feat: format and fix noisebell config

2026-03-23 00:04:46 -07:00 · 2026-03-23 00:04:46 -07:00 · d0b29c1244
commit d0b29c1244
parent 3e78c835cc
10 changed files with 211 additions and 101 deletions
--- a/agenix.nix
+++ b/agenix.nix
@ -1,13 +1,38 @@
 let
  server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAING219cDKTDLaZefmqvOHfXvYloA/ErsCGE0pM022vlB";
  jet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu";
-in {
+in
-  "secrets/forgejo-db.age".publicKeys = [ server jet ];
+{
-  "secrets/stalwart-admin.age".publicKeys = [ server jet ];
+  "secrets/forgejo-db.age".publicKeys = [
-  "secrets/searx-env.age".publicKeys = [ server jet ];
+    server
-  "secrets/tailscale-key.age".publicKeys = [ server jet ];
+    jet
-  "secrets/grafana-secret.age".publicKeys = [ server jet ];
+  ];
-  "secrets/matrix-macaroon.age".publicKeys = [ server jet ];
+  "secrets/stalwart-admin.age".publicKeys = [
-  "secrets/ntfy-admin-hash.age".publicKeys = [ server jet ];
+    server
-  "secrets/mymx-webhook.age".publicKeys = [ server jet ];
+    jet
  ];
  "secrets/searx-env.age".publicKeys = [
    server
    jet
  ];
  "secrets/tailscale-key.age".publicKeys = [
    server
    jet
  ];
  "secrets/grafana-secret.age".publicKeys = [
    server
    jet
  ];
  "secrets/matrix-macaroon.age".publicKeys = [
    server
    jet
  ];
  "secrets/ntfy-admin-hash.age".publicKeys = [
    server
    jet
  ];
  "secrets/mymx-webhook.age".publicKeys = [
    server
    jet
  ];
 }
--- a/configuration.nix
+++ b/configuration.nix
@ -1,4 +1,9 @@
-{ config, pkgs, modulesPath, ... }:
+{
  config,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
@ -19,13 +24,25 @@
  # Agenix secrets
  age.secrets = {
    forgejo-db.file = ./secrets/forgejo-db.age;
-    stalwart-admin = { file = ./secrets/stalwart-admin.age; owner = "stalwart-mail"; };
+    stalwart-admin = {
      file = ./secrets/stalwart-admin.age;
      owner = "stalwart-mail";
    };
    searx-env.file = ./secrets/searx-env.age;
    tailscale-key.file = ./secrets/tailscale-key.age;
-    grafana-secret = { file = ./secrets/grafana-secret.age; owner = "grafana"; };
+    grafana-secret = {
-    matrix-macaroon = { file = ./secrets/matrix-macaroon.age; owner = "matrix-synapse"; };
+      file = ./secrets/grafana-secret.age;
      owner = "grafana";
    };
    matrix-macaroon = {
      file = ./secrets/matrix-macaroon.age;
      owner = "matrix-synapse";
    };
    ntfy-admin-hash.file = ./secrets/ntfy-admin-hash.age;
-    mymx-webhook = { file = ./secrets/mymx-webhook.age; owner = "mymx"; };
+    mymx-webhook = {
      file = ./secrets/mymx-webhook.age;
      owner = "mymx";
    };
  };
  # Bootloader
@ -35,13 +52,16 @@
  # Networking
  networking.hostName = "extremist-software";
-  networking.firewall.allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS
+  networking.firewall.allowedTCPPorts = [
-  
+    22
    80
    443
  ]; # SSH, HTTP, HTTPS
  # Tailscale
  services.tailscale.enable = true;
  # We assume the user will authenticate manually or via a one-time key service
  # For now, let's enable it and allow the user to run `tailscale up` or provision via key
-  
+
  # Users
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"
@ -52,10 +72,12 @@
    enable = true;
    settings.PasswordAuthentication = false;
    settings.PermitRootLogin = "prohibit-password";
-    hostKeys = [{
+    hostKeys = [
-      path = "/etc/ssh/ssh_host_ed25519_key";
+      {
-      type = "ed25519";
+        path = "/etc/ssh/ssh_host_ed25519_key";
-    }];
+        type = "ed25519";
      }
    ];
  };
  # Fail2ban
@ -94,7 +116,10 @@
  # System
  system.stateVersion = "24.05";
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  nix.settings.max-jobs = "auto";
  nix.settings.cores = 0;
  services.postgresql.package = pkgs.postgresql_15;
@ -105,19 +130,19 @@
  # ZRAM for limited RAM
  zramSwap.enable = true;
-  zramSwap.memoryPercent = 50; 
+  zramSwap.memoryPercent = 50;
  services.tailscale.authKeyFile = config.age.secrets.tailscale-key.path;
  # MyMX
-  services.jetpham-website.enable = true;
+  services.jetpham-website.enable = false;
-  services.jetpham-website.tor.enable = true;
+  services.jetpham-website.tor.enable = false;
  services.mymx = {
    enable = true;
    webhookSecretFile = config.age.secrets.mymx-webhook.path;
  };
-  
+
  # Allow Tailscale traffic
  networking.firewall.trustedInterfaces = [ "tailscale0" ];
  # Required for Tailscale subnet routing and exit nodes, and often helpful for connectivity
--- a/flake.nix
+++ b/flake.nix
@ -23,50 +23,59 @@
    agenix.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs = { self, nixpkgs, disko, ... }@inputs: {
+  outputs =
-    nixosConfigurations.extremist-software = nixpkgs.lib.nixosSystem {
+    {
-      system = "x86_64-linux";
+      self,
-      specialArgs = { inherit inputs; };
+      nixpkgs,
-      modules = [
+      disko,
-        disko.nixosModules.disko
+      ...
-        inputs.mymx.nixosModules.default
+    }@inputs:
-        inputs.website.nixosModules.default
+    {
-        inputs.agenix.nixosModules.default
+      nixosConfigurations.extremist-software = nixpkgs.lib.nixosSystem {
-        inputs.noisebell.nixosModules.default
+        system = "x86_64-linux";
-        inputs.noisepics.nixosModules.default
+        specialArgs = { inherit inputs; };
        modules = [
          disko.nixosModules.disko
          inputs.mymx.nixosModules.default
          inputs.website.nixosModules.default
          inputs.agenix.nixosModules.default
          inputs.noisebell.nixosModules.default
          inputs.noisepics.nixosModules.default
-        ./disk-config.nix
+          ./disk-config.nix
-        ./configuration.nix
+          ./configuration.nix
-      ];
+        ];
-    };
+      };
-    devShells.x86_64-linux.default = let
+      devShells.x86_64-linux.default =
-      pkgs = nixpkgs.legacyPackages.x86_64-linux;
+        let
-      deploy = pkgs.writeShellScriptBin "nhs" ''
+          pkgs = nixpkgs.legacyPackages.x86_64-linux;
-        nh os switch --hostname extremist-software --target-host root@extremist-software path:. "$@"
+          deploy = pkgs.writeShellScriptBin "nhs" ''
-      '';
+            nh os switch --hostname extremist-software --target-host root@extremist-software path:. "$@"
-      check-secrets = pkgs.writeShellScriptBin "check-secrets" ''
+          '';
-        set -euo pipefail
+          check-secrets = pkgs.writeShellScriptBin "check-secrets" ''
-        failed=0
+            set -euo pipefail
-        for f in secrets/*.age; do
+            failed=0
-          last=$(agenix -d "$f" | tail -c 1 | od -An -tx1 | tr -d ' \n')
+            for f in secrets/*.age; do
-          if [ "$last" = "0a" ]; then
+              last=$(agenix -d "$f" | tail -c 1 | od -An -tx1 | tr -d ' \n')
-            echo "FAIL: $f has trailing newline"
+              if [ "$last" = "0a" ]; then
-            failed=1
+                echo "FAIL: $f has trailing newline"
-          fi
+                failed=1
-        done
+              fi
-        if [ "$failed" -eq 0 ]; then
+            done
-          echo "All secrets OK: no trailing newlines"
+            if [ "$failed" -eq 0 ]; then
-        fi
+              echo "All secrets OK: no trailing newlines"
-        exit $failed
+            fi
-      '';
+            exit $failed
-    in pkgs.mkShell {
+          '';
-      packages = [
+        in
-        pkgs.nh
+        pkgs.mkShell {
-        inputs.agenix.packages.x86_64-linux.default
+          packages = [
-        deploy
+            pkgs.nh
-        check-secrets
+            inputs.agenix.packages.x86_64-linux.default
-      ];
+            deploy
            check-secrets
          ];
        };
    };
  };
 }
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@ -43,7 +43,7 @@
          }
        '';
      };
-      
+
      "git.extremist.software" = {
        extraConfig = ''
          rate_limit {
@ -102,7 +102,7 @@
          reverse_proxy localhost:3001 # Grafana
        '';
      };
- 
+
      "uptime.extremist.software" = {
        extraConfig = ''
          rate_limit {
@ -129,7 +129,6 @@
        '';
      };
      "matrix.extremist.software" = {
        extraConfig = ''
          rate_limit {
--- a/modules/mail.nix
+++ b/modules/mail.nix
@ -5,7 +5,7 @@
    enable = true;
    # Let stalwart open its own ports if needed for the main services
    openFirewall = true;
-    
+
    settings = {
      server = {
        hostname = "extremist.software";
@ -40,7 +40,7 @@
        cert = "%{file:/var/lib/acme/extremist.software/fullchain.pem}%";
        private-key = "%{file:/var/lib/acme/extremist.software/key.pem}%";
      };
-      
+
      authentication.fallback-admin = {
        user = "admin";
        secret = "%{file:/run/agenix/stalwart-admin}%";
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@ -7,7 +7,7 @@
    settings = {
      server_name = "extremist.software";
      public_baseurl = "https://matrix.extremist.software";
-      
+
      listeners = [
        {
          port = 8008;
@ -17,13 +17,16 @@
          x_forwarded = true;
          resources = [
            {
-              names = [ "client" "federation" ];
+              names = [
                "client"
                "federation"
              ];
              compress = false;
            }
          ];
        }
      ];
-      
+
      enable_registration = false;
      database = {
        name = "psycopg2";
@ -42,10 +45,11 @@
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "matrix-synapse" ];
-    ensureUsers = [{
+    ensureUsers = [
-      name = "matrix-synapse";
+      {
-      ensureDBOwnership = true;
+        name = "matrix-synapse";
-    }];
+        ensureDBOwnership = true;
      }
    ];
  };
 }
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@ -15,9 +15,11 @@
    scrapeConfigs = [
      {
        job_name = "node";
-        static_configs = [{
+        static_configs = [
-          targets = [ "127.0.0.1:9100" ];
+          {
-        }];
+            targets = [ "127.0.0.1:9100" ];
          }
        ];
      }
    ];
  };
--- a/modules/noisebell.nix
+++ b/modules/noisebell.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
  services.noisebell-cache = {
@ -6,6 +6,12 @@
    port = 3005;
    domain = "noisebell.extremist.software";
    piAddress = "http://noisebell-pi";
    outboundWebhooks = [
      {
        url = "http://127.0.0.1:3004/webhook";
        secretFile = config.age.secrets.noisebell-discord-webhook-secret.path;
      }
    ];
  };
  services.noisebell-discord = {
--- a/modules/ntfy.nix
+++ b/modules/ntfy.nix
@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
  config,
  pkgs,
  lib,
  ...
 }:
 {
  services.ntfy-sh = {
@ -19,13 +24,15 @@
  # Patch the generated config at runtime to inject the admin bcrypt hash
  systemd.services.ntfy-sh = {
    serviceConfig.RuntimeDirectory = "ntfy-sh";
-    serviceConfig.ExecStartPre = let
+    serviceConfig.ExecStartPre =
-      script = pkgs.writeShellScript "ntfy-patch-config" ''
+      let
-        cp /etc/ntfy/server.yml /run/ntfy-sh/server.yml
+        script = pkgs.writeShellScript "ntfy-patch-config" ''
-        HASH=$(cat ${config.age.secrets.ntfy-admin-hash.path})
+          cp /etc/ntfy/server.yml /run/ntfy-sh/server.yml
-        printf '\nauth-users:\n  - "jet:%s:admin"\n' "$HASH" >> /run/ntfy-sh/server.yml
+          HASH=$(cat ${config.age.secrets.ntfy-admin-hash.path})
-      '';
+          printf '\nauth-users:\n  - "jet:%s:admin"\n' "$HASH" >> /run/ntfy-sh/server.yml
-    in [ "+${script}" ];
+        '';
      in
      [ "+${script}" ];
    serviceConfig.ExecStart = lib.mkForce "${pkgs.ntfy-sh}/bin/ntfy serve --config /run/ntfy-sh/server.yml";
  };
 }
--- a/modules/searx.nix
+++ b/modules/searx.nix
@ -16,15 +16,48 @@
        request_timeout = 1.5;
      };
      ui = {
-        categories_as_tabs = [ "general" "images" ];
+        categories_as_tabs = [
          "general"
          "images"
        ];
      };
      engines = [
-        { name = "google"; engine = "google"; categories = "general"; disabled = false; }
+        {
-        { name = "wikipedia"; engine = "wikipedia"; categories = "general"; disabled = false; }
+          name = "google";
-        { name = "google images"; engine = "google_images"; categories = "images"; disabled = false; }
+          engine = "google";
-        { name = "duckduckgo images"; engine = "duckduckgo_images"; categories = "images"; disabled = false; }
+          categories = "general";
-        { name = "bing images"; engine = "bing_images"; categories = "images"; disabled = false; }
+          disabled = false;
-        { name = "qwant images"; engine = "qwant_images"; categories = "images"; disabled = false; }
+        }
        {
          name = "wikipedia";
          engine = "wikipedia";
          categories = "general";
          disabled = false;
        }
        {
          name = "google images";
          engine = "google_images";
          categories = "images";
          disabled = false;
        }
        {
          name = "duckduckgo images";
          engine = "duckduckgo_images";
          categories = "images";
          disabled = false;
        }
        {
          name = "bing images";
          engine = "bing_images";
          categories = "images";
          disabled = false;
        }
        {
          name = "qwant images";
          engine = "qwant_images";
          categories = "images";
          disabled = false;
        }
      ];
    };
  };