Update to fix ssh vulnerability #117

Manually merged
tlater merged 6 commits from tlater/update-conduit into master 2024-07-02 23:16:33 +01:00
11 changed files with 88 additions and 94 deletions


@ -24,7 +24,7 @@
./services/nextcloud.nix
./services/webserver.nix
./services/wireguard.nix
./services/starbound.nix
# ./services/starbound.nix -- Not currently used
./services/postgres.nix
./nginx.nix
./sops.nix
@ -49,9 +49,6 @@
settings.trusted-users = [ "@wheel" ];
};
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [ "steam-original" "steam-runtime" "steam-run" "steamcmd" ];
# Optimization for minecraft servers, see:
# https://bugs.mojang.com/browse/MC-183518
boot.kernelParams = [ "highres=off" "nohz=off" ];


@ -18,6 +18,13 @@ in
server_name = domain;
database_backend = "rocksdb";
# Set up delegation: https://docs.conduit.rs/delegation.html#automatic-recommended
# This is primarily to make sliding sync work
well_known = {
client = "https://${domain}";
server = "${domain}:443";
};
turn_uris =
let
address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}";
@ -230,19 +237,8 @@ in
proxy_buffering off;
'';
};
# Add Element X support
# TODO(tlater): Remove when no longer required: https://github.com/vector-im/element-x-android/issues/1085
"=/.well-known/matrix/client" = {
alias = pkgs.writeText "well-known-matrix-client" (builtins.toJSON {
"m.homeserver".base_url = "https://${domain}";
"org.matrix.msc3575.proxy".url = "https://${domain}";
});
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
'';
"/.well-known/matrix" = {
proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
};
};
};
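Review bot: The new `"/.well-known/matrix"` location only sets `proxyPass`, whereas the static `=/.well-known/matrix/client` location it replaces set `default_type application/json` and `add_header Access-Control-Allow-Origin "*"` itself, so both now depend entirely on what Conduit returns. Web clients fetch this document cross-origin, so it is worth confirming that the proxied response still carries the CORS header and still advertises whatever sliding-sync entry the clients need. The prefix match also forwards every path under `/.well-known/matrix` to the backend rather than one exact path; if only `client` and `server` are meant to be reachable, two `=` exact-match locations would keep the exposure as narrow as before. The enclosing attribute sets start and end outside both hunks.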


@ -1,6 +1,7 @@
{ lib
, config
, flake-inputs
, pkgs
, ...
}:
let
@ -15,6 +16,7 @@ in
minifyStaticFiles = true;
proxySSL = true;
proxyPort = 443;
package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_11;
};
# Want to start it manually when I need it, not have it constantly
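Review bot: `package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_11;` hard-codes the major version without saying why, so the service stays on 11 across flake updates until someone edits this line by hand. If the pin is deliberate, a comment above it would record that, for example `# Pinned to v11 on purpose; bump manually after checking world/module compatibility`. The surrounding service definition continues outside the hunk.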


@ -6,7 +6,7 @@ let
# Update pending on rewrite of nextcloud news, though there is an
# alpha to switch to if it becomes necessary:
# https://github.com/nextcloud/news/issues/2610
nextcloud = pkgs.nextcloud27;
nextcloud = pkgs.nextcloud28;
hostName = "nextcloud.${config.services.nginx.domain}";
in
{


@ -7,11 +7,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1711973905,
"narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=",
"lastModified": 1718194053,
"narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b",
"rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
"type": "github"
},
"original": {
@ -27,11 +27,11 @@
]
},
"locked": {
"lastModified": 1714103775,
"narHash": "sha256-kcBiIrmqzt3bNTr2GMBfAyA+on8BEKO1iKzzDFQZkjI=",
"lastModified": 1719733833,
"narHash": "sha256-6h2EqZU9bL9rHlXE+2LCBgnDImejzbS+4dYsNDDFlkY=",
"owner": "nix-community",
"repo": "disko",
"rev": "285e26465a0bae510897ca04da26ce6307c652b4",
"rev": "d185770ea261fb5cf81aa5ad1791b93a7834d12c",
"type": "github"
},
"original": {
@ -47,11 +47,11 @@
"pyproject-nix": "pyproject-nix"
},
"locked": {
"lastModified": 1702457430,
"narHash": "sha256-8NQiXtYCOiC7XFayy6GPGDudCBrPROry3mfWjpdVj5g=",
"lastModified": 1719685993,
"narHash": "sha256-04gy1icwnGO3ZXF6r96yBm/C0PNPzeLxA/8xzzq0dBI=",
"owner": "nix-community",
"repo": "dream2nix",
"rev": "262198033e23e9ee832f0cc8133d38f07598f555",
"rev": "1b5e01219a32324c8f6889fe1f4db933ec7932f6",
"type": "github"
},
"original": {
@ -69,11 +69,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1704003651,
"narHash": "sha256-bA3d4E1CX5G7TVbKwJOm9jZfVOGOPp6u5CKEUzNsE8E=",
"lastModified": 1719815435,
"narHash": "sha256-K2xFp142onP35jcx7li10xUxNVEVRWjAdY8DSuR7Naw=",
"owner": "nix-community",
"repo": "fenix",
"rev": "c6d82e087ac96f24b90c5787a17e29a72566c2b4",
"rev": "ebfe2c639111d7e82972a12711206afaeeda2450",
"type": "github"
},
"original": {
@ -157,11 +157,11 @@
]
},
"locked": {
"lastModified": 1712623723,
"narHash": "sha256-jPD5+M+QPyMRk52zfFMIeHdv7yXYJ/yNGqwS0PhYF+E=",
"lastModified": 1719541573,
"narHash": "sha256-9j8Rtv5UWsD4A3jAh8MpopNGmftSAoI8htssmXLu8jU=",
"owner": "reckenrode",
"repo": "nix-foundryvtt",
"rev": "6025615b431170558c3c13f16b549fc0126425e1",
"rev": "1176cc325e5e1d46c7a018663a8e02e699e838ec",
"type": "github"
},
"original": {
@ -210,11 +210,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1713638189,
"narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=",
"lastModified": 1719663039,
"narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "74574c38577914733b4f7a775dd77d24245081dd",
"rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
"type": "github"
},
"original": {
@ -226,43 +226,43 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1714253743,
"narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=",
"lastModified": 1719824438,
"narHash": "sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t+Je1zc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994",
"rev": "7f993cdf26ccef564eabf31fdb40d140821e12bc",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1718208800,
"narHash": "sha256-US1tAChvPxT52RV8GksWZS415tTS7PV42KTc2PNDBmc=",
"lastModified": 1719825363,
"narHash": "sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "cc54fb41d13736e92229c21627ea4f22199fee6b",
"rev": "10c832d0548e9e3a6df7eb51e68c2783212a303e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"ref": "nixos-24.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1702272962,
"narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
"lastModified": 1719468428,
"narHash": "sha256-vN5xJAZ4UGREEglh3lfbbkIj+MPEYMuqewMn4atZFaQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
"rev": "1e3deb3d8a86a870d925760db1a5adecc64d329d",
"type": "github"
},
"original": {
@ -281,11 +281,11 @@
]
},
"locked": {
"lastModified": 1713333471,
"narHash": "sha256-sIVQKOXzruxtTYiBRHZa8UQH+CSIa9K5MZlY6vavYfA=",
"lastModified": 1718252448,
"narHash": "sha256-xZZBdKqe1ByITzvx65pVgGQ5jeb73MybjgrcfI84lEo=",
"owner": "berberman",
"repo": "nvfetcher",
"rev": "2a824322dc6a755ffda83a13b948d42304521e4d",
"rev": "fa7609950023462c6f91c425de7610c0bb6b86ba",
"type": "github"
},
"original": {
@ -375,11 +375,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1703965384,
"narHash": "sha256-3iyouqkBvhh/E48TkBlt4JmmcIEyfQwY7pokKBx9WNg=",
"lastModified": 1719760370,
"narHash": "sha256-fsxAuW6RxKZYjAP3biUC6C4vaYFhDfWv8lp1Tmx3ZCY=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "e872f5085cf5b0e44558442365c1c033d486eff2",
"rev": "ea7fdada6a0940b239ddbde2048a4d7dac1efe1e",
"type": "github"
},
"original": {
@ -442,11 +442,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1713892811,
"narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
"lastModified": 1719716556,
"narHash": "sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8+awNMyqs=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
"rev": "b5974d4331fb6c893e808977a2e1a6d34b3162d6",
"type": "github"
},
"original": {
@ -523,11 +523,11 @@
]
},
"locked": {
"lastModified": 1704840002,
"narHash": "sha256-ik2LeuRjcnRXwBLoRSOyGEMXscE+coO8G79IFhZhdJk=",
"lastModified": 1719851829,
"narHash": "sha256-M5miiIbiwP4uArTyeIr/RKA857rP14AEJUe11AZsKAc=",
"ref": "refs/heads/master",
"rev": "d14f50c8dcc8ab30a5e5fa907b392ac0df6c7b52",
"revCount": 73,
"rev": "4a099f27a27f4107ceb14969e2158eaabebcf1d4",
"revCount": 74,
"type": "git",
"url": "https://gitea.tlater.net/tlaternet/tlaternet.git"
},


@ -2,8 +2,8 @@
description = "tlater.net host configuration";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
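Review bot: The switch to `nixos-24.05-small` and `nixos-unstable-small` has no comment explaining it, so the reason lives only in the PR title. The -small channels advance after a reduced set of Hydra jobs, which gets fixes onto the host sooner but means fewer packages are tested and cached before the channel moves, so some builds may happen locally. I would add a comment above the two URLs, e.g. `# -small channels: faster security updates, less test coverage and more local builds`, and note whether the plan is to stay on them or return to the full channels later.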


@ -7,11 +7,11 @@
"passthru": null,
"pinned": false,
"src": {
"sha256": "sha256-JXNQNnWXoii71QhtKktuEBEIqzmONVetULBhpSjM9xo=",
"sha256": "sha256-wUeXcbxNCRA2brzdCHKwl0zbhmDucKv1ZCkF3KlQ8O4=",
"type": "tarball",
"url": "https://github.com/nextcloud/bookmarks/releases/download/v13.1.3/bookmarks-13.1.3.tar.gz"
"url": "https://github.com/nextcloud/bookmarks/releases/download/v14.2.2/bookmarks-14.2.2.tar.gz"
},
"version": "13.1.3"
"version": "14.2.2"
},
"calendar": {
"cargoLocks": null,
@ -21,11 +21,11 @@
"passthru": null,
"pinned": false,
"src": {
"sha256": "sha256-hZfjWAMi/0qs5xMMgOlcoSXG6kcZ2aeDaez+NqSZFKI=",
"sha256": "sha256-cuAqJz1cZ+VfxttAKjWIe11DFwWGLdSSvcNJKQKidgk=",
"type": "tarball",
"url": "https://github.com/nextcloud-releases/calendar/releases/download/v4.6.7/calendar-v4.6.7.tar.gz"
"url": "https://github.com/nextcloud-releases/calendar/releases/download/v4.7.8/calendar-v4.7.8.tar.gz"
},
"version": "v4.6.7"
"version": "v4.7.8"
},
"contacts": {
"cargoLocks": null,
@ -49,11 +49,11 @@
"passthru": null,
"pinned": false,
"src": {
"sha256": "sha256-TE/w8SgyIPaGl5wZUAsG234nxoPj25QoRPF3zjbMoRk=",
"sha256": "sha256-a8ekMnEzudHGiqHF53jPtgsVTOTc2QLuPg6YtTw5h68=",
"type": "tarball",
"url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.10.5/Cookbook-0.10.5.tar.gz"
"url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.1/Cookbook-0.11.1.tar.gz"
},
"version": "0.10.5"
"version": "0.11.1"
},
"news": {
"cargoLocks": null,
@ -63,11 +63,11 @@
"passthru": null,
"pinned": false,
"src": {
"sha256": "sha256-cfJkKRNSz15L4E3w1tnEb+t4MrVwVzb8lb6vCOA4cK4=",
"sha256": "sha256-XNGjf7SWgJYFdVNOh3ED0jxSG0GJwWImVQq4cJT1Lo4=",
"type": "tarball",
"url": "https://github.com/nextcloud/news/releases/download/24.0.0/news.tar.gz"
"url": "https://github.com/nextcloud/news/releases/download/25.0.0-alpha7/news.tar.gz"
},
"version": "24.0.0"
"version": "25.0.0-alpha7"
},
"notes": {
"cargoLocks": null,


@ -3,18 +3,18 @@
{
bookmarks = {
pname = "bookmarks";
version = "13.1.3";
version = "14.2.2";
src = fetchTarball {
url = "https://github.com/nextcloud/bookmarks/releases/download/v13.1.3/bookmarks-13.1.3.tar.gz";
sha256 = "sha256-JXNQNnWXoii71QhtKktuEBEIqzmONVetULBhpSjM9xo=";
url = "https://github.com/nextcloud/bookmarks/releases/download/v14.2.2/bookmarks-14.2.2.tar.gz";
sha256 = "sha256-wUeXcbxNCRA2brzdCHKwl0zbhmDucKv1ZCkF3KlQ8O4=";
};
};
calendar = {
pname = "calendar";
version = "v4.6.7";
version = "v4.7.8";
src = fetchTarball {
url = "https://github.com/nextcloud-releases/calendar/releases/download/v4.6.7/calendar-v4.6.7.tar.gz";
sha256 = "sha256-hZfjWAMi/0qs5xMMgOlcoSXG6kcZ2aeDaez+NqSZFKI=";
url = "https://github.com/nextcloud-releases/calendar/releases/download/v4.7.8/calendar-v4.7.8.tar.gz";
sha256 = "sha256-cuAqJz1cZ+VfxttAKjWIe11DFwWGLdSSvcNJKQKidgk=";
};
};
contacts = {
@ -27,18 +27,18 @@
};
cookbook = {
pname = "cookbook";
version = "0.10.5";
version = "0.11.1";
src = fetchTarball {
url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.10.5/Cookbook-0.10.5.tar.gz";
sha256 = "sha256-TE/w8SgyIPaGl5wZUAsG234nxoPj25QoRPF3zjbMoRk=";
url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.1/Cookbook-0.11.1.tar.gz";
sha256 = "sha256-a8ekMnEzudHGiqHF53jPtgsVTOTc2QLuPg6YtTw5h68=";
};
};
news = {
pname = "news";
version = "24.0.0";
version = "25.0.0-alpha7";
src = fetchTarball {
url = "https://github.com/nextcloud/news/releases/download/24.0.0/news.tar.gz";
sha256 = "sha256-cfJkKRNSz15L4E3w1tnEb+t4MrVwVzb8lb6vCOA4cK4=";
url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha7/news.tar.gz";
sha256 = "sha256-XNGjf7SWgJYFdVNOh3ED0jxSG0GJwWImVQq4cJT1Lo4=";
};
};
notes = {


@ -13,6 +13,7 @@
"name": null,
"rev": "v0.10.1",
"sha256": "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=",
"sparseCheckout": [],
"type": "git",
"url": "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"
},


@ -10,6 +10,7 @@
fetchSubmodules = false;
deepClone = false;
leaveDotGit = false;
sparseCheckout = [ ];
sha256 = "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=";
};
};


@ -1,12 +1,10 @@
[bookmarks]
# src.github = "nextcloud/bookmarks"
src.github = "nextcloud/bookmarks"
src.prefix = "v"
src.manual = "v13.1.3"
fetch.tarball = "https://github.com/nextcloud/bookmarks/releases/download/v$ver/bookmarks-$ver.tar.gz"
[calendar]
# src.github = "nextcloud-releases/calendar"
src.manual = "v4.6.7"
src.github = "nextcloud-releases/calendar"
fetch.tarball = "https://github.com/nextcloud-releases/calendar/releases/download/$ver/calendar-$ver.tar.gz"
[contacts]
@ -15,15 +13,14 @@ src.manual = "v5.5.3"
fetch.tarball = "https://github.com/nextcloud-releases/contacts/releases/download/$ver/contacts-$ver.tar.gz"
[cookbook]
# src.github = "christianlupus-nextcloud/cookbook-releases"
src.github = "christianlupus-nextcloud/cookbook-releases"
src.prefix = "v"
src.manual = "0.10.5"
fetch.tarball = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v$ver/Cookbook-$ver.tar.gz"
[news]
# Update manually until angular rewrite is done
# src.github = "nextcloud/news"
# Update to 25 when angular rewrite is done/the alpha when I need to switch to nextcloud 28+
src.manual = "24.0.0"
src.manual = "25.0.0-alpha7"
fetch.tarball = "https://github.com/nextcloud/news/releases/download/$ver/news.tar.gz"
[notes]
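Review bot: `src.manual = "25.0.0-alpha7"` pins the news app to a pre-release, but the comment above it still reads as a future plan rather than describing the current state. I would reword it along the lines of `# Pinned to the 25 alpha because nextcloud 28 needs it; move to a stable 25.x once released` so the stopgap is obvious. Separately, bookmarks, calendar and cookbook now follow `src.github` instead of a manual version, so every nvfetcher run will pick up and hash whatever release is newest at that moment. The regenerated version and sha256 changes deserve a read before deploying, including a check that the new app versions support the pinned Nextcloud major.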