From 01b5a0fe25131d585eb06f870cfaede8f3df5467 Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Wed, 2 Apr 2025 15:46:38 +0200
Subject: [PATCH] Bump version + minor cleanups
Signed-off-by: jeltz@federez.net
---
 hive.nix | 51 ++++++++++++++++-----------------
 npins/sources.json | 6 ++++
 profiles/irc-bot.nix | 2 +-
 profiles/matrix-server.nix | 2 +-
 profiles/vogon.nix | 13 +++++++--
 secrets/secrets.nix | 4 +--
 secrets/vogon-wg-infra-key.age | Bin 1775 -> 1775 bytes
 7 files changed, 44 insertions(+), 34 deletions(-)
diff --git a/hive.nix b/hive.nix
index be56c3a..7f0c8d7 100644
--- a/hive.nix
+++ b/hive.nix
@@ -1,6 +1,8 @@
 let
 src = import ./npins;
- pkgs = import src.nixpkgs { };
+ pkgs = import src.nixpkgs {
+ config.permittedInsecurePackages = [ "olm-3.2.16" ];
+ };
 disko = (import src.disko { inherit (pkgs) lib; });
 diskConfig = import ./disks/ext4.nix {
 inherit (pkgs) lib;
@@ -8,7 +10,11 @@ let
 
 in {
 meta = {
- nixpkgs = src.nixpkgs;
+ nixpkgs = pkgs;
+ nodeNixpkgs = {
+ # FIXME discourse est cassé en unstable
+ pendragon = src."nixpkgs-24.11";
+ };
 };
 
 # FIXME
@@ -21,6 +27,9 @@ in
 "${src.agenix}/modules/age.nix"
 ];
 
+ deployment.targetHost = "${name}.federez.net";
+ networking.hostName = name;
+
 security.acme.defaults.email = "monitoring@federez.net";
 security.acme.acceptTerms = true;
 
@@ -45,10 +54,8 @@ in
 time.timeZone = "Europe/Paris";
 };
 
- vogon = { name, nodes, ... }: {
+ vogon = { ... }: {
 deployment.tags = [ "hypervisor" ];
- deployment.targetHost = "vogon.federez.net";
- networking.hostName = name;
 networking.hostId = "1751e2a7";
 
 imports = [
@@ -57,12 +64,8 @@ in
 ];
 };
 
- estragon = { name, nodes, pkgs, ... }: {
+ estragon = { pkgs, ... }: {
 deployment.tags = [ "matrix" ];
- deployment.targetHost = "estragon.federez.net";
- networking.hostName = name;
-
- environment.systemPackages = [ pkgs.tcpdump pkgs.openssl ];
 
 glucagon.networking = {
 nibble = 227;
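Review bot: `config.permittedInsecurePackages = [ "olm-3.2.16" ]` in the first hive.nix hunk silences nixpkgs' insecure-package refusal for every node built from this `pkgs`, not only the one that actually needs olm, and it carries no explanation. nixpkgs flags olm because upstream declared it unmaintained with known cryptographic weaknesses left unfixed; presumably one of the Matrix bridges on estragon pulls it in, but the commit does not say. Record the consumer and the exit condition next to the allow-list, e.g. `# olm is unmaintained upstream and marked insecure in nixpkgs; still required by <bridge> on estragon — remove once that dependency is gone`, and consider scoping the allow-list to that node via nodeNixpkgs so the other hosts keep the default refusal.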
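Review bot: The comment above `pendragon = src."nixpkgs-24.11"` in the nodeNixpkgs hunk is in French and does not state what unblocks the pin; since sources.json freezes that channel at a single snapshot, pendragon will now lag the security fixes the rest of the hive gets from nixos-unstable-small until someone remembers to bump npins. Replace the comment with something a future maintainer can act on, e.g. `# FIXME: discourse does not build on unstable, so pendragon stays on 24.11; re-check on every npins update — the 24.11 channel has a limited support window`.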
@@ -88,10 +91,8 @@ in
 system.build.diskoScript = disko.diskoScript diskConfig pkgs;
 };
 
- wagon = { name, nodes, ... }: {
+ wagon = { pkgs, ... }: {
 deployment.tags = [ "vaultwarden" "pass" "passwords" ];
- deployment.targetHost = "wagon.federez.net";
- networking.hostName = name;
 
 glucagon.networking = {
 nibble = 228;
@@ -114,10 +115,8 @@ in
 system.build.diskoScript = disko.diskoScript diskConfig pkgs;
 };
 
- lagon = { name, nodes, ... }: {
+ lagon = { pkgs, ... }: {
 deployment.tags = [ "keycloak" "wayf" ];
- deployment.targetHost = "lagon.federez.net";
- networking.hostName = name;
 
 glucagon.networking = {
 nibble = 229;
@@ -140,10 +139,8 @@ in
 system.build.diskoScript = disko.diskoScript diskConfig pkgs;
 };
 
- aragon = { name, nodes, ... }: {
+ aragon = { pkgs, ... }: {
 deployment.tags = [ "gitlab" ];
- deployment.targetHost = "aragon.federez.net";
- networking.hostName = name;
 
 glucagon.networking = {
 nibble = 231;
@@ -166,11 +163,8 @@ in
 system.build.diskoScript = disko.diskoScript diskConfig pkgs;
 };
 
- # FIXME can't update: discourse pkg is broken
- pendragon = { name, nodes, ... }: {
+ pendragon = { pkgs, ... }: {
 deployment.tags = [ "discourse" ];
- deployment.targetHost = "pendragon.federez.net";
- networking.hostName = name;
 
 glucagon.networking = {
 nibble = 233;
@@ -193,18 +187,21 @@ in
 system.build.diskoScript = disko.diskoScript diskConfig pkgs;
 };
 
- perdrigon = { name, nodes, ... }: {
+ perdrigon = { pkgs, ... }: {
 deployment.tags = [ "indico" ];
- deployment.targetHost = "perdrigon.federez.net";
- federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
- networking.hostName = name;
 
 glucagon.networking = {
 nibble = 234;
 wan-mac = "BC:24:11:04:9B:51";
 };
 
+ infra-net.leaf = {
+ mac = "BC:24:11:09:B8:76";
+ id = 17;
+ };
+
 imports = [
+ (disko.config diskConfig)
 ./profiles/vm.nix
 ./profiles/indico.nix
 ];
diff --git a/npins/sources.json b/npins/sources.json
index a76001a..9ded7b3 100644
--- a/npins/sources.json
+++ b/npins/sources.json
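Review bot: `federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0"` is deleted from the perdrigon node without any replacement visible in this diff, and a key that sat in plaintext in the repository has to be rotated on the monitoring side, not merely removed — deleting it from HEAD leaves it in git history. If it was moved into an agenix secret, that file is not among the changes here (the only re-encrypted secret is vogon-wg-infra-key.age), so perdrigon may now deploy with no key at all; a one-line comment stating where it went, e.g. `# monitoring key now provided via secrets/<name>.age`, would close that gap. Separately, `(disko.config diskConfig)` is newly imported on what looks like an already-provisioned VM; confirm the fileSystems it generates match the host's actual layout before deploying, since disko.config changes the mount declarations even though only diskoScript formats disks.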
@@ -39,6 +39,12 @@
 "url": "https://github.com/fossar/nix-phps/archive/87aa57df1dffc535756256efbd141c735852145f.tar.gz",
 "hash": "0i8bp50hm55jxlgfmcfjql3lz8la0cipmdh1m73i8jag7p8mmrnl"
 },
+ "nixpkgs-24.11": {
+ "type": "Channel",
+ "name": "nixos-24.11",
+ "url": "https://releases.nixos.org/nixos/24.11/nixos-24.11.716438.7ffe0edc685f/nixexprs.tar.xz",
+ "hash": "1i99256170lllhdy8z1agvb4hgim20zs7i2qvikw5x9ldzh4q7zv"
+ },
 "nixpkgs": {
 "type": "Channel",
 "name": "nixos-unstable-small",
diff --git a/profiles/irc-bot.nix b/profiles/irc-bot.nix
index f594b84..09d56f2 100644
--- a/profiles/irc-bot.nix
+++ b/profiles/irc-bot.nix
@@ -2,7 +2,7 @@
 let
 cfg = config.services.matrix-appservice-irc;
 bindPort = cfg.settings.ircService.mediaProxy.bindPort;
- upstreamUrl = "http://127.0.0.1:${toString bindPort}";
+ upstreamUrl = "127.0.0.1:${toString bindPort}";
 in {
 services.nginx = {
 enable = true;
diff --git a/profiles/matrix-server.nix b/profiles/matrix-server.nix
index 70aed6d..e2d4de8 100644
--- a/profiles/matrix-server.nix
+++ b/profiles/matrix-server.nix
@@ -50,7 +50,7 @@ in {
 # in client applications.
 settings.public_baseurl = baseUrl;
 settings.app_service_config_files = [
- "/var/lib/matrix-synapse/telegram-registration.yaml"
+ #"/var/lib/matrix-synapse/telegram-registration.yaml"
 "/var/lib/matrix-synapse/irc-registration.yml"
 ];
 settings.listeners = [
diff --git a/profiles/vogon.nix b/profiles/vogon.nix
index 2785aa9..adf5ffe 100644
--- a/profiles/vogon.nix
+++ b/profiles/vogon.nix
@@ -64,6 +64,9 @@
 "sr_mod"
 ];
 
+ # FIXME
+ networking.firewall.trustedInterfaces = [ "wg-infra" "vxl-infra" "br-infra" ];
+
 systemd.network.links = {
 "10-phy1" = {
 matchConfig.MACAddress = "18:66:da:75:da:04";
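Review bot: `upstreamUrl = "127.0.0.1:${toString bindPort}"` in irc-bot.nix drops the scheme, and whether that is valid depends on the consumer, which is outside this hunk: nginx's `proxy_pass` rejects a scheme-less target, while a `server` line inside an `upstream {}` block requires exactly this form. The binding's name now describes something that is no longer a URL, so either rename it `upstreamAddr` or pin the intent with a comment such as `# host:port only — consumed by an nginx upstream block, not as a proxy_pass URL`. The `let` that holds this binding starts on the first line of the hunk and its uses follow after it.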
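Review bot: Commenting out `#"/var/lib/matrix-synapse/telegram-registration.yaml"` in matrix-server.nix removes the appservice from Synapse but says nothing about the bridge process or the registration file, which still contains the as_token/hs_token pair on disk. If the Telegram bridge is being retired, also stop its service and delete the registration file; if this is temporary, say so on the line, e.g. `# telegram bridge disabled 2025-04: <reason>; re-enable by restoring this entry`. A commented-out element inside a Nix list is easy to overlook in later reviews — deleting the line and keeping the reason in the comment reads more clearly.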
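Review bot: `networking.firewall.trustedInterfaces = [ "wg-infra" "vxl-infra" "br-infra" ]` in vogon.nix bypasses the firewall entirely for every packet arriving on those three interfaces, so anything attached to br-infra (presumably the guest VMs, given the 10.42.0.1/16 and fd0a:66d3:1c19:42::1/64 addresses assigned to that bridge later in the file) and any peer reachable over the wg-infra/vxl-infra overlay can reach every port the hypervisor listens on. The bare `# FIXME` does not say what this is working around or what the intended end state is. Prefer per-interface allow-lists once the needed ports are enumerated, e.g. `networking.firewall.interfaces."br-infra".allowedUDPPorts = [ … ];`, and until then make the comment carry the reason and the plan: `# FIXME: blanket-trusting these interfaces disables the firewall for guests and infra peers; replace with networking.firewall.interfaces.<iface>.allowed*Ports once the required ports are known`.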
@@ -114,19 +117,22 @@
 };
 wireguardPeers = [
 {
- PublicKey = "A+tXWigWNzrj0zAyg0MCSgP53ngH3kNsP5m8E+JbDmA=";
+ PublicKey = "JfTsY3+jPTDgLDrECoSvoYs+6+GpjII0ookjhFhd5SY=";
 Endpoint = "89.234.162.224:51039";
 AllowedIPs = [ "fd0a:66d3:1c19:1000::2" ];
+ PersistentKeepalive = 10;
 }
 {
- PublicKey = "77IPc//p+mSl1yeapuDd4tIZDRp5acOTmBF5V7dG4BA=";
+ PublicKey = "nOeLgmE1U6nY3UNxltQKwlID9lD7fvpEwij2XUvEGgg=";
 Endpoint = "137.194.12.129:51039";
 AllowedIPs = [ "fd0a:66d3:1c19:1000::3" ];
+ PersistentKeepalive = 10;
 }
 {
- PublicKey = "tUonMgyYxE5l1aee7iSBR6AwmuhITk3ystPhouUAMBc=";
+ PublicKey = "9pGyE4+CQl+f8sFJ/Mkvp14yxDQJ0SJmGnher5Tgzjc=";
 Endpoint = "193.48.225.201:51039";
 AllowedIPs = [ "fd0a:66d3:1c19:1000::4" ];
+ PersistentKeepalive = 10;
 }
 ];
 };
@@ -156,6 +162,7 @@
 };
 "10-br-infra" = {
 matchConfig.Name = "br-infra";
+ linkConfig.MACAddress = "9E:D8:78:A1:CE:22";
 address = [
 "fd0a:66d3:1c19:42::1/64"
 "10.42.0.1/16"
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c5836a2..c360af2 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,10 +22,10 @@ let
 keycloak-admins = active-admins;
 ldap-bind-admins = active-admins;
 discourse-admins = active-admins;
+ wg-admins = active-admins;
 indico-admins = active-admins;
 grafana-admins = active-admins;
- wg-admins = active-admins;
- servers = [ estragon wagon lagon klingon aragon pendragon perdrigon martagon ];
+ servers = [ estragon wagon lagon klingon aragon pendragon vogon perdrigon martagon ];
 
 in {
 "matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins;
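Review bot: The three rotated `PublicKey` values and the new `PersistentKeepalive = 10` lines in the wireguardPeers hunk carry no comment, so the next reader cannot tell whether the rotation was routine or a response to a suspected key exposure, nor why the keepalive is needed when all three endpoints are public addresses. 10 s is also well below the 25 s that WireGuard's own documentation recommends for NAT traversal; if vogon sits behind a stateful firewall that drops idle UDP mappings, say so and justify the interval, otherwise raise it. Something like `# peer keys rotated 2025-04 together with secrets/vogon-wg-infra-key.age; keepalive keeps the mapping open through <firewall>` on the first peer would do.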
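Review bot: Adding `vogon` to `servers` in secrets.nix changes the recipient set of every `.age` file whose publicKeys includes that list, but the only re-encrypted secret in this commit is vogon-wg-infra-key.age, so any secret keyed to `servers` (none is visible in this hunk; the one shown uses `[ estragon ]`) still cannot be decrypted by vogon until `agenix -r` is run and the rekeyed files are committed. It is also worth stating that the hypervisor now joins the all-servers group, since a compromise of vogon would then expose every server-wide secret rather than only the guests it already hosts: `# vogon is the hypervisor; anything keyed to servers is readable by the host`. The enclosing `let` begins before this hunk.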
diff --git a/secrets/vogon-wg-infra-key.age b/secrets/vogon-wg-infra-key.age index db5c8a3e503909d028501bedc3a128d5be9abb43..2cd6517f3d3d507816771efc1d90755a14032bf8 100644 GIT binary patch literal 1775 zcmZ9Lxz6ke6@&v2ftd_}gaoK_^W&x6UL-){we7au-rGws(BAib?TCnk2Ox!sAVP=` zG6Weg5>GHO5)e&@xCEErN|k?Ar%pYy^1X`FImI$nn*NN3cP^)-KR=Y?4@H7`O8rBI~+qt z2V?XC*+J!6NZK}jkwt(;yQaRybv0n}Ckd+*V5gUB*=Gi$hM^iu=bIbrkLn6l4J z0H3uJV}VD;#LX;6Ct!ckiP9HF%%9v0orksYI-XkrX}y}Fvuy>$lLpCzwZ`WHzP7mi+EPDltib?pF7kjq2Z@W$uPL+eL)BwXm{cm=t1 zGuCI^h`I2ZnTbkAT@KZ#rybm|Tn3?P`L50uz~XttJ1Tki`cadRc($DKKqHDhHqgA6 zw^1R$Ytr7?G%YT>;dN_uWOq>scAsu;Obqaex%%h4oZKT43o_7FGLd0bz^5(0O|pQ5 zGg7Ri%7|0zbgrstT4M4-^yfsIZs3cDH;ra$ES??6+EZxfhicm&!h~iaT zve9QTNYUKG=Ap7lg<@HEv*Li7U1Co}$CY8NjJ>lE!ud;$KeicFJjlwLhs8}p?KaqB z9d@UdXkL9W(?%YV%Z*bD2x}?P7dyxT0Sxujul(7V?g@`MRhyz5gs1656)m!=DOwZR z<=nU33pPU+714F(bf9ry$x>L5xx=UmE3cg4C=@-^`%93Oc2+GRFj>U|{e_PqNMQW% zvBM1BkIPonEJ*>OOJ!qVZ+Y?La@olt2FKU#0iKi0a;_V{6|LA{J;l}2hpQ#7IO#-=t`iN zZAv7x6H}uow9sELb?ZK)Ee)}|^a;OkPF_lxu0fO#+Aq50sQzh@hjnSz45x3@xXa_a z+FvlR!?X|}nZYpAZKoEulh*`9kF_2027Ir1q{xIpuOGhj zefFBfI6+|aOQb}3pub>3BZqsgugcCWV!mhOBsOVE>c=WWkLrAq#3X389Km`hj0o)R zOA{K$#;)Mn2cjQ7 zDGrWiUX4^)eE!DV4K~W^?kwr~l-s3uK6`z4#d^fD7YriF+vqmAViCIB(u`xX8bDPaiT`sbOh;oF)^C6pU;(~GgRD2BSzN|2-pV7MH;WAPMNO5Ghai>Nep#0-tp3g z20dQKnKy*fjI;*ds0Z3T;KnEoUe%b$LN2QX-L;m&_GygS*+j8)cw3HQI=KTT) z(4Izm^Oc)a+x{GX~+mOhXO&pfNAHjZX0`V>$yXcBSd)_yz6^K}LA@gx0{-tzg~i z$|qI|^4vL35<_Z5!bh2&hFyw56fFn*Ew_4xA&$k&ln1=8_HVTRn^Y(;U(HbGC#=+q z-M*khD+@q_J`Nt$AL;>Q2%Vz0jogQ93zFNA`U{&(;pwR2GQSeuJ;*Bnf#L+(Guhc< zG_?J=Ej6+aP9{EOzuB9vF>aZ;RTw5L<# z*pY{1+(gO^J|UEcDhV0&Y*~dlRa)n}Z}S7yOf~A3o8l^=PMJ_QSXHUZFe7#Yp=J?x z?Y4ODk^L-_6IWP!<|2UnX2;EF8M9{Yisc$VCFnJg6vnE70AQJGWUQ@Q(__ECW6#{z zvJZ=uR%{*K$li4izPo0IYvRN0z}PjrBX3rUDfhL8E9l-1{9{wi@Ulb=mO3dPN6CE5 zlx^~EPTqC8SjSb6H#0J6CU2(%PaEgk5Q^(=BgDu*=4{3{hdymd*` zs&P|;w!#)kAKsMKQhUC~g)%A^3C{zl%|~^@{Po#aRI|ejNYuse4ojk|w-m&Vno(p$ zZNf%yuPn*cw9?&WX92=X3MpQ0P|+`<=b;|EmMz1Fuy?2qY?9G}YZgcQ41~lxHf2Kk 
zr2ppe+eV9%cYm%1g$uYFacjpchxRO7lhxEaA6rRg&2BcyQ+^)qT#$)r136DGqtnB7 z2XpQC{(5;n1I!o#m^Ilr!XJxt*0K{u*?IqE+E^bJmwCBtA?-h}@=or_8HNtMmHYBI z99DbBld!SiRyY-%hb|~In3@N0YU5-z(dBVjxzHCA!8}fddQq(c<`3106;?`_q1V^f z7Z8b7P#S0nPx-b{#w=*!UXDPu+t~RmsMwj0xf7;H0}uW8-Jk!(#ee!q^bzst@Woet z__N