mattermost: switch to postgresql

this depends on a whole lot of imperative nonsense being done at the same time, which i have done. of special interest to anyone attempting to understand this is https://docs.mattermost.com/deploy/postgres-migration.html for the general shape of incompetence at work, https://docs.mattermost.com/install/setting-up-socket-based-mattermost-database.html#with-unix-socket for yet another interesting syntax for database connection strings, and https://github.com/dimitri/pgloader/issues/782#issuecomment-502323324 for a truly astonishing take on how to do database migrations, which unfortunately i have followed. As far as I can tell, everything has kept working. Downtime was mostly spent understanding connection string syntax and their horribly buggy parsers. Note for people with server access: - i have kept the temporary files (including logs) around in /persist/migration inside the container should we ever need them again - there's a zfs snapshot @pre-postgres with the old state
mattermost: packages required for migration
2024-05-19 23:26:53 +02:00 · 2024-05-19 23:24:26 +02:00 · 2024-05-19 23:23:30 +02:00 · 2024-05-19 18:08:16 +02:00 · 2024-05-17 21:08:24 +02:00 · 2024-05-16 22:17:09 +02:00
27 changed files with 630 additions and 331 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -15,6 +15,7 @@
    SystemMaxUse=512M
    MaxRetentionSec=48h
  '';
+  nix.package = pkgs.lix;
  nix.gc.automatic = lib.mkDefault true;
  nix.gc.options = lib.mkDefault "--delete-older-than 7d";
  nix.settings.trusted-users = [ "root" "@wheel" ];
@ -74,6 +75,7 @@
    ffmpeg-full
    bat 
    niv
+    sqlite-interactive
  ];

  security.acme.defaults.email = "info+acme@hacc.space";
--- a/flake.lock
+++ b/flake.lock
@ -25,11 +25,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1708091384,
-        "narHash": "sha256-dTGGw2y8wvfjr+J9CjQbfdulOq72hUG17HXVNxpH1yE=",
+        "lastModified": 1711973905,
+        "narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "0a0187794ac7f7a1e62cda3dabf8dc041f868790",
+        "rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b",
        "type": "github"
      },
      "original": {
@ -134,41 +134,41 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1709479366,
-        "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=",
+        "lastModified": 1715571466,
+        "narHash": "sha256-7o7OwQ7D35K7fsBaDjEqHfpbbg+EKhAtz93cHg3LXBw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973",
+        "rev": "adc44ac0ee8454f4f51ef5dd1bdcc60080141e24",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-unstable",
+        "ref": "nixos-unstable-small",
        "type": "indirect"
      }
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1709569716,
-        "narHash": "sha256-iOR44RU4jQ+YPGrn+uQeYAp7Xo7Z/+gT+wXJoGxxLTY=",
+        "lastModified": 1715458492,
+        "narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "617579a787259b9a6419492eaac670a5f7663917",
+        "rev": "8e47858badee5594292921c2668c11004c3b0142",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-23.11",
+        "ref": "nixos-23.11-small",
        "type": "indirect"
      }
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1709356872,
-        "narHash": "sha256-mvxCirJbtkP0cZ6ABdwcgTk0u3bgLoIoEFIoYBvD6+4=",
+        "lastModified": 1715413075,
+        "narHash": "sha256-FCi3R1MeS5bVp0M0xTheveP6hhcCYfW/aghSTPebYL4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "458b097d81f90275b3fdf03796f0563844926708",
+        "rev": "e4e7a43a9db7e22613accfeb1005cca1b2b1ee0d",
        "type": "github"
      },
      "original": {
@ -197,11 +197,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1709591996,
-        "narHash": "sha256-0sQcalXSgqlO6mnxBTXkSQChBHy2GQsokB1XY8r+LpQ=",
+        "lastModified": 1715482972,
+        "narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "291aad29b59ceda517a06e59809f35cb0bb17c6b",
+        "rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
        "type": "github"
      },
      "original": {
@ -228,11 +228,11 @@
    "tracktrain": {
      "flake": false,
      "locked": {
-        "lastModified": 1688154251,
-        "narHash": "sha256-iv2xUUYhjIcKWs1+l7h43z7v/a9/OamBKXi/gcl4ppI=",
+        "lastModified": 1716134757,
+        "narHash": "sha256-/fKR7ACXCVjiHgyJw5609mPNN9116uY+Ub6BdcB4fSE=",
        "ref": "main",
-        "rev": "a995dabf07574a32c1ae62ad23b96ba7d8e076ee",
-        "revCount": 92,
+        "rev": "82355e81aa9a3fd7a38f902dc749d4835270ab21",
+        "revCount": 122,
        "type": "git",
        "url": "https://stuebinm.eu/git/tracktrain"
      },
--- a/flake.nix
+++ b/flake.nix
@ -2,8 +2,8 @@
  description = "hacc infra stuff";

  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.11";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
    nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";

    nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
@ -38,33 +38,20 @@
          system = "x86_64-linux";
          config.allowUnfree = true;
        };
-        evalConfig = config: (nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          modules = [
-            config
-            {
-              nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
-              imports = [ modules.nopersist profiles.container ];
-            }
-          ];
-          specialArgs = {
-            # some of our modules import each other, and evalConfig is used for containers
-            inherit modules evalConfig;
-            sources = inputs;
-          };
-        }).config.system.build.toplevel;
    in {
      nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./parsons/configuration.nix
+          ./modules/buildinfo.nix
+          ./modules/containers.nix
          sops-nix.nixosModules.sops
          { nixpkgs.pkgs = pkgs; }
-          { environment.etc."haccfiles".source = self.outPath; }
        ];
        specialArgs = {
          sources = inputs;
-          inherit modules evalConfig;
+          inherit modules profiles;
+          inherit (nixpkgs.lib) nixosSystem;
        };
      };

--- a/modules/buildinfo.nix
+++ b/modules/buildinfo.nix
@ -0,0 +1,29 @@
+{ config, lib, pkgs, sources, ... }:
+
+let
+  self = sources.self;
+
+  formatDate = date: with lib.strings;
+    let
+      year = substring 0 4 date;
+      month = substring 4 2 date;
+      day = substring 6 2 date;
+      hour = substring 8 2 date;
+      minute = substring 10 2 date;
+      second = substring 12 2 date;
+    in
+      "${year}-${month}-${day} ${hour}:${minute}:${second} UTC";
+in
+{
+  system.nixos.label = "${config.system.nixos.release}-haccfiles-${self.shortRev or self.dirtyShortRev}";
+  users.motd = ''
+    Welcome to ${config.networking.hostName}, running NixOS ${config.system.nixos.release}!
+    Built from haccfiles ${self.rev or self.dirtyRev}.
+    Last commit was at ${formatDate self.lastModifiedDate}.
+    ${if self ? dirtyRev then "\nPlease remember to commit your changes.\n" else ""}
+  '';
+
+  # used by monit
+  environment.etc."haccfiles-commit".text = self.rev or self.dirtyRev;
+  environment.etc."haccfiles-timestamp".text = builtins.toString self.lastModified;
+}
--- a/modules/container-profile.nix
+++ b/modules/container-profile.nix
@ -14,12 +14,5 @@
    '';
  };

-  # I /suspect/ this is not actually needed.
-  # TODO: find spoons to deal with potential breakage, test removing this
-  networking.defaultGateway = {
-    address = "192.168.100.1";
-    interface = "eth0";
-  };
-
  system.stateVersion = lib.mkDefault "21.05";
 }
--- a/modules/containers.nix
+++ b/modules/containers.nix
@ -0,0 +1,95 @@
+{ config, lib, pkgs, modules, profiles, sources, nixosSystem, ... }:
+
+let
+  mkIPv4 = index: local:
+    "192.168.${if local then "100" else "101"}.${toString index}";
+  mkIPv6 = index: local:
+    "fd00::${if local then "100" else "101"}:${toString index}";
+
+  evalConfig = nixosConfig: (nixosSystem {
+    inherit (config.nixpkgs) system;
+    modules = [
+      nixosConfig
+      modules.nopersist
+      profiles.container
+      { nixpkgs.pkgs = lib.mkForce pkgs; }
+    ];
+    specialArgs = {
+      inherit modules sources;
+    };
+  }).config.system.build.toplevel;
+
+in {
+  options.hacc.containers = with lib.options;
+    mkOption {
+      description = ''
+        hacc-specific containers. These are a thin wrapper around "normal" nixos containers:
+          - they automatically get an IPv4/IPv6 address assigned
+            (note that these are not guaranteed to be stable across config changes,
+            so please use {option}`containers.<name>.hostAddress` & friends to
+            reference them elsewhere)
+          - they set a couple default options (e.g. ephemeral, autoStart, privateNetwork)
+          - they are evaluated with our own version of {nix}`evalConfig`, which includes a
+            couple more modules by default, use our version of `nixpkgs`, and includes the
+            {nix}`profiles.containers` profile setting sane defaults for containers.
+      '';
+      default = { };
+      type = with lib.types;
+        types.attrsOf (types.submodule {
+          options = {
+            bindToPersist = mkOption {
+              default = true;
+              type = types.bool;
+              description =
+                "Wether to mount /persist/containers/<name> at /persist into this container.";
+            };
+
+            bindSecrets = mkOption {
+              default = false;
+              type = types.bool;
+              description =
+                "Whether to mount /run/secrets/<name> at /secrets into this container.";
+            };
+
+            config = mkOption {
+              type = types.unspecified;
+              description =
+                "The container's config, to be evaluated with our own {nix}`evalConfig`.";
+            };
+          };
+        });
+    };
+
+  # wrapped into imap1, which enumerates the containers; IP addresses are then
+  # simply assigned based on the order the containers are in the list.
+  config.containers = lib.mkMerge (lib.imap1
+    (index: { name, value }: let container = value; in {
+      ${name} = {
+        hostAddress = mkIPv4 index false;
+        localAddress = mkIPv4 index true;
+        hostAddress6 = mkIPv6 index false;
+        localAddress6 = mkIPv6 index true;
+
+        privateNetwork = true;
+        autoStart = true;
+        ephemeral = true;
+
+        bindMounts = lib.mkMerge [
+          (lib.mkIf container.bindToPersist {
+            "/persist" = {
+              hostPath = "/persist/containers/${name}";
+              isReadOnly = false;
+            };
+          })
+          (lib.mkIf container.bindSecrets {
+            "/secrets" = {
+              hostPath = "/run/secrets/${name}";
+              isReadOnly = true;
+            };
+          })
+        ];
+
+        path = evalConfig container.config;
+      };
+    }) (lib.attrsToList config.hacc.containers));
+}
--- a/parsons/configuration.nix
+++ b/parsons/configuration.nix
@ -19,6 +19,8 @@
    ./tracktrain.nix
    ./uffd.nix
    ./lxc.nix
+    ./monit.nix
+    ./s4f-conference.nix
  ];

  hacc.bindToPersist = [ "/var/lib/acme" ];
@ -50,13 +52,6 @@
    address = "fe80::1";
    interface = "enp35s0";
  };
-  boot = {
-    kernelModules = [ "nf_nat_ftp" ];
-    kernel.sysctl = {
-      "net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
-      "net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
-    };
-  };

  services.nginx = {
    enable = true;
--- a/parsons/forgejo.nix
+++ b/parsons/forgejo.nix
@ -1,19 +1,8 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 {
-  containers.forgejo = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.10";
-    autoStart = true;
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/forgejo";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, pkgs, ... }: {
+  hacc.containers.forgejo = {
+    config = { lib, pkgs, ... }: {
      system.stateVersion = "21.11";

      environment.systemPackages = [ pkgs.forgejo ];
@ -78,16 +67,12 @@
      };
      services.openssh = {
        enable = true;
-        listenAddresses = [ {
-          addr = "192.168.100.10";
-          port = 22;
-        } ];
        settings = {
          PasswordAuthentication = false;
          AcceptEnv = "GIT_PROTOCOL";
        };
      };
-    });
+    };
  };

  services.nginx.virtualHosts."git.infra4future.de" = {
--- a/parsons/hedgedoc-hacc.nix
+++ b/parsons/hedgedoc-hacc.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 {

@ -6,20 +6,11 @@
    "hedgedoc-hacc/env" = {};
  };

-  containers.pad-hacc = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.5";
-    autoStart = true;
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/pad-hacc";
-        isReadOnly = false;
-      };
-      "/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
-    };
-    path = evalConfig ({ config, lib, ... }: {
+  containers.pad-hacc.bindMounts = {
+    "/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
+  };
+  hacc.containers.pad-hacc = {
+    config = { config, lib, ... }: {
      services.hedgedoc = {
        enable = true;
        settings = {
@ -78,7 +69,7 @@
        location = "/persist/backups/postgres";
      };
      hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
-    });
+    };
  };
  services.nginx.virtualHosts."pad.hacc.earth" = {
    enableACME = true;
--- a/parsons/hedgedoc-i4f.nix
+++ b/parsons/hedgedoc-i4f.nix
@ -1,19 +1,8 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 {
-  containers.pad-i4f = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.6";
-    autoStart = true;
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/pad-i4f";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, ... }: {
+  hacc.containers.pad-i4f = {
+    config = { config, lib, ... }: {
      services.hedgedoc = {
        enable = true;
        settings = {
@ -57,7 +46,7 @@
        location = "/persist/backups/postgres";
      };
      hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
-    });
+    };
  };

  services.nginx.virtualHosts."pad.infra4future.de" = {
--- a/parsons/lxc.nix
+++ b/parsons/lxc.nix
@ -8,7 +8,6 @@
      prefixLength = 24;
    }
  ];
-  networking.nat.internalInterfaces = [ "lxcbr0" ];

  virtualisation.lxc.enable = true;
  virtualisation.lxc.systemConfig = ''
--- a/parsons/mail.nix
+++ b/parsons/mail.nix
@ -20,14 +20,6 @@
    monitoring = {
      enable = true;
      alertAddress = "admin@hacc.space";
-      config = (lib.replaceStrings ["port 22"] ["port ${toString (lib.head config.services.openssh.ports)}"] options.mailserver.monitoring.config.default) + ''
-        check host onlyoffice with address onlyoffice.infra4future.de
-              if failed
-                 port 443
-                 protocol https
-                 status = 302
-              then alert
-      '';
    };
    domains = [
      "hacc.space"
--- a/parsons/mattermost.nix
+++ b/parsons/mattermost.nix
@ -1,26 +1,16 @@
-{ config, pkgs, lib, evalConfig, ...}:
+{ config, pkgs, lib, ...}:

 {
  sops.secrets = {
    "mattermost/env" = {};
  };

-  containers.mattermost = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.3";
-    ephemeral = true;
+  hacc.containers.mattermost = {
+    bindSecrets = true;

-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/mattermost";
-        isReadOnly = false;
-      };
-      "/secrets".hostPath = "/run/secrets/mattermost";
-    };
+    config = { config, lib, pkgs, ... }: {
+      environment.systemPackages = [ pkgs.morph pkgs.pgloader ];

-    path = evalConfig ({ config, lib, pkgs, ... }: {
      systemd.services.mattermost.serviceConfig.EnvironmentFile =
        lib.mkForce "/secrets/env";

@ -72,8 +62,6 @@
          };
          LogSettings = {
            EnableConsole = true;
-            # note: for some reason this doesn't work (mattermost still sets it to DEBUG);
-            # it's also set in secrets.env, where for some reason it does
            ConsoleLevel = "ERROR";
            EnableDiagnostics = false;
            EnableWebhookDebugging = false;
@ -176,6 +164,8 @@
          MetricsSettings.Enable = false;
          GuestAccountsSettings.Enable = false;
          FeatureFlags.CollapsedThreads = true;
+          SqlSettings.DriverName = "postgres";
+          SqlSettings.DataSource = "postgres:///mattermost?host=/run/postgresql";
        };

        # turn of the weirder parts of this module (which insist on passwords
@ -186,17 +176,6 @@
        localDatabaseCreate = false;
      };

-      services.mysql = {
-        enable = true;
-        ensureDatabases = [ "mattermost" ];
-        ensureUsers = [ {
-          name = "mattermost";
-          ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
-        } ];
-        package = pkgs.mysql80;
-        dataDir = "/persist/mysql";
-      };
-
      services.postgresql = {
        enable = lib.mkForce true; # mattermost sets this to false. wtf.
        package = pkgs.postgresql_15;
@ -208,17 +187,17 @@

        authentication = lib.mkForce ''
          # Generated file; do not edit!
-          local all all              trust
-          host  mattermost mattermost ::1/128      trust
+          local all all trust
        '';
      };
+
      services.postgresqlBackup = {
        enable = true;
        databases = [ "mattermost" ];
        startAt = "*-*-* 23:45:00";
        location = "/persist/backups/postgres";
      };
-    });
+    };
  };

  services.nginx.virtualHosts."mattermost.infra4future.de" = {
--- a/parsons/monit.nix
+++ b/parsons/monit.nix
@ -0,0 +1,64 @@
+{ config, options, lib, pkgs, ... }:
+
+let
+  checkHash = pkgs.writeScriptBin "check-commit-hash" ''
+    #!${lib.getExe pkgs.fish}
+    set wanted (${lib.getExe pkgs.curl} -s https://git.infra4future.de/api/v1/repos/hacc/haccfiles/branches/main \
+                -H 'accept: application/json' | jq -r .commit.id)
+
+    if test $status != 0
+      echo "could not reach git.infra4future.de"
+      exit 2
+    end
+
+    set actual (cat /etc/haccfiles-commit)
+    if test $status != 0
+      echo "/etc/haccfiles-commit does not exist??"
+      exit 2
+    end
+
+    if test $actual != $wanted
+      echo "parsons was built on $actual, but commit on main is $wanted"
+      exit 1
+    end
+  '';
+
+  checkDeployAge = pkgs.writeScriptBin "check-deploy-age" ''
+    #!${lib.getExe pkgs.fish}
+
+    set date (date +%s)
+    # we do this indirection here so monit's config won't change on each deploy
+    set deploytimestamp (cat /etc/haccfiles-timestamp)
+    set age (expr $date - $deploytimestamp)
+
+    if test $age -ge (expr 3600 \* 24 \* 10)
+      echo "${config.networking.hostName} has not been deployed since 10 days, perhaps someone should do updates?"
+      exit 1
+    end
+  '';
+in
+{
+  mailserver.monitoring = {
+    enable = true;
+    alertAddress = "admin@hacc.space";
+    config = (lib.replaceStrings ["port 22"] ["port ${toString (lib.head config.services.openssh.ports)}"] options.mailserver.monitoring.config.default);
+  };
+
+  services.monit.config = ''
+      check host onlyoffice with address onlyoffice.infra4future.de
+            start program "/run/current-system/sw/bin/lxc-start onlyoffice"
+            stop program "/run/current-system/sw/bin/lxc-stop onlyoffice"
+            if failed port 443 protocol https status = 302
+            then restart
+
+      check program deployed-commit-on-main path ${lib.getExe checkHash}
+            if status == 1 for 64 cycles then alert
+            if status == 2 for 3 cycles then alert
+
+      check program is-system-running path ${pkgs.systemd}/bin/systemctl is-system-running
+            if status != 0 then alert
+
+      check program check-deploy-age path ${lib.getExe checkDeployAge}
+            if status == 1 then alert
+  '';
+}
--- a/parsons/nextcloud.nix
+++ b/parsons/nextcloud.nix
@ -1,19 +1,8 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 {
-  containers.nextcloud = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.2";
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/nextcloud";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, pkgs, ... }: {
+  hacc.containers.nextcloud = {
+    config = { config, lib, pkgs, ... }: {
      environment.systemPackages = [ pkgs.htop ];

      services.nextcloud = {
@ -82,7 +71,7 @@
        requires = ["postgresql.service"];
        after = ["postgresql.service"];
      };
-    });
+    };
  };

  services.nginx.virtualHosts."cloud.infra4future.de" = {
--- a/parsons/nftables.nix
+++ b/parsons/nftables.nix
@ -1,77 +1,21 @@
 { config, lib, pkgs, ... }:

 {
-  networking.firewall.enable = false;
-  networking.nat.enable = false;
-  boot = {
-    kernelModules = [ "nf_nat_ftp" ];
-    kernel.sysctl = {
-      "net.ipv4.conf.all.forwarding" = true;
-      "net.ipv4.conf.default.forwarding" = true;
-    };
-  };
+  networking.firewall.enable = true;
+  networking.nat.enable = true;

-  networking.nftables = {
-    enable = true;
-
-    ruleset = ''
-      table inet filter {
-        chain input {
-          type filter hook input priority filter
-          policy drop
-
-          icmpv6 type {
-            echo-request,
-            echo-reply,
-            mld-listener-query,
-            mld-listener-report,
-            mld-listener-done,
-            nd-router-advert,
-            nd-neighbor-solicit,
-            nd-neighbor-advert,
-            packet-too-big
-          } accept
-
-          icmp type echo-request accept
-
-          ct state invalid drop
-          ct state established,related accept
-
-          iifname { lo } accept
-
-          tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
-
-          udp dport { 60000-61000, 64738 } accept
-
-          # DHCPv6
-          ip6 daddr fe80::/64 udp dport 546 accept
-
-          counter
-        }
-        chain output {
-          type filter hook output priority filter
-          policy accept
-
-          counter
-        }
-        chain forward {
-          type filter hook forward priority filter
-          policy accept
-
-          counter
-        }
+  networking.nftables.enable = true;
+  networking.nftables.tables.nat = {
+    family = "ip";
+    content = ''
+      chain prerouting {
+        type nat hook prerouting priority -100
+        iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
      }
-
-      table ip nat {
-        chain prerouting {
-          type nat hook prerouting priority -100
-          iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
-        }
-        chain postrouting {
-          type nat hook postrouting priority 100
-          iifname lxcbr0 oifname enp35s0 masquerade
-          iifname ve-* oifname enp35s0 masquerade
-        }
+      chain postrouting {
+        type nat hook postrouting priority 100
+        iifname lxcbr0 oifname enp35s0 masquerade
+        iifname ve-* oifname enp35s0 masquerade
      }
    '';
  };
--- a/parsons/s4f-conference.nix
+++ b/parsons/s4f-conference.nix
@ -0,0 +1,134 @@
+{ config, lib, pkgs, ... }:
+
+{
+  sops.secrets = {
+    "s4f-conference/env" = {};
+  };
+
+  hacc.containers.s4f-conference = {
+    bindSecrets = true;
+
+    config = { config, lib, pkgs, ... }: {
+      systemd.services.mattermost.serviceConfig.EnvironmentFile =
+        lib.mkForce "/secrets/env";
+
+      services.mattermost = {
+        enable = true;
+        siteUrl = "https://s4f-conference.infra4future.de";
+        siteName = "Scientists for Future Chat";
+        listenAddress = "0.0.0.0:3000";
+        mutableConfig = false;
+
+        statePath = "/persist/mattermost";
+
+        extraConfig = {
+          ServiceSettings = {
+            TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
+            EnableEmailInvitations = true;
+          };
+          TeamSettings = {
+            EnableUserCreation = true;
+            EnableUserDeactivation = true;
+            EnableOpenServer = false;
+          };
+          PasswordSettings = {
+            MinimumLength = 10;
+          };
+          FileSettings = {
+            EnableFileAttachments = true;
+            MaxFileSize = 52428800;
+            DriverName = "local";
+            Directory = "/persist/upload-storage";
+            EnablePublicLink = true;
+            PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
+          };
+          EmailSettings = {
+            EnableSignUpWithEmail = true;
+            EnableSignInWithEmail = true;
+            EnableSignInWithUsername = true;
+            SendEmailNotifications = true;
+            FeedbackName = "mattermost";
+            FeedbackEmail = "mattermost@infra4future.de";
+            ReplyToAddress = "mattermost@infra4future.de";
+            FeedbackOrganization = "∆infra4future.de";
+            EnableSMTPAuth = true;
+            SMTPUsername = "noreply@infra4future.de";
+            SMTPServer = "mail.hacc.space";
+            SMTPPort = "465";
+            SMTPServerTimeout = 10;
+            ConnectionSecurity = "TLS";
+          };
+          RateLimitSettings.Enable = false;
+          PrivacySettings = {
+            ShowEmailAddress = false;
+            ShowFullName = true;
+          };
+          # to disable the extra landing page advertising the app
+          NativeAppSettings = {
+            AppDownloadLink = "";
+            AndroidAppDownloadLink = "";
+            IosAppDownloadLink = "";
+          };
+          LogSettings = {
+            EnableConsole = true;
+            ConsoleLevel = "ERROR";
+            EnableDiagnostics = false;
+            EnableWebhookDebugging = false;
+          };
+          SupportSettings = {
+            TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
+            PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
+            AboutLink = "https://infra4future.de";
+            SupportEmail = "info@infra4future.de";
+            CustomTermsOfServiceEnabled = false;
+            EnableAskCommunityLink = true;
+          };
+          AnnouncementSettings.EnableBanner = false;
+          ComplianceSettings.Enable = false;
+          ClusterSettings.Enable = false;
+          MetricsSettings.Enable = false;
+          GuestAccountsSettings.Enable = true;
+        };
+
+        localDatabaseCreate = false;
+      };
+
+      services.postgresql = {
+        enable = lib.mkForce true; # mattermost sets this to false. wtf.
+        package = pkgs.postgresql_15;
+        ensureDatabases = [ "mattermost" ];
+        ensureUsers = [ {
+          name = "mattermost";
+          ensureDBOwnership = true;
+        } ];
+
+        authentication = lib.mkForce ''
+          # Generated file; do not edit!
+          local all all              trust
+          host  mattermost mattermost ::1/128      trust
+        '';
+      };
+      services.postgresqlBackup = {
+        enable = true;
+        databases = [ "mattermost" ];
+        startAt = "*-*-* 23:45:00";
+        location = "/persist/backups/postgres";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."s4f-conference.infra4future.de" = {
+    locations."/" = {
+      proxyPass = "http://${config.containers.s4f-conference.localAddress}:3000";
+      proxyWebsockets = true;
+      extraConfig = ''
+        # Mattermost CSR Patch
+        proxy_hide_header Content-Security-Policy;
+        proxy_hide_header X-Frame-Options;
+        proxy_redirect off;
+      '';
+    };
+    forceSSL = true;
+    enableACME = true;
+  };
+}
--- a/parsons/tracktrain.nix
+++ b/parsons/tracktrain.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 let
  tracktrain-config = ''
@ -14,6 +14,10 @@ let
      url: https://login.infra4future.de
      clientname: tracktrain
      # clientsecret defined in env file
+
+    logging:
+      ntfytopic: ping.stuebinm.eu/monit
+      name: ilztalbahn
  '';
 in
 {
@ -25,14 +29,14 @@ in
    enableACME = true;
    forceSSL = true;
    locations."/" = {
-      proxyPass = "http://192.168.42.41:4000";
+      proxyPass = "http://${config.containers.tracktrain.localAddress}:4000";
      proxyWebsockets = true;
    };
    # note: this shadows the /metrics endpoint of tracktrain
    # in case you remove this, please consider putting something
    # else here to keep it from being publicly scrapable
    locations."/metrics/" = {
-      proxyPass = "http://192.168.42.41:2342";
+      proxyPass = "http://${config.containers.tracktrain.localAddress}:2342";
      proxyWebsockets = true;
      extraConfig = ''
        rewrite  ^/metrics/(.*)  /$1 break;
@ -40,28 +44,10 @@ in
    };
  };

-  containers.tracktrain = {
-    privateNetwork = true;
-    hostAddress = "192.168.42.40";
-    localAddress = "192.168.42.41";
-    autoStart = true;
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/tracktrain";
-        isReadOnly = false;
-      };
-      "/secrets".hostPath = "/run/secrets/tracktrain";
-    };
+  hacc.containers.tracktrain = {
+    bindSecrets = true;

-    path = evalConfig ({ config, lib, pkgs, ... }: {
-      system.stateVersion = "21.11";
-
-      users.users.tracktrain = {
-        group = "tracktrain";
-        isSystemUser = true;
-      };
-      users.groups.tracktrain = {};
+    config = { config, lib, pkgs, ... }: {

      systemd.services.tracktrain = {
        enable = true;
@ -73,22 +59,18 @@ in
        serviceConfig = {
          Type = "simple";
          EnvironmentFile = "/secrets/env";
-          User = "tracktrain";
-          Group = "tracktrain";
+          DynamicUser = true;
        };
-        path = [ pkgs.wget ];
+        path = [ pkgs.wget pkgs.ntfy-sh ];
        script = ''
-          mkdir -p /persist/tracktrain
-          cd /persist/tracktrain
+          cd /tmp
          ln -sf ${pkgs.writeText "tracktrain-config.yaml" tracktrain-config} config.yaml
-          wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip" || sleep 4; wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip"
          ${pkgs.tracktrain}/bin/tracktrain +RTS -T
        '';
      };

      services.postgresql = {
        enable = true;
-
        package = pkgs.postgresql_15;
        ensureDatabases = [ "tracktrain" ];
        ensureUsers = [ {
@ -96,8 +78,7 @@ in
          ensureDBOwnership = true;
        } ];
        authentication = ''
-          local   all   all                              trust
-          host    all   all        127.0.0.1/32          trust
+          local all all trust
        '';
      };

@ -112,46 +93,10 @@ in
        } ];
      };

-      services.grafana = {
-        enable = true;
-        settings.server = {
-          serve_from_sub_path = true;
-          domain = "tracktrain.ilztalbahn.eu";
-          root_url = "https://%(domain)s/metrics/";
-          http_port = 2342;
-          http_addr = "0.0.0.0";
-        };
-
-        settings."auth.generic_oauth" = {
-          name = "uffd";
-          enabled = true;
-          allow_sign_up = true;
-          empty_scopes = true;
-          client_id = "ilztalbahn-grafana";
-          client_secret = "\${GRAFANA_CLIENT_SECRET}";
-          auth_url = "https://login.infra4future.de/oauth2/authorize";
-          token_url = "https://login.infra4future.de/oauth2/token";
-          api_url = "https://login.infra4future.de/oauth2/userinfo";
-        };
-        # disables the default login screen. comment out if for some
-        # reason you do need it
-        settings.auth.oauth_auto_login = true;
-        settings.users.auto_assign_org_role = "Admin";
-
-        provision = {
-          enable = true;
-          datasources.settings.datasources = [ {
-            url = "http://localhost:9001";
-            type = "prometheus";
-            name = "prometheus";
-          } ];
-        };
-      };
-
      systemd.services.grafana.serviceConfig.EnvironmentFile =
        "/secrets/env";
      hacc.bindToPersist = [ "/var/lib/grafana" ];
-    });
+    };
  };

 }
--- a/parsons/uffd.nix
+++ b/parsons/uffd.nix
@ -1,19 +1,8 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 {
-  containers.uffd = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.9";
-    autoStart = true;
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/uffd";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, pkgs, ... }: {
+  hacc.containers.uffd = {
+    config = { config, lib, pkgs, ... }: {
      services.uwsgi = {
        enable = true;
        plugins = [ "python3" ];
@ -29,7 +18,7 @@
          hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
        };
      };
-    });
+    };
  };
  services.nginx.virtualHosts."login.infra4future.de" = {
    enableACME = true;
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -13,6 +13,14 @@ let
      buildGoModule = unstable.buildGo122Module;
    };

+    morph = callPackage ./morph.nix {
+      buildGoModule = unstable.buildGo122Module;
+    };
+
+    forgejo = callPackage ./forgejo {
+      buildGoModule = unstable.buildGo122Module;
+    };
+
    tracktrain = import sources.tracktrain {
      nixpkgs = pkgs;
      compiler = "default";
@ -21,6 +29,9 @@ let
    uffd = oldstable.callPackage ./uffd { };

    inherit (oldstable) uwsgi flask;
+
+    # TODO: once on nixos 24.05, remove this inherit
+    inherit (unstable) lix;
  };

 in pkgs.extend(_: _: newpkgs)
--- a/pkgs/forgejo/default.nix
+++ b/pkgs/forgejo/default.nix
@ -0,0 +1,131 @@
+{ bash
+, brotli
+, buildGoModule
+, forgejo
+, git
+, gzip
+, lib
+, makeWrapper
+, nix-update-script
+, nixosTests
+, openssh
+, pam
+, pamSupport ? true
+, sqliteSupport ? true
+, xorg
+, runCommand
+, stdenv
+, fetchFromGitea
+, buildNpmPackage
+}:
+
+let
+  frontend = buildNpmPackage {
+    pname = "forgejo-frontend";
+    inherit (forgejo) src version;
+
+    npmDepsHash = "sha256-BffoEbIzTU61bw3ECEm5eDHcav4S27MB5jQKsMprkcw=";
+
+    patches = [
+      ./package-json-npm-build-frontend.patch
+    ];
+
+    # override npmInstallHook
+    installPhase = ''
+      mkdir $out
+      cp -R ./public $out/
+    '';
+  };
+in
+buildGoModule rec {
+  pname = "forgejo";
+  version = "7.0.2";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "forgejo";
+    repo = "forgejo";
+    rev = "v${version}";
+    hash = "sha256-YY5dHXWMqlCIPfqsDtHZLHjEdYmrFnh4yc0hfTUESww=";
+  };
+
+  vendorHash = "sha256-UcjaMi/4XYLdaJhi2j3UWqHqkpTbZBo6EwNXxdRIKLw=";
+
+  subPackages = [ "." ];
+
+  outputs = [ "out" "data" ];
+
+  nativeBuildInputs = [ makeWrapper ];
+  buildInputs = lib.optional pamSupport pam;
+
+  patches = [
+    ./static-root-path.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace modules/setting/server.go --subst-var data
+  '';
+
+  tags = lib.optional pamSupport "pam"
+    ++ lib.optionals sqliteSupport [ "sqlite" "sqlite_unlock_notify" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X main.Version=${version}"
+    "-X 'main.Tags=${lib.concatStringsSep " " tags}'"
+  ];
+
+  preConfigure = ''
+    export ldflags+=" -X main.ForgejoVersion=$(GITEA_VERSION=${version} make show-version-api)"
+  '';
+
+  preBuild = ''
+    go run build/merge-forgejo-locales.go
+  '';
+
+  postInstall = ''
+    mkdir $data
+    cp -R ./{templates,options} ${frontend}/public $data
+    mkdir -p $out
+    cp -R ./options/locale $out/locale
+    wrapProgram $out/bin/gitea \
+      --prefix PATH : ${lib.makeBinPath [ bash git gzip openssh ]}
+  '';
+
+  # $data is not available in goModules.drv and preBuild isn't needed
+  overrideModAttrs = (_: {
+    postPatch = null;
+    preBuild = null;
+  });
+
+  passthru = {
+    # allow nix-update to handle npmDepsHash
+    inherit (frontend) npmDeps;
+
+    data-compressed = runCommand "forgejo-data-compressed" {
+      nativeBuildInputs = [ brotli xorg.lndir ];
+    } ''
+      mkdir $out
+      lndir ${forgejo.data}/ $out/
+
+      # Create static gzip and brotli files
+      find -L $out -type f -regextype posix-extended -iregex '.*\.(css|html|js|svg|ttf|txt)' \
+        -exec gzip --best --keep --force {} ';' \
+        -exec brotli --best --keep --no-copy-stat {} ';'
+    '';
+
+    tests = nixosTests.forgejo;
+    updateScript = nix-update-script { };
+  };
+
+  meta = {
+    description = "A self-hosted lightweight software forge";
+    homepage = "https://forgejo.org";
+    changelog = "https://codeberg.org/forgejo/forgejo/releases/tag/${src.rev}";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ emilylange urandom bendlas adamcstephens ];
+    broken = stdenv.isDarwin;
+    mainProgram = "gitea";
+  };
+}
--- a/pkgs/forgejo/package-json-npm-build-frontend.patch
+++ b/pkgs/forgejo/package-json-npm-build-frontend.patch
@ -0,0 +1,14 @@
+diff --git a/package.json b/package.json
+index b50c52cf43..d6aafb8775 100644
+--- a/package.json
+++ b/package.json
+@@ -98,5 +98,8 @@
+   },
+   "browserslist": [
+     "defaults"
+-  ]
+  ],
+  "scripts": {
+    "build": "node_modules/.bin/webpack"
+  }
+ }
--- a/pkgs/forgejo/static-root-path.patch
+++ b/pkgs/forgejo/static-root-path.patch
@ -0,0 +1,13 @@
+diff --git a/modules/setting/server.go b/modules/setting/server.go
+index c20dd1949d..c9bcdce99a 100644
+--- a/modules/setting/server.go
+++ b/modules/setting/server.go
+@@ -317,7 +317,7 @@ func loadServerFrom(rootCfg ConfigProvider) {
+ 	RedirectorUseProxyProtocol = sec.Key("REDIRECTOR_USE_PROXY_PROTOCOL").MustBool(UseProxyProtocol)
+ 	OfflineMode = sec.Key("OFFLINE_MODE").MustBool(true)
+ 	if len(StaticRootPath) == 0 {
+-		StaticRootPath = AppWorkPath
+		StaticRootPath = "@data@"
+ 	}
+ 	StaticRootPath = sec.Key("STATIC_ROOT_PATH").MustString(StaticRootPath)
+ 	StaticCacheTime = sec.Key("STATIC_CACHE_TIME").MustDuration(6 * time.Hour)
--- a/pkgs/mattermost.nix
+++ b/pkgs/mattermost.nix
@ -12,13 +12,13 @@ buildGoModule rec {
  # See https://docs.mattermost.com/upgrade/extended-support-release.html
  # When a new ESR version is available (e.g. 8.1.x -> 9.5.x), update
  # the version regex in passthru.updateScript as well.
-  version = "9.5.2";
+  version = "9.5.5";

  src = fetchFromGitHub {
    owner = "mattermost";
    repo = "mattermost";
    rev = "v${version}";
-    hash = "sha256-NYP0mhON+TCvNTSx4I4hddFGF9TWtnMAwyJvX8sEdWU=";
+    hash = "sha256-ZaFXuYm9SEE9ARN5PG8vjt9WnNfGiALilGzjfnDP7aA=";
  };

  # Needed because buildGoModule does not support go workspaces yet.
@ -34,7 +34,7 @@ buildGoModule rec {

  webapp = fetchurl {
    url = "https://releases.mattermost.com/${version}/mattermost-${version}-linux-amd64.tar.gz";
-    hash = "sha256-ogiowbNYHo9NTQLAg1OKXp8pV1Zn7kPcZR9ukaKvpKA=";
+    hash = "sha256-tgds8eTBeisuJcLgtx6zOiFUcVL1oU0LLbPqmh4SQUU=";
  };

  vendorHash = "sha256-TJCtgNf56A1U0EbV5gXjTro+YudVBRWiSZoBC3nJxnE=";
--- a/pkgs/morph.nix
+++ b/pkgs/morph.nix
@ -0,0 +1,33 @@
+{ buildGoModule
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+  pname = "mattermost-morph";
+  version = "1.1.0";
+
+  src = fetchFromGitHub {
+    owner = "mattermost";
+    repo = "morph";
+    rev = "v${version}";
+    hash = "sha256-Orh/a9OlUVIlDdLXRpDAnHUmWRiM1N2oO+dijbuJzx8=";
+  };
+
+  vendorHash = null;
+
+  subPackages = [ "cmd/morph" ];
+
+  tags = [ "production" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/mattermost/mattermost/server/public/model.Version=${version}"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildNumber=${version}-nixpkgs"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildDate=1970-01-01"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildHash=v${version}"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildHashEnterprise=none"
+    "-X github.com/mattermost/mattermost/server/public/model.BuildEnterpriseReady=false"
+  ];
+
+}
--- a/secrets.yaml
+++ b/secrets.yaml
@ -1,16 +1,18 @@
 hedgedoc-hacc:
    env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
 mattermost:
-    env: ENC[AES256_GCM,data:4GcV8UOYmVUjZoYc0Nq/vEWtxtYNV81zVTEyFnZIfY1k/Ar1MU+fn5A99JLIMc8U84/QupDU7TcneiN/wqPv2jYqGS7ixSNTk+x5uUPMarzKZ04ynav6FCWEvlSF0Sz4/5s/Pvp1Qi3zdv16ZVGUHbM8/wCcaZBkSS0ofwBTIXVsVYSRPFxLehtBgwjAnD46qS+YJmszmd7V5N/adWWF34vAdfLiO6Y7KDB3jnMLOPU6Drtw9L83AW6NuOtk8crZrI1dkTD/xUC07IvMhZpZVc9ktQJqIvlk/ADs5aIp/QYrjICdYvb8xC16oV7jC/7yzXzC/UuYbCvS5gnHGMK/CsBkmM9HXmQ6mWjrfuOJEkMHSefS7O8HyrNoNDSXq0ivCr6KJmwrz7NXNAE6a6xx9LMjs5DJ8H5fda1l5TGVAdA2tg==,iv:dG4cnEtUgUxw7zS2k15p+6//Bl19WquTfFIiz5Vi/0M=,tag:cMBU8CtFBBjfcfpO709Kpg==,type:str]
+    env: ENC[AES256_GCM,data:ftWpGl6+sUMzJJKgfcPLvbFGGn16AKUPzPn8X6DNVMLrxZIkQ23Tk3ekKLKFpQEUtQfFjVlrTfFZezWKs4nVNLg2LmQqJNGMCCax5PRwAgoAsJ7pa9ewNmHT+EIXtZEjQgVfN5786Yno5n/6JJ1lz6EiGmdn7/0rF5TLGjzig17azazS1+lkIYY=,iv:SZvGGKpVRI/odHbmgY8M6t6zCk8RgM+7EQEgRiizglA=,tag:cInsVo/QD85m+LxldyRlnA==,type:str]
 tracktrain:
-    env: ENC[AES256_GCM,data:jaq039FNxBrsPfG/q+InYpiyl1LBdY++DlLM6UpSAwKlINucooTrHz51QrdRWhAZDqXhVTHM55Q/Zm4wazweCABiNjkXDFoZgxc5YJX+pvBct6M533xl109yD6KiYOXDqPY03u71aop8OmOAnKDp1JlzPS1otdlaN8Vd56G+,iv:nYU2rgMMG4QcJo5DnZpYZm1zr82idd7r1uTsqNiXLdA=,tag:9rdxAneYUREacXNunpTuHw==,type:str]
+    env: ENC[AES256_GCM,data:W3+8qWomPgGJt5u50aAm9x/dilMpqKY11I2AdaIBTz5posc25ts0LB5S/Sxe1ROz4itpDK3QvjoFUTRhS39k4dwMr5lqXV8Ln4B+sPpvh7oBM8A5zydP8Jj1J1YqRt8++RTUmb4z41DIwb/yaZKMu6z0guXIu1yuYzcbCuk0xe/iOp6UUpfjOzzWTvxY54zY6kWcjHLiCSwD31Cd+MxMPfbUEkHt+0W+sBmYXGeEFI/6ULSB6FnGjNW6F9g=,iv:3ymah8HG+Yg6VYZZA/MRRjHDYvYJz01ezvhfQiftegg=,tag:trht+PRYfKgWJkg2wRwISQ==,type:str]
 vaultwarden:
    env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
 auamost:
-    secrets.fish: ENC[AES256_GCM,data:Dyb0Byigh4tmkmdz7KxkgvudO830x8+1qNQBOT+ohydOY3OeuJseJQ/rjaYhMTfh6tcKpu1aSarKRINbJp2u0yu+eazVV69CRzu9OlsXaMD6Rbvw4Cn0LttJhjK1za8+fXm7IZsAhErrV6WmU1/JryQkZf18hxMrO5EBmFy4ONHNj3lc4pApMUqXLiVL6xaW+Mix+jx4gT8r0/0lpAdT5oObPPBo+HIDJEGj+QPBvxNBJaURKVRX5+8fe4+hFzqBjU7QJ/LLPBo2lp2BLgo39qCeLaHogkWMXEYPb4/eaW0SZ8/Z56gh7dsO5X1r8kSAEMDoYVCC6KrXDh2M48/lYT+biid8iALCphatpZzH9CbV0FWIcZ5s0q8fApTZ1ubtiVqRNN1niGajgLGe5TSQcPAQs1yCBQ+9BJSDro9qNNXXlVpHO59Dfs2w+f2FBBQOnOIqhxQPbyhzIep3kRuIH42rowGG66uOJaC7g1W5fCwkdBNDZK8D01nj1+PA17j3xExqTT4+m1oUSlROhDRgxf+nYWkuxaAM1z+FsTswFHzdBJ8wtK56z+dpBH2f3SNW/5bwMif00uS1z+6U4yuCl0sdh0SF/yLjbIyvMwPiy7xzaBEZ+bve6ps0yh1sYvyLN7vxs7tRhtN0yLs28ZeT5BEwJAiKP1+KWhK86XbKh3fMtfl5V06xyW4aBkeYC4cg2wSNlvlDrbIrtPsJMHQt/swsHvIde4AfEyzhrTs8ezuVRbm/9glTVh1mzw==,iv:MpaFGYbcTXdFabV+vlGyGxexpfP7LUpYYBjF6GVEN7c=,tag:n8qTOhnbBT7Xxz21bU0bYQ==,type:str]
+    secrets.fish: ENC[AES256_GCM,data:QBteJdVPSWa4cmu1BVWJ3AMWWH4zIv2+G83fK0QsbA/fYoIU5jobCT3USyujNz+jQaAAxA45jmQbCWNAFLl1q8hP4i9EIikVECx0VKVXPXILBND+w7zPSLldAbOugRYt2iAt1dDADZPtulKlkz7usdafbB+2igLXdyFRLfIxDTOrBuqQ+5yeofQe5k0XWRcmQQ/1AV0JrRrmLmr69VKsR932JWD8XxmI/HFyZPzWdExBSOmvnj+m4K+DV4cVmN4t6XOY0dM3gRQ95DglEuGlp/V2o3GqwY0mXCvhM1eh81u8mPALKp6Pv2i2yU35F01Puf5t1FHGDfzp0bW0xuKEywfGjAOifFkSE/3JFir434B6G0DiJNpOIl6QJ6DA8rSKfuPdccm6Or0zX8iJGRHDJmREQ05V9l0jHAAxLNuNdbsxg+8kCWVVnW+d1YDn9KW7LbFlP+sx4Ef5leUYft/lYhF4Z5Xp3arqVrlebWjWIBEuZeJTnkE3y+TdUUCs360zzWHqsipGmo1+/88CEqL52FfUOlJ4VCR45/7nYZ3RaRBWDGFW8RvwmWSFSstEcEXQ01U8lCwyn40+blfltme3KJ1f+pWMrZAKhPlOlMHCYfjd7esWI2sYcQbTZqxH49GnW6dsW/W+eiLs3zlD/Deb2CugHe63zRdlivmVPOz4zD1PXcCVpEZHoTTiJl7Om9K2mPYq9wQN41wsDUrNL9p8m9UlhWKbjBh5UU7p6F6OhF5rKH/Fs8fIaPi6B8uamTvEmiOGTUWl3vmQjBvhM8fJWoIkRB8hgCisr9OZ,iv:8jVAImjeXbXfiLKg9G0PyLMTV8cAyDmukeittqjKFpQ=,tag:fLIcsWKbdFQ/vPCgi/W3Zw==,type:str]
 restic:
    s3creds.env: ENC[AES256_GCM,data:9WNu5S4KmdMXdshSpawEjIexAKH6vZCPwb9xyq6xmerly1lxSfFZzgg60M0L3L+I4joLTVi23YBB8Eh6Xfx9GgxNww7w7BjMCQs/X16ecDWlb346TKf+,iv:Gu4CbXXJAlQYXRqOjIAUYmn8EU4mrvcOVc2eCh1Ikzs=,tag:1xpVIonHiAGHsXTY9liPQQ==,type:str]
    system: ENC[AES256_GCM,data:RIgO0QHVjwp2D3LoU62vLzepASdsXxu0DqUTA6Voa3K1d4xFHX2u+UR8AcqR,iv:O0K8i5ivne7WU+ygDEUcrvKW6DIfXjVPY63gpfsxEFE=,tag:n/1atQ5qlyB0SMHrYiTCrA==,type:str]
+s4f-conference:
+    env: ENC[AES256_GCM,data:e4Fuurb37YQvracqLA8Z1VQL5MpiARE35NKCNdLgyxyVNRm6zSATwyH8DvkST8zuYadAv9wOwjv5q9Xlv7CWBFPyMMjkrHPZORJI,iv:36EGmqqIpeNWylinu902MFU3MZf6sPRWvUrSl5usxHI=,tag:XxoTdq10zgr6xtMn4TYDOA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -98,8 +100,8 @@ sops:
            bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
            S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-28T14:09:53Z"
-    mac: ENC[AES256_GCM,data:d0DlofJdafS2t0FLd+3wb8XC6GIhGqHjT0kc6th2axirYCiFX22okD0MCWhDT2+T8NRe0c4wLOKuS1EOgmjZYjGIVZ2Hhf/at00VMkPM2koemCpR0zLSfrBGrcY8VkBQ2s5UgU2L9O7nD0KBdPoruRo0MRbcwrCzOX+sBk24yaQ=,iv:V5C1wK9zeMcT6E9sZSUtofNpToKi5xkiG/HesozOE5c=,tag:XihqjZnOB7G3gi2FpJHpJg==,type:str]
+    lastmodified: "2024-05-19T21:17:46Z"
+    mac: ENC[AES256_GCM,data:rzxX2fl+EQbhQUcmr6lKoYcUpAb1G3IKjsJJjCrMKN5t4oevI85GtTU3Q+pLrIFLjfkgIV8yiNH4usg0ghtoahQUkrnlZxkOoCktfgM67hRcUniY8UUxY4HqFFK3KzXFqc8Q4vXrerQgJy87Xg+ret9wCQXBbM3AB+B1fsmLE9s=,iv:pm1FakBlOFibps6R5kXMUq+IEl074mEmRIQmdeDxPs4=,tag:hQsV0NZNgDGYjFOK7+SKqg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/websites/docs.hacc.space/default.nix
+++ b/websites/docs.hacc.space/default.nix
@ -1,23 +1,17 @@
-{ stdenvNoCC, zola, writeScriptBin }:
+{ copyPathToStore, stdenvNoCC, zola, writeScriptBin }:

 stdenvNoCC.mkDerivation rec {
  name = "docs.hacc.space-static";

-  # HINT: this is cursed. Nix flakes have no optimisation to deal with ${./.},
-  # so we wind up having to do this to make the symlink to content/ work.
-  # (we still need to manually adjust it — but at least this way we can find
-  # its target without further hoops)
-  #
-  # This does also mean we now copy the entire flake into the Nix store twice.
-  # Yay for flakes!
-  src = "${../../.}/websites/docs.hacc.space";
+  src = ./.;
+  content = copyPathToStore ../../docs;

  phases = [ "buildPhase" ];
  buildInputs = [ zola ];
  buildPhase = ''
    cp -r $src/* .
    rm content
-    ln -s $src/../../docs content
+    ln -s $content content
    zola build --output-dir $out
  '';
Author	SHA1	Message	Date
stuebinm	285a8e6a8e	mattermost: switch to postgresql this depends on a whole lot of imperative nonsense being done at the same time, which i have done. of special interest to anyone attempting to understand this is https://docs.mattermost.com/deploy/postgres-migration.html for the general shape of incompetence at work, https://docs.mattermost.com/install/setting-up-socket-based-mattermost-database.html#with-unix-socket for yet another interesting syntax for database connection strings, and https://github.com/dimitri/pgloader/issues/782#issuecomment-502323324 for a truly astonishing take on how to do database migrations, which unfortunately i have followed. As far as I can tell, everything has kept working. Downtime was mostly spent understanding connection string syntax and their horribly buggy parsers. Note for people with server access: - i have kept the temporary files (including logs) around in /persist/migration inside the container should we ever need them again - there's a zfs snapshot @pre-postgres with the old state	2024-05-19 23:26:53 +02:00
stuebinm	ed667e15e9	mattermost: packages required for migration	2024-05-19 23:24:26 +02:00
stuebinm	75cc371c01	pkgs: add morph, a mattermost migration tool this is preliminary work for migrating mattermost from mysql to postgresql. This tool is specific to mattermost, but at least it's easy enough to build. I'm not sure if it makes sense to upstream, but I guess we can keep it around here.	2024-05-19 23:23:30 +02:00
stuebinm	0a208223c8	update tracktrain this is a small (temporary) bugfix	2024-05-19 18:08:16 +02:00
stuebinm	8b6ce305d7	mattermost: 9.5.4 → 9.5.5 this is a security release. upstream information: https://mattermost.com/blog/mattermost-dot-releases-9-7-4-and-9-5-5-esr-released/	2024-05-17 21:08:24 +02:00
stuebinm	215bed6418	update tracktrain	2024-05-16 22:17:09 +02:00
stuebinm	147fe172d9	bundle forgejo @ v7.0.2 this bundles the current package recipe of forgejo in nixpkgs-unstable. Implies updating forgejo, since nixpkgs-stable is still on 1.20.6 (v6 in the new version scheme). This'll mean we have to manually update it same as with mattermost, and can potentially also help with upstream changes. If we get tired of that, we can always decide to just use the nixpkgs-unstable version directly.	2024-05-16 19:06:15 +02:00
stuebinm	2cd0de8eeb	common: add sqlite-interactive to systemPackages we have stuff stored in sqlite, might as well have the client available by default, given how often we use it. sqlite-interactive is an override on sqlite in nixpkgs which enables support for readline & ncurses, which are off by default.	2024-05-15 22:42:18 +02:00
stuebinm	3e40d82579	common: licks the infra Since Lix is now in nixpkgs-unstable-small, I think it's a good time to use it. This does mean that we now pull in our nix implementation from an unstable channel, but overall I'm more confident in the Lix team's ability to not break things than I am in the Nix team's ability to backport (& then actually release) security updates. (once Lix is on a stable channel, we can switch back to using it from there)	2024-05-13 14:42:39 +02:00
stuebinm	f749f4ed48	update inputs	2024-05-13 14:39:43 +02:00
stuebinm	679df4d856	mattermost: remove outdated comment this is misleading and incorrect, the option does work, and is not also set in the secrets env file.	2024-05-08 14:33:14 +02:00
stuebinm	05af3ac4f8	mattermost: don't pretend we use postgresql I have little idea what happened here, but this postgres is entirely unused. The actual database is in mysql, and always has been — the postgres does contain a mattermost database with the correct tables, but these are empty.	2024-05-08 14:33:14 +02:00
stuebinm	efadc5ada9	monit: increase delay for deployed-commit-on-main there's little point in having it alert while people are working on the config & test-deploying things; it's meant to remind later, in case we forget committing the result.	2024-05-08 14:33:14 +02:00
stuebinm	d933a6ef98	s4f-conference: another mattermost this one's not connected to our SSO and intended for short-term use only, after which it will be deleted again. I've gone through at least some of mattermost's options to see how many of these are actually relevant anymore. Some can be left out. Unlike the other mattermost it also doesn't use any mysql.	2024-05-08 14:32:52 +02:00
stuebinm	6e84a9f9f8	tracktrain: bugfix update	2024-05-04 02:30:35 +02:00
stuebinm	8c3d3bf6db	monitoring: warn if no deploy for 10 days this is not entirely accurate — the lastModified attribute of a flake's self-input gives the date of the last commit, not the last deploy. But I figure it's close enough and less obscure to check than reading in the last date via nix-env. inspired by: we did no server updates for two weeks.	2024-05-02 22:33:47 +02:00
stuebinm	972a26163a	update inputs	2024-05-02 22:33:40 +02:00
stuebinm	27b8ef6784	tracktrain: update This is the initial version for this year's run of absurd train operations. I won't dare to call it a release for at least another month or so, so no version number. Changes done in our nixfiles: - tracktrain now needs ntfy-sh so people (read: I) can get push notifications if things break or at least look a little weird - I removed the grafana instance; seems like somewhere in the last year they changed how to host it under a sub-path (ours was at /metrics), so it broke, and I'm not feeling any particular urge to fix it - last year's database contents have been yoten - also manually updated the gtfs (though I intend to implement logic for fetching it in tracktrain, I first need to drag Ilztalbahn into actually publishing up-to-date versions again first)	2024-05-02 00:33:39 +02:00
Moira	8662943183	mattermost 9.5.2 → 9.5.3	2024-04-28 10:53:52 +02:00
stuebinm	f9005dd4d0	forgejo/openssh: listen on all interfaces this doesn't help us with anything yet, but it does at least mean that this openssh now also listens on IPv6, which it didn't before. (reaching the container from the outside still does not work)	2024-04-27 23:19:20 +02:00
stuebinm	f654b33a56	modules/containers: a hacc-specific containers module this started with emily pointing out to me that it's possible to generate IP addresses for containers in Nix (hence no need to worry about ever having collisions, as we had before), but then I thought, hey, while I'm at it, I can also write a little container module so we have a little less repetition in our configs in general (and a more reasonable place for our custom evalConfig than just keeping it around in flake.nix). See the option descriptions in modules/containers.nix for further details. Apart from giving all containers a new IP address (and also shiny new IPv6 addresses), this should be a no-op for the actual built system.	2024-04-19 19:15:22 +02:00
stuebinm	3dc63acf52	modules/buildinfo: simplify implementation turns out there is a string-slicing function, I just overlooked it when writing this file (it's even a builtin). So let's use that instead.	2024-04-19 03:38:50 +02:00
stuebinm	208bcaa898	update inputs	2024-04-15 21:58:05 +02:00
Moira	d4d3f6e5d2	add m4dz	2024-04-09 20:14:29 +02:00
stuebinm	f75169ce0a	switch to nixpkgs-small channels these get more frequent updates, but we might (sometimes) wind up having to build stuff ourselves that hydra hasn't gotten to yet.	2024-04-09 01:20:24 +02:00
stuebinm	d99408486a	update inputs	2024-04-09 01:02:51 +02:00
stuebinm	d20acbfe58	monit: a couple new checks move the monit config out of mail.nix, and add two checks: - has any systemd unit failed? - is the currently deployed commit the tip of the main branch of haccfiles?	2024-04-07 16:30:57 +02:00
Moira	281745d7a6	simplify nat on parsons	2024-04-07 16:25:08 +02:00
Moira	1ad0a7751c	use networking.firewall instead of nftables.ruleset	2024-04-07 15:57:51 +02:00
stuebinm	5e51d5f252	docs: do not rebuild on each change this does slight tweaking of paths to make the docs.hacc.space derivation no longer depend on our entire flake, so we won't have to rebuild it as often.	2024-04-06 23:16:43 +02:00
stuebinm	069236027c	meta: add build info to motd / system label, remove /etc/haccfiles	2024-04-06 23:15:37 +02:00
stuebinm	283aba0c2c	update inputs	2024-03-31 00:20:51 +01:00
stuebinm	faa83b6007	mattermost 9.5.2 → 9.5.3	2024-03-30 23:38:41 +01:00
stuebinm	e81472cb87	monit: restart onlyoffice if failed this should hopefully help with our consistent onlyoffice-does-not-work-but-no-one-noticed problems (yes, monit runs as root and can do that). "then restart" will still send an alert if it restarted the unit (see monit's man page)	2024-03-26 17:06:36 +01:00
stuebinm	1cee814e04	update inputs	2024-03-23 22:42:41 +01:00
stuebinm	8da02ed645	update inputs later than usual this week	2024-03-15 16:00:58 +01:00