26 changed files with 176 additions and 357 deletions
--- a/checks/default.nix
+++ b/checks/default.nix
@ -6,8 +6,6 @@ let
 in
 {
  x86_64-linux = lib.mergeAttrsList [
    flake-inputs.self.nixosConfigurations.hetzner-1.config.serviceTests
    {
      nix = checkLib.mkLint {
        name = "nix-lints";
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -1,5 +1,5 @@
 {
-  lib,
+  config,
  modulesPath,
  flake-inputs,
  ...
@ -9,13 +9,30 @@
    flake-inputs.disko.nixosModules.disko
    flake-inputs.sops-nix.nixosModules.sops
    flake-inputs.tlaternet-webserver.nixosModules.default
    "${modulesPath}/profiles/minimal.nix"
-    ../modules
+    "${modulesPath}/profiles/minimal.nix"
    (import ../modules)
    ./services/backups.nix
    ./services/battery-manager.nix
    ./services/conduit
    ./services/crowdsec.nix
    ./services/foundryvtt.nix
    ./services/gitea.nix
    ./services/immich.nix
    ./services/metrics
    ./services/minecraft.nix
    ./services/nextcloud.nix
    ./services/webserver.nix
    ./services/wireguard.nix
    # ./services/starbound.nix -- Not currently used
    ./services/postgres.nix
    ./nginx
-    ./services
+    ./sops.nix
  ];
  nixpkgs.overlays = [ (_: prev: { local = import ../pkgs { pkgs = prev; }; }) ];
  nix = {
    extraOptions = ''
      experimental-features = nix-command flakes
@ -25,9 +42,49 @@
    settings.trusted-users = [ "@wheel" ];
  };
  # Optimization for minecraft servers, see:
  # https://bugs.mojang.com/browse/MC-183518
  boot.kernelParams = [
    "highres=off"
    "nohz=off"
  ];
  networking = {
    usePredictableInterfaceNames = false;
    useDHCP = false;
    firewall = {
      allowedTCPPorts = [
        # http
        80
        443
        # ssh
        2222
        # matrix
        8448
        # starbound
        21025
        config.services.coturn.listening-port
        config.services.coturn.tls-listening-port
        config.services.coturn.alt-listening-port
        config.services.coturn.alt-tls-listening-port
      ];
      allowedUDPPorts = [
        config.services.coturn.listening-port
        config.services.coturn.tls-listening-port
        config.services.coturn.alt-listening-port
        config.services.coturn.alt-tls-listening-port
      ];
      allowedUDPPortRanges = [
        {
          from = config.services.coturn.min-port;
          to = config.services.coturn.max-port;
        }
      ];
    };
  };
  systemd.network.enable = true;
@ -67,10 +124,9 @@
      services.sudo.rssh = true;
    };
  };
  sops.defaultSopsFile = ../keys/production.yaml;
  # Remove some unneeded packages
-  environment.defaultPackages = lib.mkForce [ ];
+  environment.defaultPackages = [ ];
  system.stateVersion = "20.09";
 }
--- a/configuration/nginx/logging.nix
+++ b/configuration/nginx/logging.nix
@ -1,10 +1,4 @@
-{
+{ config, lib, ... }:
  flake-inputs,
  pkgs,
  config,
  lib,
  ...
 }:
 let
  hostNames = lib.attrNames config.services.nginx.virtualHosts;
  logPath = name: "/var/log/nginx/${name}/access.log";
@ -86,55 +80,5 @@ in
        };
      };
    };
    serviceTests =
      let
        testHostConfig =
          { config, ... }:
          {
            imports = [
              ./.
              ../../modules/serviceTests/mocks.nix
            ];
            networking.firewall.allowedTCPPorts = [ 80 ];
            services.nginx = {
              domain = "testHost";
              virtualHosts."${config.services.nginx.domain}".locations."/".return = "200 ok";
            };
          };
      in
      {
        nginxMetricsWork = pkgs.testers.runNixOSTest {
          name = "nginx-metrics-work";
          node.specialArgs = { inherit flake-inputs; };
          nodes = {
            testHost = testHostConfig;
            client =
              { pkgs, ... }:
              {
                environment.systemPackages = [ pkgs.curl ];
              };
          };
          testScript = ''
            import time
            start_all()
            testHost.wait_for_unit("nginx.service")
            client.succeed("curl --max-time 10 http://testHost")
            # Wait a bit for the prometheus exporter to scrape our logs
            time.sleep(5)
            res = testHost.succeed("curl localhost:${builtins.toString config.services.prometheus.exporters.nginxlog.port}/metrics")
            assert 'nginxlog_http_response_count_total{method="GET",status="200",vhost="testHost"} 1' in res, res
          '';
        };
      };
  };
 }
--- a/configuration/nginx/ssl.nix
+++ b/configuration/nginx/ssl.nix
@ -1,5 +1,4 @@
 {
  flake-inputs,
  pkgs,
  config,
  lib,
@ -65,73 +64,5 @@
        in
        ''${pkgs.runtimeShell} -c '${confirm}' '';
    };
    sops.secrets = {
      "porkbun/api-key".owner = "acme";
      "porkbun/secret-api-key".owner = "acme";
    };
    serviceTests =
      let
        testHostConfig =
          { config, ... }:
          {
            imports = [
              ./.
              ../../modules/serviceTests/mocks.nix
            ];
            networking.firewall.allowedTCPPorts = [ 443 ];
            security.acme.certs."tlater.net".extraDomainNames = [ config.services.nginx.domain ];
            services.nginx = {
              domain = "testHost";
              virtualHosts."${config.services.nginx.domain}" = {
                useACMEHost = "tlater.net";
                onlySSL = true;
                enableHSTS = true;
                locations."/".return = "200 ok";
              };
            };
          };
      in
      {
        testNginxSSL = pkgs.testers.runNixOSTest {
          name = "test-nginx-ssl";
          node.specialArgs = { inherit flake-inputs; };
          nodes = {
            testHost = testHostConfig;
            client =
              { pkgs, ... }:
              {
                environment.systemPackages = [ pkgs.curl ];
              };
          };
          testScript = ''
            start_all()
            testHost.wait_for_unit("nginx.service")
            testHost.copy_from_vm("/var/lib/acme/tlater.net/", "certs")
            client.copy_from_host(f"{testHost.out_dir}/certs", "/certs")
            res = client.succeed(" ".join([
                "curl",
                "--show-error",
                "--silent",
                "--dump-header -",
                "--cacert /certs/tlater.net/fullchain.pem",
                "https://testHost",
                "-o /dev/null"
            ]))
            assert "strict-transport-security: max-age=15552000; includeSubDomains" in res
          '';
        };
      };
  };
 }
--- a/configuration/services/backups.nix
+++ b/configuration/services/backups.nix
@ -265,18 +265,5 @@ in
      };
      groups.backup = { };
    };
    sops.secrets = {
      "restic/storagebox-backups" = {
        owner = "root";
        group = "backup";
        mode = "0440";
      };
      "restic/storagebox-ssh-key" = {
        owner = "backup";
        group = "backup";
        mode = "0040";
      };
    };
  };
 }
--- a/configuration/services/battery-manager.nix
+++ b/configuration/services/battery-manager.nix
@ -13,9 +13,4 @@
      log_level = "DEBUG";
    };
  };
  sops.secrets = {
    "battery-manager/email" = { };
    "battery-manager/password" = { };
  };
 }
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
@ -17,36 +17,6 @@ in
    ./matrix-hookshot.nix
  ];
  networking.firewall = {
    allowedTCPPorts = [
      # These are for "normal" clients
      80
      443
      # Federation happens on 8448
      8448
      config.services.coturn.listening-port
      config.services.coturn.tls-listening-port
      config.services.coturn.alt-listening-port
      config.services.coturn.alt-tls-listening-port
    ];
    allowedUDPPorts = [
      config.services.coturn.listening-port
      config.services.coturn.tls-listening-port
      config.services.coturn.alt-listening-port
      config.services.coturn.alt-tls-listening-port
    ];
    allowedUDPPortRanges = [
      {
        from = config.services.coturn.min-port;
        to = config.services.coturn.max-port;
      }
    ];
  };
  services = {
    matrix-conduit = {
      enable = true;
@ -209,11 +179,4 @@ in
  systemd.services.coturn.serviceConfig.SupplementaryGroups = [
    config.security.acme.certs."tlater.net".group
  ];
  sops.secrets = {
    "turn/env" = { };
    "turn/secret" = {
      owner = "turnserver";
    };
  };
 }
--- a/configuration/services/conduit/heisenbridge.nix
+++ b/configuration/services/conduit/heisenbridge.nix
@ -75,10 +75,4 @@ in
        # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
      };
    };
  sops.secrets = {
    # Accessed via systemd cred through /run/secrets/heisebridge
    "heisenbridge/as-token" = { };
    "heisenbridge/hs-token" = { };
  };
 }
--- a/configuration/services/conduit/matrix-hookshot.nix
+++ b/configuration/services/conduit/matrix-hookshot.nix
@ -163,10 +163,4 @@ in
      metrics.enabled = true;
    };
  };
  sops.secrets = {
    # Accessed via systemd cred through /run/secrets/matrix-hookshot
    "matrix-hookshot/as-token" = { };
    "matrix-hookshot/hs-token" = { };
  };
 }
--- a/configuration/services/default.nix
+++ b/configuration/services/default.nix
@ -1,18 +0,0 @@
 {
  imports = [
    ./backups.nix
    ./battery-manager.nix
    ./conduit
    ./crowdsec.nix
    ./foundryvtt.nix
    ./gitea.nix
    ./immich.nix
    ./metrics
    ./minecraft.nix
    ./nextcloud.nix
    ./postgres.nix
    # ./starbound.nix -- Not currently used
    ./webserver.nix
    ./wireguard.nix
  ];
 }
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
@ -11,11 +11,6 @@ in
 {
  imports = [ flake-inputs.foundryvtt.nixosModules.foundryvtt ];
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  services = {
    foundryvtt = {
      enable = true;
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@ -8,11 +8,6 @@ let
  domain = "gitea.${config.services.nginx.domain}";
 in
 {
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  services = {
    forgejo = {
      enable = true;
--- a/configuration/services/immich.nix
+++ b/configuration/services/immich.nix
@ -8,11 +8,6 @@ let
  hostName = "immich.${config.services.nginx.domain}";
 in
 {
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  services = {
    immich = {
      enable = true;
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@ -3,11 +3,6 @@ let
  domain = "metrics.${config.services.nginx.domain}";
 in
 {
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  services.grafana = {
    enable = true;
    settings = {
@ -72,15 +67,4 @@ in
      };
    };
  };
  sops.secrets = {
    "grafana/adminPassword" = {
      owner = "grafana";
      group = "grafana";
    };
    "grafana/secretKey" = {
      owner = "grafana";
      group = "grafana";
    };
  };
 }
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@ -4,7 +4,7 @@ let
  blackbox_port = config.services.prometheus.exporters.blackbox.port;
 in
 {
-  services.victoriametrics = {
+  config.services.victoriametrics = {
    enable = true;
    extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];
@ -96,10 +96,4 @@ in
      victorialogs.targets = [ config.services.victorialogs.bindAddress ];
    };
  };
  sops.secrets."forgejo/metrics-token" = {
    owner = "forgejo";
    group = "metrics";
    mode = "0440";
  };
 }
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@ -9,11 +9,6 @@ let
  hostName = "nextcloud.${config.services.nginx.domain}";
 in
 {
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  services = {
    nextcloud = {
      inherit hostName;
@ -105,9 +100,4 @@ in
  # Ensure that this service doesn't start before postgres is ready
  systemd.services.nextcloud-setup.after = [ "postgresql.service" ];
  sops.secrets."nextcloud/tlater" = {
    owner = "nextcloud";
    group = "nextcloud";
  };
 }
--- a/configuration/services/starbound.nix
+++ b/configuration/services/starbound.nix
@ -1,15 +1,8 @@
-{
+{ pkgs, lib, ... }:
  flake-inputs,
  pkgs,
  lib,
  ...
 }:
 let
  inherit (lib) concatStringsSep;
 in
 {
  networking.firewall.allowedTCPPorts = [ 21025 ];
  # Sadly, steam-run requires some X libs
  environment.noXlibs = false;
@ -18,9 +11,7 @@ in
    after = [ "network.target" ];
    serviceConfig = {
-      ExecStart = "${
+      ExecStart = "${pkgs.local.starbound}/bin/launch-starbound ${./configs/starbound.json}";
        flake-inputs.self.packages.${pkgs.system}.starbound
      }/bin/launch-starbound ${./configs/starbound.json}";
      Type = "simple";
@ -123,7 +114,4 @@ in
    paths = [ "/var/lib/private/starbound/storage/universe/" ];
    pauseServices = [ "starbound.service" ];
  };
  # Accessed via systemd cred through /run/secrets/steam
  sops.secrets."steam/tlater" = { };
 }
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@ -3,11 +3,6 @@ let
  inherit (config.services.nginx) domain;
 in
 {
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  services.tlaternet-webserver = {
    enable = true;
    listen = {
--- a/configuration/services/wireguard.nix
+++ b/configuration/services/wireguard.nix
@ -62,10 +62,4 @@
      };
    };
  };
  sops.secrets."wireguard/server-key" = {
    owner = "root";
    group = "systemd-network";
    mode = "0440";
  };
 }
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@ -0,0 +1,89 @@
 {
  sops = {
    defaultSopsFile = ../keys/production.yaml;
    secrets = {
      "battery-manager/email" = { };
      "battery-manager/password" = { };
      # Gitea
      "forgejo/metrics-token" = {
        owner = "forgejo";
        group = "metrics";
        mode = "0440";
      };
      # Grafana
      "grafana/adminPassword" = {
        owner = "grafana";
        group = "grafana";
      };
      "grafana/secretKey" = {
        owner = "grafana";
        group = "grafana";
      };
      # Heisenbridge
      "heisenbridge/as-token" = { };
      "heisenbridge/hs-token" = { };
      # Matrix-hookshot
      "matrix-hookshot/as-token" = { };
      "matrix-hookshot/hs-token" = { };
      # Nextcloud
      "nextcloud/tlater" = {
        owner = "nextcloud";
        group = "nextcloud";
      };
      # Porkbub/ACME
      "porkbun/api-key" = {
        owner = "acme";
      };
      "porkbun/secret-api-key" = {
        owner = "acme";
      };
      # Restic
      "restic/local-backups" = {
        owner = "root";
        group = "backup";
        mode = "0440";
      };
      "restic/storagebox-backups" = {
        owner = "root";
        group = "backup";
        mode = "0440";
      };
      "restic/storagebox-ssh-key" = {
        owner = "backup";
        group = "backup";
        mode = "0040";
      };
      # Steam
      "steam/tlater" = { };
      # Turn
      "turn/env" = { };
      "turn/secret" = {
        owner = "turnserver";
      };
      "turn/ssl-key" = {
        owner = "turnserver";
      };
      "turn/ssl-cert" = {
        owner = "turnserver";
      };
      # Wireguard
      "wireguard/server-key" = {
        owner = "root";
        group = "systemd-network";
        mode = "0440";
      };
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -136,11 +136,11 @@
        "pyproject-nix": "pyproject-nix"
      },
      "locked": {
-        "lastModified": 1763413832,
+        "lastModified": 1754978539,
-        "narHash": "sha256-dkqBwDXiv8MPoFyIvOuC4bVubAP+TlVZUkVMB78TTSg=",
+        "narHash": "sha256-nrDovydywSKRbWim9Ynmgj8SBm8LK3DI2WuhIqzOHYI=",
        "owner": "nix-community",
        "repo": "dream2nix",
-        "rev": "5658fba3a0b6b7d5cb0460b949651f64f644a743",
+        "rev": "fbec3263cb4895ac86ee9506cdc4e6919a1a2214",
        "type": "github"
      },
      "original": {
@ -356,11 +356,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1763319842,
+        "lastModified": 1762868777,
-        "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
+        "narHash": "sha256-QqS72GvguP56oKDNUckWUPNJHjsdeuXh5RyoKz0wJ+E=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
+        "rev": "c5c3147730384576196fb5da048a6e45dee10d56",
        "type": "github"
      },
      "original": {
--- a/keys/production.yaml
+++ b/keys/production.yaml
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@ -22,14 +22,18 @@ matrix-hookshot:
 wireguard:
    server-key: ENC[AES256_GCM,data:FvY897XdKoa/mckE8JQLCkklsnYD6Wz1wpsu5t3uhEnW3iarnDQxF9msuYU=,iv:jqGXfekM+Vs+J9b5nlZ5Skd1ZKHajoUo2Dc4tMYPm1w=,tag:EehikjI/FCU8wqtpvJRamQ==,type:str]
 restic:
    local-backups: ENC[AES256_GCM,data:3QjEv03t7wE=,iv:y/6Lv4eUbZZfGPwUONykz8VNL62cAJuWaJy9yk3aAmk=,tag:wMlGsepuG9JjwtUKGWSibw==,type:str]
    storagebox-backups: ENC[AES256_GCM,data:NEHk57B3YtI=,iv:0/qnqMVK0662sgfDQoLxcW7L09SKF8E5liCnjaQ2+2k=,tag:RU0BPwGgvI9bgOPr8VItmA==,type:str]
    storagebox-ssh-key: ENC[AES256_GCM,data:65+kbJPO90y+rRh3Q5cqLDtQa3VFfbaDPPo1nJLqxgAB7Wm3J7K4qUYAKPcYnkWV4/xFz63R2uCNaq5xv+vuZA==,iv:O7AeE/ujp5p1P7nff7PpghQfN2tQUYBSWL+EHRbE5yA=,tag:Pu/+bEAQuqwmD1Rc//t0cA==,type:str]
 turn:
    env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str]
    secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str]
    ssl-key: ENC[AES256_GCM,data:RYfwHjBvwFXgXxXIEuWUzaycTdrCvmPivsNvvUIwDRynS5G2Dl6RCVp1w9zuLvoNun5ncUPGGuLMmVqN2wkJlw==,iv:UKI3bVTY7iTDNvp5UqrZ3QlQkMZ5p2bjgODEc6DCBfQ=,tag:sz7VTyRWyZxAsP4nE48DnA==,type:str]
    #ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment]
    ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str]
 sops:
-    lastmodified: "2025-11-19T16:42:43Z"
+    lastmodified: "2025-02-07T17:43:24Z"
-    mac: ENC[AES256_GCM,data:4YivckDS+jBX3Bkon0bTAm3SXya4v2ieZyqeBXjBUYZeCmelIng7bn2dP7791O6RK6RvSXAGhiykWgGRW/boG3QM8VLxDMSRTKovJo5k6oxtFJC8OLDJoh1EC5BQLznJDKl4So6FgYPEtdQ6rx+Q6Ah7JSMtQilxRoe/hYapT90=,iv:9BGtS585gVbvH6l96/YYZiY1DrwB565vPaNNtFC9vbk=,tag:HsZuDMqPFHTMPxQsD36LNQ==,type:str]
+    mac: ENC[AES256_GCM,data:akmD/bfgeTyFzW1quvM16cdj0fC6+CbJ8WyX9173H11yKGxvE1USQYcErpl1SHOx9Jk8LVb7f+MsUm2fjQF1MEq6xaWI74jem12lZ9CGXFaTL7e87JvfbK7pV+aKpxSBBNFyJgbYm30ibdUwxwKmNVfPb1e0HT9qwenvoV7RobM=,iv:mKqOW0ULXL711uczUbRf9NPo6uPTQoS/IbR46S+JID4=,tag:vE6NYzYLbQHDImov1XGTcg==,type:str]
    pgp:
        - created_at: "2025-10-03T21:38:26Z"
          enc: |-
@ -63,4 +67,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
    unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.9.2
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,6 +1 @@
-{
+{ imports = [ ./crowdsec ]; }
  imports = [
    ./crowdsec
    ./serviceTests/stub.nix
  ];
 }
--- a/modules/serviceTests/mocks.nix
+++ b/modules/serviceTests/mocks.nix
@ -1,27 +0,0 @@
 /**
  Module containing mock definitions for service test runners.
 */
 { flake-inputs, lib, ... }:
 {
  imports = [
    flake-inputs.sops-nix.nixosModules.sops
    ../.
    ../../configuration/services/backups.nix
  ];
  sops.defaultSopsFile = ../../keys/staging.yaml;
  environment.etc."staging.key" = {
    mode = "0400";
    source = ../../keys/hosts/staging.key;
  };
  services.openssh = {
    enable = true;
    hostKeys = lib.mkForce [
      {
        type = "rsa";
        bits = 4096;
        path = "/etc/staging.key";
      }
    ];
  };
 }
--- a/modules/serviceTests/stub.nix
+++ b/modules/serviceTests/stub.nix
@ -1,20 +0,0 @@
 /**
  Module to make writing service-specific tests easy.
 */
 { lib, ... }:
 let
  inherit (lib) mkOption types;
 in
 {
  options = {
    serviceTests = mkOption {
      type = types.attrsOf types.package;
      description = ''
        NixOS tests to run.
      '';
      default = { };
    };
  };
 }