2026-03-16 06:06:07 +01:00
33 changed files with 62 additions and 103 deletions
--- a/newinfra/nix/apps/upload-files/default.nix
+++ b/newinfra/nix/apps/upload-files/default.nix
@ -1,19 +0,0 @@
 { upload-files, pkgs, lib, config, ... }: {
  age.secrets.upload_files_s3_secret.file = ../../secrets/upload_files_s3_secret.age;
  systemd.services.upload-files = {
    description = "upload.files.noratrieb.dev file uploader for files.noratrieb.dev";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    environment = {
      UPLOAD_FILES_NORATRIEB_DEV_BUCKET = "files.noratrieb.dev";
      UPLOAD_FILES_NORATRIEB_DEV_ENDPOINT = "http://localhost:3900";
      UPLOAD_FILES_NORATRIEB_DEV_REGION = "garage";
    };
    serviceConfig = {
      DynamicUser = true;
      ExecStart = "${lib.getExe (upload-files {inherit pkgs;})}";
      EnvironmentFile = [ config.age.secrets.upload_files_s3_secret.path ];
    };
  };
 }
--- a/newinfra/nix/hive.nix
+++ b/newinfra/nix/hive.nix
@ -20,7 +20,6 @@
        pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz");
        quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz");
        does-it-build = import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz");
        upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz");
        inherit my-projects-versions;
@ -184,7 +183,6 @@
      ./apps/killua
      ./apps/forgejo
      ./apps/openolat
      ./apps/upload-files
    ];
    deployment.tags = [ "caddy" "eu" "apps" "website" ];
--- a/newinfra/nix/modules/caddy/base.Caddyfile
+++ b/newinfra/nix/modules/caddy/base.Caddyfile
@ -21,32 +21,6 @@
 	}
 }
 # https://gist.github.com/ryanburnette/d13575c9ced201e73f8169d3a793c1a3
 (cors) {
 	@cors_preflight{args[0]} method OPTIONS
 	@cors{args[0]} header Origin {args[0]}
 	handle @cors_preflight{args[0]} {
 		header {
 			Access-Control-Allow-Origin "{args[0]}"
 			Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
 			Access-Control-Allow-Credentials "false"
 			Access-Control-Allow-Headers "${args[1]}"
 			Access-Control-Max-Age "86400"
 			defer
 		}
 		respond "" 204
 	}
 	handle @cors{args[0]} {
 		header {
 			Access-Control-Allow-Origin "{args[0]}"
 			Access-Control-Expose-Headers *
 			defer
 		}
 	}
 }
 http:// {
 	log
 	respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418
--- a/newinfra/nix/modules/caddy/default.nix
+++ b/newinfra/nix/modules/caddy/default.nix
@ -70,13 +70,6 @@ in
                    precompressed zstd gzip br
                }
            }
            files.noratrieb.dev {
              log
              encode zstd gzip
              reverse_proxy * localhost:3902
            }
            '' else ""
          }
--- a/newinfra/nix/modules/caddy/vps1.Caddyfile
+++ b/newinfra/nix/modules/caddy/vps1.Caddyfile
@ -1,3 +1,29 @@
 # https://gist.github.com/ryanburnette/d13575c9ced201e73f8169d3a793c1a3
 (cors) {
 	@cors_preflight{args[0]} method OPTIONS
 	@cors{args[0]} header Origin {args[0]}
 	handle @cors_preflight{args[0]} {
 		header {
 			Access-Control-Allow-Origin "{args[0]}"
 			Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
 			Access-Control-Allow-Credentials "false"
 			Access-Control-Allow-Headers "${args[1]}"
 			Access-Control-Max-Age "86400"
 			defer
 		}
 		respond "" 204
 	}
 	handle @cors{args[0]} {
 		header {
 			Access-Control-Allow-Origin "{args[0]}"
 			Access-Control-Expose-Headers *
 			defer
 		}
 	}
 }
 www.noratrieb.dev {
 	log
 	redir https://noratrieb.dev{uri} permanent
@ -52,14 +78,6 @@ olat.noratrieb.dev:8088 {
 	reverse_proxy * localhost:5011
 }
 upload.files.noratrieb.dev {
 	log
 	encode zstd gzip
 	# we need HTTP/2 here because the server doesn't work with HTTP/1.1
 	# because it will send early 401 responses during the upload without consuming the body
 	reverse_proxy * h2c://localhost:3050
 }
 ################################################################
 # redirects
--- a/newinfra/nix/modules/dns/noratrieb.dev.nix
+++ b/newinfra/nix/modules/dns/noratrieb.dev.nix
@ -57,11 +57,6 @@ let
        # --- website stuff
        blog = vps1;
        www = vps1;
        files = combine [ vps1 vps3 vps4 ] // {
          subdomains = {
            upload = vps1;
          };
        };
        # --- legacy crap
        old-docker = vps2;
--- a/newinfra/nix/modules/garage/README.md
+++ b/newinfra/nix/modules/garage/README.md
@ -25,8 +25,6 @@
    - key `backups` RW
 - `forgejo`
    - key `forgejo` RW
 - `files.noratrieb.dev`
    - key `upload-files` RW
 ## keys
--- a/newinfra/nix/my-projects.json
+++ b/newinfra/nix/my-projects.json
@ -4,6 +4,5 @@
  "slides": "0401f35c22b124b69447655f0c537badae9e223c",
  "pretense": "270b01fc1118dfd713c1c41530d1a7d98f04527d",
  "quotdd": "e922229e1d9e055be35dabd112bafc87a0686548",
-  "does-it-build": "81790825173d87f89656f66f12a123bc99e2f6f1",
+  "does-it-build": "81790825173d87f89656f66f12a123bc99e2f6f1"
  "upload.files.noratrieb.dev": "90f6a6a82fb24c61fd19643d383ea7c8415f558a"
 }
--- a/newinfra/nix/secrets/backup_s3_secret.age
+++ b/newinfra/nix/secrets/backup_s3_secret.age
--- a/newinfra/nix/secrets/caddy_s3_key_secret.age
+++ b/newinfra/nix/secrets/caddy_s3_key_secret.age
--- a/newinfra/nix/secrets/docker_registry_password.age
+++ b/newinfra/nix/secrets/docker_registry_password.age
@ -1,5 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg QziuzHQxmWyRdv8dUPBWTgnMxFtqR6ttP16Z3XdvD3Y
+-> ssh-ed25519 qM6TYg +BQUq++K4fbTXFQXdZwoVKaeRY75C96A1vnn5gUo5WY
-Krxmha5J+gTU0DjzPDTDIwz1mW0Q84XR2FgQyPm4bf4
+jxUb+nX0t0OIhJxgdaOwTvviVnGoPlAKcmXIRW7FhEM
--- t4Mea1Y35o5t2dhREnp8Zq1AyR4DAWMFW7Vv3CkgGKw
+--- plPYamLI4c2gzNcPkNeEdh68k3i3STrazb5sTG7txUY
-ìlTS+Æ³6y¿rîëOØné<6E>&c`Ï°Êü<>:û³7V»-tf±puw€I¥w“Âøå
+Ň	GAvÂ°ť(îĚ
 \ 9’N
 ŻťwJŮ`Yüé.ö˘–´Ăxâ.líî„q…9Şµ„3
--- a/newinfra/nix/secrets/forgejo_s3_key_secret.age
+++ b/newinfra/nix/secrets/forgejo_s3_key_secret.age
--- a/newinfra/nix/secrets/garage_secrets.age
+++ b/newinfra/nix/secrets/garage_secrets.age
@ -1,12 +1,12 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg B17o68OCsoljQLd4yLx1gZbt9zsFhQE8/QJeZ3Gx+AI
+-> ssh-ed25519 qM6TYg dSNo/WHtuVibuLghfNnznYw6+zsMJOWvi7LitHSn3AY
-ADxN8iqNN5ApzHMtIXMnMTN4qe/7ba+ZoqkpHDpq9dE
+pfZti2of1OZVOgVR+wXZrhGggtZ2W3jyUADDWVxQHfs
-> ssh-ed25519 XzACZQ Jp5WvbUVmfecvN95vM6+DQmJicVf4u94Vm0mYtBVODw
+-> ssh-ed25519 XzACZQ d5+ZaKmyb1yTZJ0mvPYl6On9XaOp8Z59zNQXVtEj6F8
-XAdVpk6bAwAU7OQxvedepr3g8HQo5sY5efy3lYhf1xA
+Ku4GwagVLPZHzOpkaFPZ1i5NoB9Z+Eyd0tuY28yS5Y
-> ssh-ed25519 51bcvA DUkgjLS805iAsnaCl3B8BOP6cdKOJCx0aK23UEDmTyw
+-> ssh-ed25519 51bcvA PxNLpJLMnUrlyzKUairI6Y+f6BYn7N9e/OURoiHcWQk
-dUZhXJiYkCZvassxSg0Cgf9c+ta2Oc2PNhLdvHBP24M
+FsXdpP0pM+Xvst93kHIG+KsDlwrRRks4jxl+Q487Msc
-> ssh-ed25519 vT7ExA 0Z2/GFY2aqO2HJJet3CRSh3yxchGt7AYTzkl0D2aoEQ
+-> ssh-ed25519 vT7ExA PE9zzE4bKcexXg6LuoQnUOJbvNlqQF//qm1fgB6sM0M
-GuMqW7tbsEl/SskgN1hPa0B/aWtet/+pHxmbwsTzPCM
+YSzgtZ+zGoTljLHrxeIY7MQV7xmLNDPFEeVrSq37QHA
--- vgf72fLRkTVRtJoxh+qfim9YYELE0W74L6ZVjpo+8vI
+--- VGV6MkGwLwYmCq73bDzIJaRRTESJ9a1fieP1AJNiAUs
-åø=ê&óŸC»íÄŸŸ#À¥ÑÒ/nÜ¤è´2Â9†ØÞøo[<5B>›S+uWÊ¶¢£4êÕf/hAÈþ#ïþOs_†RV£òEÆÆóÎûúÎVAlžTÏ/¤VÎ¨tµøJNöËUë;ññnGúQïìÝ£ÖO{Áx[ #°¿›†íÏP¨Hß9P®€:z
+‹j\ËČ_I9Îd±UK÷ Ë ďF1^Ň<08>ođ±uŔÍJŰŰo
-ê‰û²å‚yX„Ñ`]%>¨+ÙÞ~)Ø`V–ïâxÛ°€i-ƒã¬Fýªš$xHå)ÒTMcZ
+<EFBFBD>ąŁÄÉP"šltÖ±v%čőÚan›«©EëZX2’’×©«S;¤’	JĄ›$~žjcgŠ\«~5$Ö„ü*Ď	]§"˛·«
Ů ţńjS˛+qÎ—@wç·¨ËšĄ‡ôNÁ’<C381>ż1€F@ľ’k©•×$_ýaÎÂ…;Zö|ĂX‡LżKhˇ0Ŕó6®±ěż"Ń<Ů‘
--- a/newinfra/nix/secrets/grafana_admin_password.age
+++ b/newinfra/nix/secrets/grafana_admin_password.age
--- a/newinfra/nix/secrets/hugochat_db_password.age
+++ b/newinfra/nix/secrets/hugochat_db_password.age
--- a/newinfra/nix/secrets/killua_env.age
+++ b/newinfra/nix/secrets/killua_env.age
--- a/newinfra/nix/secrets/loki_env.age
+++ b/newinfra/nix/secrets/loki_env.age
--- a/newinfra/nix/secrets/minio_env_file.age
+++ b/newinfra/nix/secrets/minio_env_file.age
--- a/newinfra/nix/secrets/openolat_db_password.age
+++ b/newinfra/nix/secrets/openolat_db_password.age
--- a/newinfra/nix/secrets/registry_htpasswd.age
+++ b/newinfra/nix/secrets/registry_htpasswd.age
--- a/newinfra/nix/secrets/registry_s3_key_secret.age
+++ b/newinfra/nix/secrets/registry_s3_key_secret.age
--- a/newinfra/nix/secrets/s3_mc_admin_client.age
+++ b/newinfra/nix/secrets/s3_mc_admin_client.age
--- a/newinfra/nix/secrets/secrets.nix
+++ b/newinfra/nix/secrets/secrets.nix
@ -23,7 +23,6 @@ in
  "s3_mc_admin_client.age".publicKeys = [ vps1 vps3 vps4 vps5 ];
  "killua_env.age".publicKeys = [ vps1 ];
  "forgejo_s3_key_secret.age".publicKeys = [ vps1 ];
  "upload_files_s3_secret.age".publicKeys = [ vps1 ];
  "wg_private_dns1.age".publicKeys = [ dns1 ];
  "wg_private_dns2.age".publicKeys = [ dns2 ];
  "wg_private_vps1.age".publicKeys = [ vps1 ];
--- a/newinfra/nix/secrets/upload_files_s3_secret.age
+++ b/newinfra/nix/secrets/upload_files_s3_secret.age
--- a/newinfra/nix/secrets/wg_private_dns1.age
+++ b/newinfra/nix/secrets/wg_private_dns1.age
--- a/newinfra/nix/secrets/wg_private_dns2.age
+++ b/newinfra/nix/secrets/wg_private_dns2.age
--- a/newinfra/nix/secrets/wg_private_vps1.age
+++ b/newinfra/nix/secrets/wg_private_vps1.age
@ -1,5 +1,6 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg 4aRY2+KMkGoSJtRfdkTRwIj6bYGSQJvJjq669297MHE
+-> ssh-ed25519 qM6TYg vC8XBZQGff/q/SEsiIb+pyhfE/2MCWbo1m+suXpzyhY
-Kjf7jo93e4oMRKmN5u3Xa3CUpIp9bZPoUAGqjdgOulw
+r2R02FSzrpiPyoAeiPqWNdXc0Jqd6v2rv4hxo89LqD8
--- wapYiQbpT4gfZyI5cMnB4O+LdM9PvsUxM7nTv954nNg
+--- NBCfTZYGNmAHQOABVhlcsgbJmKpmeUM15FdKLQjVazw
-õš<EFBFBD>ê÷¤eVn?Õ]¥ÁÁøÅ<C3B8>—3!l0•„†<E2809E>ÑâØ±°ñó«ëõó<¡ [œƒŸo¯¶ø[?Ý®ä<C2AE>¬í·¦ÓB'ìWò—(‡•
+,t¬}˜ <20>¨¾“| &¦“-À^uüÊU6Z_ì&Ú—Úuôe[wá—™–Ó	_ë²¢°
 £^£®\Ý(ëœ†gP‚y-j‹éš;ýùD
--- a/newinfra/nix/secrets/wg_private_vps3.age
+++ b/newinfra/nix/secrets/wg_private_vps3.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 XzACZQ J67LUjHa64q/z1K8zZpx1rsnoQ94NzhkeXEpfNr4ZVQ
+-> ssh-ed25519 XzACZQ FnGfRDdT9kQXeYzv7yzwI+1fVXmeseC6YVCCzeoeLCQ
-dy5Tre9IicxhLBHoqvQAZepG7bNg2dEXFT5iPRcWOcA
+HydL6WRBzLmqAKNmf0kzBmZiFRQ8KM3dHEdx2676Nx0
--- 9dJKhJeue6VNi0Sw05BX/t8jsxXyRIKz0K3/sy0kT7w
+--- E7+8BYiNPPm3fI6FiEii2txlbsesfSXuE2Nxvb7Zlx4
-Ýh9ÎÛËi£·ÀÍs¡ØâM
=TnÕw€W)<29>õ€Ûòêã²›îÃ\ÇÕ<2*%æ_ëå×Ü³¿«ôgÇLñõN‹5c—D5ô@áÍ»ÂØ
+™m»5q®÷ÞÁ~ú>R-¡<C2AD>·ôeŒ~ÿ+$¦˜•TÌ5öPäõr´nH:$4ðj¦kþB÷$CqRuóïˆM˜mªF`‹þA4<41>·Ñe
--- a/newinfra/nix/secrets/wg_private_vps4.age
+++ b/newinfra/nix/secrets/wg_private_vps4.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 51bcvA P7ouUh98Mfi9Jsu6MDWaWH0NB2alXRIK8hxBIs0Nylg
+-> ssh-ed25519 51bcvA IVcXj0PQpO6Rj7ovi4GgoQF77sRDdumHNavSVdQXcHI
-tUZ1sWLlvPizsSWhK3fnVVhr4C9Ign5rwowxePGXFII
+O7j/05HqbjLvIYh9cT/iT8p6GMDn14vDOqU3Jh6tUIc
--- PHPizXT8GPP9mIFg1paqqc8w3qsX63XpLkeT0APybik
+--- wt0viOUTFWu9ze3CcQ4i1xMrb+RLTOg2hcVsDwbzMzA
-—´B§?*8-nËLsÍj<‘ k*.@¯ªœé6K‡Ug ‹×'8¼
Ñ#Žòíhç.l~Sà3£%¶šÀ!ŸVYK•l¿R¾ ´ÔØ˜o
+Çâ<C387>iÍ-_ñŒrË£Æ*=Öî@Ÿ“|D3éÕeå%ö´näÈYÈò'í×RŠ°h3î‡VËü%-=¡à¾W¸Óî‹;
¼icS
--- a/newinfra/nix/secrets/wg_private_vps5.age
+++ b/newinfra/nix/secrets/wg_private_vps5.age
@ -1,5 +1,6 @@
 age-encryption.org/v1
-> ssh-ed25519 vT7ExA 9+j3VYkFAW1obbLc31nv+45SyPMqH1zZPkI+PU4lVH8
+-> ssh-ed25519 vT7ExA kxCR8CbPH5GgSS/ENXQ81zPQ+n041l7yV6zzQv1smwk
-G9QkkyTNH499EWhjiXCyXt7HgHlzJTZsaLiR+yOF18E
+mhn18RlBXbpMfZAHrUam5ktlV5Z28UIg8Ufk4H/tfSA
--- vq7bT3yTioJ1UsD7hSu5jyYKhOE6UMIMsosu4f5pK1w
+--- WXmrUK2YnQQqZQgoW219LEVgBoHa+N3NqO4cqsF9Pr8
-Q±<>žž¹ýÁ˜ÅVÐé#<23>(7èýÎEYÉÛÅÌ\ú££Z¨?GÙ«ç_CÛI¦îÐ‰gNi´V¯å‘e]•¢tx@¸w+
+Ê>•0…:üh`´µÈ;¹D
+	
 æüìŽ½Å*TYÔüDà 9/<2F>9:Lw“ëQ÷çàNðßÆC³x'QHdÞcM<63>Ï£ú½úÄ8“à
--- a/newinfra/nix/secrets/widetom_bot_token.age
+++ b/newinfra/nix/secrets/widetom_bot_token.age
--- a/newinfra/nix/secrets/widetom_config_toml.age
+++ b/newinfra/nix/secrets/widetom_config_toml.age
--- a/newinfra/secrets-git-crypt/upload_files_s3_secret
+++ b/newinfra/secrets-git-crypt/upload_files_s3_secret