# extremist software

nixos config for the hetzner vps.

services:

- forgejo (git.extremist.software)
- stalwart (mail.extremist.software)
- searxng (search.extremist.software)
- synapse (matrix.extremist.software)
- grafana/prometheus (status.extremist.software)
- uptime-kuma (uptime.extremist.software)
- ntfy (ntfy.extremist.software)
- mymx (mymx.extremist.software)
- caddy (reverse proxy + rate limiting)
- fail2ban

## Deployment

Secrets are managed with [agenix](https://github.com/ryantm/agenix) — encrypted in git, decrypted on the server at runtime.

### 1. Setup Secrets

Key mapping is in `agenix.nix`. The `agenix` CLI and `RULES` env var are provided by the devShell via direnv.

```bash
direnv allow
agenix -e secrets/forgejo-db.age
agenix -e secrets/stalwart-admin.age
agenix -e secrets/searx-env.age        # SEARXNG_SECRET=
agenix -e secrets/tailscale-key.age
agenix -e secrets/grafana-secret.age
agenix -e secrets/matrix-macaroon.age  # macaroon_secret_key: ""
agenix -e secrets/ntfy-admin-hash.age
agenix -e secrets/mymx-webhook.age
```

To edit an existing secret, run the same command again.

### 2. Verify Configuration

```bash
nix flake check
```

### 3. Initial Install (Wipe & Install)

**Warning: Wipes the server disk.**

```bash
nix run github:nix-community/nixos-anywhere -- --store-paths \
  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --print-out-paths --no-link) \
  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --print-out-paths --no-link) \
  root@ | tee install.log
```

### 4. Update Existing Server

`nhs` and `nh` are provided via direnv.

```bash
nhs
```
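The secret workflow above relies on two things `nix flake check` does not verify: that every file under `secrets/` is actually age ciphertext (not a plaintext value committed by mistake) and that every such file has an entry in `agenix.nix`, since an unlisted secret cannot be decrypted on the host. The check below is an added example, not part of this repo; it accepts both armored and binary age output, assumes the `secrets/<name>.age` naming and the `"secrets/<name>.age".publicKeys = [ ... ];` key shape shown in this README, and builds its own constructed fixture (header-only stand-ins, no real ciphertext) so it can be run anywhere.

```bash
# check_age_secrets <repo-root>: every secrets/*.age must be age ciphertext
# (armored or binary) and must have a key in agenix.nix. Returns 0 when
# clean, 1 otherwise, printing one line per problem.
check_age_secrets() {
  root="$1"; rc=0
  for f in "$root"/secrets/*.age; do
    [ -e "$f" ] || { echo "no .age files under $root/secrets"; return 1; }
    # age output starts with the armor header or the binary format magic
    if ! head -n1 "$f" | grep -Eq '^(age-encryption\.org/v1|-----BEGIN AGE ENCRYPTED FILE-----)$'; then
      echo "NOT ENCRYPTED: $f"; rc=1
    fi
    rel="secrets/$(basename "$f")"
    # RULES keys look like "secrets/name.age".publicKeys = [ ... ];
    if ! grep -qF "\"$rel\"" "$root/agenix.nix"; then
      echo "NOT IN RULES: $rel"; rc=1
    fi
  done
  return "$rc"
}

# Constructed fixture (headers only, not real ciphertext): $d/good is clean,
# $d/bad contains a plaintext .age file and one that is missing from the rules.
make_fixture() {
  d="$(mktemp -d)"
  mkdir -p "$d/good/secrets" "$d/bad/secrets"
  printf '%s\n' '-----BEGIN AGE ENCRYPTED FILE-----' 'cGxhY2Vob2xkZXI=' \
    '-----END AGE ENCRYPTED FILE-----' > "$d/good/secrets/forgejo-db.age"
  printf '%s\n' 'age-encryption.org/v1' '-> placeholder' > "$d/good/secrets/stalwart-admin.age"
  cat > "$d/good/agenix.nix" <<'EOF'
let host = "ssh-ed25519 AAAA-placeholder-host-key"; in {
  "secrets/forgejo-db.age".publicKeys = [ host ];
  "secrets/stalwart-admin.age".publicKeys = [ host ];
}
EOF
  cp "$d/good/secrets/forgejo-db.age" "$d/bad/secrets/forgejo-db.age"
  printf 'SEARXNG_SECRET=hunter2\n' > "$d/bad/secrets/searx-env.age"        # committed in clear
  cp "$d/good/secrets/stalwart-admin.age" "$d/bad/secrets/tailscale-key.age" # not in rules
  cat > "$d/bad/agenix.nix" <<'EOF'
let host = "ssh-ed25519 AAAA-placeholder-host-key"; in {
  "secrets/forgejo-db.age".publicKeys = [ host ];
  "secrets/searx-env.age".publicKeys = [ host ];
}
EOF
  echo "$d"
}
# On the real checkout: check_age_secrets "$(git rev-parse --show-toplevel)"
```

Running it before `nix flake check` (or from a pre-commit hook) catches a plaintext `.age` before it reaches `git push`, which is the point at which it becomes part of the repository history.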