chore: merge remote-tracking branch 'refs/remotes/origin/master'

.gitignore

@@ -1,2 +1 @@
-modules/services/matrix/default.nix
 result

.sops.yaml

@@ -3,6 +3,10 @@ keys:
   - &violet age1zegau3chyn53tqvkwud6tuyggpkazc88pdkqv8cknavaudu49enqm2f0h3
 creation_rules:
   - path_regex: secrets/secrets.yaml
+    key_groups:
+      - age:
+          - *sakura
+  - path_regex: secrets/violet/secrets.yaml
     key_groups:
       - age:
           - *sakura

modules/core/sops.nix

@@ -2,18 +2,32 @@
   pkgs,
   inputs,
   username,
+  host,
+  config,
   ...
 }:
 {
   imports = [ inputs.sops-nix.nixosModules.sops ];
 
   sops = {
-    defaultSopsFile = ../../secrets/secrets.yaml;
+    defaultSopsFile = ../../secrets/${host}/secrets.yaml;
     defaultSopsFormat = "yaml";
     age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
-    secrets = {
+    secrets =
-      "systemMailerPassword" = { };
+      if (host == "violet") then
-    };
+        {
+          "systemMailerPassword" = { };
+          "forgejoWorkerSecret" = { };
+          "matrixRegistrationSecret" = {
+            owner = "matrix-synapse";
+          };
+        }
+      else if (host == "sakura") then
+        {
+          "systemMailerPassword" = { };
+        }
+      else
+        { };
   };
 
   environment.systemPackages = with pkgs; [

modules/services/forgejo.nix

@@ -9,57 +9,64 @@ let
   srv = cfg.settings.server;
 in
 {
-  services.forgejo = {
-    enable = true;
-    # database.type = "postgres";
-    # Enable support for Git Large File Storage
-    lfs.enable = true;
-    settings = {
-      server = {
-        DOMAIN = "code.liv.town";
-        # You need to specify this to remove the port from URLs in the web UI.
-        ROOT_URL = "https://${srv.DOMAIN}/";
-        HTTP_PORT = 3050;
-      };
-      # You can temporarily allow registration to create an admin user.
-      service.DISABLE_REGISTRATION = true;
-      # Add support for actions, based on act: https://github.com/nektos/act
-      actions = {
-        ENABLED = true;
-        DEFAULT_ACTIONS_URL = "github";
-      };
-      # Sending emails is completely optional
-      # You can send a test email from the web UI at:
-      # Profile Picture > Site Administration > Configuration >  Mailer Configuration
-      # mailer = {
-      #   ENABLED = true;
-      #   SMTP_ADDR = "mail.example.com";
-      #   FROM = "noreply@${srv.DOMAIN}";
-      #   USER = "noreply@${srv.DOMAIN}";
-      # };
-    };
-    # mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
-  };
-  # gitea-actions-runner = {
-  #   package = pkgs.forgejo-runner;
-  #   instances.my-forgejo-instance = {
-  #     enable = true;
-  #     name = "forgejo-01";
-  #     token = ""; # TODO: fill in tokens etc
-  #     url = "https://code.liv.town";
-  #     labels = [
-  #       "node-22:docker://node:22-bookworm"
-  #       "nixos-latest:docker://nixos/nix"
-  #     ];
-  #   };
-  # };
   services = {
+    forgejo = {
+      enable = true;
+      # database.type = "postgres";
+      # Enable support for Git Large File Storage
+      lfs.enable = true;
+      settings = {
+        server = {
+          DOMAIN = "code.liv.town";
+          # You need to specify this to remove the port from URLs in the web UI.
+          ROOT_URL = "https://${srv.DOMAIN}/";
+          HTTP_PORT = 3050;
+        };
+        # You can temporarily allow registration to create an admin user.
+        service.DISABLE_REGISTRATION = true;
+        # Add support for actions, based on act: https://github.com/nektos/act
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "github";
+        };
+        # TODO: run own email server that sends users emails!
+        # You can send a test email from the web UI at:
+        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
+        mailer = {
+          ENABLED = true;
+          SMTP_ADDR = "smtp.migadu.com";
+          FROM = config.liv.variables.senderEmail;
+          USER = config.liv.variables.senderEmail;
+        };
+      };
+      mailerPasswordFile = config.sops.secrets.systemMailerPassword.path;
+    };
+    gitea-actions-runner = {
+      package = pkgs.forgejo-runner;
+      instances.code-liv-town = {
+        enable = true;
+        name = "forgejo-01";
+        tokenFile = "${config.sops.secrets.forgejoWorkerSecret.path}";
+        url = "https://code.liv.town";
+        labels = [
+          "node-22:docker://node:22-bookworm"
+          "nixos-latest:docker://nixos/nix"
+        ];
+      };
+    };
+    anubis.instances.forgejo = {
+      settings = {
+        TARGET = "http://localhost:3050";
+        BIND = ":3051";
+        BIND_NETWORK = "tcp";
+      };
+    };
     nginx.virtualHosts."code.liv.town" = {
       forceSSL = true;
       sslCertificate = "/var/lib/acme/liv.town/cert.pem";
       sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
       locations."/" = {
-        proxyPass = "http://localhost:3050";
+        proxyPass = "http://localhost${toString config.services.anubis.instances.forgejo.settings.BIND}";
         proxyWebsockets = true;
       };
     };

modules/services/matrix/secrets.yaml

@@ -1,3 +0,0 @@
-registration_shared_secret: ""
-
-report_stats: false

modules/services/monitoring.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, host, ... }:
 {
   services = {
     prometheus = {
@@ -10,6 +10,15 @@
           enabledCollectors = [ "systemd" ];
           port = 9002;
         };
+        smokeping = {
+          enable = true;
+          hosts = [
+            "172.16.10.1"
+            "172.16.10.2"
+            "9.9.9.9"
+            "149.112.112.112"
+          ];
+        };
       };
       scrapeConfigs = [
         {
@@ -20,6 +29,14 @@
             }
           ];
         }
+        {
+          job_name = "${host} - smokeping";
+          static_configs = [
+            {
+              targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.smokeping.port}" ];
+            }
+          ];
+        }
       ];
     };
   };

modules/services/vaultwarden.nix

@@ -0,0 +1,34 @@
+{ config, ... }:
+{
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "sqlite";
+    config = {
+      SIGNUPS_ALLOWED = false;
+      ENABLE_WEBSOCKET = true;
+      SENDS_ALLOWED = true;
+      INVITATIONS_ENABLED = true;
+      EMERGENCY_ACCESS_ALLOWED = true;
+      EMAIL_ACCESS_ALLOWED = true;
+      DOMAIN = "https://passwords.liv.town";
+      ROCKET_ADDRESS = "0.0.0.0";
+      ROCKET_PORT = 8003;
+    };
+  };
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "passwords.liv.town" = {
+        forceSSL = true;
+        sslCertificate = "/var/lib/acme/liv.town/cert.pem";
+        sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+}

modules/services/violet.nix

@@ -19,7 +19,9 @@
     ++ [ (import ./monitoring.nix) ]
     ++ [ (import ./ntfy.nix) ]
     ++ [ (import ./nginx.nix) ]
+    ++ [ (import ./nix-serve.nix) ]
     ++ [ (import ./radicale.nix) ]
+    ++ [ (import ./remote-build.nix) ]
     ++ [ (import ./readarr.nix) ]
     ++ [ (import ./sharkey-proxy.nix) ]
     # ++ [ (import ./komga.nix) ]

secrets/violet/secrets.yaml

@@ -0,0 +1,27 @@
+systemMailerPassword: ENC[AES256_GCM,data:b1fvCLZMiA9xDu/9BKQGnCTbwj46uixlo37qer66DK09U7CEB8ZBqe+Y+DqjcOJUHHHSo8Qk1XGvGQWypkGICxmxNP8KWvmY42Woh3677APvotUdjW5fVKTgB+Y1m/6/cvXKicJFjbw5LOzZ2/JcXP01KPSkRxWb/X4xzvawSMY=,iv:vbchTqHaH2PB9Mll/s8q4zLhN6ThAsCVvhoggOhj7H4=,tag:6b+TiV1YYHWOn0P9qJZ/bQ==,type:str]
+forgejoWorkerSecret: ENC[AES256_GCM,data:kmUjukTJ9SP6nJvfhIMFVTu5vAc9TIfZidUgejC7FSNBDJiP/lVlHw==,iv:jF9LpWLxtBi5i5NCC5nkLeLqJQzOAIY7H1z2NfHqUQI=,tag:3mtTcn+LQEbCESlt34nf9g==,type:str]
+matrixRegistrationSecret: ENC[AES256_GCM,data:xDFYVpBJa+FHWjmLlZspJAzJcoav53nWPoctQ5+gAnDYMurtSCkmoQn8r5j6fOmiy56KQyk8AD2/kT1HeFFNKA==,iv:82eIoh1ePc0VxfTbBPxpwGhYrcdRMI6WjFhlUJhxuHk=,tag:FAYUXUy0lEQU56ni2dxvbg==,type:str]
+sops:
+    age:
+        - recipient: age1yzapmznelujajfyrpw5mxmy86ckg377494w5ap4yej39jatewursfxls9w
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeG8vNWltdmJGcHhpMFVv
+            L2loTVRWeUVQMjdFbXlLdDZ4NWd2czlMa1JVClErdlhXdlJKSDFrakhqVjRQMlBx
+            RStBKzI3bHkzWlZrdkFTZFZvRjN0eFUKLS0tIGJFaTRkVGhSbmZSbEdYZEFWV2Fz
+            bytGVUhvL1dKNk41cytPajJMUFdXQmMKbJZ7RDB5MXqotaLrWABIKFs2wEZtIAVm
+            +k+ykISzj/XhhCt2J4IWbhPqRDlivsOLvQF1srNgk02/laE+0Nz5Pg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zegau3chyn53tqvkwud6tuyggpkazc88pdkqv8cknavaudu49enqm2f0h3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMWV2NkVGSWR3UzBPWmFQ
+            S2lQRm9zZENGc29mN1VxT3hsb2c5d3k3ZGw4Ck5JWlpXQUU0WnhXT2ZocFZFSlkr
+            WjhZM214YVBDR3UzcU9SQ09ucWJDSUUKLS0tIE00aXVkeTQ5eG1TTTA2UnBuVnVB
+            S3pjSjlhZjZiSDBNakhLVzNKMjd3bWsKC2geLVXFp190lkjxtmZKq8aLN0XMNeAI
+            VqbwIY3a30iuWAaxqf8h1ZuCGJvbAZZBevFZraj9yktRHc54JV3Aww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-30T12:37:11Z"
+    mac: ENC[AES256_GCM,data:pGnJaFRqa3sjouALSjy8+ClhqE+RNR4b5SMLKB356WtnHtALrGnd/RzPTMyLLTOht1td1Fk5jY8WoUy225qqfI1yy0Mne+qtnFqd9++XTmiY1b7ARBeNvvM/mMuZyp34Mz8WLx+imrLcX6TAlpRZ/SWtv5BE9nleHCwpNvFpqfc=,iv:q8bKIFQd6dRSDBk3qhipOK0E/4NZgIcVCo4Mwu9Ddf8=,tag:JjL3sFxSMx4dp1Swt2lbvg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2