.: microvm experiments + zorigami

flake.lock

@@ -36,6 +36,22 @@
         "type": "github"
       }
     },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
     "crane": {
       "inputs": {
         "flake-compat": [
@@ -121,6 +137,22 @@
         "type": "github"
       }
     },
+    "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -252,11 +284,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1696410458,
-        "narHash": "sha256-ohrrFywK7WIHEGWosBVRFZF5D2q2AeIGFGp9mMZRc40=",
+        "lastModified": 1697139361,
+        "narHash": "sha256-tH+QkHeLqEUV8EedLytnDNcwKASr/nOh3V3moft+Ujg=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "ac43ac3024f814fcf3a3bab41873019109521442",
+        "rev": "c865873ff5f4372a6e4a42fb47e290db69c3cfd9",
         "type": "github"
       },
       "original": {
@@ -271,11 +303,11 @@
         "nixpkgs": "nixpkgs_4"
       },
       "locked": {
-        "lastModified": 1696981517,
-        "narHash": "sha256-1VQt+o9hRdjiWBaN73HKchfltAHzszoIGt35ZT9JStE=",
+        "lastModified": 1697132997,
+        "narHash": "sha256-ihUImJsnszkSzxOd/iWkA/oorwsM8JaRFs6LS1831RM=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "2c28afc481d47c551ab71d96130d938cdde59933",
+        "rev": "38e15eee892e1866f483467de51025dbef473306",
         "type": "github"
       },
       "original": {
@@ -357,6 +389,36 @@
         "type": "github"
       }
     },
+    "nixpkgs-22_11": {
+      "locked": {
+        "lastModified": 1669558522,
+        "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-22.11",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-23_05": {
+      "locked": {
+        "lastModified": 1684782344,
+        "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-23.05",
+        "type": "indirect"
+      }
+    },
     "nixpkgs-lib": {
       "locked": {
         "lastModified": 1694911725,
@@ -470,11 +532,11 @@
     },
     "nixpkgs_7": {
       "locked": {
-        "lastModified": 1696879762,
-        "narHash": "sha256-Ud6bH4DMcYHUDKavNMxAhcIpDGgHMyL/yaDEAVSImQY=",
+        "lastModified": 1697059129,
+        "narHash": "sha256-9NJcFF9CEYPvHJ5ckE8kvINvI84SZZ87PvqMbH6pro0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f99e5f03cc0aa231ab5950a15ed02afec45ed51a",
+        "rev": "5e4c2ada4fcd54b99d56d7bd62f384511a7e2593",
         "type": "github"
       },
       "original": {
@@ -557,7 +619,8 @@
         "nix-colors": "nix-colors",
         "nix-formatter-pack": "nix-formatter-pack",
         "nix-index-database": "nix-index-database",
-        "nixpkgs": "nixpkgs_7"
+        "nixpkgs": "nixpkgs_7",
+        "simple-nixos-mailserver": "simple-nixos-mailserver"
       }
     },
     "rust-overlay": {
@@ -585,6 +648,31 @@
         "type": "github"
       }
     },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat_3",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-22_11": "nixpkgs-22_11",
+        "nixpkgs-23_05": "nixpkgs-23_05",
+        "utils": "utils_2"
+      },
+      "locked": {
+        "lastModified": 1695910380,
+        "narHash": "sha256-CyzeiXQGm8ceEOSK1dffBCfO7JNp8XhQeNkUiJ5HxgY=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "84783b661ecf33927c534b6476beb74ea3308968",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -629,6 +717,21 @@
         "repo": "flake-utils",
         "type": "github"
       }
+    },
+    "utils_2": {
+      "locked": {
+        "lastModified": 1605370193,
+        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -17,10 +17,14 @@
       url = "github:nix-community/lanzaboote";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    simple-nixos-mailserver = {
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = { self, nixpkgs, nix-formatter-pack, nix-index-database, deploy-rs
-    , agenix, lanzaboote, microvm, ... }:
+    , agenix, lanzaboote, microvm, simple-nixos-mailserver, ... }:
     let
       forAllSystems = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
       pkgsForDeploy =
@@ -57,6 +61,8 @@
           };
         });
 
+      overlays = import ./overlays;
+
       nixosModules = with self.nixosModules; {
         nibylandia-boot.imports = [ ./modules/boot.nix ];
 
@@ -88,6 +94,7 @@
           nibylandia-boot
 
           ({ pkgs, ... }: {
+            nixpkgs.overlays = [ self.overlays.nibylandia ];
             environment.systemPackages =
               [ agenix.packages.${pkgs.system}.default ];
           })
@@ -104,6 +111,8 @@
         nibylandia-laptop.imports = [ ./modules/laptop.nix ];
 
         nibylandia-gaming.imports = [ ./modules/gaming.nix ];
+
+        nibylandia-monitoring.imports = [ ./modules/monitoring.nix ];
       };
 
       nixosConfigurations = with self.nixosModules; {
@@ -140,6 +149,27 @@
             nibylandia-secureboot
             nibylandia-gaming
 
+            ({ config, pkgs, lib, ... }: {
+              boot.kernelPatches = with lib.kernel; [{
+                name = "disable transparent hugepages for virtio-gpu";
+                patch = null;
+                extraStructuredConfig = {
+                  TRANSPARENT_HUGEPAGE = lib.mkForce no;
+                };
+              }];
+            })
+
+            # appears to be broken for me for some reason            
+            {
+              nixpkgs.overlays = [ microvm.overlay ];
+              microvm.vms = {
+                elementVm = {
+                  # pkgs = import nixpkgs { system = "x86_64-linux"; };
+                  config = import ./microvms/elementVm.nix;
+                };
+              };
+            }
+
             ./nixos/khas
           ];
         };
@@ -154,6 +184,18 @@
             ./nixos/microlith
           ];
         };
+
+        zorigami = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            nibylandia-common
+            nibylandia-secureboot
+            nibylandia-monitoring
+            simple-nixos-mailserver.nixosModule
+
+            ./nixos/zorigami
+          ];
+        };
       };
 
       deploy.nodes.scylla = {
@@ -192,6 +234,18 @@
         };
       };
 
+      deploy.nodes.zorigami = {
+        fastConnection = false;
+        remoteBuild = true;
+        hostname = "zorigami";
+        profiles.system = {
+          user = "root";
+          sshUser = "root";
+          path = deployPkgs.x86_64-linux.deploy-rs.lib.activate.nixos
+            self.nixosConfigurations.zorigami;
+        };
+      };
+
       checks = builtins.mapAttrs
         (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
     };

microvms/elementVm.nix

@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+{
+  microvm = {
+    hypervisor = "cloud-hypervisor";
+    graphics.enable = true;
+    interfaces = [{
+      id = "vm-element";
+      type = "tap";
+      mac = "00:00:00:00:00:02";
+    }];
+    storeDiskType = "erofs";
+    writableStoreOverlay = "/nix/.rw-store";
+    volumes = [{
+      image = "nix-store-overlay.img";
+      mountPoint = config.microvm.writableStoreOverlay;
+      size = 2048;
+    }];
+  };
+
+  networking.hostName = "graphical-microvm";
+  system.stateVersion = "23.11";
+
+  services.getty.autologinUser = "user";
+  users.users.user = {
+    password = "";
+    group = "user";
+    isNormalUser = true;
+    extraGroups = [ "wheel" "video" ];
+  };
+  users.groups.user = { };
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+
+  environment.sessionVariables = {
+    WAYLAND_DISPLAY = "wayland-1";
+    DISPLAY = ":0";
+    QT_QPA_PLATFORM = "wayland"; # Qt Applications
+    GDK_BACKEND = "wayland"; # GTK Applications
+    XDG_SESSION_TYPE = "wayland"; # Electron Applications
+    SDL_VIDEODRIVER = "wayland";
+    CLUTTER_BACKEND = "wayland";
+    MOZ_ENABLE_WAYLAND = "1";
+    _JAVA_AWT_WM_NONREPARENTING = "1";
+    ECORE_EVAS_ENGINE = "wayland-egl";
+    ELM_ENGINE = "wayland_egl";
+    NO_AT_BRIDGE = "1";
+    BEMENU_BACKEND = "wayland";
+  };
+
+  systemd.user.services.wayland-proxy = {
+    enable = true;
+    description = "Wayland Proxy";
+    serviceConfig = with pkgs; {
+      # Environment = "WAYLAND_DISPLAY=wayland-1";
+      ExecStart =
+        "${wayland-proxy-virtwl}/bin/wayland-proxy-virtwl --virtio-gpu --x-display=0 --xwayland-binary=${xwayland}/bin/Xwayland";
+      Restart = "on-failure";
+      RestartSec = 1;
+    };
+    wantedBy = [ "default.target" ];
+  };
+
+  environment.systemPackages = with pkgs;
+    [
+      xdg-utils # Required
+    ] ++ [ element-desktop ];
+
+  hardware.opengl.enable = true;
+}

modules/common.nix

@@ -40,13 +40,14 @@ in {
     extraOptions = ''
       experimental-features = nix-command flakes
     '';
+    settings.trusted-users = [ "ar" ];
   };
-
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.allowBroken = true;
 
   environment.systemPackages = with pkgs; [
     deploy-rs
+    mastodon-update-script
     file
     git
     go
@@ -128,4 +129,30 @@ in {
     ];
   };
   time.timeZone = "Europe/Warsaw";
+
+  systemd.network = {
+    enable = true;
+    netdevs.virbr0.netdevConfig = {
+      Kind = "bridge";
+      Name = "virbr0";
+    };
+    networks.virbr0 = {
+      matchConfig.Name = "virbr0";
+      # Hand out IP addresses to MicroVMs.
+      # Use `networkctl status virbr0` to see leases.
+      networkConfig = {
+        DHCPServer = true;
+        IPv6SendRA = true;
+      };
+      addresses = [
+        { addressConfig.Address = "10.0.0.1/24"; }
+        { addressConfig.Address = "fd12:3456:789a::1/64"; }
+      ];
+      ipv6Prefixes = [{ ipv6PrefixConfig.Prefix = "fd12:3456:789a::/64"; }];
+    };
+    networks.microvm-eth0 = {
+      matchConfig.Name = "vm-*";
+      networkConfig.Bridge = "virbr0";
+    };
+  };
 }

modules/monitoring.nix

@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.nibylandia.monitoring-server;
+  grafana = config.services.grafana.settings.server;
+  filterValidPrometheus =
+    filterAttrsListRecursive (n: v: !(n == "_module" || v == null));
+  filterAttrsListRecursive = pred: x:
+    if lib.isAttrs x then
+      lib.listToAttrs (lib.concatMap (name:
+        let v = x.${name};
+        in if pred name v then
+          [ (lib.nameValuePair name (filterAttrsListRecursive pred v)) ]
+        else
+          [ ]) (lib.attrNames x))
+    else if lib.isList x then
+      map (filterAttrsListRecursive pred) x
+    else
+      x;
+  writePrettyJSON = name: x:
+    pkgs.runCommandLocal name { } ''
+      echo '${builtins.toJSON x}' | ${pkgs.jq}/bin/jq . > $out
+    '';
+  vmConfig = {
+    scrape_configs =
+      filterValidPrometheus config.services.prometheus.scrapeConfigs;
+  };
+  generatedPrometheusYml = writePrettyJSON "prometheus.yml" vmConfig;
+  getEnabled = x:
+    lib.concatMap (name:
+      let v = x.${name};
+      in if builtins.typeOf v == "set" && v.enable then [ v ] else [ ])
+    (lib.attrNames x);
+  # TODO: add some magic to configure endpoints for all the other exporters
+  localExporterEndpoints =
+    map (x: x.listenAddress + ":" + builtins.toString x.port)
+    (getEnabled config.services.prometheus.exporters);
+in {
+  options = {
+    nibylandia.monitoring-server = {
+      domain = lib.mkOption {
+        type = lib.types.str;
+        description = "External domain for monitoring services";
+      };
+    };
+  };
+
+  config = {
+    services.victoriametrics = {
+      enable = true;
+      retentionPeriod = 12;
+      listenAddress = "127.0.0.1:8428";
+      extraOptions = [
+        "-selfScrapeInterval=10s"
+        "-promscrape.config=${generatedPrometheusYml}"
+      ];
+    };
+
+    services.grafana.enable = true;
+
+    services.grafana.settings = {
+      server = {
+        http_addr = "127.0.0.1";
+        inherit (cfg) domain;
+      };
+      database = {
+        user = "grafana";
+        type = "postgres";
+        host = "/run/postgresql";
+      };
+    };
+
+    services.postgresql.ensureDatabases = [ "grafana" ];
+    services.postgresql.ensureUsers = [{
+      name = "grafana";
+      ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES";
+    }];
+
+    services.prometheus.exporters = {
+      node = {
+        enable = true;
+        listenAddress = "127.0.0.1";
+        enabledCollectors = [ "systemd" ];
+      };
+    };
+
+    services.prometheus.scrapeConfigs = [{
+      job_name = "local_exporters";
+      scrape_interval = "10s";
+      static_configs = [{ targets = localExporterEndpoints; }];
+    }];
+    services.nginx.virtualHosts.${cfg.domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass =
+          "http://${grafana.http_addr}:${builtins.toString grafana.http_port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

nixos/zorigami/default.nix

@@ -0,0 +1,483 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [ ./hardware.nix ];
+
+  boot.kernelPackages = pkgs.linuxPackages;
+
+  age.secrets.cassAuth = {
+    file = ../../secrets/cassAuth.age;
+    group = "nginx";
+    mode = "440";
+  };
+  age.secrets.minecraftRestic.file = ../../secrets/norkclubMinecraftRestic.age;
+  age.secrets.nextCloudAdmin = {
+    file = ../../secrets/nextCloudAdmin.age;
+    group = "nextcloud";
+    mode = "440";
+  };
+  age.secrets.wgNibylandia.file = ../../secrets/wg/nibylandia_zorigami.age;
+
+  age.secrets.arMail.file = ../../secrets/mail/ar.age;
+  age.secrets.amieMail.file = ../../secrets/mail/amie.age;
+  age.secrets.apoMail.file = ../../secrets/mail/apo.age;
+  age.secrets.madargonMail.file = ../../secrets/mail/madargon.age;
+  age.secrets.enkiMail.file = ../../secrets/mail/enki.age;
+  age.secrets.matrixMail.file = ../../secrets/mail/matrix.age;
+  age.secrets.mastodonMail.file = ../../secrets/mail/mastodon.age;
+  age.secrets.mastodonPlainMail = {
+    group = "mastodon";
+    mode = "440";
+    file = ../../secrets/mail/mastodonPlain.age;
+  };
+  age.secrets.vaultwardenMail.file = ../../secrets/mail/vaultwarden.age;
+  age.secrets.vaultwardenPlainMail = {
+    group = "vaultwarden";
+    mode = "440";
+    file = ../../secrets/mail/vaultwardenPlain.age;
+  };
+
+  age.secrets.minifluxCredentials.file = ../../secrets/miniflux.age;
+  age.secrets.keycloakDatabase = {
+    file = ../../secrets/keycloakDatabase.age;
+    mode = "440";
+  };
+  age.secrets.keycloak.file = ../../secrets/mail/keycloak.age;
+
+  age.secrets.notbotEnvironment.file = ../../secrets/notbotEnvironment.age;
+
+  age.secrets.synapseExtraConfig = {
+    group = "matrix-synapse";
+    mode = "440";
+    file = ../../secrets/synapseExtraConfig.age;
+  };
+
+  nibylandia.monitoring-server = { domain = "monitoring.is-a.cat"; };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    clientMaxBodySize = "4096m";
+    appendHttpConfig = ''
+      disable_symlinks off;
+    '';
+  };
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "ar@is-a.cat";
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ] ++ [ 25565 25566 ]
+    ++ [ 113 ];
+  networking.firewall.allowedUDPPorts = [ 80 443 ]
+    ++ [ 19132 19133 25565 25566 ] ++ [ 51315 ];
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+  };
+  services.prometheus.exporters.postgres = {
+    enable = true;
+    runAsLocalSuperUser = true;
+    listenAddress = "127.0.0.1";
+  };
+
+  systemd.services.notbot = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    description = "Notbot irc bot service";
+    serviceConfig = {
+      Type = "simple";
+      User = "bot";
+      EnvironmentFile = config.age.secrets.notbotEnvironment.path;
+      ExecStart = ''
+        ${pkgs.notbot}/bin/notbot -nickname "notbot" -name "notbot" -user "bot" \
+          -server "irc.libera.chat:6667" -password $NICKSERV_PASSWORD \
+          -channels $CHANNELS -jitsi.channels $JITSI_CHANNELS -spaceapi.channels $SPACEAPI_CHANNELS
+      '';
+    };
+  };
+  users.users.bot = {
+    isSystemUser = true;
+    group = "bot";
+  };
+  users.groups.bot = { };
+
+  systemd.services.cass = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    description = "cass";
+    serviceConfig = {
+      Type = "simple";
+      User = "ar";
+      ExecStart = ''
+        ${pkgs.cass}/bin/cass -listen "127.0.0.1:8000" -file-store "/srv/www/arachnist.is-a.cat/c" -url-base "https://ar.is-a.cat/c/"'';
+    };
+  };
+
+  systemd.services.minecraft-overviewer = {
+    script = ''
+      ${pkgs.python3Packages.minecraft-overviewer}/bin/overviewer.py -p 8 -c "/srv/minecraft-overviewer/survival/config.py"
+      ${pkgs.python3Packages.minecraft-overviewer}/bin/overviewer.py -p 8 -c "/srv/minecraft-overviewer/survival/config.py" --genpoi
+    '';
+    serviceConfig = {
+      User = "minecraft";
+      Group = "users";
+      ProtectHome = "no";
+    };
+  };
+
+  systemd.timers.minecraft-overviewer = {
+    wantedBy = [ "multi-user.target" ];
+    timerConfig = { OnCalendar = "daily"; };
+  };
+
+  users.users.minecraft = {
+    isNormalUser = true;
+    group = "users";
+    openssh.authorizedKeys.keys =
+      config.users.users.ar.openssh.authorizedKeys.keys ++ [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOHWPbzvwXTftY1r0dXcYZxT9QBnQkwepdMn8PCAPlYvYwUObEj3rgYrYRFrtCRWZVrKAdqBxnH9/6S9w631Zs7tgqEeDHJsotZNZV3qip7qGjn9IqUHXqF95MUDJV21AeBAqQ1xalefwCkwf/vYLFn8dSnsnlfO+mtlHZOuBED+SB2U1eNrWY2e45v8m7PqSyTCbCu0F3wVcHGwRFsxWA598wf85UBRVcSWVcUydE9F+PCS9sGETkXiRUDcHWnup8uygs4xLa9RADubhdGkUbQE6m6yOjvHJWZ4ov59zJh+hmpszCwfmUw/k39T2TM7tbwUWxgc68qDyaMGQr/Wzd x10a94@Celestia"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJ+LSo3YXE6Jk6pGKL5om/VOi7XE5OvHA2U73V0pJXHa1bA4ityICeNqec2w8TSWSwTihJ4oAM7YLShkERNTcd1NWNHgUYova9nJ/nItFxrxDpTQsqK315u4d7nE+go09c85cyomHbDDcNVg9kJeCUjF+dr82N7JZfYVdQystOslOROYtl94GHuFHVOQyBRGeSztmakYvK1+3WV8dby6TfYG1l6uf6qLCg7q64zR4xDDP0KgfcrsusBQ6qYnKhop1fUTaW9NtEOQP/MhFLDp2YQmTsNJDiKAQpwwYLexWq4UcziXbnRfD56CHFHbW7Hu6Ltu35cHFKR2r9y4TBwTV crendgrim@gmx.de"
+      ];
+  };
+
+  systemd.services.minecraft-backup = {
+    script = ''
+      export PATH="/run/current-system/sw/bin"
+      /home/minecraft/minecraft-backup/backup.sh -w rcon -i /home/minecraft/survival/world -r $BACKUP_DESTINATION -s $RCON_AUTH -m -1
+    '';
+    serviceConfig = {
+      User = "minecraft";
+      Group = "users";
+      ProtectHome = "no";
+      EnvironmentFile = config.age.secrets.minecraftRestic.path;
+    };
+  };
+
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud27;
+    hostName = "cloud.is-a.cat";
+    autoUpdateApps.enable = true;
+    autoUpdateApps.startAt = "05:00:00";
+
+    config = {
+      overwriteProtocol = "https";
+
+      adminuser = "admin";
+      adminpassFile = config.age.secrets.nextCloudAdmin.path;
+
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbname = "nextcloud";
+      dbhost = "/run/postgresql";
+    };
+  };
+
+  services.postgresql.ensureDatabases =
+    [ "nextcloud" "matrix-synapse" "mastodon" ];
+  services.postgresql.ensureUsers = [
+    {
+      name = "nextcloud";
+      ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+    }
+    {
+      name = "matrix-synapse";
+      ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+    }
+    {
+      name = "mastodon";
+      ensurePermissions."DATABASE mastodon" = "ALL PRIVILEGES";
+    }
+  ];
+
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = "is-a.cat";
+    domains = [ "is-a.cat" "i.am-a.cat" "rsg.enterprises" ];
+    certificateScheme = "acme-nginx";
+    enableManageSieve = true;
+    fullTextSearch = {
+      enable = true;
+      memoryLimit = 2000;
+    };
+    localDnsResolver = false;
+    monitoring.enable = false;
+    borgbackup.enable = false;
+    backup.enable = false;
+    messageSizeLimit = 41943040;
+    loginAccounts = {
+      "ar@is-a.cat" = {
+        aliases = [
+          "arachnist@is-a.cat"
+          "letsencrypt@is-a.cat"
+          "gustaw.weldon@is-a.cat"
+          "@rsg.enterprises"
+          "@i.am-a.cat"
+        ];
+
+        hashedPasswordFile = config.age.secrets.arMail.path;
+      };
+      "amie@is-a.cat".hashedPasswordFile = config.age.secrets.amieMail.path;
+      "apo@is-a.cat".hashedPasswordFile = config.age.secrets.apoMail.path;
+      "madargon@is-a.cat".hashedPasswordFile =
+        config.age.secrets.madargonMail.path;
+      "enkiusz@is-a.cat".hashedPasswordFile = config.age.secrets.enkiMail.path;
+      "mastodon@is-a.cat".hashedPasswordFile =
+        config.age.secrets.mastodonMail.path;
+      "matrix@is-a.cat".hashedPasswordFile = config.age.secrets.matrixMail.path;
+      "vaultwarden@is-a.cat".hashedPasswordFile =
+        config.age.secrets.vaultwardenMail.path;
+    };
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "is-a.cat";
+
+      registrations_require_3pid = [ "email" ];
+      allowed_local_3pids = [{
+        medium = "email";
+        pattern = "^[^@]+@is-a.cat$";
+      }];
+      enable_registration = true;
+      registration_requires_token = true;
+      withJemalloc = true;
+    };
+    extraConfigFiles = [ config.age.secrets.synapseExtraConfig.path ];
+  };
+
+  services.mastodon = {
+    enable = true;
+    webProcesses = 4;
+    localDomain = "is-a.cat";
+    configureNginx = true;
+    smtp = {
+      user = "mastodon@is-a.cat";
+      passwordFile = config.age.secrets.mastodonPlainMail.path;
+      fromAddress = "mastodon@is-a.cat";
+      host = "is-a.cat";
+      createLocally = false;
+      authenticate = true;
+    };
+    extraConfig = {
+      EMAIL_DOMAIN_ALLOWLIST = "is-a.cat";
+      MAX_TOOT_CHARS = "20000";
+      MAX_PINNED_TOOTS = "10";
+      MAX_BIO_CHARS = "2000";
+      MAX_PROFILE_FIELDS = "8";
+      MAX_POLL_OPTIONS = "10";
+      MAX_IMAGE_SIZE = "33554432";
+      MAX_VIDEO_SIZE = "167772160";
+      ALLOWED_PRIVATE_ADDRESSES = "127.1.33.7";
+      GITHUB_REPOSITORY = "arachnist/mastodon/tree/meow";
+    };
+    package = pkgs.glitchSoc;
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    config = {
+      DOMAIN = "https://vaultwarden.is-a.cat";
+      ROCKET_PORT = "8222";
+      ROCKET_ADDRESS = "127.0.0.1";
+      databaseUrl = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
+
+      smtpHost = "is-a.cat";
+      smtpFrom = "vaultwarden@is-a.cat";
+      smtpUsername = "vaultwarden@is-a.cat";
+      smtpSecurity = "force_tls";
+
+      signupsDomainsWhitelist = "is-a.cat";
+    };
+    environmentFile = config.age.secrets.vaultwardenPlainMail.path;
+  };
+
+  # need to figure out something fancy about network configuration
+  networking.hostName = "zorigami";
+  systemd.network.wait-online.enable = false;
+  networking.useDHCP = false;
+  networking.interfaces.enp36s0f1.useDHCP = false;
+  networking.interfaces.enp38s0.useDHCP = false;
+  networking.interfaces.enp39s0.useDHCP = false;
+  networking.interfaces.enp42s0f3u5u3c2.useDHCP = false;
+  networking.tempAddresses = "disabled";
+  networking.interfaces.enp36s0f0 = {
+    useDHCP = false;
+    ipv4 = {
+      addresses = [{
+        address = "185.236.240.137";
+        prefixLength = 31;
+      }];
+      routes = [{
+        address = "0.0.0.0";
+        prefixLength = 0;
+        via = "185.236.240.136";
+      }];
+    };
+    ipv6 = {
+      addresses = [{
+        address = "2a0d:eb00:8007::10";
+        prefixLength = 64;
+      }];
+      routes = [{
+        address = "::";
+        prefixLength = 0;
+        via = "2a0d:eb00:8007::1";
+      }];
+    };
+  };
+  networking.nameservers = [
+    "8.8.8.8"
+    "8.8.4.4"
+    "1.1.1.1"
+    "2606:4700:4700::1111"
+    "2606:4700:4700::1001"
+    "2001:4860:4860::8888"
+  ];
+  boot.kernel.sysctl = {
+    "net.ipv6.conf.all.accept_ra" = false;
+    "net.ipv6.conf.default.accept_ra" = false;
+    "net.ipv4.conf.all.forwarding" = true;
+  };
+  networking.wireguard.interfaces = {
+    wg-nibylandia = {
+      ips = [ "10.255.255.1/24" ];
+      privateKeyFile = config.age.secrets.wgNibylandia.path;
+      listenPort = 51315;
+
+      peers = [
+        {
+          publicKey = "g/XhdVYsegn7Pp58Y1HFNxp4jhmA8YjRDg8W8J6swCw=";
+          endpoint = "i.am-a.cat:51315";
+          allowedIPs =
+            [ "10.255.255.2/32" "192.168.20.0/24" "192.168.24.0/24" ];
+          persistentKeepalive = 15;
+        }
+        {
+          publicKey = "ubxtr3zW9F/ofjaQFnj6XpYcrOvTdOSW5wv06+VEehU=";
+          allowedIPs = [ "10.255.255.3/32" ];
+          persistentKeepalive = 15;
+        }
+        {
+          publicKey = "tVH3q1AJZKsitYmASdaogMCBwhMCd8oSuDY2POpiUiY=";
+          allowedIPs = [ "10.255.255.4/32" ];
+          persistentKeepalive = 15;
+        }
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "s.nork.club" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "/srv/www/s.nork.club";
+    };
+    "ar.is-a.cat" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = { root = "/srv/www/arachnist.is-a.cat"; };
+      locations."/up" = {
+        proxyPass = "http://127.0.0.1:8000";
+        basicAuthFile = config.age.secrets.cassAuth.path;
+        extraConfig = ''
+          proxy_request_buffering off;
+          proxy_send_timeout "9000s";
+          proxy_read_timeout "9000s";
+        '';
+      };
+      locations."/down" = {
+        proxyPass = "http://127.0.0.1:8000";
+        basicAuthFile = config.age.secrets.cassAuth.path;
+        extraConfig = ''
+          proxy_request_buffering off;
+          proxy_send_timeout "9000s";
+          proxy_read_timeout "9000s";
+        '';
+      };
+    };
+    "arachnist.is-a.cat" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = { root = "/srv/www/arachnist.is-a.cat"; };
+    };
+    "brata.zajeba.li" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = { root = "/srv/www/brata.zajeba.li"; };
+    };
+    "irc.is-a.cat" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."^~ /weechat" = {
+        proxyPass = "http://127.0.0.1:9001";
+        proxyWebsockets = true;
+      };
+      locations."/" = { root = pkgs.glowing-bear; };
+    };
+    "cloud.is-a.cat" = {
+      forceSSL = true;
+      enableACME = true;
+    };
+    ${config.services.matrix-synapse.settings.server_name} = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/_matrix" = { proxyPass = "http://127.0.0.1:8008"; };
+
+      locations."/.well-known/matrix/server" = {
+        return = ''
+          200 "{\"m.server\":\"${config.services.matrix-synapse.settings.server_name}:443\",\"m.homeserver\":{\"base_url\":\"https://${config.services.matrix-synapse.settings.server_name}\"}}"'';
+      };
+    };
+    "matrix.${config.services.matrix-synapse.settings.server_name}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        root = pkgs.cinny.override {
+          conf = {
+            homeserverList = [
+              config.services.matrix-synapse.settings.server_name
+              "matrix.hackerspace.pl"
+            ];
+            allowCustomHomeservers = false;
+            defaultHomeserver = 0;
+          };
+        };
+      };
+    };
+  };
+
+  services.oidentd.enable = true;
+
+  programs.java = {
+    enable = true;
+    package = pkgs.openjdk17;
+  };
+
+  environment.systemPackages = with pkgs; [ john restic weechat ];
+
+  users.groups.erin = { gid = 1003; };
+  users.users.erin = {
+    isNormalUser = true;
+    uid = 1003;
+    group = "erin";
+    extraGroups = [ "users" ];
+    packages = with pkgs; [ borgbackup ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBebbJHzn1VmIO0GxUpERXSTvYVpGdnS4/3/JHp9NZa elia@boston-packets"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdILFDn3VgZfybppL5tbAGsv7KWgM+SoCBQHdtGR8zn elia@panzerbook"
+    ];
+  };
+}

nixos/zorigami/hardware.nix

@@ -0,0 +1,35 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot.initrd.availableKernelModules =
+    [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.zfs.extraPools = [ "tank" ];
+  boot.zfs.enableUnstable = true;
+  boot.supportedFilesystems = [ "zfs" ];
+
+  nibylandia-boot.ryzen.enable = true;
+
+  networking.hostId = "7999af7c";
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/2c034d00-d937-498c-85af-088616b8449c";
+    fsType = "xfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/C1BA-34FE";
+    fsType = "vfat";
+  };
+
+  fileSystems."/home/minecraft/survival/world" = {
+    device = "survivalworld";
+    fsType = "tmpfs";
+    options = [ "mode=755" "uid=1001" "gid=100" "size=40G" ];
+  };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/86fee886-bdba-4f0b-8fe6-31c32e8232fa"; }];
+
+}

overlays/default.nix

@@ -0,0 +1 @@
+{ nibylandia = final: prev: (import ./nibylandia.nix) final prev; }

overlays/nibylandia.nix

@@ -0,0 +1,16 @@
+self: super: {
+  cass = super.callPackage ../pkgs/cass.nix { };
+  notbot = super.callPackage ../pkgs/notbot.nix { };
+  glitchSoc = self.callPackage ../pkgs/glitch-soc { };
+  mastodon-update-script = self.callPackage ../pkgs/mastodonUpdate.nix { };
+
+  python3 = super.python3.override {
+    packageOverrides = self: super: {
+      pillow-with-headers =
+        self.callPackage ../pkgs/pillow-with-headers.nix { };
+      minecraft-overviewer =
+        self.callPackage ../pkgs/minecraft-overviewer.nix { };
+    };
+  };
+  python3Packages = self.python3.pkgs;
+}

pkgs/cass.nix

@@ -0,0 +1,16 @@
+{ fetchFromGitea, buildGoPackage, ... }:
+
+buildGoPackage rec {
+  pname = "cass";
+  version = "0.0.1";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "arachnist";
+    repo = pname;
+    rev = "00b3536c5b546bb5b929b2562c86fee2869885a4";
+    sha256 = "+ZGO/ZoGN+LdcPGWHjjZ/wpayFxnfKvxiVMaS0iNYr0=";
+  };
+
+  goPackagePath = "github.com/arachnist/cass";
+}

pkgs/glitch-soc/default.nix

@@ -0,0 +1,177 @@
+{ lib, stdenv, nodejs-slim, mkYarnPackage, fetchFromGitHub, bundlerEnv
+, nixosTests, yarn, callPackage, imagemagick, ffmpeg, file, ruby_3_0
+, writeShellScript, fetchYarnDeps, fixup_yarn_lock, brotli
+
+# Allow building a fork or custom version of Mastodon:
+, pname ? "mastodon", version ? import ./version.nix, srcOverride ? null
+, dependenciesDir ? ./. # Should contain gemset.nix, yarn.nix and package.json.
+}:
+
+stdenv.mkDerivation rec {
+  inherit pname version;
+
+  # Using overrideAttrs on src does not build the gems and modules with the overridden src.
+  # Putting the callPackage up in the arguments list also does not work.
+  src =
+    if srcOverride != null then srcOverride else callPackage ./source.nix { };
+
+  mastodonGems = bundlerEnv {
+    name = "${pname}-gems-${version}";
+    inherit version;
+    ruby = ruby_3_0;
+    gemdir = src;
+    gemset = dependenciesDir + "/gemset.nix";
+    # This fix (copied from https://github.com/NixOS/nixpkgs/pull/76765) replaces the gem
+    # symlinks with directories, resolving this error when running rake:
+    #   /nix/store/451rhxkggw53h7253izpbq55nrhs7iv0-mastodon-gems-3.0.1/lib/ruby/gems/2.6.0/gems/bundler-1.17.3/lib/bundler/settings.rb:6:in `<module:Bundler>': uninitialized constant Bundler::Settings (NameError)
+    postBuild = ''
+      for gem in "$out"/lib/ruby/gems/*/gems/*; do
+        cp -a "$gem/" "$gem.new"
+        rm "$gem"
+        # needed on macOS, otherwise the mv yields permission denied
+        chmod +w "$gem.new"
+        mv "$gem.new" "$gem"
+      done
+    '';
+  };
+
+  mastodonModules = stdenv.mkDerivation {
+    pname = "${pname}-modules";
+    inherit src version;
+
+    yarnOfflineCache = fetchYarnDeps {
+      yarnLock = "${src}/yarn.lock";
+      #hash = "sha256-Qw33TB3fK6KrMZqti7p/yTFAoeIatm7O/AZ0DnQ76sA=";
+      hash = "sha256-WsPNqV1PC2YjL37qnWfRTj8LaIBUI7+C0cWTfFd7HGo=";
+    };
+
+    nativeBuildInputs = [
+      fixup_yarn_lock
+      nodejs-slim
+      yarn
+      mastodonGems
+      mastodonGems.wrappedRuby
+      brotli
+    ];
+
+    RAILS_ENV = "production";
+    NODE_ENV = "production";
+
+    buildPhase = ''
+      runHook preBuild
+
+      export HOME=$PWD
+      # This option is needed for openssl-3 compatibility
+      # Otherwise we encounter this upstream issue: https://github.com/mastodon/mastodon/issues/17924
+      export NODE_OPTIONS=--openssl-legacy-provider
+      fixup_yarn_lock ~/yarn.lock
+      yarn config --offline set yarn-offline-mirror $yarnOfflineCache
+      yarn install --offline --frozen-lockfile --ignore-engines --ignore-scripts --no-progress
+
+      patchShebangs ~/bin
+      patchShebangs ~/node_modules
+
+      # skip running yarn install
+      rm -rf ~/bin/yarn
+
+      OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder \
+        rails assets:precompile
+      yarn cache clean --offline
+      rm -rf ~/node_modules/.cache
+
+      # Create missing static gzip and brotli files
+      gzip --best --keep ~/public/assets/500.html
+      gzip --best --keep ~/public/packs/report.html
+      find ~/public/assets -maxdepth 1 -type f -name '.*.json' \
+        -exec gzip --best --keep --force {} ';'
+      brotli --best --keep ~/public/packs/report.html
+      find ~/public/assets -type f -regextype posix-extended -iregex '.*\.(css|js|json|html)' \
+        -exec brotli --best --keep {} ';'
+
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/public
+      cp -r node_modules $out/node_modules
+      cp -r public/assets $out/public
+      cp -r public/packs $out/public
+
+      runHook postInstall
+    '';
+  };
+
+  propagatedBuildInputs = [ imagemagick ffmpeg file mastodonGems.wrappedRuby ];
+  buildInputs = [ mastodonGems nodejs-slim ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    ln -s $mastodonModules/node_modules node_modules
+    ln -s $mastodonModules/public/assets public/assets
+    ln -s $mastodonModules/public/packs public/packs
+
+    patchShebangs bin/
+    for b in $(ls $mastodonGems/bin/)
+    do
+      if [ ! -f bin/$b ]; then
+        ln -s $mastodonGems/bin/$b bin/$b
+      fi
+    done
+
+    # Remove execute permissions
+    chmod 0444 public/emoji/*.svg
+
+    # Create missing static gzip and brotli files
+    find public -maxdepth 1 -type f -regextype posix-extended -iregex '.*\.(css|js|svg|txt|xml)' \
+      -exec gzip --best --keep --force {} ';' \
+      -exec brotli --best --keep {} ';'
+    find public/emoji -type f -name '.*.svg' \
+      -exec gzip --best --keep --force {} ';' \
+      -exec brotli --best --keep {} ';'
+    ln -s assets/500.html.gz public/500.html.gz
+    ln -s assets/500.html.br public/500.html.br
+    ln -s packs/sw.js.gz public/sw.js.gz
+    ln -s packs/sw.js.br public/sw.js.br
+    ln -s packs/sw.js.map.gz public/sw.js.map.gz
+    ln -s packs/sw.js.map.br public/sw.js.map.br
+
+    rm -rf log
+    ln -s /var/log/mastodon log
+    ln -s /tmp tmp
+
+    runHook postBuild
+  '';
+
+  installPhase = let
+    run-streaming = writeShellScript "run-streaming.sh" ''
+      # NixOS helper script to consistently use the same NodeJS version the package was built with.
+      ${nodejs-slim}/bin/node ./streaming
+    '';
+  in ''
+    runHook preInstall
+
+    mkdir -p $out
+    cp -r * $out/
+    ln -s ${run-streaming} $out/run-streaming.sh
+
+    runHook postInstall
+  '';
+
+  passthru = {
+    tests.mastodon = nixosTests.mastodon;
+    # run with: nix-shell ./maintainers/scripts/update.nix --argstr package mastodon
+    updateScript = ./update.sh;
+  };
+
+  meta = with lib; {
+    description =
+      "Self-hosted, globally interconnected microblogging software based on ActivityPub";
+    homepage = "https://joinmastodon.org";
+    license = licenses.agpl3Plus;
+    platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
+    maintainers = with maintainers; [ happy-river erictapen izorkin ghuntley ];
+  };
+}

pkgs/glitch-soc/source.nix

@@ -0,0 +1,13 @@
+# This file was generated by pkgs.mastodon.updateScript.
+{ fetchFromGitHub, applyPatches }:
+let
+  src = fetchFromGitHub {
+    owner = "arachnist";
+    repo = "mastodon";
+    rev = "e4e18e4f9fc062cd347bb2faa719ad2f62660bfd";
+    hash = "sha256-k5ZO+x7MzQaHShViBltmrCoy5wujKXIsQvPTpWgkvUk=";
+  };
+in applyPatches {
+  inherit src;
+  patches = [ ./local-new-fixes.patch ];
+}

pkgs/glitch-soc/update.sh

@@ -0,0 +1,103 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p yarn2nix bundix coreutils diffutils nix-prefetch-github gnused jq
+set -e
+
+OWNER=mastodon
+REPO=mastodon
+
+POSITIONAL=()
+while [[ $# -gt 0 ]]; do
+    key="$1"
+
+    case $key in
+        --owner)
+            OWNER="$2"
+            shift # past argument
+            shift # past value
+            ;;
+        --repo)
+            REPO="$2"
+            shift # past argument
+            shift # past value
+            ;;
+        --ver)
+            VERSION="$2"
+            shift # past argument
+            shift # past value
+            ;;
+        --rev)
+            REVISION="$2"
+            shift # past argument
+            shift # past value
+            ;;
+        --patches)
+            PATCHES="$2"
+            shift # past argument
+            shift # past value
+            ;;
+        *)  # unknown option
+            POSITIONAL+=("$1")
+            shift # past argument
+            ;;
+    esac
+done
+
+if [[ -n "$POSITIONAL" ]]; then
+    echo "Usage: update.sh [--owner OWNER] [--repo REPO] [--ver VERSION] [--rev REVISION] [--patches PATCHES]"
+    echo "OWNER and REPO must be paths on github."
+    echo "If REVISION is not provided, the latest tag from github.com/mastodon/mastodon is fetched and VERSION is calculated from it."
+    echo "If OWNER and REPO are not provided, it defaults they default to mastodon and mastodon."
+    echo "PATCHES, if provided, should be one or more Nix expressions separated by spaces."
+    exit 1
+fi
+
+if [[ -z "$REVISION" ]]; then
+    REVISION="$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} -s "https://api.github.com/repos/$OWNER/$REPO/releases" | jq -r  'map(select(.prerelease == false)) | .[0].tag_name')"
+    VERSION="$(echo "$REVISION" | cut -c2-)"
+fi
+
+rm -f gemset.nix version.nix source.nix
+cd "$(dirname "${BASH_SOURCE[0]}")" || exit 1
+
+WORK_DIR=$(mktemp -d)
+
+# Check that working directory was created.
+if [[ -z "$WORK_DIR" || ! -d "$WORK_DIR" ]]; then
+    echo "Could not create temporary directory"
+    exit 1
+fi
+
+# Delete the working directory on exit.
+function cleanup {
+    # Report errors, if any, from nix-prefetch-git
+    grep "fatal" $WORK_DIR/nix-prefetch-git.out >/dev/stderr || true
+    rm -rf "$WORK_DIR"
+}
+trap cleanup EXIT
+
+echo "Fetching source code $REVISION"
+JSON=$(nix-prefetch-github "$OWNER" "$REPO" --rev "$REVISION" 2> $WORK_DIR/nix-prefetch-git.out)
+HASH=$(echo "$JSON" | jq -r .hash)
+
+echo "Creating version.nix"
+echo "\"$VERSION\"" | sed 's/^"v/"/' > version.nix
+
+cat > source.nix << EOF
+# This file was generated by pkgs.mastodon.updateScript.
+{ fetchFromGitHub, applyPatches }: let
+  src = fetchFromGitHub {
+    owner = "$OWNER";
+    repo = "$REPO";
+    rev = "$REVISION";
+    hash = "$HASH";
+  };
+in applyPatches {
+  inherit src;
+  patches = [$PATCHES];
+}
+EOF
+SOURCE_DIR="$(nix-build --no-out-link -E '(import <nixpkgs> {}).callPackage ./source.nix {}')"
+
+echo "Creating gemset.nix"
+bundix --lockfile="$SOURCE_DIR/Gemfile.lock" --gemfile="$SOURCE_DIR/Gemfile"
+echo "" >> gemset.nix  # Create trailing newline to please EditorConfig checks

pkgs/glitch-soc/version.nix

@@ -0,0 +1 @@
+"4+glitch+meow"

pkgs/mastodonUpdate.nix

@@ -0,0 +1,13 @@
+{ runtimeShell, writeScriptBin, mastodon, symlinkJoin }:
+
+let
+  name = "mastodon-update.sh";
+  script = writeScriptBin name ''
+    #!${runtimeShell}
+    exec ${mastodon.updateScript} "$@"
+  '';
+
+in symlinkJoin {
+  inherit name;
+  paths = [ script ];
+}

pkgs/minecraft-overviewer.nix

@@ -0,0 +1,31 @@
+{ fetchFromGitHub, buildPythonPackage, python3Packages, python3, ... }:
+
+buildPythonPackage rec {
+  pname = "Minecraft-Overviewer";
+  version = "2021-12-14";
+  format = "other";
+
+  propagatedBuildInputs = with python3Packages; [
+    pillow-with-headers
+    numpy
+    networkx
+  ];
+
+  buildInputs = with python3Packages; [ setuptools ];
+
+  buildPhase = ''
+    export CFLAGS="-I${python3Packages.pillow-with-headers}/include/libImaging"
+    ${python3.interpreter} setup.py build
+  '';
+
+  installPhase = ''
+    ${python3.interpreter} setup.py install --prefix=$out --install-lib=$out/${python3.sitePackages}
+  '';
+
+  src = fetchFromGitHub {
+    owner = "overviewer";
+    repo = pname;
+    rev = "7171af587399fee9140eb83fb9b066acd251f57a";
+    sha256 = "sha256-iJv4mL1Zr6clL5iuUg1kHoIk9Kk3R4TOYsrldEVyfVo=";
+  };
+}

pkgs/notbot.nix

@@ -0,0 +1,17 @@
+{ fetchFromGitea, buildGoModule, ... }:
+
+buildGoModule rec {
+  pname = "notbot";
+  version = "0.0.3";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "arachnist";
+    repo = pname;
+    rev = "195b12bdba2d579533e00de9c9dce52ece0bc562";
+    sha256 = "cHy1TSUI2KfZyaZMXJibT4G/HwcBhPKQF6ftJpilRCQ=";
+  };
+
+  vendorSha256 = "sha256-gi6mrJW65tfWYScwRlPSvBartqfvVlGbR9GWfj9G4xE=";
+  proxyVendor = true;
+}

pkgs/pillow-with-headers.nix

@@ -0,0 +1,8 @@
+{ python3Packages, ... }:
+
+python3Packages.pillow.overrideAttrs (_: {
+  postInstall = ''
+    mkdir -p $out/include/libImaging
+    cp src/libImaging/*.h $out/include/libImaging
+  '';
+})

secrets.nix

@@ -17,14 +17,17 @@ let
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDghNuH/3G+0BXwrBZWZXX0V3K0tfu/Q/AKokLXY5zTD";
 in {
 
-  "secrets/secureboot-key.age".publicKeys = ar ++ [ khas microlith ];
-  "secrets/secureboot-cert.age".publicKeys = ar ++ [ khas microlith ];
+  "secrets/secureboot-key.age".publicKeys = ar
+    ++ [ khas microlith zorigami scylla ];
+  "secrets/secureboot-cert.age".publicKeys = ar
+    ++ [ khas microlith zorigami scylla ];
   "secrets/khas-ar.age".publicKeys = ar ++ [ khas ];
   "secrets/microlith-ar.age".publicKeys = ar ++ [ microlith ];
   "secrets/wg/nibylandia_scylla.age".publicKeys = ar ++ [ scylla ];
   "secrets/wg/dn42_w1kl4s_scylla.age".publicKeys = ar ++ [ scylla ];
   "secrets/lan/nibylandia-ddns-kea.age".publicKeys = ar ++ [ scylla ];
   "secrets/lan/nibylandia-ddns-bind.age".publicKeys = ar ++ [ scylla ];
+  "secrets/notbotEnvironment.age".publicKeys = ar ++ [ zorigami ];
   "secrets/nextCloudAdmin.age".publicKeys = ar ++ [ zorigami ];
   "secrets/nextCloudExporter.age".publicKeys = ar ++ [ zorigami ];
   "secrets/norkclubMinecraftRestic.age".publicKeys = ar ++ [ zorigami ];
@@ -34,6 +37,7 @@ in {
   "secrets/wg/nibylandia_zorigami.age".publicKeys = ar ++ [ zorigami ];
   "secrets/mail/ar.age".publicKeys = ar ++ [ zorigami ];
   "secrets/mail/apo.age".publicKeys = ar ++ [ zorigami ];
+  "secrets/mail/amie.age".publicKeys = ar ++ [ zorigami ];
   "secrets/mail/mastodon.age".publicKeys = ar ++ [ zorigami ];
   "secrets/mail/mastodonPlain.age".publicKeys = ar ++ [ zorigami ];
   "secrets/mail/madargon.age".publicKeys = ar ++ [ zorigami ];
@@ -44,6 +48,7 @@ in {
   "secrets/mail/keycloak.age".publicKeys = ar ++ [ zorigami ];
   "secrets/mail/keycloakPlain.age".publicKeys = ar ++ [ zorigami ];
   "secrets/keycloakDatabase.age".publicKeys = ar ++ [ zorigami ];
+  "secrets/synapseExtraConfig.age".publicKeys = ar ++ [ zorigami ];
 
   inherit ar;
 }