From 316bd3e9a20743f2574210be818a5b1b5e2825cd Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Tue, 30 Jul 2024 20:49:46 -0700 Subject: [PATCH 01/69] flake update --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 2f18b39..895f734 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1719838683, - "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", + "lastModified": 1722221733, + "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69", + "rev": "12bf09802d77264e441f48e25459c10c93eada2e", "type": "github" }, "original": { @@ -24,11 +24,11 @@ }, "unstable": { "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "lastModified": 1722185531, + "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d", "type": "github" }, "original": { From dfc43c0ed4fc4632f7d84a76814cd772fc653bdd Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Tue, 30 Jul 2024 20:58:14 -0700 Subject: [PATCH 02/69] serve local files --- misskey-service.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/misskey-service.nix b/misskey-service.nix index 465f8e9..3c91f3e 100644 --- a/misskey-service.nix +++ b/misskey-service.nix @@ -142,6 +142,11 @@ in { rewrite .* $path_full break; proxy_pass https://s3.us-west-1.wasabisys.com; ''; + + locations."/localfiles/" = { + root = "/srv/www"; + tryFiles = "$uri =404"; + }; }; virtualHosts."egirls.gay" = { From a0556795442d86331df955fa7b5254295f65b6cd Mon Sep 17 00:00:00 2001 
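Review bot: With `root = "/srv/www"` nginx maps a request for `/localfiles/x` to `/srv/www/localfiles/x`, so the location prefix is part of the on-disk path; if the files are meant to live directly in `/srv/www`, this block needs `alias` rather than `root`. Either way a one-line comment on the new location, `# root keeps the URI prefix: files are read from /srv/www/localfiles/`, would save the next reader the lookup. The enclosing virtualHost attrset starts outside this hunk.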
From: jaina heartles Date: Sat, 3 Aug 2024 01:37:36 -0700 Subject: [PATCH 03/69] Make egirls.gay the default --- misskey-service.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/misskey-service.nix b/misskey-service.nix index 3c91f3e..9d0c01e 100644 --- a/misskey-service.nix +++ b/misskey-service.nix @@ -152,6 +152,7 @@ in { virtualHosts."egirls.gay" = { inherit listen; + default = true; forceSSL = true; useACMEHost = "egirls.gay"; locations."/" = { From 7d6c9faba2b249d3659aaf9de77b2c1c2ff148eb Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sat, 3 Aug 2024 01:38:19 -0700 Subject: [PATCH 04/69] flake update --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 895f734..8c6c782 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1722221733, - "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=", + "lastModified": 1722519197, + "narHash": "sha256-VEdJmVU2eLFtLqCjTYJd1J7+Go8idAcZoT11IewFiRg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "12bf09802d77264e441f48e25459c10c93eada2e", + "rev": "05405724efa137a0b899cce5ab4dde463b4fd30b", "type": "github" }, "original": { @@ -24,11 +24,11 @@ }, "unstable": { "locked": { - "lastModified": 1722185531, - "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=", + "lastModified": 1722421184, + "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d", + "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", "type": "github" }, "original": { From cc2613451837024188246bcf99d1784f4aac45b4 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 7 Aug 2024 18:23:01 -0700 Subject: [PATCH 05/69] flake update --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 8c6c782..606f4d1 100644 --- a/flake.lock 
+++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1722519197, - "narHash": "sha256-VEdJmVU2eLFtLqCjTYJd1J7+Go8idAcZoT11IewFiRg=", + "lastModified": 1722869614, + "narHash": "sha256-7ojM1KSk3mzutD7SkrdSflHXEujPvW1u7QuqWoTLXQU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "05405724efa137a0b899cce5ab4dde463b4fd30b", + "rev": "883180e6550c1723395a3a342f830bfc5c371f6b", "type": "github" }, "original": { @@ -24,11 +24,11 @@ }, "unstable": { "locked": { - "lastModified": 1722421184, - "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", + "lastModified": 1722813957, + "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", + "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa", "type": "github" }, "original": { From 13642fbbabe1d197a512f896cdb00347dcfdb1f5 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 7 Aug 2024 18:23:56 -0700 Subject: [PATCH 06/69] add nebula --- configuration.nix | 1 + nebula.nix | 12 ++++++++++++ 2 files changed, 13 insertions(+) create mode 100644 nebula.nix diff --git a/configuration.nix b/configuration.nix index 721d4f5..bd7a164 100644 --- a/configuration.nix +++ b/configuration.nix @@ -5,6 +5,7 @@ ./heartles-xyz-proxy.nix ./ogdo.nix ./postfix.nix + ./nebula.nix ]; nix.settings = { diff --git a/nebula.nix b/nebula.nix new file mode 100644 index 0000000..c293bfa --- /dev/null +++ b/nebula.nix @@ -0,0 +1,12 @@ +{ pkgs, lib, ... }: + +{ + environment.systemPackages = [ pkgs.nebula ]; + services.nebula.networks.home = { + enable = true; + isLighthouse = true; + cert = "/etc/nebula/node.crt"; + key = "/etc/nebula/node.key"; + ca = "/etc/nebula/ca.crt"; + }; +} From 24b4fa2c8e2991a6c72154e35bb4e983adb9a673 Mon Sep 17 00:00:00 2001 
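Review bot: `key = "/etc/nebula/node.key"` points the network at a private key that this commit does not provision, so the file's ownership and mode are left to whoever copies it in; it should be readable only by the account the nebula unit runs as (presumably the per-network service user the NixOS module creates — confirm against the module) and by nothing else. A comment beside `cert`/`key`/`ca` stating that they are placed out of band and what permissions are expected, e.g. `# provisioned manually; node.key must be mode 0600 and owned by the nebula service user`, would record that. The `services.nebula.networks.home` block is complete within the hunk.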
From: jaina heartles
Date: Wed, 7 Aug 2024 18:27:29 -0700
Subject: [PATCH 07/69] move nebula certs
---
 nebula.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/nebula.nix b/nebula.nix
index c293bfa..6b0a57a 100644
--- a/nebula.nix
+++ b/nebula.nix
@@ -5,8 +5,8 @@
 services.nebula.networks.home = {
 enable = true;
 isLighthouse = true;
- cert = "/etc/nebula/node.crt";
- key = "/etc/nebula/node.key";
- ca = "/etc/nebula/ca.crt";
+ cert = "/var/lib/nebula/node.crt";
+ key = "/var/lib/nebula/node.key";
+ ca = "/var/lib/nebula/ca.crt";
 };
 }
From 096d89956ea8fbbcca71d28a0b034bc018ce3bd2 Mon Sep 17 00:00:00 2001
From: jaina heartles
Date: Wed, 7 Aug 2024 19:58:23 -0700
Subject: [PATCH 08/69] open firewall ports
---
 nebula.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nebula.nix b/nebula.nix
index 6b0a57a..fc9b27c 100644
--- a/nebula.nix
+++ b/nebula.nix
@@ -9,4 +9,7 @@
 key = "/var/lib/nebula/node.key";
 ca = "/var/lib/nebula/ca.crt";
 };
+
+ networking.firewall.allowedTCPPorts = [ 4242 ];
+ networking.firewall.allowedUDPPorts = [ 4242 ];
 }
From 1cb4864c7c3842df0d5866f793ce75699421da29 Mon Sep 17 00:00:00 2001
From: jaina heartles
Date: Wed, 7 Aug 2024 20:04:43 -0700
Subject: [PATCH 09/69] open nebula firewall
---
 nebula.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/nebula.nix b/nebula.nix
index fc9b27c..06d584e 100644
--- a/nebula.nix
+++ b/nebula.nix
@@ -8,6 +8,17 @@
 cert = "/var/lib/nebula/node.crt";
 key = "/var/lib/nebula/node.key";
 ca = "/var/lib/nebula/ca.crt";
+
+ firewall.inbound = [{
+ host = "any";
+ port = "any";
+ proto = "any";
+ }];
+ firewall.outbound = [{
+ host = "any";
+ port = "any";
+ proto = "any";
+ }];
 };
 networking.firewall.allowedTCPPorts = [ 4242 ];
From e86c411aca66625c90401324391889e053d9a8cd Mon Sep 17 00:00:00 2001
From: jaina heartles
Date: Sun, 22 Sep 2024 18:49:00 -0400
Subject: [PATCH 10/69] flake update
---
 flake.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
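Review bot: Nebula carries its tunnel over UDP, so `networking.firewall.allowedTCPPorts = [ 4242 ];` opens a TCP port that nothing listens on; only the `allowedUDPPorts` line is needed and the TCP line can be dropped. If the listen port is also set explicitly in the network config (not shown in this hunk), deriving the firewall entry from that one value would keep the two from drifting apart.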
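Review bot: `firewall.inbound` with `host = "any"; port = "any"; proto = "any";` switches the overlay firewall off for this node, and because it is the lighthouse every peer on the network can then reach every local service through the tunnel. Outbound-any is the usual default, but inbound should list only what peers legitimately need from this host — the lighthouse exchange itself runs over the underlay UDP port and does not need an overlay rule. If the blanket rule is deliberate while the network is being brought up, a comment such as `# TODO: restrict inbound to the services peers actually need` would keep it from being read as the intended final state.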
diff --git a/flake.lock b/flake.lock index 606f4d1..b048e7c 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1722869614, - "narHash": "sha256-7ojM1KSk3mzutD7SkrdSflHXEujPvW1u7QuqWoTLXQU=", + "lastModified": 1726838390, + "narHash": "sha256-NmcVhGElxDbmEWzgXsyAjlRhUus/nEqPC5So7BOJLUM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "883180e6550c1723395a3a342f830bfc5c371f6b", + "rev": "944b2aea7f0a2d7c79f72468106bc5510cbf5101", "type": "github" }, "original": { @@ -24,11 +24,11 @@ }, "unstable": { "locked": { - "lastModified": 1722813957, - "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=", + "lastModified": 1726755586, + "narHash": "sha256-PmUr/2GQGvFTIJ6/Tvsins7Q43KTMvMFhvG6oaYK+Wk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa", + "rev": "c04d5652cfa9742b1d519688f65d1bbccea9eb7e", "type": "github" }, "original": { From a0fb0388c82c85a3cc5eff21b543fba9cd722ec3 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 22 Sep 2024 18:49:31 -0400 Subject: [PATCH 11/69] switch to pnpm package --- misskey-service.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misskey-service.nix b/misskey-service.nix index 9d0c01e..ffb5a35 100644 --- a/misskey-service.nix +++ b/misskey-service.nix @@ -198,7 +198,7 @@ in { # # pnpm2nix does not work due to misskey using workspaces environment.systemPackages = - [ nodejs nodePackages.pnpm pkgs.cypress pkgs.pkg-config pkgs.vips ]; + [ nodejs pkgs.pnpm pkgs.cypress pkgs.pkg-config pkgs.vips ]; environment.sessionVariables = { CYPRESS_INSTALL_BINARY = "0"; CYPRESS_RUN_BINARY = "${pkgs.cypress}/bin/Cypress"; From dd41dfb7d92b41af900d29f59d5c605674eb58c0 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Thu, 10 Oct 2024 01:23:38 -0400 Subject: [PATCH 12/69] flake update --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/flake.lock b/flake.lock index b048e7c..1627a67 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1726838390, - "narHash": "sha256-NmcVhGElxDbmEWzgXsyAjlRhUus/nEqPC5So7BOJLUM=", + "lastModified": 1728328465, + "narHash": "sha256-a0a0M1TmXMK34y3M0cugsmpJ4FJPT/xsblhpiiX1CXo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "944b2aea7f0a2d7c79f72468106bc5510cbf5101", + "rev": "1bfbbbe5bbf888d675397c66bfdb275d0b99361c", "type": "github" }, "original": { @@ -24,11 +24,11 @@ }, "unstable": { "locked": { - "lastModified": 1726755586, - "narHash": "sha256-PmUr/2GQGvFTIJ6/Tvsins7Q43KTMvMFhvG6oaYK+Wk=", + "lastModified": 1728241625, + "narHash": "sha256-yumd4fBc/hi8a9QgA9IT8vlQuLZ2oqhkJXHPKxH/tRw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c04d5652cfa9742b1d519688f65d1bbccea9eb7e", + "rev": "c31898adf5a8ed202ce5bea9f347b1c6871f32d1", "type": "github" }, "original": { From da6919a997aa76b61d25f1c956af5e3bcb4fda7b Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Thu, 10 Oct 2024 01:24:18 -0400 Subject: [PATCH 13/69] =?UTF-8?q?add=20=EA=99=AE.run=20check?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ogdo.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/ogdo.nix b/ogdo.nix index 893ba73..31ec73f 100644 --- a/ogdo.nix +++ b/ogdo.nix @@ -52,5 +52,22 @@ locations."/".return = "301 http://xn--xx8a.run$request_uri"; }; + + virtualHosts."ꙮ.run" = { + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + port = 80; + addr = "[::]"; + } + ]; + + rejectSSL = true; + + locations."/".return = "301 http://xn--xx8a.run$request_uri"; + }; }; } From 17aa3246df43d497111a7378a07611a96d7731fc Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Thu, 10 Oct 2024 01:27:26 -0400 Subject: [PATCH 14/69] intermediate redirect to ogdo.run --- ogdo.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
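Review bot: nginx does not decode internationalised names; it compares `server_name` with the Host header as sent, and browsers send the punycode form, so `virtualHosts."ꙮ.run"` is only matched by a client that sends the literal UTF-8 host — the `xn--xx8a.run` host already covers the normal case. The subject line suggests this block is an experiment to see whether such clients exist; if so, a comment on it, `# matches only clients that send the raw UTF-8 host; xn--xx8a.run handles browsers`, would stop a later cleanup from folding the two together, and if not it can be removed. The enclosing `virtualHosts` attrset starts outside the hunk.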
diff --git a/ogdo.nix b/ogdo.nix index 31ec73f..bd207c6 100644 --- a/ogdo.nix +++ b/ogdo.nix @@ -67,7 +67,7 @@ rejectSSL = true; - locations."/".return = "301 http://xn--xx8a.run$request_uri"; + locations."/".return = "301 http://ogdo.run$request_uri"; }; }; } From 6bb66f3e21627cc3ca9487a112393260e2749882 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Thu, 10 Oct 2024 01:43:48 -0400 Subject: [PATCH 15/69] listen for ssl connections to reject --- ogdo.nix | 81 ++++++++++++++++++++++++-------------------------------- 1 file changed, 35 insertions(+), 46 deletions(-) diff --git a/ogdo.nix b/ogdo.nix index bd207c6..e937e15 100644 --- a/ogdo.nix +++ b/ogdo.nix @@ -4,7 +4,7 @@ enable = true; # ꙮ.run - virtualHosts."xn--xx8a.run" = { + virtualHosts = let listen = [ { addr = "0.0.0.0"; 
@@ -15,59 +15,48 @@ addr = "[::]"; } # deliberately avoid listening with https + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + port = 443; + ssl = true; + addr = "[::]"; + } ]; - rejectSSL = true; - root = "/srv/ogdo"; + in { + "xn--xx8a.run" = { + inherit listen rejectSSL; + root = "/srv/ogdo"; - extraConfig = '' - error_page 404 /; - access_log /var/log/nginx/ogdo.log combined; - add_header 'Cache-Control' 'no-cache'; - ''; - - locations."/" = { index = "/index.html"; }; - locations."~ ^/.+" = { - root = "/srv/ogdo/served-files"; - tryFiles = "$uri =404"; extraConfig = '' - default_type application/pdf; + error_page 404 /; + access_log /var/log/nginx/ogdo.log combined; + add_header 'Cache-Control' 'no-cache'; ''; + + locations."/" = { index = "/index.html"; }; + locations."~ ^/.+" = { + root = "/srv/ogdo/served-files"; + tryFiles = "$uri =404"; + extraConfig = '' + default_type application/pdf; + ''; + }; }; - }; - virtualHosts."ogdo.run" = { - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - port = 80; - addr = "[::]"; - } - ]; + "ogdo.run" = { + inherit listen rejectSSL; + locations."/".return = "301 http://xn--xx8a.run$request_uri"; + }; - rejectSSL = true; - - locations."/".return = "301 http://xn--xx8a.run$request_uri"; - }; - - virtualHosts."ꙮ.run" = { - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - port = 80; - addr = "[::]"; - } - ]; - - rejectSSL = true; - - locations."/".return = "301 http://ogdo.run$request_uri"; + "ꙮ.run" = { + inherit listen rejectSSL; + locations."/".return = "301 http://ogdo.run$request_uri"; + }; }; }; } From aff2d5ab6470481fabd6c9e6b395ec3fb2d7d438 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Thu, 19 Dec 2024 22:09:51 -0500 Subject: [PATCH 16/69] add backup job --- backup.nix | 41 +++++++++++++++++++++++++++++++++++++++++ configuration.nix | 1 + 2 files changed, 42 insertions(+) create mode 100644 backup.nix diff --git a/backup.nix b/backup.nix new file mode 100644 index 0000000..73d3084 
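Review bot: The context line `# deliberately avoid listening with https` now sits directly above the added `port = 443; ssl = true;` entries, so it states the opposite of what the list does; it should read `# 443 is listened on only so rejectSSL can refuse TLS clients outright instead of letting them time out`. The hunk also removes `rejectSSL = true;` and never adds it back, while every host does `inherit listen rejectSSL;`, so unless a `rejectSSL` binding exists in the `let` outside this hunk (the `let` header is in the previous hunk and shows only `listen`) the inherit has nothing to resolve and evaluation fails. The surrounding `services.nginx` attrset begins and ends outside the hunk.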
--- /dev/null
+++ b/backup.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+
+let
+ user = "misskey-backup";
+ group = user;
+
+ # shell script file to be sourced. must have values "MISSKEY_BACKUP_BUCKET" "MISSKEY_BACKUP_PREFIX" and "S3CFG"
+ backupConfigFile = "/etc/misskey-backup";
+ backupScript = pkgs.writeShellApplication {
+ name = "misskey-backup";
+
+ runtimeInputs = with pkgs; [
+ gzip
+ config.services.postgresql.package
+ s3cmd
+ coreutils
+ ];
+
+ extraShellCheckFlags = [ "-x" "/etc/misskey-backup" ];
+
+ text = ''
+ source "${backupConfigFile}"
+ pg_dump misskey | gzip | s3cmd put --config "$S3CFG" - "s3://$MISSKEY_BACKUP_BUCKET/$MISSKEY_BACKUP_PREFIX/misskey-pgdump-$(date --iso-8601).sql.gz"
+ '';
+ };
+in {
+ users.users."${user}" = {
+ isSystemUser = true;
+ inherit group;
+ };
+ users.groups."${group}" = { };
+ services.postgresql.ensureUsers = [{ name = user; }];
+
+ services.cron = {
+ enable = true;
+ systemCronJobs = [
+ # run every monday at ass in the morning, EST"
+ "0 8 0 0 1 ${user} ${backupScript}"
+ ];
+ };
+}
diff --git a/configuration.nix b/configuration.nix
index bd7a164..835906f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -6,6 +6,7 @@
 ./ogdo.nix
 ./postfix.nix
 ./nebula.nix
+ ./backup.nix
 ];
 nix.settings = {
From 72a4be3c5dd52a346749392eecbdc16863f550ad Mon Sep 17 00:00:00 2001
From: jaina heartles
Date: Thu, 19 Dec 2024 22:14:07 -0500
Subject: [PATCH 17/69] flake update
---
 flake.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/flake.lock b/flake.lock
index 1627a67..416addd 100644
--- a/flake.lock
+++ b/flake.lock
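Review bot: The cron entry `"0 8 0 0 1 ${user} ${backupScript}"` never fires: the third and fourth fields are day-of-month (1–31) and month (1–12), so `0 0` is not a valid schedule; "every Monday at 08:00" is `"0 8 * * 1 ${user} ${backupScript}"`. `source "${backupConfigFile}"` executes the config file as shell code under the backup user, so the comment above `backupConfigFile` should also say that `/etc/misskey-backup` must be root-owned and not group- or world-writable, since anyone who can edit it runs code with that user's database and bucket access. `date --iso-8601` yields only the date, so two runs on the same day overwrite the same object name; `date --iso-8601=seconds` avoids that.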
@@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1728328465, - "narHash": "sha256-a0a0M1TmXMK34y3M0cugsmpJ4FJPT/xsblhpiiX1CXo=", + "lastModified": 1734529975, + "narHash": "sha256-ze3IJksru9dN0keqUxY0WNf8xrwfs8Ty/z9v/keyBbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1bfbbbe5bbf888d675397c66bfdb275d0b99361c", + "rev": "72d11d40b9878a67c38f003c240c2d2e1811e72a", "type": "github" }, "original": { @@ -24,11 +24,11 @@ }, "unstable": { "locked": { - "lastModified": 1728241625, - "narHash": "sha256-yumd4fBc/hi8a9QgA9IT8vlQuLZ2oqhkJXHPKxH/tRw=", + "lastModified": 1734424634, + "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c31898adf5a8ed202ce5bea9f347b1c6871f32d1", + "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33", "type": "github" }, "original": { From 336b840fcd89f3488cc307717f8e2bc75864b12c Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Thu, 19 Dec 2024 22:33:47 -0500 Subject: [PATCH 18/69] ignore shellcheck warning --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index 73d3084..8ad5a78 100644 --- a/backup.nix +++ b/backup.nix @@ -16,7 +16,7 @@ let coreutils ]; - extraShellCheckFlags = [ "-x" "/etc/misskey-backup" ]; + excludeShellChecks = [ "SC1091" ]; text = '' source "${backupConfigFile}" From 652c1b577814767b82b111927774cf8a91df3667 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Thu, 19 Dec 2024 22:40:52 -0500 Subject: [PATCH 19/69] change config file location --- backup.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index 8ad5a78..b74d6b5 100644 --- a/backup.nix +++ b/backup.nix 
@@ -1,11 +1,18 @@ { config, pkgs, ... }: +#necessary prep work: +# GRANT CONNECT ON DATABASE misskey TO "misskey-backup"; +# GRANT SELECT ON ALL TABLES IN SCHEMA public TO "misskey-backup"; +# GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO "misskey-backup"; +# +# TODO: automate this cause it needs to be done whenever db schema changes let user = "misskey-backup"; group = user; # shell script file to be sourced. must have values "MISSKEY_BACKUP_BUCKET" "MISSKEY_BACKUP_PREFIX" and "S3CFG" - backupConfigFile = "/etc/misskey-backup"; + # $S3CFG must be a path to a .s3cfg file compatible with s3cmd + backupConfigFile = "/etc/misskey-backup/conf"; backupScript = pkgs.writeShellApplication { name = "misskey-backup"; From 67c1f553fb618efaf87de3297e581f084d7f4895 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Thu, 19 Dec 2024 22:49:47 -0500 Subject: [PATCH 20/69] better escape prefix --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index b74d6b5..cb11c1c 100644 --- a/backup.nix +++ b/backup.nix @@ -27,7 +27,7 @@ let text = '' source "${backupConfigFile}" - pg_dump misskey | gzip | s3cmd put --config "$S3CFG" - "s3://$MISSKEY_BACKUP_BUCKET/$MISSKEY_BACKUP_PREFIX/misskey-pgdump-$(date --iso-8601).sql.gz" + pg_dump misskey | gzip | s3cmd put --config "$S3CFG" - "s3://$MISSKEY_BACKUP_BUCKET/\$\{MISSKEY_BACKUP_PREFIX}misskey-pgdump-$(date --iso-8601).sql.gz" ''; }; in { From 3aff383a2c6f1ce3b4e4ae402ff48649c1c01b3b Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 25 Dec 2024 00:40:17 -0500 Subject: [PATCH 21/69] backup redis db and config dir --- backup.nix | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index cb11c1c..6950b39 100644 --- a/backup.nix +++ b/backup.nix 
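Review bot: The `# TODO: automate this cause it needs to be done whenever db schema changes` note can be closed with default privileges: `ALTER DEFAULT PRIVILEGES FOR ROLE <misskey-db-owner> IN SCHEMA public GRANT SELECT ON TABLES TO "misskey-backup";` (and the same with `ON SEQUENCES`) makes tables that role creates later readable without re-running the grants; the owning role is not visible in this hunk, hence the placeholder. The two existing `GRANT SELECT ON ALL …` lines still cover objects that already exist, which is worth stating in the comment so nobody drops them once the default-privilege line is added.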
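Review bot: Inside a Nix indented string (`''…''`) a backslash is not an escape, so `\$\{MISSKEY_BACKUP_PREFIX}` reaches bash as the literal characters `\$\{…}`; within double quotes bash turns `\$` into a literal `$` and keeps `\{`, so the object key ends up containing the text `$\{MISSKEY_BACKUP_PREFIX}` instead of the prefix value. The Nix escape for a literal `${` is `''${`, i.e. `"s3://$MISSKEY_BACKUP_BUCKET/''${MISSKEY_BACKUP_PREFIX}misskey-pgdump-$(date --iso-8601).sql.gz"`. The rest of the `text` block is outside this hunk.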
@@ -21,13 +21,30 @@ let
 config.services.postgresql.package
 s3cmd
 coreutils
+ mktemp
 ];
 excludeShellChecks = [ "SC1091" ];
 text = ''
 source "${backupConfigFile}"
- pg_dump misskey | gzip | s3cmd put --config "$S3CFG" - "s3://$MISSKEY_BACKUP_BUCKET/\$\{MISSKEY_BACKUP_PREFIX}misskey-pgdump-$(date --iso-8601).sql.gz"
+
+ dir="$(mktemp --directory)"
+ echo "Using temp dir '$dir'"
+
+ trap EXIT "rm -rf '$dir'"
+
+ echo "Copying config"
+ cp /srv/misskey/.config "$dir/config" -r
+
+ echo "Dumping postgres database..."
+ pg_dump misskey | gzip > "$dir/postgres.sql.gz"
+
+ echo "Copying redis database..."
+ cp /var/lib/redis-misskey "$dir/redis" -r
+
+ tar -cz -C "$dir" . | \
+ s3cmd put --config "$S3CFG" - "s3://$MISSKEY_BACKUP_BUCKET/\$\{MISSKEY_BACKUP_PREFIX}misskey-$(date --iso-8601).tar.gz"
 '';
 };
 in {
From 983f47440f35811eb5a21273603cd26711b83473 Mon Sep 17 00:00:00 2001
From: jaina heartles
Date: Wed, 25 Dec 2024 15:28:15 -0500
Subject: [PATCH 22/69] use object storage directory instead of tar
---
 backup.nix | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/backup.nix b/backup.nix
index 6950b39..8970461 100644
--- a/backup.nix
+++ b/backup.nix
@@ -10,9 +10,8 @@
 let
 user = "misskey-backup";
 group = user;
- # shell script file to be sourced. must have values "MISSKEY_BACKUP_BUCKET" "MISSKEY_BACKUP_PREFIX" and "S3CFG"
- # $S3CFG must be a path to a .s3cfg file compatible with s3cmd
 backupConfigFile = "/etc/misskey-backup/conf";
+ s3Cfg = "/etc/misskey-backup/s3cfg";
 backupScript = pkgs.writeShellApplication {
 name = "misskey-backup";
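Review bot: `trap EXIT "rm -rf '$dir'"` has its arguments reversed — bash's form is `trap 'action' SIGNAL`, so this registers the command `EXIT` for a signal spec that does not exist; bash rejects the bogus name with a non-zero status, and since `writeShellApplication` runs with errexit the script aborts before taking any backup. It should be `trap "rm -rf '$dir'" EXIT`, placed directly after the `mktemp` line so the temp directory (which briefly holds a full database dump and the `.config` tree) is cleaned up on every exit path. `cp … -r` with the flag after the operands works on GNU `cp` only; `cp -r src dst` is the portable order.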
@@ -27,24 +26,22 @@ let excludeShellChecks = [ "SC1091" ]; text = '' - source "${backupConfigFile}" + bucket="$(cat "${backupConfigFile}" | grep 'bucket=' | sed 's/bucket \?= \?')" + prefix="$(cat "${backupConfigFile}" | grep 'prefix=' | sed 's/prefix \?= \?')" - dir="$(mktemp --directory)" - echo "Using temp dir '$dir'" + s3Dir="s3://$bucket/\$\{prefix}misskey-$(date --iso-8601)" + echo "Uploading backups to '$s3Dir'" - trap EXIT "rm -rf '$dir'" - - echo "Copying config" - cp /srv/misskey/.config "$dir/config" -r + echo "Uploading config" + tar -cz -C /srv/misskey/.config . | s3cmd put --config "${s3Cfg}" - "$s3Dir/config.tar.gz" echo "Dumping postgres database..." - pg_dump misskey | gzip > "$dir/postgres.sql.gz" + pg_dump misskey | gzip | s3cmd put --config "${s3Cfg}" - "$s3Dir/pg_dump.sql.gz" - echo "Copying redis database..." - cp /var/lib/redis-misskey "$dir/redis" -r + echo "Uploading redis database..." + tar -cz -C /var/lib/redis-misskey . | s3cmd put --config "${s3Cfg}" - "$s3Dir/redis.tar.gz" - tar -cz -C "$dir" . | \ - s3cmd put --config "$S3CFG" - "s3://$MISSKEY_BACKUP_BUCKET/\$\{MISSKEY_BACKUP_PREFIX}misskey-$(date --iso-8601).tar.gz" + echo "Backup complete to '$s3Dir'" ''; }; in { From 24094cad316f05085494e5233a619b339d1ebd9c Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 25 Dec 2024 15:33:20 -0500 Subject: [PATCH 23/69] use bash function to upload --- backup.nix | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/backup.nix b/backup.nix index 8970461..b2ad438 100644 --- a/backup.nix +++ b/backup.nix 
@@ -32,14 +32,20 @@ let s3Dir="s3://$bucket/\$\{prefix}misskey-$(date --iso-8601)" echo "Uploading backups to '$s3Dir'" + function upload () { + name="$1" + + s3cmd put --config "${s3Cfg}" - "$s3Dir/$name" + } + echo "Uploading config" - tar -cz -C /srv/misskey/.config . | s3cmd put --config "${s3Cfg}" - "$s3Dir/config.tar.gz" + tar -cz -C /srv/misskey/.config . | upload "config.tar.gz" echo "Dumping postgres database..." - pg_dump misskey | gzip | s3cmd put --config "${s3Cfg}" - "$s3Dir/pg_dump.sql.gz" + pg_dump misskey | gzip | upload "pg_dump.sql.gz" echo "Uploading redis database..." - tar -cz -C /var/lib/redis-misskey . | s3cmd put --config "${s3Cfg}" - "$s3Dir/redis.tar.gz" + tar -cz -C /var/lib/redis-misskey . | upload "redis.tar.gz" echo "Backup complete to '$s3Dir'" ''; From 9606a755d0474abbd402bab7e1e0fc8be6e02359 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 25 Dec 2024 15:35:47 -0500 Subject: [PATCH 24/69] take config file via cmd line --- backup.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/backup.nix b/backup.nix index b2ad438..f4fd03e 100644 --- a/backup.nix +++ b/backup.nix @@ -23,11 +23,12 @@ let mktemp ]; - excludeShellChecks = [ "SC1091" ]; - text = '' - bucket="$(cat "${backupConfigFile}" | grep 'bucket=' | sed 's/bucket \?= \?')" - prefix="$(cat "${backupConfigFile}" | grep 'prefix=' | sed 's/prefix \?= \?')" + configFile="$1" + s3cfg="$2" + + bucket="$(cat "$configFile" | grep 'bucket=' | sed 's/bucket \?= \?')" + prefix="$(cat "$configFile" | grep 'prefix=' | sed 's/prefix \?= \?')" s3Dir="s3://$bucket/\$\{prefix}misskey-$(date --iso-8601)" echo "Uploading backups to '$s3Dir'" @@ -35,7 +36,7 @@ let function upload () { name="$1" - s3cmd put --config "${s3Cfg}" - "$s3Dir/$name" + s3cmd put --config "$s3cfg" - "$s3Dir/$name" } echo "Uploading config" 
@@ -62,7 +63,7 @@ in { enable = true; systemCronJobs = [ # run every monday at ass in the morning, EST" - "0 8 0 0 1 ${user} ${backupScript}" + "0 8 0 0 1 ${user} ${backupScript} ${backupConfigFile} ${s3Cfg}" ]; }; } From aa193bf4232b827eeed32670e2469b5212ee7a91 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 25 Dec 2024 15:41:55 -0500 Subject: [PATCH 25/69] encrypt backups --- backup.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/backup.nix b/backup.nix index f4fd03e..6f208da 100644 --- a/backup.nix +++ b/backup.nix @@ -20,13 +20,14 @@ let config.services.postgresql.package s3cmd coreutils - mktemp + age ]; text = '' configFile="$1" s3cfg="$2" + ageRecipient="age17ckyc69njpryytc63ynn545jswyucg28k5xg3043g3j6q38dxqwq0wzhm2" bucket="$(cat "$configFile" | grep 'bucket=' | sed 's/bucket \?= \?')" prefix="$(cat "$configFile" | grep 'prefix=' | sed 's/prefix \?= \?')" @@ -36,7 +37,7 @@ let function upload () { name="$1" - s3cmd put --config "$s3cfg" - "$s3Dir/$name" + age -r "$ageRecipient" | s3cmd put --config "$s3cfg" - "$s3Dir/$name.age" } echo "Uploading config" From 037257b5e2c2208b72be565a4ef26ac132680d67 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 25 Dec 2024 15:45:39 -0500 Subject: [PATCH 26/69] fix shellcheck --- backup.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/backup.nix b/backup.nix index 6f208da..d71b37e 100644 --- a/backup.nix +++ b/backup.nix 
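Review bot: `ageRecipient` is an age public key, which is fine to keep in the repository, but the encrypted backups are only recoverable if the matching identity is held somewhere other than this host, and nothing in the file says where. A comment on the line, `# age public key; the decrypting identity is stored at <out-of-band location> and must never be on this machine`, records that for whoever has to restore. The `script`'s `upload` function is complete in the second hunk, but the surrounding `text` block continues outside both hunks.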
@@ -28,10 +28,10 @@ let s3cfg="$2" ageRecipient="age17ckyc69njpryytc63ynn545jswyucg28k5xg3043g3j6q38dxqwq0wzhm2" - bucket="$(cat "$configFile" | grep 'bucket=' | sed 's/bucket \?= \?')" - prefix="$(cat "$configFile" | grep 'prefix=' | sed 's/prefix \?= \?')" + bucket="$(grep 'bucket=' < "$configFile" | sed 's/bucket \?= \?')" + prefix="$(grep 'prefix=' < "$configFile" | sed 's/prefix \?= \?')" - s3Dir="s3://$bucket/\$\{prefix}misskey-$(date --iso-8601)" + s3Dir="s3://$bucket/$\{prefix}misskey-$(date --iso-8601)" echo "Uploading backups to '$s3Dir'" function upload () { From d5b92c037f5c0f73b974c685bff08a8cb80e7683 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 25 Dec 2024 15:46:58 -0500 Subject: [PATCH 27/69] fix shellcheck 2 --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index d71b37e..bbc5e0c 100644 --- a/backup.nix +++ b/backup.nix @@ -31,7 +31,7 @@ let bucket="$(grep 'bucket=' < "$configFile" | sed 's/bucket \?= \?')" prefix="$(grep 'prefix=' < "$configFile" | sed 's/prefix \?= \?')" - s3Dir="s3://$bucket/$\{prefix}misskey-$(date --iso-8601)" + s3Dir="s3://$bucket/\${prefix}misskey-$(date --iso-8601)" echo "Uploading backups to '$s3Dir'" function upload () { From b814af9ac33d6265b71049e0455adbc3ab7cff5c Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 25 Dec 2024 15:48:17 -0500 Subject: [PATCH 28/69] fix shellcheck 3 --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index bbc5e0c..f06660e 100644 --- a/backup.nix +++ b/backup.nix @@ -31,7 +31,7 @@ let bucket="$(grep 'bucket=' < "$configFile" | sed 's/bucket \?= \?')" prefix="$(grep 'prefix=' < "$configFile" | sed 's/prefix \?= \?')" - s3Dir="s3://$bucket/\${prefix}misskey-$(date --iso-8601)" + s3Dir="s3://$bucket/$prefix""misskey-$(date --iso-8601)" echo "Uploading backups to '$s3Dir'" function upload () { From 374fb3a756ccdd952e5210b0d46bc1bd342fa67b Mon Sep 17 00:00:00 2001 
From: jaina heartles Date: Sun, 29 Dec 2024 18:29:03 -0500 Subject: [PATCH 29/69] use systemd timer --- backup.nix | 54 +++++++++++++++++++++++++++++------------------------- 1 file changed, 29 insertions(+), 25 deletions(-) diff --git a/backup.nix b/backup.nix index f06660e..c8d1479 100644 --- a/backup.nix +++ b/backup.nix @@ -12,10 +12,26 @@ let backupConfigFile = "/etc/misskey-backup/conf"; s3Cfg = "/etc/misskey-backup/s3cfg"; - backupScript = pkgs.writeShellApplication { - name = "misskey-backup"; +in { + users.users."${user}" = { + isSystemUser = true; + inherit group; + }; + users.groups."${group}" = { }; + services.postgresql.ensureUsers = [{ name = user; }]; - runtimeInputs = with pkgs; [ + systemd.services.misskey-backup = { + description = "Misskey backup"; + + restartIfChanged = false; + unitConfig.X-StopOnRemoval = false; + unitConfig.User = user; + + serviceConfig.Type = "oneshot"; + + startAt = "weekly"; + + path = with pkgs; [ gzip config.services.postgresql.package s3cmd @@ -23,21 +39,18 @@ let age ]; - text = '' - configFile="$1" - s3cfg="$2" - + script = '' ageRecipient="age17ckyc69njpryytc63ynn545jswyucg28k5xg3043g3j6q38dxqwq0wzhm2" - bucket="$(grep 'bucket=' < "$configFile" | sed 's/bucket \?= \?')" - prefix="$(grep 'prefix=' < "$configFile" | sed 's/prefix \?= \?')" + bucket="$(grep 'bucket=' < "${backupConfigFile}" | sed 's/bucket \?= \?')" + prefix="$(grep 'prefix=' < "${backupConfigFile}" | sed 's/prefix \?= \?')" - s3Dir="s3://$bucket/$prefix""misskey-$(date --iso-8601)" + s3Dir="s3://$bucket/$prefix""misskey-$(date +'%d-%m-%YT%H.%M.%S')" echo "Uploading backups to '$s3Dir'" function upload () { name="$1" - age -r "$ageRecipient" | s3cmd put --config "$s3cfg" - "$s3Dir/$name.age" + age -r "$ageRecipient" | s3cmd put --config "${s3Cfg}" - "$s3Dir/$name.age" } echo "Uploading config" 
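Review bot: `date +'%d-%m-%YT%H.%M.%S'` produces day-first names, so the per-run prefixes in the bucket do not sort chronologically; `date +'%Y-%m-%dT%H.%M.%S'` (or `date --iso-8601=seconds`) keeps listing order equal to time order, which matters as soon as old backups are pruned by name. The moved script also still carries `sed 's/bucket \?= \?'`, an unterminated `s` command with no replacement or closing `/`, so `$bucket` and `$prefix` are empty until a later patch in this series appends `//g`. The `script` block continues past the end of this hunk.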
@@ -51,20 +64,11 @@ let echo "Backup complete to '$s3Dir'" ''; - }; -in { - users.users."${user}" = { - isSystemUser = true; - inherit group; - }; - users.groups."${group}" = { }; - services.postgresql.ensureUsers = [{ name = user; }]; - services.cron = { - enable = true; - systemCronJobs = [ - # run every monday at ass in the morning, EST" - "0 8 0 0 1 ${user} ${backupScript} ${backupConfigFile} ${s3Cfg}" - ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + requires = [ "postgresql.service" ]; }; + + systemd.timers.misskey-backup = { timerConfig.Persistent = true; }; } From 87eaff16c41efb09961006605266ac05fd34ae5d Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 29 Dec 2024 18:32:53 -0500 Subject: [PATCH 30/69] add backup user to groups --- backup.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/backup.nix b/backup.nix index c8d1479..af71197 100644 --- a/backup.nix +++ b/backup.nix @@ -16,6 +16,7 @@ in { users.users."${user}" = { isSystemUser = true; inherit group; + extraGroups = [ "misskey" "redis-misskey" ]; }; users.groups."${group}" = { }; services.postgresql.ensureUsers = [{ name = user; }]; From 975199d53545f70aaf14a84dd1c47d69689d9e22 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 29 Dec 2024 18:34:53 -0500 Subject: [PATCH 31/69] fix sed command --- backup.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backup.nix b/backup.nix index af71197..26e6d8a 100644 --- a/backup.nix +++ b/backup.nix 
@@ -42,8 +42,8 @@ in { script = '' ageRecipient="age17ckyc69njpryytc63ynn545jswyucg28k5xg3043g3j6q38dxqwq0wzhm2" - bucket="$(grep 'bucket=' < "${backupConfigFile}" | sed 's/bucket \?= \?')" - prefix="$(grep 'prefix=' < "${backupConfigFile}" | sed 's/prefix \?= \?')" + bucket="$(grep 'bucket=' < "${backupConfigFile}" | sed 's/bucket \?= \?//g')" + prefix="$(grep 'prefix=' < "${backupConfigFile}" | sed 's/prefix \?= \?//g')" s3Dir="s3://$bucket/$prefix""misskey-$(date +'%d-%m-%YT%H.%M.%S')" echo "Uploading backups to '$s3Dir'" From 4fac3bcb0c05e2db5c40609443d8e8f037ecbb03 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 29 Dec 2024 18:37:38 -0500 Subject: [PATCH 32/69] fix User declaration --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index 26e6d8a..f7fe9f2 100644 --- a/backup.nix +++ b/backup.nix @@ -26,8 +26,8 @@ in { restartIfChanged = false; unitConfig.X-StopOnRemoval = false; - unitConfig.User = user; + serviceConfig.User = user; serviceConfig.Type = "oneshot"; startAt = "weekly"; From a11297200945009909e7aaee7069cb4cc28a66f1 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 29 Dec 2024 18:38:11 -0500 Subject: [PATCH 33/69] add gnutar to path --- backup.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/backup.nix b/backup.nix index f7fe9f2..181a1a2 100644 --- a/backup.nix +++ b/backup.nix @@ -37,6 +37,7 @@ in { config.services.postgresql.package s3cmd coreutils + gnutar age ]; From d734274b8aead392b69f89db8a4a9cbb59bea8f3 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 29 Dec 2024 18:48:16 -0500 Subject: [PATCH 34/69] increase multipart chunk size --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index 181a1a2..17788a7 100644 --- a/backup.nix +++ b/backup.nix 
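Review bot: `grep 'bucket='` only accepts lines with no space around `=`, while the `sed 's/bucket \?= \?//g'` it feeds tolerates spaces, so a config line written `bucket = x` is silently dropped and `$bucket` stays empty; it also matches any line that merely contains `bucket=`, such as a comment or `other_bucket=`. A single anchored expression avoids both, `bucket="$(sed -n 's/^bucket *= *//p' "${backupConfigFile}")"` and likewise for `prefix`, and a check such as `[ -n "$bucket" ] || { echo "bucket not set in ${backupConfigFile}" >&2; exit 1; }` turns a bad config into a clear failure instead of an upload to `s3:///…`. The `script` block continues outside the hunk.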
@@ -52,7 +52,7 @@ in { function upload () { name="$1" - age -r "$ageRecipient" | s3cmd put --config "${s3Cfg}" - "$s3Dir/$name.age" + age -r "$ageRecipient" | s3cmd put --config "${s3Cfg}" - "$s3Dir/$name.age" --multipart-chunk-size-mb=100 } echo "Uploading config" From c3e53a4c369f051595b61cb05a75c548c17cc90f Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 1 Jan 2025 19:39:15 -0500 Subject: [PATCH 35/69] use sudo to tar redis db --- backup.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index 17788a7..001dcd3 100644 --- a/backup.nix +++ b/backup.nix @@ -12,6 +12,8 @@ let backupConfigFile = "/etc/misskey-backup/conf"; s3Cfg = "/etc/misskey-backup/s3cfg"; + + tarRedisStdoutCmd = "tar -cz -C /var/lib/redis-misskey ."; in { users.users."${user}" = { isSystemUser = true; @@ -62,7 +64,7 @@ in { pg_dump misskey | gzip | upload "pg_dump.sql.gz" echo "Uploading redis database..." - tar -cz -C /var/lib/redis-misskey . | upload "redis.tar.gz" + sudo ${tarRedisStdoutCmd} | upload "redis.tar.gz" echo "Backup complete to '$s3Dir'" ''; @@ -73,4 +75,12 @@ in { }; systemd.timers.misskey-backup = { timerConfig.Persistent = true; }; + + security.sudo.extraRules = [{ + groups = [ group ]; + commands = [{ + command = tarRedisStdoutCmd; + options = [ "NOPASSWD" ]; + }]; + }]; } From 84e4d13ceda125ff7cc14fd8aa6d0ba2e5efb9bc Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 1 Jan 2025 19:44:44 -0500 Subject: [PATCH 36/69] fail script if any commands fail --- backup.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/backup.nix b/backup.nix index 001dcd3..90cf87b 100644 --- a/backup.nix +++ b/backup.nix @@ -44,6 +44,8 @@ in { ]; script = '' + set -o pipefail + ageRecipient="age17ckyc69njpryytc63ynn545jswyucg28k5xg3043g3j6q38dxqwq0wzhm2" bucket="$(grep 'bucket=' < "${backupConfigFile}" | sed 's/bucket \?= \?//g')" prefix="$(grep 'prefix=' < "${backupConfigFile}" | sed 's/prefix \?= \?//g')" 
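Review bot: The `security.sudo.extraRules` entry uses `command = tarRedisStdoutCmd`, whose value `tar -cz -C /var/lib/redis-misskey .` is not a fully-qualified path; sudoers requires absolute command paths, so the generated rule is likely to fail the sudoers syntax check at build time rather than grant anything (PATCH 39 in this series replaces the string with a store-path script, which resolves that). While touching it, pin the target user, since a rule without `runAs` defaults to `ALL`: add `runAs = "root";` next to `groups = [ group ];`. A NOPASSWD grant scoped to a single immutable store script is the right shape for a scheduled backup; keep the rule that narrow if the command list grows. The `let` block and the service body this patch edits start outside the hunk.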
From 0ebd6794d7a593cdf2cc72af04351e7ef954185e Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 1 Jan 2025 19:54:22 -0500 Subject: [PATCH 37/69] add admin.egirls.gay as valid email domain --- postfix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postfix.nix b/postfix.nix index 600a5d3..c9654b1 100644 --- a/postfix.nix +++ b/postfix.nix @@ -18,6 +18,6 @@ enable = true; selector = "default"; socket = "inet:8891@127.0.0.1"; - domains = "csl:${config.networking.fqdn}"; + domains = "csl:${config.networking.fqdn},admin.${config.networking.fqdn}"; }; } From 53b87fd40a0fa64b7874c1b0c52a9447c4060bff Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 1 Jan 2025 19:55:36 -0500 Subject: [PATCH 38/69] flake update --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 416addd..3e219fa 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1734529975, - "narHash": "sha256-ze3IJksru9dN0keqUxY0WNf8xrwfs8Ty/z9v/keyBbg=", + "lastModified": 1735563628, + "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "72d11d40b9878a67c38f003c240c2d2e1811e72a", + "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", "type": "github" }, "original": { @@ -24,11 +24,11 @@ }, "unstable": { "locked": { - "lastModified": 1734424634, - "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=", + "lastModified": 1735471104, + "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33", + "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4", "type": "github" }, "original": { From d486bf3144e78889879d82dc87568af7bf88a08c Mon Sep 17 00:00:00 2001 
From: jaina heartles Date: Wed, 1 Jan 2025 20:00:52 -0500 Subject: [PATCH 39/69] fix redis script --- backup.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/backup.nix b/backup.nix index 90cf87b..81677e3 100644 --- a/backup.nix +++ b/backup.nix @@ -13,7 +13,9 @@ let backupConfigFile = "/etc/misskey-backup/conf"; s3Cfg = "/etc/misskey-backup/s3cfg"; - tarRedisStdoutCmd = "tar -cz -C /var/lib/redis-misskey ."; + tarRedisStdoutCmd = pkgs.writeScript "backup-misskey-redis" '' + tar -cz -C /var/lib/redis-misskey . + ''; in { users.users."${user}" = { isSystemUser = true; @@ -81,7 +83,7 @@ in { security.sudo.extraRules = [{ groups = [ group ]; commands = [{ - command = tarRedisStdoutCmd; + command = "${tarRedisStdoutCmd}"; options = [ "NOPASSWD" ]; }]; }]; From ca6cb3e9da87fe3cf1e37c8e6400d36c2f26a22c Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 1 Jan 2025 20:24:08 -0500 Subject: [PATCH 40/69] add backup failure notification --- backup.nix | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/backup.nix b/backup.nix index 81677e3..32a053e 100644 --- a/backup.nix +++ b/backup.nix @@ -16,6 +16,27 @@ let tarRedisStdoutCmd = pkgs.writeScript "backup-misskey-redis" '' tar -cz -C /var/lib/redis-misskey . ''; + + notifyError = pkgs.writeShellApplication { + name = "notify-error"; + + runtimeInputs = [ pkgs.sendmail ]; + + text = '' + from="$1" + subject="$2" + text="$3" + + sendmail < Date: Wed, 1 Jan 2025 20:25:10 -0500 Subject: [PATCH 41/69] fix sendmail --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index 32a053e..b542aff 100644 --- a/backup.nix +++ b/backup.nix @@ -20,7 +20,7 @@ let notifyError = pkgs.writeShellApplication { name = "notify-error"; - runtimeInputs = [ pkgs.sendmail ]; + runtimeInputs = [ pkgs.system-sendmail ]; text = '' from="$1" From 2b4b5b9176f9306542ba2385d5c57c82ee020d76 Mon Sep 17 00:00:00 2001 
From: jaina heartles Date: Wed, 1 Jan 2025 20:27:53 -0500 Subject: [PATCH 42/69] fix email notification --- backup.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/backup.nix b/backup.nix index b542aff..c10c2cd 100644 --- a/backup.nix +++ b/backup.nix @@ -98,11 +98,14 @@ in { wants = [ "network-online.target" ]; requires = [ "postgresql.service" ]; - unitConfig.onFailure = '' + unitConfig.OnFailure = '' + invocationId="$(systemctl show --value -p InvocationID misskey-backup.service)" + logs="$(journalctl _SYSTEMD_INVOCATION_ID= -u misskey-backup.service)" + ${notifyError} "backup" "Misskey Backup Failure Notification" "$(< Date: Wed, 1 Jan 2025 20:30:33 -0500 Subject: [PATCH 43/69] fix email notification, again --- backup.nix | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/backup.nix b/backup.nix index c10c2cd..1b11f75 100644 --- a/backup.nix +++ b/backup.nix @@ -98,19 +98,21 @@ in { wants = [ "network-online.target" ]; requires = [ "postgresql.service" ]; - unitConfig.OnFailure = '' - invocationId="$(systemctl show --value -p InvocationID misskey-backup.service)" - logs="$(journalctl _SYSTEMD_INVOCATION_ID= -u misskey-backup.service)" + unitConfig.OnFailure = let + script = pkgs.writeScript "misskey-backup-failure" '' + invocationId="$(systemctl show --value -p InvocationID misskey-backup.service)" + logs="$(journalctl _SYSTEMD_INVOCATION_ID= -u misskey-backup.service)" - ${notifyError} "backup" "Misskey Backup Failure Notification" "$(< Date: Wed, 1 Jan 2025 20:37:04 -0500 Subject: [PATCH 44/69] fix email notification, again, again --- backup.nix | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/backup.nix b/backup.nix index 1b11f75..b6a7972 100644 --- a/backup.nix +++ b/backup.nix 
@@ -98,21 +98,30 @@ in { wants = [ "network-online.target" ]; requires = [ "postgresql.service" ]; - unitConfig.OnFailure = let - script = pkgs.writeScript "misskey-backup-failure" '' - invocationId="$(systemctl show --value -p InvocationID misskey-backup.service)" - logs="$(journalctl _SYSTEMD_INVOCATION_ID= -u misskey-backup.service)" + unitConfig.OnFailure = "misskey-backup-failure.service"; + }; - ${notifyError} "backup" "Misskey Backup Failure Notification" "$(< Date: Wed, 1 Jan 2025 20:49:18 -0500 Subject: [PATCH 45/69] run notify script with journal permissions --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index b6a7972..cc045cf 100644 --- a/backup.nix +++ b/backup.nix @@ -41,7 +41,7 @@ in { users.users."${user}" = { isSystemUser = true; inherit group; - extraGroups = [ "misskey" "redis-misskey" ]; + extraGroups = [ "misskey" "redis-misskey" "systemd-journal" ]; }; users.groups."${group}" = { }; services.postgresql.ensureUsers = [{ name = user; }]; From 99f329f82be33d19e340aaf9e296d48a4220f076 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 1 Jan 2025 20:54:01 -0500 Subject: [PATCH 46/69] fuck shit --- backup.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backup.nix b/backup.nix index cc045cf..38ec82a 100644 --- a/backup.nix +++ b/backup.nix @@ -17,7 +17,7 @@ let tar -cz -C /var/lib/redis-misskey . ''; - notifyError = pkgs.writeShellApplication { + notifyErrorPkg = pkgs.writeShellApplication { name = "notify-error"; runtimeInputs = [ pkgs.system-sendmail ]; @@ -111,7 +111,7 @@ in { invocationId="$(systemctl show --value -p InvocationID misskey-backup.service)" logs="$(journalctl _SYSTEMD_INVOCATION_ID= -u misskey-backup.service)" - ${notifyError} "backup" "Misskey Backup Failure Notification" "$(< Date: Wed, 1 Jan 2025 20:56:22 -0500 Subject: [PATCH 47/69] fuck fuck fuck --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
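Review bot: Adding `systemd-journal` to `extraGroups` lets the backup user read the entire system journal, not just `misskey-backup.service`, and whatever the notify step extracts is then mailed off-host, while the actual need is only the unit's own log lines. If the notify command stays inside the unit, an alternative that needs no journal access is to write the script's output to a unit-owned file and mail that, e.g. `serviceConfig.LogsDirectory = "misskey-backup";` with `serviceConfig.StandardOutput = "append:/var/log/misskey-backup/run.log";` (trade-off: those lines then no longer land in the journal). If the group stays, the three memberships deserve a one-line comment stating why each is needed, e.g. `# misskey/redis-misskey: read the data dirs being backed up; systemd-journal: collect this unit's own log for the notification mail`.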
diff --git a/backup.nix b/backup.nix index 38ec82a..8d369ff 100644 --- a/backup.nix +++ b/backup.nix @@ -27,7 +27,7 @@ let subject="$2" text="$3" - sendmail < Date: Wed, 1 Jan 2025 20:58:32 -0500 Subject: [PATCH 48/69] lksdjflksdjfl --- backup.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/backup.nix b/backup.nix index 8d369ff..2a35a09 100644 --- a/backup.nix +++ b/backup.nix @@ -23,13 +23,15 @@ let runtimeInputs = [ pkgs.system-sendmail ]; text = '' - from="$1" + from="noreply+$1@admin.egirls.gay" subject="$2" text="$3" - sendmail admin@heartles.xyz < Date: Wed, 1 Jan 2025 20:59:14 -0500 Subject: [PATCH 49/69] lksdjflksdjflfsdfsdf --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index 2a35a09..135a942 100644 --- a/backup.nix +++ b/backup.nix @@ -29,7 +29,7 @@ let to="admin@heartles.xyz" - sendmail -f $from $to < Date: Wed, 1 Jan 2025 21:03:39 -0500 Subject: [PATCH 50/69] testing something --- backup.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index 135a942..be2a102 100644 --- a/backup.nix +++ b/backup.nix @@ -29,7 +29,7 @@ let to="admin@heartles.xyz" - sendmail -f "$from" "$to" < Date: Wed, 1 Jan 2025 21:12:26 -0500 Subject: [PATCH 51/69] test again --- backup.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/backup.nix b/backup.nix index be2a102..88c588a 100644 --- a/backup.nix +++ b/backup.nix @@ -29,7 +29,7 @@ let to="admin@heartles.xyz" - email="$(< Date: Wed, 1 Jan 2025 21:16:57 -0500 Subject: [PATCH 52/69] fix notify --- backup.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/backup.nix b/backup.nix index 88c588a..4009b3f 100644 --- a/backup.nix +++ b/backup.nix 
@@ -20,7 +20,7 @@ let notifyErrorPkg = pkgs.writeShellApplication { name = "notify-error"; - runtimeInputs = [ pkgs.system-sendmail ]; + runtimeInputs = [ pkgs.system-sendmail pkgs.coreutils ]; text = '' from="noreply+$1@admin.egirls.gay" @@ -119,14 +119,13 @@ in { invocationId="$(systemctl show --value -p InvocationID misskey-backup.service)" logs="$(journalctl _SYSTEMD_INVOCATION_ID= -u misskey-backup.service)" - ${notifyErrorPkg}/bin/notify-error "backup" "Misskey Backup Failure Notification" "$(< Date: Wed, 1 Jan 2025 21:19:25 -0500 Subject: [PATCH 53/69] fix log collection --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index 4009b3f..6e136e5 100644 --- a/backup.nix +++ b/backup.nix @@ -117,7 +117,7 @@ in { script = '' invocationId="$(systemctl show --value -p InvocationID misskey-backup.service)" - logs="$(journalctl _SYSTEMD_INVOCATION_ID= -u misskey-backup.service)" + logs="$(journalctl _SYSTEMD_INVOCATION_ID="$invocationId" -u misskey-backup.service)" ${notifyErrorPkg}/bin/notify-error "backup" "Misskey Backup Failure Notification" "$(cat < Date: Wed, 1 Jan 2025 21:28:20 -0500 Subject: [PATCH 54/69] send notification on success or failure --- backup.nix | 60 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 26 deletions(-) diff --git a/backup.nix b/backup.nix index 6e136e5..79649a0 100644 --- a/backup.nix +++ b/backup.nix @@ -17,8 +17,8 @@ let tar -cz -C /var/lib/redis-misskey . ''; - notifyErrorPkg = pkgs.writeShellApplication { - name = "notify-error"; + notifyEmailPkg = pkgs.writeShellApplication { + name = "notify-email"; runtimeInputs = [ pkgs.system-sendmail pkgs.coreutils ]; @@ -29,10 +29,15 @@ let to="admin@heartles.xyz" - email="$(cat < Date: Wed, 1 Jan 2025 21:29:32 -0500 Subject: [PATCH 55/69] reverse date format --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index 79649a0..4da814e 100644 
--- a/backup.nix +++ b/backup.nix @@ -86,7 +86,7 @@ in { bucket="$(grep 'bucket=' < "${backupConfigFile}" | sed 's/bucket \?= \?//g')" prefix="$(grep 'prefix=' < "${backupConfigFile}" | sed 's/prefix \?= \?//g')" - s3Dir="s3://$bucket/$prefix""misskey-$(date +'%d-%m-%YT%H.%M.%S')" + s3Dir="s3://$bucket/$prefix""misskey-$(date +'%Y-%m-%dT%H.%M.%S')" echo "Uploading backups to '$s3Dir'" function upload () { From ce6d1fe9f43e304e916b71753793589a82fa6c58 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 1 Jan 2025 21:31:50 -0500 Subject: [PATCH 56/69] add sudo to dependencies --- backup.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/backup.nix b/backup.nix index 4da814e..2f3d44d 100644 --- a/backup.nix +++ b/backup.nix @@ -77,6 +77,7 @@ in { coreutils gnutar age + sudo ]; script = '' From 26b20e9c5d2f3bbf33d279753a6e0245978713df Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 1 Jan 2025 21:32:01 -0500 Subject: [PATCH 57/69] change order that backup is taken --- backup.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/backup.nix b/backup.nix index 2f3d44d..cde8d02 100644 --- a/backup.nix +++ b/backup.nix @@ -99,12 +99,12 @@ in { echo "Uploading config" tar -cz -C /srv/misskey/.config . | upload "config.tar.gz" - echo "Dumping postgres database..." - pg_dump misskey | gzip | upload "pg_dump.sql.gz" - echo "Uploading redis database..." sudo ${tarRedisStdoutCmd} | upload "redis.tar.gz" + echo "Dumping postgres database..." + pg_dump misskey | gzip | upload "pg_dump.sql.gz" + echo "Backup complete to '$s3Dir'" ''; From 389c76650567bcc84fbb90e0a4d6dece230b6628 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 1 Jan 2025 21:37:27 -0500 Subject: [PATCH 58/69] use writeShellScript --- backup.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backup.nix b/backup.nix index cde8d02..b2a742c 100644 --- a/backup.nix +++ b/backup.nix 
@@ -13,7 +13,7 @@ let backupConfigFile = "/etc/misskey-backup/conf"; s3Cfg = "/etc/misskey-backup/s3cfg"; - tarRedisStdoutCmd = pkgs.writeScript "backup-misskey-redis" '' + tarRedisStdoutCmd = pkgs.writeShellScript "backup-misskey-redis" '' tar -cz -C /var/lib/redis-misskey . ''; @@ -109,7 +109,7 @@ in { ''; serviceConfig.ExecStopPost = let - script = pkgs.writeScript "backup-notify" '' + script = pkgs.writeShellScript "backup-notify" '' invocationId="$(systemctl show --value -p InvocationID misskey-backup.service)" logs="$(journalctl _SYSTEMD_INVOCATION_ID="$invocationId" -u misskey-backup.service)" From 410be50be391163c26dc1aad09a09213887e2fb3 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 1 Jan 2025 21:49:31 -0500 Subject: [PATCH 59/69] get sudo from /run/wrappers --- backup.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/backup.nix b/backup.nix index b2a742c..3e22687 100644 --- a/backup.nix +++ b/backup.nix @@ -77,7 +77,6 @@ in { coreutils gnutar age - sudo ]; script = '' @@ -100,7 +99,7 @@ in { tar -cz -C /srv/misskey/.config . | upload "config.tar.gz" echo "Uploading redis database..." - sudo ${tarRedisStdoutCmd} | upload "redis.tar.gz" + /run/wrappers/bin/sudo ${tarRedisStdoutCmd} | upload "redis.tar.gz" echo "Dumping postgres database..." pg_dump misskey | gzip | upload "pg_dump.sql.gz" From 67a732d3f8d4188d0f051db144961397b61f23ba Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Wed, 1 Jan 2025 21:56:55 -0500 Subject: [PATCH 60/69] fix typo --- backup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup.nix b/backup.nix index 3e22687..615c801 100644 --- a/backup.nix +++ b/backup.nix 
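Review bot: `/run/wrappers/bin/sudo` is spelled out as a literal; NixOS exposes that directory as `config.security.wrapperDir`, so `${config.security.wrapperDir}/sudo ${tarRedisStdoutCmd} | upload "redis.tar.gz"` keeps the call correct if the wrapper directory ever changes, and `config` is already in scope in this file (`config.services.postgresql.package` is used in `path`). Dropping the nixpkgs `sudo` from `path` in the first hunk of this patch is right, since that binary is not setuid and only the wrapper is; a short comment on the call, `# must be the setuid wrapper, not the store binary`, would stop the next reader from re-adding it. The `script` body continues outside the hunk.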
@@ -112,7 +112,7 @@ in { invocationId="$(systemctl show --value -p InvocationID misskey-backup.service)" logs="$(journalctl _SYSTEMD_INVOCATION_ID="$invocationId" -u misskey-backup.service)" - if [ "$SERVICE_RESULT" = "success"]; then + if [ "$SERVICE_RESULT" = "success" ]; then ${notifyEmailPkg}/bin/notify-email "backup" "SUCCESS: Misskey Backup Notification" "$(cat < Date: Wed, 1 Jan 2025 21:57:39 -0500 Subject: [PATCH 61/69] remove orphaned OnFailure hook --- backup.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/backup.nix b/backup.nix index 615c801..ea7889b 100644 --- a/backup.nix +++ b/backup.nix @@ -135,8 +135,6 @@ in { after = [ "network-online.target" ]; wants = [ "network-online.target" ]; requires = [ "postgresql.service" ]; - - unitConfig.OnFailure = "misskey-backup-failure.service"; }; systemd.timers.misskey-backup = { timerConfig.Persistent = true; }; From 2de1c70a932aff85e27fc358ee4f1bb8de6cfc15 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 9 Mar 2025 20:20:05 -0400 Subject: [PATCH 62/69] flake update --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 3e219fa..e0e914b 100644 --- a/flake.lock +++ b/flake.lock @@ -24,11 +24,11 @@ }, "unstable": { "locked": { - "lastModified": 1735471104, - "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=", + "lastModified": 1741379970, + "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4", + "rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f", "type": "github" }, "original": { From 2c9ccff84b365c617c42da9ecbf42d32c43221eb Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 9 Mar 2025 20:20:43 -0400 Subject: [PATCH 63/69] 24.11 update --- configuration.nix | 2 +- flake.lock | 8 ++++---- flake.nix | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/configuration.nix b/configuration.nix index 835906f..e35471a 100644 --- a/configuration.nix +++ b/configuration.nix @@ -56,7 +56,7 @@ matchConfig.Name = "enp1s0"; networkConfig.DHCP = "ipv4"; address = [ "2a01:4ff:1f0:e4bd::/64" ]; - routes = [{ routeConfig.Gateway = "fe80::1"; }]; + routes = [{ Gateway = "fe80::1"; }]; }; networking.interfaces."enp1s0".useDHCP = true; diff --git a/flake.lock b/flake.lock index e0e914b..0098b16 100644 --- a/flake.lock +++ b/flake.lock @@ -2,16 +2,16 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1735563628, - "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", + "lastModified": 1741445498, + "narHash": "sha256-F5Em0iv/CxkN5mZ9hRn3vPknpoWdcdCyR0e4WklHwiE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", + "rev": "52e3095f6d812b91b22fb7ad0bfc1ab416453634", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-24.11", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index ebb65de..63dcbfd 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,6 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; }; From 11afd23d99fa6ac930b65f472455b83baca91045 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 9 Mar 2025 22:22:33 -0400 Subject: [PATCH 64/69] Add firewall rules that mitigate spam --- postfix.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/postfix.nix b/postfix.nix index c9654b1..e7a1f5c 100644 --- a/postfix.nix +++ b/postfix.nix 
@@ -1,6 +1,12 @@ { pkgs, config, ... }: { + networking.firewall.extraCommands = let user = config.services.postfix.user; + in '' + iptables -I OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited + ip6tables -I OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited + ''; + services.postfix = { enable = true; enableSubmission = true; From a88c13b4f662f867f0475151531a6ba89737847f Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 9 Mar 2025 22:58:15 -0400 Subject: [PATCH 65/69] add telnet to packages --- configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/configuration.nix b/configuration.nix index e35471a..6496f03 100644 --- a/configuration.nix +++ b/configuration.nix @@ -43,6 +43,7 @@ less killall screen + inetutils ]; users.users.jaina = { From 264d64526c949b40a18d671d73b0858c4470d207 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 9 Mar 2025 22:58:22 -0400 Subject: [PATCH 66/69] allow sending email through postfix --- postfix.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/postfix.nix b/postfix.nix index e7a1f5c..787aba5 100644 --- a/postfix.nix +++ b/postfix.nix 
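Review bot: The `-m owner` match only sees locally generated packets, so these REJECT rules do not cover traffic forwarded from containers or VMs, if this host runs any; that traffic traverses FORWARD and would need a separate rule. The `! --uid-owner ${user}` predicate also rejects root-owned processes, which is the intended default-deny but is worth stating above the rules, e.g. `# Only the postfix user may open outbound TCP/25; everything else, root included, is rejected`. Because `extraCommands` runs on every firewall start and reload, `-I` re-inserts the same two rules each time and they accumulate in OUTPUT (PATCH 68 in this series adds a flush to work around that).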
@@ -3,8 +3,11 @@ { networking.firewall.extraCommands = let user = config.services.postfix.user; in '' - iptables -I OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited - ip6tables -I OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited + iptables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited + ip6tables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited + + iptables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT + ip6tables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT ''; services.postfix = { From c1d318ba6741c8524f831aab542013f1114d2463 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 9 Mar 2025 23:15:14 -0400 Subject: [PATCH 67/69] fix ipv6 block --- postfix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postfix.nix b/postfix.nix index 787aba5..7521826 100644 --- a/postfix.nix +++ b/postfix.nix @@ -7,7 +7,7 @@ ip6tables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited iptables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT - ip6tables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT + ip6tables -I OUTPUT -m tcp -p tcp --dport 25 -d ::1 -j ACCEPT ''; services.postfix = { From c9e55d49f1e94c26180e7b8d69f4110f668293b1 Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 9 Mar 2025 23:15:44 -0400 Subject: [PATCH 68/69] flush rules on firewall teardown --- postfix.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/postfix.nix b/postfix.nix index 7521826..b014f06 100644 --- a/postfix.nix +++ b/postfix.nix 
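Review bot: The loopback exception is keyed on `-d 127.0.0.1` only, so connections to any other 127/8 address, or to the host's own non-loopback addresses, still hit the REJECT rules; `-o lo` covers every loopback destination in one rule: `iptables -I OUTPUT -o lo -m tcp -p tcp --dport 25 -j ACCEPT` and the same for `ip6tables` (PATCH 67 separately fixes the v6 address to `::1`). This exception means every local user can now hand mail to postfix, so postfix's own relay and rate controls and its logs become the place where mail from a compromised local process is caught; a comment next to the ACCEPT lines saying so would make the trust boundary explicit.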
@@ -9,6 +9,14 @@ iptables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT ip6tables -I OUTPUT -m tcp -p tcp --dport 25 -d ::1 -j ACCEPT ''; + # The following is necessary to prevent the above rules from being added at every nixos-rebuild switch. + # See link for more info + # https://github.com/NixOS/nixpkgs/issues/201614 + # Flush the firewall rules + networking.firewall.extraStopCommands = '' + iptables -F + ip6tables -F + ''; services.postfix = { enable = true; From 38d2798bc65ac9afb802972a1291c6c4aa0ae6cd Mon Sep 17 00:00:00 2001 From: jaina heartles Date: Sun, 9 Mar 2025 23:23:10 -0400 Subject: [PATCH 69/69] block all email ports --- postfix.nix | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/postfix.nix b/postfix.nix index b014f06..62117bd 100644 --- a/postfix.nix +++ b/postfix.nix 
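Review bot: `iptables -F` / `ip6tables -F` in `extraStopCommands` flush every chain of the filter table, not just the rules this module adds, so any rules placed there by other services (container runtimes, fail2ban-style tools, if present) are wiped on each `nixos-rebuild switch` as well. The duplication problem the comment describes is better solved by giving the rules their own chain that `extraCommands` recreates idempotently and `extraStopCommands` removes by name, so nothing outside this module is touched. The rewrite below keeps the same policy (loopback accepted, all non-postfix users rejected on TCP/25) with a single jump rule from OUTPUT.
```nix
networking.firewall.extraCommands = let user = config.services.postfix.user;
in ''
  # Own chain: recreated on every start/reload instead of re-inserting into OUTPUT
  iptables -w -N smtp-egress 2>/dev/null || iptables -w -F smtp-egress
  ip6tables -w -N smtp-egress 2>/dev/null || ip6tables -w -F smtp-egress
  iptables -w -A smtp-egress -o lo -j ACCEPT
  ip6tables -w -A smtp-egress -o lo -j ACCEPT
  iptables -w -A smtp-egress -m owner ! --uid-owner ${user} -j REJECT --reject-with icmp-admin-prohibited
  ip6tables -w -A smtp-egress -m owner ! --uid-owner ${user} -j REJECT --reject-with icmp6-adm-prohibited
  # One jump from OUTPUT, added only when it is missing
  iptables -w -C OUTPUT -p tcp --dport 25 -j smtp-egress 2>/dev/null || iptables -w -I OUTPUT -p tcp --dport 25 -j smtp-egress
  ip6tables -w -C OUTPUT -p tcp --dport 25 -j smtp-egress 2>/dev/null || ip6tables -w -I OUTPUT -p tcp --dport 25 -j smtp-egress
'';
# Remove only what this module added; other filter-table rules are left alone
networking.firewall.extraStopCommands = ''
  iptables -w -D OUTPUT -p tcp --dport 25 -j smtp-egress 2>/dev/null || true
  ip6tables -w -D OUTPUT -p tcp --dport 25 -j smtp-egress 2>/dev/null || true
  iptables -w -F smtp-egress 2>/dev/null || true
  iptables -w -X smtp-egress 2>/dev/null || true
  ip6tables -w -F smtp-egress 2>/dev/null || true
  ip6tables -w -X smtp-egress 2>/dev/null || true
'';
# … unchanged: services.postfix = { … } …
```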
@@ -1,14 +1,21 @@ { pkgs, config, ... }: { - networking.firewall.extraCommands = let user = config.services.postfix.user; - in '' - iptables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited - ip6tables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited + # Prevent outgoing connections to email ports from users other than postfix + # unless the destination is localhost + networking.firewall.extraCommands = let + user = config.services.postfix.user; + makeRules = port: + let p = builtins.toString port; + in '' + iptables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport ${p} -j REJECT --reject-with icmp-admin-prohibited + ip6tables -A OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport ${p} -j REJECT --reject-with icmp6-adm-prohibited - iptables -I OUTPUT -m tcp -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT - ip6tables -I OUTPUT -m tcp -p tcp --dport 25 -d ::1 -j ACCEPT - ''; + iptables -I OUTPUT -m tcp -p tcp --dport ${p} -d 127.0.0.1 -j ACCEPT + ip6tables -I OUTPUT -m tcp -p tcp --dport ${p} -d ::1 -j ACCEPT + ''; + in builtins.concatStringsSep "\n" + (builtins.map makeRules [ 25 587 465 2525 ]); # The following is necessary to prevent the above rules from being added at every nixos-rebuild switch. # See link for more info # https://github.com/NixOS/nixpkgs/issues/201614