fix gitea actions runner

fix ovmf
setup synapse vm on nixos-vps
2024-01-18 21:47:43 +03:00 · 2024-01-18 21:47:13 +03:00 · 2024-01-18 21:46:51 +03:00
13 changed files with 534 additions and 106 deletions
--- a/machines/Home-Hypervisor/dns-headscale.nix
+++ b/machines/Home-Hypervisor/dns-headscale.nix
@ -9,23 +9,23 @@
    { name = "cal.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "cocalc.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "dimension.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "dimension.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
    { name = "docs.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
    { name = "fb.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "fsync.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "goneb.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "goneb.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
    { name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "jitsi.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "jitsi.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
    { name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    # { name = "mail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
    { name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "microbin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "nzbhydra.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@ -40,9 +40,9 @@
    { name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "sonarrtv.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "startpage.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
    { name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
    { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    # { name = "webmail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@ -56,23 +56,23 @@
    { name = "cal.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "cocalc.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "dimension.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "dimension.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
    { name = "docs.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
    { name = "fb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "fsync.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "goneb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "goneb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
    { name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "jitsi.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "jitsi.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
    { name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    # { name = "mail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
    { name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "microbin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "nzbhydra.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
@ -87,11 +87,41 @@
    { name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "sonarrtv.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "startpage.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
    { name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
    { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    # { name = "webmail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+
+    # block hoyoverse logs
+    { name = "overseauspider.yuanshen.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "overseauspider.yuanshen.com"; type = "AAAA"; value = "::"; }
+    { name = "log-upload-os.hoyoverse.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "log-upload-os.hoyoverse.com"; type = "AAAA"; value = "::"; }
+    { name = "log-upload-os.mihoyo.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "log-upload-os.mihoyo.com"; type = "AAAA"; value = "::"; }
+    { name = "dump.gamesafe.qq.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "dump.gamesafe.qq.com"; type = "AAAA"; value = "::"; }
+    { name = "log-upload.mihoyo.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "log-upload.mihoyo.com"; type = "AAAA"; value = "::"; }
+    { name = "devlog-upload.mihoyo.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "devlog-upload.mihoyo.com"; type = "AAAA"; value = "::"; }
+    { name = "uspider.yuanshen.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "uspider.yuanshen.com"; type = "AAAA"; value = "::"; }
+    { name = "sg-public-data-api.hoyoverse.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "sg-public-data-api.hoyoverse.com"; type = "AAAA"; value = "::"; }
+    { name = "public-data-api.mihoyo.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "public-data-api.mihoyo.com"; type = "AAAA"; value = "::"; }
+    { name = "prd-lender.cdp.internal.unity3d.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "prd-lender.cdp.internal.unity3d.com"; type = "AAAA"; value = "::"; }
+    { name = "thind-prd-knob.data.ie.unity3d.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "thind-prd-knob.data.ie.unity3d.com"; type = "AAAA"; value = "::"; }
+    { name = "thind-gke-usc.prd.data.corp.unity3d.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "thind-gke-usc.prd.data.corp.unity3d.com"; type = "AAAA"; value = "::"; }
+    { name = "cdp.cloud.unity3d.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "cdp.cloud.unity3d.com"; type = "AAAA"; value = "::"; }
+    { name = "remote-config-proxy-prd.uca.cloud.unity3d.com"; type = "A"; value = "0.0.0.0"; }
+    { name = "remote-config-proxy-prd.uca.cloud.unity3d.com"; type = "AAAA"; value = "::"; }
  ];
 }
--- a/machines/Home-Hypervisor/dns-mapping.nix
+++ b/machines/Home-Hypervisor/dns-mapping.nix
@ -9,21 +9,21 @@
    "/cocalc.ataraxiadev.com/192.168.0.10"
    "/code.ataraxiadev.com/192.168.0.10"
    "/docs.ataraxiadev.com/192.168.0.10"
-    "/dimension.ataraxiadev.com/192.168.0.10"
-    "/element.ataraxiadev.com/192.168.0.10"
+    # "/dimension.ataraxiadev.com/192.168.0.10"
+    # "/element.ataraxiadev.com/192.168.0.10"
    "/fb.ataraxiadev.com/192.168.0.10"
    "/file.ataraxiadev.com/192.168.0.10"
    "/fsync.ataraxiadev.com/192.168.0.10"
-    "/goneb.ataraxiadev.com/192.168.0.10"
+    # "/goneb.ataraxiadev.com/192.168.0.10"
    "/home.ataraxiadev.com/192.168.0.10"
    "/jackett.ataraxiadev.com/192.168.0.10"
    "/jellyfin.ataraxiadev.com/192.168.0.10"
-    "/jitsi.ataraxiadev.com/192.168.0.10"
+    # "/jitsi.ataraxiadev.com/192.168.0.10"
    "/joplin.ataraxiadev.com/192.168.0.10"
    "/kavita.ataraxiadev.com/192.168.0.10"
    "/ldap.ataraxiadev.com/192.168.0.10"
    "/lib.ataraxiadev.com/192.168.0.10"
-    "/matrix.ataraxiadev.com/192.168.0.10"
+    # "/matrix.ataraxiadev.com/192.168.0.10"
    "/medusa.ataraxiadev.com/192.168.0.10"
    "/microbin.ataraxiadev.com/192.168.0.10"
    "/nzbhydra.ataraxiadev.com/192.168.0.10"
@ -38,12 +38,28 @@
    "/sonarr.ataraxiadev.com/192.168.0.10"
    "/sonarrtv.ataraxiadev.com/192.168.0.10"
    "/startpage.ataraxiadev.com/192.168.0.10"
-    "/stats.ataraxiadev.com/192.168.0.10"
+    # "/stats.ataraxiadev.com/192.168.0.10"
    "/tools.ataraxiadev.com/192.168.0.10"
-    "/turn.ataraxiadev.com/192.168.0.10"
+    # "/turn.ataraxiadev.com/192.168.0.10"
    "/vw.ataraxiadev.com/192.168.0.10"
    "/wg.ataraxiadev.com/192.168.0.10"
    "/wiki.ataraxiadev.com/192.168.0.10"
    "/www.ataraxiadev.com/192.168.0.10"
+
+    # block hoyoverse logs
+    "/overseauspider.yuanshen.com/0.0.0.0"
+    "/log-upload-os.hoyoverse.com/0.0.0.0"
+    "/log-upload-os.mihoyo.com/0.0.0.0"
+    "/dump.gamesafe.qq.com/0.0.0.0"
+    "/log-upload.mihoyo.com/0.0.0.0"
+    "/devlog-upload.mihoyo.com/0.0.0.0"
+    "/uspider.yuanshen.com/0.0.0.0"
+    "/sg-public-data-api.hoyoverse.com/0.0.0.0"
+    "/public-data-api.mihoyo.com/0.0.0.0"
+    "/prd-lender.cdp.internal.unity3d.com/0.0.0.0"
+    "/thind-prd-knob.data.ie.unity3d.com/0.0.0.0"
+    "/thind-gke-usc.prd.data.corp.unity3d.com/0.0.0.0"
+    "/cdp.cloud.unity3d.com/0.0.0.0"
+    "/remote-config-proxy-prd.uca.cloud.unity3d.com/0.0.0.0"
  ];
 }
--- a/machines/NixOS-VPS/default.nix
+++ b/machines/NixOS-VPS/default.nix
@ -9,6 +9,7 @@
    ./network.nix
    ./nix.nix
    customModules.devices
+    customModules.libvirt-guests
    customModules.persist
    customModules.rustic
    customModules.users
@ -16,6 +17,7 @@
    customProfiles.hardened
    ./services/backups.nix
    ./services/dns.nix
+    ./services/synapse.nix
    ./services/tailscale.nix
    ./services/tor-bridge.nix
    ./services/wireguard.nix
@ -243,7 +245,7 @@
    };
  };
  programs.virt-manager.enable = true;
-  networking.firewall.trustedInterfaces = [ "podman+" "vnet+" "virbr+" ];
+  networking.firewall.trustedInterfaces = [ "podman*" "vnet*" "virbr*" ];
  networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
  security.unprivilegedUsernsClone = true;

--- a/machines/NixOS-VPS/network.nix
+++ b/machines/NixOS-VPS/network.nix
@ -44,20 +44,12 @@ in {
        } {
          routeConfig.Gateway = IPv6.gateway;
          routeConfig.GatewayOnLink = true;
-        } {
-          routeConfig.Destination = "192.168.0.1/24";
        }];
        dhcpServerConfig = {
          ServerAddress = "192.168.0.1/24";
          PoolOffset = 100;
          PoolSize = 100;
        };
-        dhcpServerStaticLeases = [{
-          dhcpServerStaticLeaseConfig = {
-            MACAddress = "52:54:00:5b:49:bf";
-            Address = "192.168.0.11";
-          };
-        }];
      };
    };
    netdevs = {
--- a/machines/NixOS-VPS/services/synapse.nix
+++ b/machines/NixOS-VPS/services/synapse.nix
@ -0,0 +1,118 @@
+{ config, lib, pkgs, inputs, ... }:
+let
+  bridge = (import ../hardware/networks.nix).interfaces.main';
+  external-ip = "83.138.55.118";
+  coturn-denied-ips = [
+    "0.0.0.0-0.255.255.255"
+    "10.0.0.0-10.255.255.255"
+    "100.64.0.0-100.127.255.255"
+    "127.0.0.0-127.255.255.255"
+    "169.254.0.0-169.254.255.255"
+    "172.16.0.0-172.31.255.255"
+    "192.0.0.0-192.0.0.255"
+    "192.0.2.0-192.0.2.255"
+    "192.88.99.0-192.88.99.255"
+    "192.168.0.0-192.168.255.255"
+    "198.18.0.0-198.19.255.255"
+    "198.51.100.0-198.51.100.255"
+    "203.0.113.0-203.0.113.255"
+    "240.0.0.0-255.255.255.255"
+    "::1"
+    "64:ff9b::-64:ff9b::ffff:ffff"
+    "::ffff:0.0.0.0-::ffff:255.255.255.255"
+    "100::-100::ffff:ffff:ffff:ffff"
+    "2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff"
+    "2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
+    "fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
+    "fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
+  ];
+  cert-fqdn = "matrix.ataraxiadev.com";
+in {
+  imports = with inputs.self; [ customProfiles.acme ];
+  security.acme.certs = {
+    ${cert-fqdn} = {
+      webroot = "/var/lib/acme/acme-challenge";
+      extraDomainNames = [
+        "element.ataraxiadev.com"
+        "turn.ataraxiadev.com"
+      ];
+    };
+  };
+
+  sops.secrets.auth-secret = {
+    sopsFile = inputs.self.secretsDir + /nixos-vps/coturn.yaml;
+    restartUnits = [ "coturn.service" ];
+    owner = config.users.users.turnserver.name;
+    mode = "0400";
+  };
+
+  virtualisation.libvirt.guests.debian-matrix = {
+    autoStart = true;
+    user = config.mainuser;
+    group = "libvirtd";
+    xmlFile = ../vm/debian-matrix.xml;
+  };
+
+  services.coturn = {
+    enable = true;
+    use-auth-secret = true;
+    static-auth-secret-file = config.sops.secrets.auth-secret.path;
+    realm = "turn.ataraxiadev.com";
+    min-port = 49152;
+    max-port = 49262;
+    no-cli = true;
+    cert = "${config.security.acme.certs.${cert-fqdn}.directory}/fullchain.pem";
+    pkey = "${config.security.acme.certs.${cert-fqdn}.directory}/key.pem";
+    no-tcp-relay = true;
+    extraConfig = ''
+      external-ip=${external-ip}
+      userdb=/var/lib/coturn/turnserver.db
+      no-tlsv1
+      no-tlsv1_1
+      no-rfc5780
+      no-stun-backward-compatibility
+      response-origin-only-with-rfc5780
+      no-multicast-peers
+    '' + lib.strings.concatMapStringsSep "\n" (x: "denied-peer-ip=${x}")
+      coturn-denied-ips;
+  };
+  systemd.services.coturn.serviceConfig.StateDirectory = "coturn";
+  systemd.services.coturn.serviceConfig.Group = lib.mkForce "acme";
+
+  networking = let
+    libvirt-ifname = "virbr0";
+    guest-ip = "192.168.122.11";
+    synapse-ports = [ 8081 8448 8766 ];
+    turn-ports = with config.services.coturn; [
+      listening-port tls-listening-port
+      alt-listening-port alt-tls-listening-port
+    ];
+  in {
+    firewall = {
+      allowedUDPPortRanges = with config.services.coturn; [{
+        from = min-port;
+        to = max-port;
+      }];
+      allowedUDPPorts = turn-ports;
+      allowedTCPPorts = turn-ports ++ synapse-ports;
+    };
+    nat = {
+      enable = true;
+      internalInterfaces = [ bridge.bridgeName ];
+      externalInterface = libvirt-ifname;
+      forwardPorts = [{
+        sourcePort = 8081;
+        proto = "tcp";
+        destination = "${guest-ip}:8081";
+      } {
+        sourcePort = 8448;
+        proto = "tcp";
+        destination = "${guest-ip}:8448";
+      } {
+        sourcePort = 8766;
+        proto = "tcp";
+        destination = "${guest-ip}:8766";
+      }];
+    };
+  };
+}
--- a/machines/NixOS-VPS/services/xtls.nix
+++ b/machines/NixOS-VPS/services/xtls.nix
@ -52,6 +52,7 @@ in {
        "${cert-key}:/etc/ssl/certs/cert.key:ro"
        "${cert-pem}:/etc/ssl/certs/cert.pem:ro"
        "${nginx-conf}:/etc/nginx/nginx.conf:ro"
+        "/var/lib/acme:/var/lib/acme"
      ];
    };
  };
--- a/machines/NixOS-VPS/vm/debian-matrix.xml
+++ b/machines/NixOS-VPS/vm/debian-matrix.xml
@ -0,0 +1,219 @@
+<domain type='kvm' id='13'>
+  <name>debian-matrix</name>
+  <uuid>b51ed804-ee83-4658-9634-5ed3d67443df</uuid>
+  <metadata>
+    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+      <libosinfo:os id="http://debian.org/debian/12"/>
+    </libosinfo:libosinfo>
+  </metadata>
+  <memory unit='KiB'>1048576</memory>
+  <currentMemory unit='KiB'>1048576</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <resource>
+    <partition>/machine</partition>
+  </resource>
+  <os>
+    <type arch='x86_64' machine='pc-q35-8.1'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+  </features>
+  <cpu mode='host-passthrough' check='none' migratable='on'/>
+  <clock offset='utc'>
+    <timer name='rtc' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
+  </pm>
+  <devices>
+    <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' discard='unmap'/>
+      <source file='/var/lib/libvirt/images/debian-12-root.qcow2' index='4'/>
+      <backingStore/>
+      <target dev='vda' bus='virtio'/>
+      <alias name='virtio-disk0'/>
+      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+    </disk>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' discard='unmap'/>
+      <source file='/var/lib/libvirt/images/debian-12-synapse.qcow2' index='3'/>
+      <backingStore/>
+      <target dev='vdb' bus='virtio'/>
+      <alias name='virtio-disk1'/>
+      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+    </disk>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' discard='unmap'/>
+      <source file='/var/lib/libvirt/images/debian-12-swap.qcow2' index='2'/>
+      <backingStore/>
+      <target dev='vdc' bus='virtio'/>
+      <alias name='virtio-disk2'/>
+      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
+    </disk>
+    <disk type='file' device='cdrom'>
+      <driver name='qemu'/>
+      <target dev='sda' bus='sata'/>
+      <readonly/>
+      <alias name='sata0-0-0'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
+      <alias name='usb'/>
+      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+    </controller>
+    <controller type='pci' index='0' model='pcie-root'>
+      <alias name='pcie.0'/>
+    </controller>
+    <controller type='pci' index='1' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='1' port='0x8'/>
+      <alias name='pci.1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='2' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='2' port='0x9'/>
+      <alias name='pci.2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+    </controller>
+    <controller type='pci' index='3' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='3' port='0xa'/>
+      <alias name='pci.3'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <controller type='pci' index='4' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='4' port='0xb'/>
+      <alias name='pci.4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
+    </controller>
+    <controller type='pci' index='5' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='5' port='0xc'/>
+      <alias name='pci.5'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
+    </controller>
+    <controller type='pci' index='6' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='6' port='0xd'/>
+      <alias name='pci.6'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
+    </controller>
+    <controller type='pci' index='7' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='7' port='0xe'/>
+      <alias name='pci.7'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x6'/>
+    </controller>
+    <controller type='pci' index='8' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='8' port='0xf'/>
+      <alias name='pci.8'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x7'/>
+    </controller>
+    <controller type='pci' index='9' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='9' port='0x10'/>
+      <alias name='pci.9'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='10' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='10' port='0x11'/>
+      <alias name='pci.10'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+    </controller>
+    <controller type='pci' index='11' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='11' port='0x12'/>
+      <alias name='pci.11'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
+    </controller>
+    <controller type='pci' index='12' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='12' port='0x13'/>
+      <alias name='pci.12'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
+    </controller>
+    <controller type='pci' index='13' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='13' port='0x14'/>
+      <alias name='pci.13'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
+    </controller>
+    <controller type='pci' index='14' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='14' port='0x15'/>
+      <alias name='pci.14'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
+    </controller>
+    <controller type='sata' index='0'>
+      <alias name='ide'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+    </controller>
+    <controller type='virtio-serial' index='0'>
+      <alias name='virtio-serial0'/>
+      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+    </controller>
+    <interface type='network'>
+      <mac address='52:54:00:5b:49:bf'/>
+      <source network='default' portid='9ecb6294-20a5-4ee8-ab55-bf8a94fdb029' bridge='virbr0'/>
+      <target dev='vnet12'/>
+      <model type='virtio'/>
+      <alias name='net0'/>
+      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <source path='/dev/pts/2'/>
+      <target type='isa-serial' port='0'>
+        <model name='isa-serial'/>
+      </target>
+      <alias name='serial0'/>
+    </serial>
+    <console type='pty' tty='/dev/pts/2'>
+      <source path='/dev/pts/2'/>
+      <target type='serial' port='0'/>
+      <alias name='serial0'/>
+    </console>
+    <channel type='unix'>
+      <source mode='bind' path='/run/libvirt/qemu/channel/13-debian-matrix/org.qemu.guest_agent.0'/>
+      <target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
+      <alias name='channel0'/>
+      <address type='virtio-serial' controller='0' bus='0' port='1'/>
+    </channel>
+    <input type='mouse' bus='ps2'>
+      <alias name='input0'/>
+    </input>
+    <input type='keyboard' bus='ps2'>
+      <alias name='input1'/>
+    </input>
+    <audio id='1' type='none'/>
+    <watchdog model='itco' action='reset'>
+      <alias name='watchdog0'/>
+    </watchdog>
+    <memballoon model='virtio'>
+      <alias name='balloon0'/>
+      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
+    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+      <alias name='rng0'/>
+      <address type='pci' domain='0x0000' bus='0x08' slot='0x00' function='0x0'/>
+    </rng>
+  </devices>
+  <seclabel type='dynamic' model='dac' relabel='yes'>
+    <label>+301:+301</label>
+    <imagelabel>+301:+301</imagelabel>
+  </seclabel>
+</domain>
+
--- a/modules/libvirt-guests/default.nix
+++ b/modules/libvirt-guests/default.nix
@ -439,7 +439,7 @@ in {
          "${pkgs.libvirt}/bin/virsh net-start ${guest.devices.network.sourceDev} || true"}
        '';
      };
-      "libvirtd-guest-${name}" = {
+      "libvirt-guest-${name}" = {
        after = [ "libvirt-guest-define-${name}.service" ];
        requires = [ "libvirt-guest-define-${name}.service" ];
        wantedBy = lib.mkIf guest.autoStart [ "multi-user.target" ];
--- a/profiles/servers/gitea.nix
+++ b/profiles/servers/gitea.nix
@ -17,7 +17,7 @@ in {
  secrets.gitea-mailer = gitea-secret;
  secrets.gitea-secretkey = gitea-secret;
  secrets.gitea-internaltoken = gitea-secret;
-  secrets.gitea-hypervisor-native = runner-secret [ "gitea-runner-native.service" ];
+  secrets.gitea-runner-hypervisor = runner-secret [ "gitea-runner-hypervisor.service" ];

  persist.state.directories = [
    "/var/lib/gitea-runner"
@ -122,12 +122,15 @@ in {
    isSystemUser = true;
    group = runner-group;
  };
-  services.gitea-actions-runner.instances.native = {
+  services.gitea-actions-runner.instances.hypervisor = {
    enable = true;
-    name = "hypervisor-native";
+    name = "hypervisor";
    url = config.services.gitea.settings.server.ROOT_URL;
-    tokenFile = config.secrets.gitea-hypervisor-native.decrypted;
-    labels = [ "native:host" ];
+    tokenFile = config.secrets.gitea-runner-hypervisor.decrypted;
+    labels = [
+      "native:host"
+      "debian-latest:docker://debian:12-slim"
+    ];
    hostPackages = with pkgs; [
      bash
      curl
@ -139,7 +142,7 @@ in {
    # TODO: fix cache server
    # settings = {};
  };
-  systemd.services.gitea-runner-native = {
+  systemd.services.gitea-runner-hypervisor = {
    serviceConfig.DynamicUser = lib.mkForce false;
    serviceConfig.User = lib.mkForce runner-user;
    serviceConfig.Group = lib.mkForce runner-group;
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -59,43 +59,43 @@ in {
    "ataraxiadev.com" = {
      webroot = "/var/lib/acme/acme-challenge";
      extraDomainNames = [
-        "startpage.ataraxiadev.com"
-        "vw.ataraxiadev.com"
-        "code.ataraxiadev.com"
-        "fb.ataraxiadev.com"
-        "browser.ataraxiadev.com"
-        # "webmail.ataraxiadev.com"
-        "jellyfin.ataraxiadev.com"
-        "medusa.ataraxiadev.com"
-        "qbit.ataraxiadev.com"
-        "jackett.ataraxiadev.com"
-        "ldap.ataraxiadev.com"
-        "bathist.ataraxiadev.com"
-        "joplin.ataraxiadev.com"
        "api.ataraxiadev.com"
-        "fsync.ataraxiadev.com"
        "auth.ataraxiadev.com"
-        "sonarr.ataraxiadev.com"
-        "radarr.ataraxiadev.com"
-        "file.ataraxiadev.com"
-        "lidarr.ataraxiadev.com"
-        "cocalc.ataraxiadev.com"
-        "kavita.ataraxiadev.com"
-        "tools.ataraxiadev.com"
-        "home.ataraxiadev.com"
-        "openbooks.ataraxiadev.com"
+        "bathist.ataraxiadev.com"
+        "browser.ataraxiadev.com"
        "cache.ataraxiadev.com"
-        "docs.ataraxiadev.com"
        "cal.ataraxiadev.com"
+        "cocalc.ataraxiadev.com"
+        "code.ataraxiadev.com"
+        "docs.ataraxiadev.com"
+        "fb.ataraxiadev.com"
+        "file.ataraxiadev.com"
+        "fsync.ataraxiadev.com"
+        "home.ataraxiadev.com"
+        "jackett.ataraxiadev.com"
+        "jellyfin.ataraxiadev.com"
+        "joplin.ataraxiadev.com"
+        "kavita.ataraxiadev.com"
+        "ldap.ataraxiadev.com"
+        "lib.ataraxiadev.com"
+        "lidarr.ataraxiadev.com"
+        "medusa.ataraxiadev.com"
+        "openbooks.ataraxiadev.com"
+        "pdf.ataraxiadev.com"
+        "qbit.ataraxiadev.com"
+        "radarr.ataraxiadev.com"
+        "sonarr.ataraxiadev.com"
+        "startpage.ataraxiadev.com"
+        "tools.ataraxiadev.com"
+        "vw.ataraxiadev.com"
        "wg.ataraxiadev.com"
        "wiki.ataraxiadev.com"
-        "pdf.ataraxiadev.com"
-        "lib.ataraxiadev.com"
+        # "webmail.ataraxiadev.com"

-        "matrix.ataraxiadev.com"
-        "dimension.ataraxiadev.com"
-        "stats.ataraxiadev.com"
-        "element.ataraxiadev.com"
+        # "matrix.ataraxiadev.com"
+        # "dimension.ataraxiadev.com"
+        # "stats.ataraxiadev.com"
+        # "element.ataraxiadev.com"
      ];
    };
  };
@ -160,39 +160,39 @@ in {
          '';
        };
      } // default;
-      "matrix:443" = {
-        serverAliases = [
-          "matrix.ataraxiadev.com"
-          "dimension.ataraxiadev.com"
-          "element.ataraxiadev.com"
-          "stats.ataraxiadev.com"
-        ];
-        listen = [{
-          addr = "0.0.0.0";
-          port = 443;
-          ssl = true;
-        }];
-        locations."/" = {
-          proxyPass = "http://matrix.pve:81";
-          extraConfig = ''
-            client_max_body_size 50M;
-          '' + proxySettings;
-        };
-      } // default;
-      "matrix:8448" = {
-        serverAliases = [ "matrix.ataraxiadev.com" ];
-        listen = [{
-          addr = "0.0.0.0";
-          port = 8448;
-          ssl = true;
-        }];
-        locations."/" = {
-          proxyPass = "http://matrix.pve:8448";
-          extraConfig = ''
-            client_max_body_size 50M;
-          '' + proxySettings;
-        };
-      } // default;
+      # "matrix:443" = {
+      #   serverAliases = [
+      #     "matrix.ataraxiadev.com"
+      #     "dimension.ataraxiadev.com"
+      #     "element.ataraxiadev.com"
+      #     "stats.ataraxiadev.com"
+      #   ];
+      #   listen = [{
+      #     addr = "0.0.0.0";
+      #     port = 443;
+      #     ssl = true;
+      #   }];
+      #   locations."/" = {
+      #     proxyPass = "http://matrix.pve:81";
+      #     extraConfig = ''
+      #       client_max_body_size 50M;
+      #     '' + proxySettings;
+      #   };
+      # } // default;
+      # "matrix:8448" = {
+      #   serverAliases = [ "matrix.ataraxiadev.com" ];
+      #   listen = [{
+      #     addr = "0.0.0.0";
+      #     port = 8448;
+      #     ssl = true;
+      #   }];
+      #   locations."/" = {
+      #     proxyPass = "http://matrix.pve:8448";
+      #     extraConfig = ''
+      #       client_max_body_size 50M;
+      #     '' + proxySettings;
+      #   };
+      # } // default;
      "home.ataraxiadev.com" = default // authentik {
        proxyPass = "http://127.0.0.1:3000";
      };
--- a/profiles/virtualisation.nix
+++ b/profiles/virtualisation.nix
@ -99,9 +99,9 @@ with config.deviceSpecific; {
    # link existing extracted from fedora package
    system.activationScripts.aarch64-ovmf.text = ''
      rm -f /run/libvirt/nix-ovmf/AAVMF_*
-      mkdir -p /run/libvirt/nix-ovmf/
-      ln -s ${../misc/AAVMF_CODE.fd} /run/libvirt/nix-ovmf/AAVMF_CODE.fd
-      ln -s ${../misc/AAVMF_VARS.fd} /run/libvirt/nix-ovmf/AAVMF_VARS.fd
+      mkdir -p /run/libvirt/nix-ovmf || true
+      ${pkgs.zstd}/bin/zstd -d ${../misc/AAVMF_CODE.fd.zst} -o /run/libvirt/nix-ovmf/AAVMF_CODE.fd
+      ${pkgs.zstd}/bin/zstd -d ${../misc/AAVMF_VARS.fd.zst} -o /run/libvirt/nix-ovmf/AAVMF_VARS.fd
    '';
  };
 }
--- a/secrets/nixos-vps/coturn.yaml
+++ b/secrets/nixos-vps/coturn.yaml
@ -0,0 +1,47 @@
+auth-secret: ENC[AES256_GCM,data:5Zn4k/4vKgdO4W/Fq3n4w//FpxC2aVc/BVMLZ3W7gQz6Ja6ZNUJk1HoRxGC3QxnCGtfIOJVNT5G02oZ7jFgxAQ==,iv:GxEk0PHpoQp6HPtbvA+4eTWmoSZ03JGXHW8Y3bDJizE=,tag:gc+LilrRQ3xp61W5QDYMrw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-18T14:37:39Z"
+    mac: ENC[AES256_GCM,data:xy7VzZ7xL4p+uTeOp1biDOpiiLEraZIdsgpAQSsMv2GyuUaomUMe3GNADFWq7ht1NaMwYzKCIMd1/mVfq8VEULDKep+6mTxeA6vrx2jlQoK01U2EdjCONrGYdU4Px/R04WZ+SM9hHtKxe8W/4KhwZFyYqrcg4/4vKTbQjbkowtI=,iv:J8VaBYZksU8kOEqSXQKSWKqe8IdNKBkkhHxLukNMjHw=,tag:gjBdlATLfGrYDz1Iycs7tw==,type:str]
+    pgp:
+        - created_at: "2024-01-18T14:35:52Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAwcagTG/Fm6AAQf8DygLD9fZKyfPIrGERhC9MufuSYNrlv9fQ++fFGDO2rVH
+            APUgnevzG02AZ6Z4rSWc+pPFithBwnz9sBFWVZ8z7zPs1TyjrBwvj9xJHPSoLADz
+            lJRE5bOgok/IFCECrpmKYsxJki6BmNfSf+VKa/M67OFzyp9TKxCCTMMh+hJw7AiQ
+            fUWCMWpjVTR7rGduavidzOz2hHxo/sDuM5yvrhS/v9M8vM+gn+AgcQ2j/nHeTZD8
+            mUlmYbQghc3k2ar+gcjEv4xA1rz0lYkMDmo3ixFgdWLCQb2+CsG7o6zlpmzTJQwq
+            c00Ptf1t+s0c33QSM7ZyGkm1TTF6Xwu5zu+qHd9pOtJYAZyfdYHXmNfjk6HZSKqF
+            PmJBzouYbt5H6yDiEVn5unETIMCH0At1CnIfamZTMkwcsyD7pjvgiEu07h29Ksln
+            JPZ/T+lTp+kp5GsYVqlAxxuaOlw29dgaHw==
+            =V94x
+            -----END PGP MESSAGE-----
+          fp: ad382d058c964607b7bbf01b071a8131bf166e80
+        - created_at: "2024-01-18T14:35:52Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzTK+524Lx1AAQ//ZTlr+ftqM40ZrxR4nDRPmtHEZ+EGD3Hyvtr4JgEJh+iO
+            yXJUWOyEw9VRhEW5b8e494ZTNpfqFBN8Z6ij/2QR2IayC45mi9fBC/rlE9j3BW4Q
+            1Cqtmt4vH2voarNo4PoQh2lZnuOyMkASTe5vkSUUHVj59JDQ5RRVQtGfTYwiVKqj
+            W0/y5RgBjh609EhQ/fZFdPn+UqJftx/gfXm6UrGRdojkK8J33SxljNyQLV804oyB
+            6mAYd5O2aMi3z3Fi43ENzd/1b+3PeZRjdX8mlaYIllUNjDqyMFzKxDzyMM4URvaV
+            M1cooizedgU4S2FDpDZwLWxVXIUyPaM0bxdHYCExBa9MDU/KRk4MXl+UnERanNgM
+            TYpMS57/MAcu/0noWYHJcIpb2j+56W1LNpIOpbAmZi8fwnZm7xJglLc6YHGqxSRW
+            vA+CUmWUfGreW+M/XIEepUKSwlH4n8LnRLgx/NIV3NFcBBBduHubIz19KX8QEnyg
+            bDWCTokPnsRBkf0wVW9npIksw2pDzzecb4jJM1zW21LnPB6dqYnM80GnLxgXewTU
+            2GBJ2z7P5/0KWd1ae2Nvm/0W3JqQp8IVJc0Quz73kwRISyjZZ+KmNo/sJEj441qL
+            JQSIS5LsKsvCCJ/I3oBK9RnfB75NOeuSVirudETd1jX4yZ+hVZI5VbB+9S6orHrS
+            WAGjjsu1a38GJ8lBSZK7JDyJhD+xpqEFqAyNispANMNjoFD+B30/mvAuAH/H30gh
+            kKembMcMv/p9jp3S9xhp9BfqJZs1mVADGdG1VfkXl6ybVB4HWLo5JII=
+            =QX30
+            -----END PGP MESSAGE-----
+          fp: 20d2e2b90c6aa179585b6b6b34cafb9db82f1d40
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/secrets/nixos-vps/nginx.yaml
+++ b/secrets/nixos-vps/nginx.yaml
Author	SHA1	Message	Date
Dmitriy Kholkin	6bce54184d	fix gitea actions runner Some checks failed Update flake.lock / build (push) Failing after 12s	2024-01-18 21:47:43 +03:00
Dmitriy Kholkin	ef81a8eeb8	fix ovmf	2024-01-18 21:47:13 +03:00
Dmitriy Kholkin	8ce7f46086	setup synapse vm on nixos-vps	2024-01-18 21:46:51 +03:00