feat: format and fix noisebell config

2026-03-23 00:04:46 -07:00 · 2026-03-23 00:04:46 -07:00 · d0b29c1244
commit d0b29c1244
parent 3e78c835cc
10 changed files with 211 additions and 101 deletions
--- a/agenix.nix
+++ b/agenix.nix
@ -1,13 +1,38 @@
 let
  server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAING219cDKTDLaZefmqvOHfXvYloA/ErsCGE0pM022vlB";
  jet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu";
-in {
-  "secrets/forgejo-db.age".publicKeys = [ server jet ];
-  "secrets/stalwart-admin.age".publicKeys = [ server jet ];
-  "secrets/searx-env.age".publicKeys = [ server jet ];
-  "secrets/tailscale-key.age".publicKeys = [ server jet ];
-  "secrets/grafana-secret.age".publicKeys = [ server jet ];
-  "secrets/matrix-macaroon.age".publicKeys = [ server jet ];
-  "secrets/ntfy-admin-hash.age".publicKeys = [ server jet ];
-  "secrets/mymx-webhook.age".publicKeys = [ server jet ];
+in
+{
+  "secrets/forgejo-db.age".publicKeys = [
+    server
+    jet
+  ];
+  "secrets/stalwart-admin.age".publicKeys = [
+    server
+    jet
+  ];
+  "secrets/searx-env.age".publicKeys = [
+    server
+    jet
+  ];
+  "secrets/tailscale-key.age".publicKeys = [
+    server
+    jet
+  ];
+  "secrets/grafana-secret.age".publicKeys = [
+    server
+    jet
+  ];
+  "secrets/matrix-macaroon.age".publicKeys = [
+    server
+    jet
+  ];
+  "secrets/ntfy-admin-hash.age".publicKeys = [
+    server
+    jet
+  ];
+  "secrets/mymx-webhook.age".publicKeys = [
+    server
+    jet
+  ];
 }
--- a/configuration.nix
+++ b/configuration.nix
@ -1,4 +1,9 @@
-{ config, pkgs, modulesPath, ... }:
+{
+  config,
+  pkgs,
+  modulesPath,
+  ...
+}:

 {
  imports = [
@ -19,13 +24,25 @@
  # Agenix secrets
  age.secrets = {
    forgejo-db.file = ./secrets/forgejo-db.age;
-    stalwart-admin = { file = ./secrets/stalwart-admin.age; owner = "stalwart-mail"; };
+    stalwart-admin = {
+      file = ./secrets/stalwart-admin.age;
+      owner = "stalwart-mail";
+    };
    searx-env.file = ./secrets/searx-env.age;
    tailscale-key.file = ./secrets/tailscale-key.age;
-    grafana-secret = { file = ./secrets/grafana-secret.age; owner = "grafana"; };
-    matrix-macaroon = { file = ./secrets/matrix-macaroon.age; owner = "matrix-synapse"; };
+    grafana-secret = {
+      file = ./secrets/grafana-secret.age;
+      owner = "grafana";
+    };
+    matrix-macaroon = {
+      file = ./secrets/matrix-macaroon.age;
+      owner = "matrix-synapse";
+    };
    ntfy-admin-hash.file = ./secrets/ntfy-admin-hash.age;
-    mymx-webhook = { file = ./secrets/mymx-webhook.age; owner = "mymx"; };
+    mymx-webhook = {
+      file = ./secrets/mymx-webhook.age;
+      owner = "mymx";
+    };
  };

  # Bootloader
@ -35,8 +52,11 @@

  # Networking
  networking.hostName = "extremist-software";
-  networking.firewall.allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS
-  
+  networking.firewall.allowedTCPPorts = [
+    22
+    80
+    443
+  ]; # SSH, HTTP, HTTPS
  # Tailscale
  services.tailscale.enable = true;
  # We assume the user will authenticate manually or via a one-time key service
@ -52,10 +72,12 @@
    enable = true;
    settings.PasswordAuthentication = false;
    settings.PermitRootLogin = "prohibit-password";
-    hostKeys = [{
-      path = "/etc/ssh/ssh_host_ed25519_key";
-      type = "ed25519";
-    }];
+    hostKeys = [
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
  };

  # Fail2ban
@ -94,7 +116,10 @@

  # System
  system.stateVersion = "24.05";
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
  nix.settings.max-jobs = "auto";
  nix.settings.cores = 0;
  services.postgresql.package = pkgs.postgresql_15;
@ -110,8 +135,8 @@
  services.tailscale.authKeyFile = config.age.secrets.tailscale-key.path;

  # MyMX
-  services.jetpham-website.enable = true;
-  services.jetpham-website.tor.enable = true;
+  services.jetpham-website.enable = false;
+  services.jetpham-website.tor.enable = false;

  services.mymx = {
    enable = true;
--- a/flake.nix
+++ b/flake.nix
@ -23,50 +23,59 @@
    agenix.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = { self, nixpkgs, disko, ... }@inputs: {
-    nixosConfigurations.extremist-software = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      specialArgs = { inherit inputs; };
-      modules = [
-        disko.nixosModules.disko
-        inputs.mymx.nixosModules.default
-        inputs.website.nixosModules.default
-        inputs.agenix.nixosModules.default
-        inputs.noisebell.nixosModules.default
-        inputs.noisepics.nixosModules.default
+  outputs =
+    {
+      self,
+      nixpkgs,
+      disko,
+      ...
+    }@inputs:
+    {
+      nixosConfigurations.extremist-software = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
+        modules = [
+          disko.nixosModules.disko
+          inputs.mymx.nixosModules.default
+          inputs.website.nixosModules.default
+          inputs.agenix.nixosModules.default
+          inputs.noisebell.nixosModules.default
+          inputs.noisepics.nixosModules.default

-        ./disk-config.nix
-        ./configuration.nix
-      ];
-    };
+          ./disk-config.nix
+          ./configuration.nix
+        ];
+      };

-    devShells.x86_64-linux.default = let
-      pkgs = nixpkgs.legacyPackages.x86_64-linux;
-      deploy = pkgs.writeShellScriptBin "nhs" ''
-        nh os switch --hostname extremist-software --target-host root@extremist-software path:. "$@"
-      '';
-      check-secrets = pkgs.writeShellScriptBin "check-secrets" ''
-        set -euo pipefail
-        failed=0
-        for f in secrets/*.age; do
-          last=$(agenix -d "$f" | tail -c 1 | od -An -tx1 | tr -d ' \n')
-          if [ "$last" = "0a" ]; then
-            echo "FAIL: $f has trailing newline"
-            failed=1
-          fi
-        done
-        if [ "$failed" -eq 0 ]; then
-          echo "All secrets OK: no trailing newlines"
-        fi
-        exit $failed
-      '';
-    in pkgs.mkShell {
-      packages = [
-        pkgs.nh
-        inputs.agenix.packages.x86_64-linux.default
-        deploy
-        check-secrets
-      ];
+      devShells.x86_64-linux.default =
+        let
+          pkgs = nixpkgs.legacyPackages.x86_64-linux;
+          deploy = pkgs.writeShellScriptBin "nhs" ''
+            nh os switch --hostname extremist-software --target-host root@extremist-software path:. "$@"
+          '';
+          check-secrets = pkgs.writeShellScriptBin "check-secrets" ''
+            set -euo pipefail
+            failed=0
+            for f in secrets/*.age; do
+              last=$(agenix -d "$f" | tail -c 1 | od -An -tx1 | tr -d ' \n')
+              if [ "$last" = "0a" ]; then
+                echo "FAIL: $f has trailing newline"
+                failed=1
+              fi
+            done
+            if [ "$failed" -eq 0 ]; then
+              echo "All secrets OK: no trailing newlines"
+            fi
+            exit $failed
+          '';
+        in
+        pkgs.mkShell {
+          packages = [
+            pkgs.nh
+            inputs.agenix.packages.x86_64-linux.default
+            deploy
+            check-secrets
+          ];
+        };
    };
-  };
 }
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@ -129,7 +129,6 @@
        '';
      };

-
      "matrix.extremist.software" = {
        extraConfig = ''
          rate_limit {
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@ -17,7 +17,10 @@
          x_forwarded = true;
          resources = [
            {
-              names = [ "client" "federation" ];
+              names = [
+                "client"
+                "federation"
+              ];
              compress = false;
            }
          ];
@ -42,10 +45,11 @@
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "matrix-synapse" ];
-    ensureUsers = [{
-      name = "matrix-synapse";
-      ensureDBOwnership = true;
-    }];
+    ensureUsers = [
+      {
+        name = "matrix-synapse";
+        ensureDBOwnership = true;
+      }
+    ];
  };
 }
-
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@ -15,9 +15,11 @@
    scrapeConfigs = [
      {
        job_name = "node";
-        static_configs = [{
-          targets = [ "127.0.0.1:9100" ];
-        }];
+        static_configs = [
+          {
+            targets = [ "127.0.0.1:9100" ];
+          }
+        ];
      }
    ];
  };
--- a/modules/noisebell.nix
+++ b/modules/noisebell.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:

 {
  services.noisebell-cache = {
@ -6,6 +6,12 @@
    port = 3005;
    domain = "noisebell.extremist.software";
    piAddress = "http://noisebell-pi";
+    outboundWebhooks = [
+      {
+        url = "http://127.0.0.1:3004/webhook";
+        secretFile = config.age.secrets.noisebell-discord-webhook-secret.path;
+      }
+    ];
  };

  services.noisebell-discord = {
--- a/modules/ntfy.nix
+++ b/modules/ntfy.nix
@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:

 {
  services.ntfy-sh = {
@ -19,13 +24,15 @@
  # Patch the generated config at runtime to inject the admin bcrypt hash
  systemd.services.ntfy-sh = {
    serviceConfig.RuntimeDirectory = "ntfy-sh";
-    serviceConfig.ExecStartPre = let
-      script = pkgs.writeShellScript "ntfy-patch-config" ''
-        cp /etc/ntfy/server.yml /run/ntfy-sh/server.yml
-        HASH=$(cat ${config.age.secrets.ntfy-admin-hash.path})
-        printf '\nauth-users:\n  - "jet:%s:admin"\n' "$HASH" >> /run/ntfy-sh/server.yml
-      '';
-    in [ "+${script}" ];
+    serviceConfig.ExecStartPre =
+      let
+        script = pkgs.writeShellScript "ntfy-patch-config" ''
+          cp /etc/ntfy/server.yml /run/ntfy-sh/server.yml
+          HASH=$(cat ${config.age.secrets.ntfy-admin-hash.path})
+          printf '\nauth-users:\n  - "jet:%s:admin"\n' "$HASH" >> /run/ntfy-sh/server.yml
+        '';
+      in
+      [ "+${script}" ];
    serviceConfig.ExecStart = lib.mkForce "${pkgs.ntfy-sh}/bin/ntfy serve --config /run/ntfy-sh/server.yml";
  };
 }
--- a/modules/searx.nix
+++ b/modules/searx.nix
@ -16,15 +16,48 @@
        request_timeout = 1.5;
      };
      ui = {
-        categories_as_tabs = [ "general" "images" ];
+        categories_as_tabs = [
+          "general"
+          "images"
+        ];
      };
      engines = [
-        { name = "google"; engine = "google"; categories = "general"; disabled = false; }
-        { name = "wikipedia"; engine = "wikipedia"; categories = "general"; disabled = false; }
-        { name = "google images"; engine = "google_images"; categories = "images"; disabled = false; }
-        { name = "duckduckgo images"; engine = "duckduckgo_images"; categories = "images"; disabled = false; }
-        { name = "bing images"; engine = "bing_images"; categories = "images"; disabled = false; }
-        { name = "qwant images"; engine = "qwant_images"; categories = "images"; disabled = false; }
+        {
+          name = "google";
+          engine = "google";
+          categories = "general";
+          disabled = false;
+        }
+        {
+          name = "wikipedia";
+          engine = "wikipedia";
+          categories = "general";
+          disabled = false;
+        }
+        {
+          name = "google images";
+          engine = "google_images";
+          categories = "images";
+          disabled = false;
+        }
+        {
+          name = "duckduckgo images";
+          engine = "duckduckgo_images";
+          categories = "images";
+          disabled = false;
+        }
+        {
+          name = "bing images";
+          engine = "bing_images";
+          categories = "images";
+          disabled = false;
+        }
+        {
+          name = "qwant images";
+          engine = "qwant_images";
+          categories = "images";
+          disabled = false;
+        }
      ];
    };
  };