nix-topology: remove postgresql icon override

flake.lock: bump
bekkalokk/well-known: reply to well-known for all domains
2026-02-20 08:57:53 +01:00 · 2026-01-21 14:56:41 +09:00 · 2026-01-21 14:49:00 +09:00 · 2026-01-21 14:47:31 +09:00 · 2026-01-21 14:34:35 +09:00 · 2026-01-21 13:46:06 +09:00
14 changed files with 2363 additions and 69 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -235,11 +235,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1768068512,
-        "narHash": "sha256-pH5wkcNOiXy4MBjDTe6A1gml+7m+ULC3lYMBPMqdS1w=",
+        "lastModified": 1768955766,
+        "narHash": "sha256-V9ns1OII7sWSbIDwPkiqmJ3Xu/bHgQzj+asgH9cTpOo=",
        "owner": "oddlama",
        "repo": "nix-topology",
-        "rev": "4367a2093c5ff74fc478466aebf41d47ce0cacb4",
+        "rev": "71f27de56a03f6d8a1a72cf4d0dfd780bcc075bc",
        "type": "github"
      },
      "original": {
@@ -251,11 +251,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1768555036,
-        "narHash": "sha256-qJTh3xrFsqrXDzUmjPGV0VC70vpsq/YP25Jo6Fh7PTs=",
-        "rev": "1d2851ebcd64734ef057e8c80e05dd5600323792",
+        "lastModified": 1768877948,
+        "narHash": "sha256-Bq9Hd6DWCBaZ2GkwvJCWGnpGOchaD6RWPSCFxmSmupw=",
+        "rev": "43b2e61c9d09cf6c1c9c192fe6da08accc9bfb1d",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4104.1d2851ebcd64/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4368.43b2e61c9d09/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
@@ -279,11 +279,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1768553552,
-        "narHash": "sha256-YeNMZDAxdQUMLcqZmoc+/WzYrJxTEg6Y7uNALUcF1dE=",
-        "rev": "a6b8b0f0ceb6d4f5da70808e26c68044099460fd",
+        "lastModified": 1768886240,
+        "narHash": "sha256-HUAAI7AF+/Ov1u3Vvjs4DL91zTxMkWLC4xJgQ9QxOUQ=",
+        "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre928681.a6b8b0f0ceb6/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre930839.80e4adbcf899/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
@@ -466,11 +466,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1768481291,
-        "narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=",
+        "lastModified": 1768863606,
+        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "e085e303dfcce21adcb5fec535d65aacb066f101",
+        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -275,7 +275,7 @@

        bluemap = pkgs.callPackage ./packages/bluemap.nix { };

-        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
+        out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
      }
      //
      # Mediawiki extensions
--- a/hosts/bekkalokk/services/well-known/default.nix
+++ b/hosts/bekkalokk/services/well-known/default.nix
@@ -1,18 +1,25 @@
-{ ... }:
+{ lib, ... }:
 {
-  services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
-    "^~ /.well-known/" = {
-      alias = (toString ./root) + "/";
-    };
+  services.nginx.virtualHosts = lib.genAttrs [
+    "pvv.ntnu.no"
+    "www.pvv.ntnu.no"
+    "pvv.org"
+    "www.pvv.org"
+  ] (_: {
+    locations = {
+      "^~ /.well-known/" = {
+        alias = (toString ./root) + "/";
+      };

-    # Proxy the matrix well-known files
-    # Host has be set before proxy_pass
-    # The header must be set so nginx on the other side routes it to the right place
-    "^~ /.well-known/matrix/" = {
-      extraConfig = ''
-        proxy_set_header Host matrix.pvv.ntnu.no;
-        proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-      '';
+      # Proxy the matrix well-known files
+      # Host has be set before proxy_pass
+      # The header must be set so nginx on the other side routes it to the right place
+      "^~ /.well-known/matrix/" = {
+        extraConfig = ''
+          proxy_set_header Host matrix.pvv.ntnu.no;
+          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+        '';
+      };
    };
-  };
+  });
 }
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -44,7 +44,6 @@

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
-  services.sshguard.enable = true;

  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -1,13 +1,6 @@
 { config, lib, fp, pkgs, secrets, values, ... }:

 {
-  sops.secrets."matrix/synapse/turnconfig" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "synapse/turnconfig";
-    owner = config.users.users.matrix-synapse.name;
-    group = config.users.users.matrix-synapse.group;
-    restartUnits = [ "coturn.service" ];
-  };
  sops.secrets."matrix/coturn/static-auth-secret" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
    key = "coturn/static-auth-secret";
@@ -16,9 +9,18 @@
    restartUnits = [ "coturn.service" ];
  };

+  sops.templates."matrix-synapse-turnconfig" = {
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+    content = ''
+      turn_shared_secret: ${config.sops.placeholder."matrix/coturn/static-auth-secret"}
+    '';
+    restartUnits = [ "matrix-synapse.target" ];
+  };
+
  services.matrix-synapse-next = {
    extraConfigFiles = [
-      config.sops.secrets."matrix/synapse/turnconfig".path
+      config.sops.templates."matrix-synapse-turnconfig".path
    ];

    settings = {
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -1,7 +1,5 @@
 { config, ... }:
-
 {
-
  imports = [
    ./synapse.nix
    ./synapse-admin.nix
@@ -15,7 +13,4 @@
    ./out-of-your-element.nix
    ./hookshot
  ];
-
-
-
 }
--- a/hosts/bicep/services/matrix/element.nix
+++ b/hosts/bicep/services/matrix/element.nix
@@ -16,10 +16,10 @@ in {

    root = pkgs.element-web.override {
      conf = {
-        default_server_config."m.homeserver" = {
-          base_url = "https://matrix.pvv.ntnu.no";
-          server_name = "pvv.ntnu.no";
-        };
+        # Tries to look up well-known first, else uses bundled config.
+        default_server_name = "matrix.pvv.ntnu.no";
+        default_server_config = config.services.pvv-matrix-well-known.client;
+
        disable_3pid_login = true;
 #        integrations_ui_url = "https://dimension.dodsorf.as/riot";
 #        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -15,11 +15,16 @@ in {
    group = config.users.users.matrix-synapse.group;
  };

-  sops.secrets."matrix/synapse/user_registration" = {
+  sops.secrets."matrix/synapse/user_registration/registration_shared_secret" = {
    sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "synapse/signing_key";
+    key = "synapse/user_registration/registration_shared_secret";
+  };
+  sops.templates."matrix-synapse-user-registration" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
+    content = ''
+      registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
+    '';
  };

  services.matrix-synapse-next = {
@@ -83,7 +88,7 @@ in {
      mau_stats_only = true;

      enable_registration = false;
-      registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
+      registration_shared_secret_path = config.sops.templates."matrix-synapse-user-registration".path;

      password_config.enabled = true;

@@ -95,6 +100,32 @@ in {
        }
      ];

+      experimental_features = {
+        # MSC3266: Room summary API. Used for knocking over federation
+        msc3266_enabled = true;
+        # MSC4222 needed for syncv2 state_after. This allow clients to
+        # correctly track the state of the room.
+        msc4222_enabled = true;
+      };
+
+      # The maximum allowed duration by which sent events can be delayed, as
+      # per MSC4140.
+      max_event_delay_duration = "24h";
+
+      rc_message = {
+        # This needs to match at least e2ee key sharing frequency plus a bit of headroom
+        # Note key sharing events are bursty
+        per_second = 0.5;
+        burst_count = 30;
+      };
+
+      rc_delayed_event_mgmt = {
+        # This needs to match at least the heart-beat frequency plus a bit of headroom
+        # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
+        per_second = 1;
+        burst_count = 20;
+      };
+
      trusted_key_servers = [
        { server_name = "matrix.org"; }
        { server_name = "dodsorf.as"; }
--- a/modules/matrix-ooye.nix
+++ b/modules/matrix-ooye.nix
@@ -181,6 +181,9 @@ in
          #NoNewPrivileges = true;
          #PrivateDevices = true;
          Restart = "on-failure";
+          RestartSec = "5s";
+          StartLimitIntervalSec = "5s";
+          StartLimitBurst = "5";
          DynamicUser = true;
        };
      };
--- a/packages/ooye/fix-lockfile.patch
+++ b/packages/ooye/fix-lockfile.patch
--- a/packages/ooye/generate-lock-patch.sh
+++ b/packages/ooye/generate-lock-patch.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p bash git gnugrep gnused nodejs_24
+
+GIT_TOPLEVEL=$(git rev-parse --show-toplevel)
+PACKAGE_NIX="$GIT_TOPLEVEL/packages/ooye/package.nix"
+REV="$(grep -oP '(?<=rev = ")[a-z0-9]+(?=")' "$PACKAGE_NIX")"
+
+TMPDIR="$(mktemp -d)"
+
+cleaning() {
+  rm -rf "$TMPDIR"
+}
+
+trap 'cleaning' SIGINT
+
+git clone --depth 1 --revision="$REV" https://git.pvv.ntnu.no/Drift/delete-your-element.git "$TMPDIR/ooye"
+pushd "$TMPDIR/ooye" || exit
+  sed -i 's/\s*"glob@<11.1": "^12"//' package.json
+  git diff --quiet --exit-code package.json && {
+    echo "Sed did't do it's job, please fix" >&2
+    cleaning
+    exit 1
+  }
+
+  rm -rf package-lock.json
+  npm install --package-lock-only
+
+  export GIT_AUTHOR_NAME='Lockinator 9000'
+  export GIT_AUTHOR_EMAIL='locksmith@lockal.local'
+  export GIT_AUTHOR_DATE='Sun, 01 Jan 1984 00:00:00 +0000'
+  export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
+  export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"
+  export GIT_COMMITTER_DATE="$GIT_AUTHOR_DATE"
+
+  git commit -am "package-lock.json: bomp" --no-gpg-sign
+  git format-patch HEAD~
+  mv 0001-package-lock.json-bomp.patch "$GIT_TOPLEVEL/packages/ooye/fix-lockfile.patch"
+  git reset --hard HEAD~
+popd || exit
+cleaning
--- a/packages/out-of-your-element.nix
+++ b/packages/out-of-your-element.nix
@@ -2,31 +2,28 @@
  lib,
  fetchFromGitea,
  makeWrapper,
-  nodejs,
+  nodejs_24,
  buildNpmPackage,
-  fetchpatch,
 }:
+let
+  nodejs = nodejs_24;
+in
 buildNpmPackage {
  pname = "delete-your-element";
-  version = "3.3-unstable-2025-12-09";
+  version = "3.3-unstable-2026-01-21";
  src = fetchFromGitea {
    domain = "git.pvv.ntnu.no";
    owner = "Drift";
    repo = "delete-your-element";
-    rev = "1c0c545a024ef7215a1a3483c10acce853f79765";
-    hash = "sha256-ow/PdlHfU7PCwsjJUEzoETzONs1KoKTRMRQ9ADN0tGk=";
+    rev = "04d7872acb933254c0a4703064b2e08de31cfeb4";
+    hash = "sha256-CkKt+8VYjIhNM76c3mTf7X6d4ob8tB2w8T6xYS7+LuY=";
  };

-  patches = [
-    (fetchpatch {
-      name = "ooye-fix-package-lock-0001.patch";
-      url = "https://cgit.rory.gay/nix/OOYE-module.git/plain/pl.patch?h=ee126389d997ba14be3fe3ef360ba37b3617a9b2";
-      hash = "sha256-dP6WEHb0KksDraYML+jcR5DftH9BiXvwevUg38ALOrc=";
-    })
-  ];
+  inherit nodejs;

-  npmDepsHash = "sha256-OXOyO6LxK/WYYVysSxkol0ilMUZB+osLYUE5DpJlbps=";
-  # npmDepsHash = "sha256-Y+vgp7+7pIDm64AYSs8ltoAiON0EPpJInbmgn3/LkVA=";
+  patches = [ ./fix-lockfile.patch ];
+
+  npmDepsHash = "sha256-tiGXr86x9QNAwhZcxSOox6sP9allyz9QSH3XOZOb3z8=";
  dontNpmBuild = true;
  makeCacheWritable = true;

--- a/secrets/bicep/matrix.yaml
+++ b/secrets/bicep/matrix.yaml
@@ -1,6 +1,6 @@
 synapse:
-    turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
-    user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
+    user_registration:
+        registration_shared_secret: ENC[AES256_GCM,data:Ch0JzTJ7OqZQxr+L,iv:6hSTsBwieRg6oy0feBaqJQaY/AvIUyIlcclzlK0GmVE=,tag:Z55kxXppzmU+YP5JkU0jLw==,type:str]
    signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
 coturn:
    static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
@@ -86,8 +86,8 @@ sops:
            Qnh1djQ0ZDFhRmxsU2g0eHJZeFlkcU0Kj5H/dHrOwSgiZIzpv3nOc7AWeNMofJg7
            OzSVdRry72qPqYU8YLWjAcoP3ddITZnWr53/yYBVmssW/KeyVyPy9A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-21T01:01:35Z"
-    mac: ENC[AES256_GCM,data:1f8RYVjnNs9T3DRFY+CouPUsGmfBRWEOASjB04dd89iIYC6sagk5e4JjqPDpOQjMxbAVnEKa2oX+nFSBa8xF14jqNSadl9xwlKwLJnaBhUb3grJ5d+O8Tcq+0xQ+oqIN+Awm6eaJTesiopRu68MhFQeUZwBUO+83W2YeQgFhz34=,iv:NymjPCr6/osod8liluA6Pbq1XT4KiI/qIS6lx9sM4NQ=,tag:Td3mjPaHUFeD3d/hZ3f1og==,type:str]
+    lastmodified: "2026-01-21T02:03:24Z"
+    mac: ENC[AES256_GCM,data:yVe+78V7zYgYveLFBghKdAeibg97DRafgsRRCZPYkWu8t2iadtD5UqRK0KS4Zcc55ojHJ11otgadaPHQyl8EIzt7Dwlm7ZOVEmmPAYdaweWfnPRdFhDAxcgj8Ejh03LAdLQK8WwlfTF/09Avub2ZUnN0aPwFCen/qD6dYmcGDNk=,iv:y4YE9AqlVVBBtRGoIdfIcNGE4chChBOR0Euy68xkQBA=,tag:/yopCpkvFaEzr2iXxLd3uw==,type:str]
    pgp:
        - created_at: "2026-01-16T06:34:46Z"
          enc: |-
--- a/topology/service-extractors/postgresql.nix
+++ b/topology/service-extractors/postgresql.nix
@@ -6,7 +6,6 @@ in
 {
  config.topology.self.services.postgresql = lib.mkIf cfg.enable {
    name = "PostgreSQL";
-    icon = "${unstablePkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/postgresql.svg";

    details.listen.text = lib.mkIf cfg.enableTCPIP "0.0.0.0:${toString cfg.settings.port}";
    details.socket.text = "/run/postgresql/.s.PGSQL.${toString cfg.settings.port}";
Author	SHA1	Message	Date
h7x4	2ace7b649f	nix-topology: remove postgresql icon override	2026-01-21 14:56:41 +09:00
h7x4	7703a94b19	flake.lock: bump	2026-01-21 14:49:00 +09:00
h7x4	ebd40fc2d7	bekkalokk/well-known: reply to well-known for all domains	2026-01-21 14:47:31 +09:00
h7x4	9eb5cd869a	bicep/element: fetch correct well-known file	2026-01-21 14:34:35 +09:00
h7x4	fa37f34028	packages/ooye: bump	2026-01-21 13:46:06 +09:00
h7x4	7111d00df8	modules/ooye: calm yo ass (set restart timer + counter)	2026-01-21 13:17:28 +09:00
h7x4	833a74a6fb	bicep/matrix: remove some whitespace lol	2026-01-21 13:14:41 +09:00
h7x4	d82cc2e605	update and fix `packages.out-of-your-element	2026-01-21 12:49:13 +09:00
h7x4	93cf6f4a63	bicep/sshguard: disable sshguard doesn't actually work as it currently stands, also the builtin PerSourcePenalty functionality in SSH is more aggressive than sshguard is able to catch anyway. It might've been reasonable if we were using it for anything other than SSH, but it doesn't seem like we are.	2026-01-21 11:13:27 +09:00
h7x4	0f11cca8ec	bicep/matrix: use sops templates to render structured files	2026-01-21 11:08:26 +09:00
h7x4	d892acb331	bicep/matrix: have element-web source well-known from config	2026-01-21 10:49:09 +09:00
h7x4	aa07687a94	bicep/matrix: add synapse config to help with livekit	2026-01-21 10:48:37 +09:00