Update to fix ssh vulnerability #117

Manually merged
tlater merged 6 commits from tlater/update-conduit into master 2024-07-02 23:16:33 +01:00
11 changed files with 88 additions and 94 deletions


@ -24,7 +24,7 @@
./services/nextcloud.nix ./services/nextcloud.nix
./services/webserver.nix ./services/webserver.nix
./services/wireguard.nix ./services/wireguard.nix
./services/starbound.nix # ./services/starbound.nix -- Not currently used
./services/postgres.nix ./services/postgres.nix
./nginx.nix ./nginx.nix
./sops.nix ./sops.nix
@ -49,9 +49,6 @@
settings.trusted-users = [ "@wheel" ]; settings.trusted-users = [ "@wheel" ];
}; };
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [ "steam-original" "steam-runtime" "steam-run" "steamcmd" ];
# Optimization for minecraft servers, see: # Optimization for minecraft servers, see:
# https://bugs.mojang.com/browse/MC-183518 # https://bugs.mojang.com/browse/MC-183518
boot.kernelParams = [ "highres=off" "nohz=off" ]; boot.kernelParams = [ "highres=off" "nohz=off" ];


@ -18,6 +18,13 @@ in
server_name = domain; server_name = domain;
database_backend = "rocksdb"; database_backend = "rocksdb";
# Set up delegation: https://docs.conduit.rs/delegation.html#automatic-recommended
# This is primarily to make sliding sync work
well_known = {
client = "https://${domain}";
server = "${domain}:443";
};
turn_uris = turn_uris =
let let
address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}"; address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}";
@ -230,19 +237,8 @@ in
proxy_buffering off; proxy_buffering off;
''; '';
}; };
"/.well-known/matrix" = {
# Add Element X support proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
# TODO(tlater): Remove when no longer required: https://github.com/vector-im/element-x-android/issues/1085
"=/.well-known/matrix/client" = {
alias = pkgs.writeText "well-known-matrix-client" (builtins.toJSON {
"m.homeserver".base_url = "https://${domain}";
"org.matrix.msc3575.proxy".url = "https://${domain}";
});
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
'';
}; };
}; };
}; };
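Review bot: The new `"/.well-known/matrix"` location is a prefix match that forwards every path below it to Conduit, whereas what appears to be the removed block served only the exact `=/.well-known/matrix/client` path from a static file and set `Access-Control-Allow-Origin "*"` in nginx. Browser-based clients fetch the client well-known document cross-origin, so confirm that Conduit's own response carries that header and still advertises the `org.matrix.msc3575.proxy` entry if sliding sync depends on it. If only the client and server documents are meant to be reachable, exact-match locations such as `"=/.well-known/matrix/client"` and `"=/.well-known/matrix/server"` with the same `proxyPass` would keep the proxied surface as narrow as before. The enclosing virtual-host block starts outside this hunk.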


@ -1,6 +1,7 @@
{ lib { lib
, config , config
, flake-inputs , flake-inputs
, pkgs
, ... , ...
}: }:
let let
@ -15,6 +16,7 @@ in
minifyStaticFiles = true; minifyStaticFiles = true;
proxySSL = true; proxySSL = true;
proxyPort = 443; proxyPort = 443;
package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_11;
}; };
# Want to start it manually when I need it, not have it constantly # Want to start it manually when I need it, not have it constantly
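Review bot: `package` is pinned to `foundryvtt_11` with no comment explaining the pin. The same merge moves the nix-foundryvtt input in the lock file, so the pin presumably holds the server on its current major version while the input advances; that intent is inferred, not stated. A comment above the line, for example `# Hold at v11 until worlds and modules are ready for the next major`, would tell the next reader when it can be dropped.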


@ -6,7 +6,7 @@ let
# Update pending on rewrite of nextcloud news, though there is an # Update pending on rewrite of nextcloud news, though there is an
# alpha to switch to if it becomes necessary: # alpha to switch to if it becomes necessary:
# https://github.com/nextcloud/news/issues/2610 # https://github.com/nextcloud/news/issues/2610
nextcloud = pkgs.nextcloud27; nextcloud = pkgs.nextcloud28;
hostName = "nextcloud.${config.services.nginx.domain}"; hostName = "nextcloud.${config.services.nginx.domain}";
in in
{ {


@ -7,11 +7,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1711973905, "lastModified": 1718194053,
"narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=", "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b", "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -27,11 +27,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1714103775, "lastModified": 1719733833,
"narHash": "sha256-kcBiIrmqzt3bNTr2GMBfAyA+on8BEKO1iKzzDFQZkjI=", "narHash": "sha256-6h2EqZU9bL9rHlXE+2LCBgnDImejzbS+4dYsNDDFlkY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "285e26465a0bae510897ca04da26ce6307c652b4", "rev": "d185770ea261fb5cf81aa5ad1791b93a7834d12c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -47,11 +47,11 @@
"pyproject-nix": "pyproject-nix" "pyproject-nix": "pyproject-nix"
}, },
"locked": { "locked": {
"lastModified": 1702457430, "lastModified": 1719685993,
"narHash": "sha256-8NQiXtYCOiC7XFayy6GPGDudCBrPROry3mfWjpdVj5g=", "narHash": "sha256-04gy1icwnGO3ZXF6r96yBm/C0PNPzeLxA/8xzzq0dBI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "dream2nix", "repo": "dream2nix",
"rev": "262198033e23e9ee832f0cc8133d38f07598f555", "rev": "1b5e01219a32324c8f6889fe1f4db933ec7932f6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -69,11 +69,11 @@
"rust-analyzer-src": "rust-analyzer-src" "rust-analyzer-src": "rust-analyzer-src"
}, },
"locked": { "locked": {
"lastModified": 1704003651, "lastModified": 1719815435,
"narHash": "sha256-bA3d4E1CX5G7TVbKwJOm9jZfVOGOPp6u5CKEUzNsE8E=", "narHash": "sha256-K2xFp142onP35jcx7li10xUxNVEVRWjAdY8DSuR7Naw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "c6d82e087ac96f24b90c5787a17e29a72566c2b4", "rev": "ebfe2c639111d7e82972a12711206afaeeda2450",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -157,11 +157,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1712623723, "lastModified": 1719541573,
"narHash": "sha256-jPD5+M+QPyMRk52zfFMIeHdv7yXYJ/yNGqwS0PhYF+E=", "narHash": "sha256-9j8Rtv5UWsD4A3jAh8MpopNGmftSAoI8htssmXLu8jU=",
"owner": "reckenrode", "owner": "reckenrode",
"repo": "nix-foundryvtt", "repo": "nix-foundryvtt",
"rev": "6025615b431170558c3c13f16b549fc0126425e1", "rev": "1176cc325e5e1d46c7a018663a8e02e699e838ec",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -210,11 +210,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1713638189, "lastModified": 1719663039,
"narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=", "narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "74574c38577914733b4f7a775dd77d24245081dd", "rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -226,43 +226,43 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1714253743, "lastModified": 1719824438,
"narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=", "narHash": "sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t+Je1zc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994", "rev": "7f993cdf26ccef564eabf31fdb40d140821e12bc",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-unstable", "ref": "nixos-unstable-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1718208800, "lastModified": 1719825363,
"narHash": "sha256-US1tAChvPxT52RV8GksWZS415tTS7PV42KTc2PNDBmc=", "narHash": "sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cc54fb41d13736e92229c21627ea4f22199fee6b", "rev": "10c832d0548e9e3a6df7eb51e68c2783212a303e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.05", "ref": "nixos-24.05-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1702272962, "lastModified": 1719468428,
"narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", "narHash": "sha256-vN5xJAZ4UGREEglh3lfbbkIj+MPEYMuqewMn4atZFaQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", "rev": "1e3deb3d8a86a870d925760db1a5adecc64d329d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -281,11 +281,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1713333471, "lastModified": 1718252448,
"narHash": "sha256-sIVQKOXzruxtTYiBRHZa8UQH+CSIa9K5MZlY6vavYfA=", "narHash": "sha256-xZZBdKqe1ByITzvx65pVgGQ5jeb73MybjgrcfI84lEo=",
"owner": "berberman", "owner": "berberman",
"repo": "nvfetcher", "repo": "nvfetcher",
"rev": "2a824322dc6a755ffda83a13b948d42304521e4d", "rev": "fa7609950023462c6f91c425de7610c0bb6b86ba",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -375,11 +375,11 @@
"rust-analyzer-src": { "rust-analyzer-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1703965384, "lastModified": 1719760370,
"narHash": "sha256-3iyouqkBvhh/E48TkBlt4JmmcIEyfQwY7pokKBx9WNg=", "narHash": "sha256-fsxAuW6RxKZYjAP3biUC6C4vaYFhDfWv8lp1Tmx3ZCY=",
"owner": "rust-lang", "owner": "rust-lang",
"repo": "rust-analyzer", "repo": "rust-analyzer",
"rev": "e872f5085cf5b0e44558442365c1c033d486eff2", "rev": "ea7fdada6a0940b239ddbde2048a4d7dac1efe1e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -442,11 +442,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1713892811, "lastModified": 1719716556,
"narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=", "narHash": "sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8+awNMyqs=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd", "rev": "b5974d4331fb6c893e808977a2e1a6d34b3162d6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -523,11 +523,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1704840002, "lastModified": 1719851829,
"narHash": "sha256-ik2LeuRjcnRXwBLoRSOyGEMXscE+coO8G79IFhZhdJk=", "narHash": "sha256-M5miiIbiwP4uArTyeIr/RKA857rP14AEJUe11AZsKAc=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "d14f50c8dcc8ab30a5e5fa907b392ac0df6c7b52", "rev": "4a099f27a27f4107ceb14969e2158eaabebcf1d4",
"revCount": 73, "revCount": 74,
"type": "git", "type": "git",
"url": "https://gitea.tlater.net/tlaternet/tlaternet.git" "url": "https://gitea.tlater.net/tlaternet/tlaternet.git"
}, },


@ -2,8 +2,8 @@
description = "tlater.net host configuration"; description = "tlater.net host configuration";
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
disko = { disko = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
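Review bot: The switch to `nixos-24.05-small` and `nixos-unstable-small` has no comment saying why it was made or how long it should stay. The -small branches advance after a reduced set of tests, which gets a fix onto the host sooner but with less test and binary-cache coverage than the full channels, so this is presumably a stopgap for the ssh fix named in the title. A line such as `# -small: picks up security fixes sooner; revert to nixos-24.05 once the fix has landed there` above `nixpkgs.url` would record that decision.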


@ -7,11 +7,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-JXNQNnWXoii71QhtKktuEBEIqzmONVetULBhpSjM9xo=", "sha256": "sha256-wUeXcbxNCRA2brzdCHKwl0zbhmDucKv1ZCkF3KlQ8O4=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nextcloud/bookmarks/releases/download/v13.1.3/bookmarks-13.1.3.tar.gz" "url": "https://github.com/nextcloud/bookmarks/releases/download/v14.2.2/bookmarks-14.2.2.tar.gz"
}, },
"version": "13.1.3" "version": "14.2.2"
}, },
"calendar": { "calendar": {
"cargoLocks": null, "cargoLocks": null,
@ -21,11 +21,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-hZfjWAMi/0qs5xMMgOlcoSXG6kcZ2aeDaez+NqSZFKI=", "sha256": "sha256-cuAqJz1cZ+VfxttAKjWIe11DFwWGLdSSvcNJKQKidgk=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nextcloud-releases/calendar/releases/download/v4.6.7/calendar-v4.6.7.tar.gz" "url": "https://github.com/nextcloud-releases/calendar/releases/download/v4.7.8/calendar-v4.7.8.tar.gz"
}, },
"version": "v4.6.7" "version": "v4.7.8"
}, },
"contacts": { "contacts": {
"cargoLocks": null, "cargoLocks": null,
@ -49,11 +49,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-TE/w8SgyIPaGl5wZUAsG234nxoPj25QoRPF3zjbMoRk=", "sha256": "sha256-a8ekMnEzudHGiqHF53jPtgsVTOTc2QLuPg6YtTw5h68=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.10.5/Cookbook-0.10.5.tar.gz" "url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.1/Cookbook-0.11.1.tar.gz"
}, },
"version": "0.10.5" "version": "0.11.1"
}, },
"news": { "news": {
"cargoLocks": null, "cargoLocks": null,
@ -63,11 +63,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-cfJkKRNSz15L4E3w1tnEb+t4MrVwVzb8lb6vCOA4cK4=", "sha256": "sha256-XNGjf7SWgJYFdVNOh3ED0jxSG0GJwWImVQq4cJT1Lo4=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nextcloud/news/releases/download/24.0.0/news.tar.gz" "url": "https://github.com/nextcloud/news/releases/download/25.0.0-alpha7/news.tar.gz"
}, },
"version": "24.0.0" "version": "25.0.0-alpha7"
}, },
"notes": { "notes": {
"cargoLocks": null, "cargoLocks": null,


@ -3,18 +3,18 @@
{ {
bookmarks = { bookmarks = {
pname = "bookmarks"; pname = "bookmarks";
version = "13.1.3"; version = "14.2.2";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/nextcloud/bookmarks/releases/download/v13.1.3/bookmarks-13.1.3.tar.gz"; url = "https://github.com/nextcloud/bookmarks/releases/download/v14.2.2/bookmarks-14.2.2.tar.gz";
sha256 = "sha256-JXNQNnWXoii71QhtKktuEBEIqzmONVetULBhpSjM9xo="; sha256 = "sha256-wUeXcbxNCRA2brzdCHKwl0zbhmDucKv1ZCkF3KlQ8O4=";
}; };
}; };
calendar = { calendar = {
pname = "calendar"; pname = "calendar";
version = "v4.6.7"; version = "v4.7.8";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/nextcloud-releases/calendar/releases/download/v4.6.7/calendar-v4.6.7.tar.gz"; url = "https://github.com/nextcloud-releases/calendar/releases/download/v4.7.8/calendar-v4.7.8.tar.gz";
sha256 = "sha256-hZfjWAMi/0qs5xMMgOlcoSXG6kcZ2aeDaez+NqSZFKI="; sha256 = "sha256-cuAqJz1cZ+VfxttAKjWIe11DFwWGLdSSvcNJKQKidgk=";
}; };
}; };
contacts = { contacts = {
@ -27,18 +27,18 @@
}; };
cookbook = { cookbook = {
pname = "cookbook"; pname = "cookbook";
version = "0.10.5"; version = "0.11.1";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.10.5/Cookbook-0.10.5.tar.gz"; url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.1/Cookbook-0.11.1.tar.gz";
sha256 = "sha256-TE/w8SgyIPaGl5wZUAsG234nxoPj25QoRPF3zjbMoRk="; sha256 = "sha256-a8ekMnEzudHGiqHF53jPtgsVTOTc2QLuPg6YtTw5h68=";
}; };
}; };
news = { news = {
pname = "news"; pname = "news";
version = "24.0.0"; version = "25.0.0-alpha7";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/nextcloud/news/releases/download/24.0.0/news.tar.gz"; url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha7/news.tar.gz";
sha256 = "sha256-cfJkKRNSz15L4E3w1tnEb+t4MrVwVzb8lb6vCOA4cK4="; sha256 = "sha256-XNGjf7SWgJYFdVNOh3ED0jxSG0GJwWImVQq4cJT1Lo4=";
}; };
}; };
notes = { notes = {


@ -13,6 +13,7 @@
"name": null, "name": null,
"rev": "v0.10.1", "rev": "v0.10.1",
"sha256": "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=", "sha256": "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=",
"sparseCheckout": [],
"type": "git", "type": "git",
"url": "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter" "url": "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"
}, },


@ -10,6 +10,7 @@
fetchSubmodules = false; fetchSubmodules = false;
deepClone = false; deepClone = false;
leaveDotGit = false; leaveDotGit = false;
sparseCheckout = [ ];
sha256 = "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI="; sha256 = "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=";
}; };
}; };


@ -1,12 +1,10 @@
[bookmarks] [bookmarks]
# src.github = "nextcloud/bookmarks" src.github = "nextcloud/bookmarks"
src.prefix = "v" src.prefix = "v"
src.manual = "v13.1.3"
fetch.tarball = "https://github.com/nextcloud/bookmarks/releases/download/v$ver/bookmarks-$ver.tar.gz" fetch.tarball = "https://github.com/nextcloud/bookmarks/releases/download/v$ver/bookmarks-$ver.tar.gz"
[calendar] [calendar]
# src.github = "nextcloud-releases/calendar" src.github = "nextcloud-releases/calendar"
src.manual = "v4.6.7"
fetch.tarball = "https://github.com/nextcloud-releases/calendar/releases/download/$ver/calendar-$ver.tar.gz" fetch.tarball = "https://github.com/nextcloud-releases/calendar/releases/download/$ver/calendar-$ver.tar.gz"
[contacts] [contacts]
@ -15,15 +13,14 @@ src.manual = "v5.5.3"
fetch.tarball = "https://github.com/nextcloud-releases/contacts/releases/download/$ver/contacts-$ver.tar.gz" fetch.tarball = "https://github.com/nextcloud-releases/contacts/releases/download/$ver/contacts-$ver.tar.gz"
[cookbook] [cookbook]
# src.github = "christianlupus-nextcloud/cookbook-releases" src.github = "christianlupus-nextcloud/cookbook-releases"
src.prefix = "v" src.prefix = "v"
src.manual = "0.10.5"
fetch.tarball = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v$ver/Cookbook-$ver.tar.gz" fetch.tarball = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v$ver/Cookbook-$ver.tar.gz"
[news] [news]
# Update manually until angular rewrite is done
# src.github = "nextcloud/news" # src.github = "nextcloud/news"
# Update to 25 when angular rewrite is done/the alpha when I need to switch to nextcloud 28+ src.manual = "25.0.0-alpha7"
src.manual = "24.0.0"
fetch.tarball = "https://github.com/nextcloud/news/releases/download/$ver/news.tar.gz" fetch.tarball = "https://github.com/nextcloud/news/releases/download/$ver/news.tar.gz"
[notes] [notes]
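Review bot: Re-enabling `src.github` for bookmarks, calendar and cookbook while dropping their `src.manual` pins means each nvfetcher run will record whatever release upstream has published, and nothing in this file ties those app versions to the Nextcloud major selected in the service module. The news entry is now held at the pre-release `25.0.0-alpha7`, and its comment says only that it is updated manually until the rewrite is done. Consider a comment on the tracked apps, e.g. `# Tracks latest release; check Nextcloud compatibility before deploying`. The regenerated `sha256` values in the generated files are the only integrity pin for these tarballs, so they should be reviewed on each update.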