-synapse-shared-secret-auth
+        matrix-http-rendezvous-synapse
+      ];
    };

+    systemd.services.matrix-synapse.environment.SYNAPSE_ASYNC_IO_REACTOR = "1";
+
    services.matrix-authentication-service = {
      enable = true;
      createDatabase = true;
@ -334,13 +346,24 @@ in
      };
    };

+    services.matrix-sliding-sync = {
+      enable = config.pub-solar-os.matrix.synapse.sliding-sync.enable;
+      settings = {
+        SYNCV3_SERVER = "https://${publicDomain}";
+        SYNCV3_BINDADDR = "127.0.0.1:8011";
+        # The bind addr for Prometheus metrics, which will be accessible at
+        # /metrics at this address
+        SYNCV3_PROM = "127.0.0.1:9100";
+      };
+      environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
+    };
+
    pub-solar-os.backups.restic.matrix-synapse = {
      paths = [
        "/var/lib/matrix-synapse"
        "/var/lib/matrix-appservice-irc"
        "/var/lib/mautrix-telegram"
        "/tmp/matrix-synapse-backup.sql"
-        "/tmp/matrix-authentication-service-backup.sql"
      ];
      timerConfig = {
        OnCalendar = "*-*-* 05:00:00 Etc/UTC";
@ -348,11 +371,9 @@ in
      initialize = true;
      backupPrepareCommand = ''
        ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
-        ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix-authentication-service > /tmp/matrix-authentication-service-backup.sql
      '';
      backupCleanupCommand = ''
        rm /tmp/matrix-synapse-backup.sql
-        rm /tmp/matrix-authentication-service-backup.sql
      '';
      pruneOpts = [
        "--keep-daily 7"
--- a/modules/mediawiki/default.nix
+++ b/modules/mediawiki/default.nix
@ -139,10 +139,6 @@ let
      // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
      $wgPluggableAuth_EnableAutoLogin = false;
      $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
-      // Avoid getting logged out after 30 minutes
-      // https://www.mediawiki.org/wiki/Topic:W4be4h6t63vf3y8p
-      // https://www.mediawiki.org/wiki/Manual:$wgRememberMe
-      $wgRememberMe = 'always';

      // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
      $wgPluggableAuth_Config[] = [
@ -215,7 +211,7 @@ in
      backend = "docker";

      containers."mediawiki" = {
-        image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.43.0";
+        image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.42.1";
        user = "1000:${builtins.toString gid}";
        autoStart = true;

--- a/modules/nextcloud/default.nix
+++ b/modules/nextcloud/default.nix
@ -2,7 +2,6 @@
  config,
  pkgs,
  flake,
-  lib,
  ...
 }:
 {
@ -23,32 +22,12 @@
    forceSSL = true;
  };

-  services.nextcloud =
-    let
-      exiftool_1270 = pkgs.perlPackages.buildPerlPackage rec {
-        # NOTE nextcloud-memories needs this specific version of exiftool
-        pname = "Image-ExifTool";
-        version = "12.70";
-        src = pkgs.fetchFromGitHub {
-          owner = "exiftool";
-          repo = "exiftool";
-          rev = version;
-          hash = "sha256-YMWYPI2SDi3s4KCpSNwovemS5MDj5W9ai0sOkvMa8Zg=";
-        };
-        nativeBuildInputs = lib.optional pkgs.stdenv.hostPlatform.isDarwin pkgs.shortenPerlShebang;
-        postInstall = lib.optionalString pkgs.stdenv.hostPlatform.isDarwin ''
-          shortenPerlShebang $out/bin/exiftool
-        '';
-      };
-    in
-    {
+  services.nextcloud = {
    hostName = "cloud.${config.pub-solar-os.networking.domain}";
    home = "/var/lib/nextcloud";

    enable = true;
-      # When updating package, remember to update nextcloud30Packages in
-      # services.nextcloud.extraApps
-      package = pkgs.nextcloud30;
+    package = pkgs.nextcloud29;
    https = true;
    secretFile = config.age.secrets."nextcloud-secrets".path; # secret
    maxUploadSize = "1G";
@ -66,6 +45,7 @@
      dbuser = "nextcloud";
      dbtype = "pgsql";
      dbname = "nextcloud";
+      dbtableprefix = "oc_";
    };

    settings = {
@ -93,39 +73,21 @@
      allow_local_remote_servers = true;

      enable_previews = true;
-        jpeg_quality = 60;
      enabledPreviewProviders = [
        "OC\\Preview\\PNG"
        "OC\\Preview\\JPEG"
        "OC\\Preview\\GIF"
        "OC\\Preview\\BMP"
-          "OC\\Preview\\HEIC"
-          "OC\\Preview\\TIFF"
        "OC\\Preview\\XBitmap"
-          "OC\\Preview\\SVG"
-          "OC\\Preview\\WebP"
-          "OC\\Preview\\Font"
        "OC\\Preview\\Movie"
-          "OC\\Preview\\ImaginaryPDF"
+        "OC\\Preview\\PDF"
        "OC\\Preview\\MP3"
-          "OC\\Preview\\OpenDocument"
-          "OC\\Preview\\Krita"
        "OC\\Preview\\TXT"
        "OC\\Preview\\MarkDown"
-          "OC\\Preview\\Imaginary"
      ];
-        preview_imaginary_url = "http://127.0.0.1:${toString config.services.imaginary.port}/";
-        preview_max_filesize_image = 128; # MB
-        preview_max_memory = 512; # MB
-        preview_max_x = 2048; # px
-        preview_max_y = 2048; # px
-        preview_max_scale_factor = 1;
-        "preview_ffmpeg_path" = lib.getExe pkgs.ffmpeg-headless;
-
-        "memories.exiftool_no_local" = false;
-        "memories.exiftool" = "${exiftool_1270}/bin/exiftool";
-        "memories.vod.ffmpeg" = lib.getExe pkgs.ffmpeg;
-        "memories.vod.ffprobe" = lib.getExe' pkgs.ffmpeg-headless "ffprobe";
+      preview_max_x = "1024";
+      preview_max_y = "768";
+      preview_max_scale_factor = "1";

      auth.bruteforce.protection.enabled = true;
      trashbin_retention_obligation = "auto,7";
@ -170,81 +132,10 @@
    };

    caching.redis = true;
-      appstoreEnable = true;
    autoUpdateApps.enable = true;
-      extraApps = {
-        inherit (pkgs.nextcloud30Packages.apps) memories previewgenerator recognize;
-      };
    database.createLocally = true;
  };

-  # https://docs.nextcloud.com/server/30/admin_manual/installation/server_tuning.html#previews
-  services.imaginary = {
-    enable = true;
-    address = "127.0.0.1";
-    settings.return-size = true;
-  };
-
-  systemd = {
-    services =
-      let
-        occ = "/run/current-system/sw/bin/nextcloud-occ";
-      in
-      {
-        nextcloud-cron-preview-generator = {
-          environment.NEXTCLOUD_CONFIG_DIR = "${config.services.nextcloud.home}/config";
-          serviceConfig = {
-            ExecStart = "${occ} preview:pre-generate";
-            Type = "oneshot";
-            User = "nextcloud";
-          };
-        };
-
-        nextcloud-preview-generator-setup = {
-          wantedBy = [ "multi-user.target" ];
-          requires = [ "phpfpm-nextcloud.service" ];
-          after = [ "phpfpm-nextcloud.service" ];
-          environment.NEXTCLOUD_CONFIG_DIR = "${config.services.nextcloud.home}/config";
-          script = # bash
-            ''
-              # check with:
-              # for size in squareSizes widthSizes heightSizes; do echo -n "$size: "; nextcloud-occ config:app:get previewgenerator $size; done
-
-              # extra commands run for preview generator:
-              # 32   icon file list
-              # 64   icon file list android app, photos app
-              # 96   nextcloud client VFS windows file preview
-              # 256  file app grid view, many requests
-              # 512  photos app tags
-              ${occ} config:app:set --value="32 64 96 256 512" previewgenerator squareSizes
-
-              # 341 hover in maps app
-              # 1920 files/photos app when viewing picture
-              ${occ} config:app:set --value="341 1920" previewgenerator widthSizes
-
-              # 256 hover in maps app
-              # 1080 files/photos app when viewing picture
-              ${occ} config:app:set --value="256 1080" previewgenerator heightSizes
-            '';
-          serviceConfig = {
-            Type = "oneshot";
-            User = "nextcloud";
-          };
-        };
-      };
-    timers.nextcloud-cron-preview-generator = {
-      after = [ "nextcloud-setup.service" ];
-      timerConfig = {
-        OnCalendar = "*:0/10";
-        OnUnitActiveSec = "9m";
-        Persistent = true;
-        RandomizedDelaySec = 60;
-        Unit = "nextcloud-cron-preview-generator.service";
-      };
-      wantedBy = [ "timers.target" ];
-    };
-  };
-
  services.restic.backups.nextcloud-storagebox = {
    paths = [
      "/var/lib/nextcloud/data"
--- a/modules/nginx-matrix/default.nix
+++ b/modules/nginx-matrix/default.nix
@ -24,6 +24,14 @@ let
      secure_backup_required = false;
      secure_backup_setup_methods = [ ];
    };
+    "m.integrations" = {
+      managers = [
+        {
+          api_url = "https://dimension.${domain}/api/v1/scalar";
+          ui_url = "https://dimension.${domain}/element";
+        }
+      ];
+    };
  };
  wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; };
  wellKnownSupport = {
@ -120,13 +128,6 @@ in
          extraConfig = commonHeaders;
        };

-        # For IRC appservice media proxy
-        "/media" = {
-          priority = 100;
-          proxyPass = "http://127.0.0.1:${toString (config.services.matrix-appservice-irc.settings.ircService.mediaProxy.bindPort)}";
-          extraConfig = commonHeaders;
-        };
-
        # Forward to the auth service
        "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
          priority = 100;
--- a/modules/nginx-matrix/element-client-config.nix
+++ b/modules/nginx-matrix/element-client-config.nix
@ -50,15 +50,4 @@
    # FUTUREWORK: Replace with pub.solar logo
    auth_header_logo_url = "themes/element/img/logos/element-logo.svg";
  };
-  # Enable Element Call Beta
-  features = {
-    feature_video_rooms = true;
-    feature_group_calls = true;
-    feature_element_call_video_rooms = true;
-  };
-  element_call = {
-    url = "https://call.element.io";
-    participant_limit = 50;
-    brand = "Element Call";
-  };
 }
--- a/modules/unlock-luks-on-boot/default.nix
+++ b/modules/unlock-luks-on-boot/default.nix
@ -10,7 +10,7 @@

      # Please create this manually the first time.
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-      authorizedKeys = flake.self.logins.sshPubKeys;
+      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
    };
    postCommands = ''
      # Automatically ask for the password on SSH login
--- a/modules/unlock-zfs-on-boot/default.nix
+++ b/modules/unlock-zfs-on-boot/default.nix
@ -11,7 +11,7 @@

      # Please create this manually the first time.
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-      authorizedKeys = flake.self.logins.sshPubKeys;
+      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
    };
    # this will automatically load the zfs password prompt on login
    # and kill the other prompt so boot can continue
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -1,7 +1,7 @@
-{ inputs, ... }:
+{ self, inputs, ... }:
 {
  flake = {
-    nixosModules = {
+    nixosModules = rec {
      overlays = (
        { ... }:
        {
@ -12,11 +12,12 @@
                unstable = import inputs.unstable { system = prev.system; };
              in
              {
-                matrix-authentication-service = unstable.matrix-authentication-service;
                element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
                element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
                  inherit (inputs) element-stickers maunium-stickerpicker;
                };
+                mastodon = unstable.mastodon;
+                matrix-authentication-service = unstable.matrix-authentication-service;
              }
            )
          ];
--- a/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age
+++ b/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age
--- a/secrets/matrix-synapse-secret-config.yaml.age
+++ b/secrets/matrix-synapse-secret-config.yaml.age
--- a/secrets/matrix-synapse-sliding-sync-secret.age
+++ b/secrets/matrix-synapse-sliding-sync-secret.age
@ -0,0 +1,45 @@
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg GPTqfaZZC6ze7BUkT1uF4VslvE29BFKm0+AlJk+DKQQ
+GxI7erqw8p3GrCArh5vZOiTmYh40DVisCphNyFhNTqM
+-> ssh-ed25519 uYcDNw oo52Nh9BCO5NNF0YyzracKfvMifSiREsxyQqiRZ6WTs
+JvqwRX5yOMtEYgWyc7dIQs85wDghMRHQCIi6t5QxIwo
+-> ssh-rsa f5THog
+w+B5hc0E9u1fFWNNPaTtPmJfPJWUBbRwHYK/T69g2ORNfaBYynl0LL4vSUs8o9Gw
+rwBY+cLpth6e4tS819H5C7HtvT47KR3KF8JLxVjA2mbVO83+BnWFjThjYB452CdI
+KZvQQPhkSH/43YF6pjxnQjNWB/wroScyjGVtUamcij7YHxt71z0AAnyqE5PgWEc6
+6/ao5gLfTKhcWpxkTTz8LHn05s9IppXywDrvpwtJaU8LKgJT2H6Epsaci348lG+I
+tAZYODhQqP+yKl92DZbuQQCjxH5CJfhdBs2ZR63hQPj9OrIFRjLg4V+1gdcxzAuz
+9FwwIeLq3uxWXPdwTRR8RUsHEGhKMcVty4PkW0vlt+VwZrZBhdz3k+ApVG7Jvclz
+MPZYLzKC0DiODqPuA23ye6suFRCHXYfq3ZyCIIN6wOci0X0crSr9ZXW4M8R7aWaZ
+XDeZRaUgvd54WI0HZhVWBvJQyswgUXf+/RkS4aI8IgnNV801x12h+mTdWX9BC/cD
+YRIWBnGkfTX4WM4OEE2VEgqSDuKl/90o2LFIquIIJULVd2Vs5C2S8FhJcsT7+HmL
+TFWnLeIfGbw7RDUeH0c/Bbg9NK11SZF0/VdRZcBQ/zIXBMBlL1EZsH1HfIfhKISN
+PyHFB5kfmuVIBhDXgtDdgjKfDmQL9/9Aq1U4ZMBcUKA
+-> ssh-rsa kFDS0A
+KysKtr7wrKKJ8w+Dj7qjJstyXtKIw9weFi9oVwJkMvy2utn+JARs7puh7KC27TXC
+slZJrHf4vx+y8qSjRS0W4z8CPl8/auiYOilepT9JoxwGUP7J/nTr5SCofgWcdZm5
+FtgHoCcABjzcF+mrKUofuqrx6oYSDCS0JkV2tClQI6ybXnjRwIIicLmBN9UDHCuU
+9ZOesYp5XrJyBoD3Zv51b19xJyOfuWAUQvlNPRH2TpgvisutpESU/o869z5AMn4Z
+BfDD/0oR1ALbk/sB3r13Xi6oJZAB2AbggoQRlwvPeWc3MdS+bFNV2o2ue0ov6Fkd
+U5C/GnJVlyE0cv9I+YvxtLT6T/Gf/yoUZGfB7xD5QkHpMIEmKxUYqGNBB/NcnFMY
+Tal8jMDtZDEk+uk0MahE7GsL6Z3xrkKTevG+Rr3j+beFYie2RJbNwwUyQ1lL3EoA
+Rx1AMk+nYlvxVHiciYJNh9nffgAXXwO255IkWvYzmuPBEP1LmqadA4fQPf5Rgj3u
+DuOX3hJ+rIyRIoDXOZio3SDf+bb380xCxF+7efJ27Ep0sFviAq5qKeptbyt51Dp8
+tlbeYAylhVbV9Zgd+EozwE7Btlfqt3sbUij/0Iy+BdOYSPLmvx3oKybpipZ0i3fo
+KR/bZHlMKF1Ipd5L7zEwh5aTjImuomoyRyZG3NWdv44
+-> piv-p256 vRzPNw A7FwWUuml/VyHcOmha3R/DOg1RvnRXcwjaJJH/sgmsBR
+CP1/qY8sHbR7nkFl1T5HPsjYLRPDCSR01DEJaim96o
+-> piv-p256 zqq/iw AgYhaJWqe+QbVCHkXsU7AQhWhte/fjwVbOgmHVRPHsEE
+7jNmDI62i/9RakJhbo3MP0qMgXYGlhAW9BKo8HLWQYc
+-> ssh-ed25519 YFSOsg cGPMyhqcd20TDBeMkSDJ8hQ/vE9cuDgVi1hfcwAKVjw
+U9GRSr607w5oUGr0rC6XqdWMD65JidY/Ri3Ex1dmGXI
+-> ssh-ed25519 iHV63A cW7bblsvL1TwI6lp8KjPfUwB5EzWilLhc6Z2geE3SQw
+PzBdZ/LXA7iGI7ZjErredqC7ehHsr5MCY3qENv0nZI8
+-> ssh-ed25519 BVsyTA AGDqp6Rrp2vStBU9+eJMGf5O4SZQIASE63n8vbf8PEs
+SFakjoivQrFkSUBGZ9sISKVhAxNOpc2RxugiBTSK9/k
+-> ssh-ed25519 +3V2lQ MmMv45CQFAdgkV/B7InOY22iXzvIU8TY41SV5Jxx7RQ
+vNIRE5wSXVzy4miZLV90T1TEOhOjYQT12GWtZpsTxJ8
+--- EBBXvYr1OpETpgXOsUfJn6h1e4rXF+olz6DbhDUWCcw
+.Œ
+ösÊ~¦—åHÍ¯k‘	2 ¦À9<C380>¶§Bz¤¨?°3ëþTÇJ`§gº¦P°çioÙÜr<C39C>Š€" ØÝöwÒs-K€6©òšfÝ
+ß0XÎŒvù‘Xª&£8
š¶gÐ=ÄzrH¥jh>
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -67,14 +67,12 @@ in
  "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
  "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
  "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
  "matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys;
-  "matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys = nachtigallKeys ++ adminKeys;

  "staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys;
  "staging-matrix-authentication-service-secret-config.yml.age".publicKeys =
    undergroundKeys ++ adminKeys;
-  "staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys =
-    undergroundKeys ++ adminKeys;

  "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
  "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;
--- a/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age
+++ b/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age
--- a/secrets/staging-matrix-synapse-secret-config.yaml.age
+++ b/secrets/staging-matrix-synapse-secret-config.yaml.age
--- a/tests/keycloak.nix
+++ b/tests/keycloak.nix
@ -46,7 +46,6 @@ in

      systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];

-      virtualisation.cores = 1;
      virtualisation.memorySize = 4096;

      pub-solar-os.auth = {
@ -67,7 +66,7 @@ in
  testScript =
    { nodes, ... }:
    let
-      user = nodes.client.users.users.b12f;
+      user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
      #uid = toString user.uid;
      bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
      gdbus = "${bus} gdbus";
@ -82,8 +81,6 @@ in
      nachtigall.succeed("ping 127.0.0.1 -c 2")
      nachtigall.wait_for_unit("nginx.service")
      nachtigall.wait_for_unit("keycloak.service")
-      nachtigall.wait_for_open_port(8080)
-      nachtigall.wait_for_open_port(443)
      nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/")
      nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/")

--- a/tests/support/client.nix
+++ b/tests/support/client.nix
@ -11,7 +11,7 @@
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;
  services.xserver.displayManager.autoLogin.enable = true;
-  services.xserver.displayManager.autoLogin.user = "b12f";
+  services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;

  systemd.user.services = {
    "org.gnome.Shell@wayland" = {
--- a/tests/website.nix
+++ b/tests/website.nix
@ -31,7 +31,6 @@
        ./support/global.nix
      ];

-      virtualisation.cores = 1;
      virtualisation.memorySize = 4096;

      networking.interfaces.eth0.ipv4.addresses = [
@ -49,14 +48,12 @@
    acme_server.wait_for_unit("system.slice")
    acme_server.wait_for_unit("step-ca.service")
    acme_server.succeed("ping ca.test.pub.solar -c 2")
-    acme_server.wait_for_open_port(443)
    acme_server.wait_until_succeeds("curl 127.0.0.1:443")

    nachtigall.wait_for_unit("system.slice")
    nachtigall.succeed("ping test.pub.solar -c 2")
    nachtigall.succeed("ping ca.test.pub.solar -c 2")
    nachtigall.wait_for_unit("nginx.service")
-    nachtigall.wait_for_open_port(443, "test.pub.solar")
    nachtigall.wait_until_succeeds("curl https://test.pub.solar/")
  '';
 }
Author	SHA1	Message	Date
teutat3s	a59e57c532	style: format using nixfmt-rfc-style All checks were successful Flake checks / Check (pull_request) Successful in 25m28s Details	2024-11-20 15:49:31 +01:00
Akshay Mankar	56f987e424	matrix: Enable rendezvous server Some checks failed Flake checks / Check (pull_request) Failing after 32s Details This will allow sign-in and device verification using QR codes	2024-11-20 17:15:41 +05:30