From c81d2f00caf94d0521c6e3677fbc17a7dc7393cb Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Sun, 8 Feb 2026 12:36:03 +0100 Subject: [PATCH 1/6] remove powerdns --- hosts/powerdns/default.nix | 35 ------------------ services/powerdns.nix | 72 -------------------------------------- 2 files changed, 107 deletions(-) delete mode 100644 hosts/powerdns/default.nix delete mode 100644 services/powerdns.nix diff --git a/hosts/powerdns/default.nix b/hosts/powerdns/default.nix deleted file mode 100644 index 270ce81..0000000 --- a/hosts/powerdns/default.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ ... }: - -{ - imports = [ - ../common.nix - ../../services/openssh.nix - ../../services/powerdns.nix - ]; - - networking = { - hostName = "powerdns"; - firewall = { - allowedTCPPorts = [ - 53 # DNS - ]; - allowedUDPPorts = [ - 53 # DNS - ]; - }; - }; - - services = { - openssh.banner = '' - __ __ - /\ \__ /\ \ - ___ ____ ___ ____\ \ ,_\ ___ ___ ___\ \ \____ - /' _ `\ /',__\ / __`\ /',__\\ \ \/ /'___\ /'___\ /'___\ \ '__`\ - /\ \/\ \/\__, `\__/\ \L\ \/\__, `\\ \ \_ __/\ \__//\ \__//\ \__/\ \ \L\ \ - \ \_\ \_\/\____/\_\ \____/\/\____/ \ \__\/\_\ \____\ \____\ \____\\ \_,__/ - \/_/\/_/\/___/\/_/\/___/ \/___/ \/__/\/_/\/____/\/____/\/____/ \/___/ - ''; - }; - - system.stateVersion = "25.11"; -} diff --git a/services/powerdns.nix b/services/powerdns.nix deleted file mode 100644 index 209a978..0000000 --- a/services/powerdns.nix +++ /dev/null 
@@ -1,72 +0,0 @@ -{ config, ... }: - -{ - # exposes prometheus metrics at http://127.0.0.1:8081/metrics - services = { - powerdns = { - enable = true; - secretFile = config.age.secrets.powerdns.path; - # API_KEY=supersecret123! - # WEBSERVER_PASSWORD=supersecre123! - extraConfig = '' - api=yes - api-key=$API_KEY - local-address=0.0.0.0, :: - local-port=53 - log-timestamp=no # journald already does this - resolver=127.0.0.54:5300 # Used for ALIAS lookup - secondary=yes - version-string=anonymous - webserver-password=$WEBSERVER_PASSWORD - webserver-port=8081 - - launch=bind - ''; - }; - powerdns-admin = { - enable = true; - secretKeyFile = config.age.secrets.powerdns-admin-cookie-secret.path; - saltFile = config.age.secrets.powerdns-admin-salt.path; - extraArgs = []; - config = '' - # PDA - SIGNUP_ENABLED = True - LOCAL_DB_ENABLED = True - - # Flask - BIND_ADDRESS = '127.0.0.1' - PORT = 8000 - #SESSION_COOKIE_SECURE = True - - # Flask-Session - import cachelib - SESSION_TYPE = 'cachelib' - SESSION_CACHELIB = cachelib.simple.SimpleCache() - - # Flask-SQLAlchemy - SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql' - SQLALCHEMY_TRACK_MODIFICATIONS = True - - # FLask-SeaSurf - #CSRF_COOKIE_SECURE = True - ''; - }; - postgresql = { - enable = true; - package = pkgs.postgresql_18; - ensureUsers = [ - { - name = "pda"; - ensureDBOwnership = true; - } - ]; - ensureDatabases = [ "pda" ]; - }; - postgresqlBackup = { - enable = true; - compression = "zstd"; - startAt = "@midnight"; - }; - }; -} - From 4c9e01e7547942e6d21df1a483ae85ac95c1b07f Mon Sep 17 00:00:00 2001 
From: "Ricardo (XenGi) Band" Date: Sun, 8 Feb 2026 12:36:38 +0100 Subject: [PATCH 2/6] improve postgres --- hosts/sql/{postgres.nix => postgresql.nix} | 19 +++++++++++++++++++ secrets/postgres-grafana.age | Bin 0 -> 937 bytes services/postgres.nix | 21 --------------------- 3 files changed, 19 insertions(+), 21 deletions(-) rename hosts/sql/{postgres.nix => postgresql.nix} (81%) create mode 100644 secrets/postgres-grafana.age delete mode 100644 services/postgres.nix diff --git a/hosts/sql/postgres.nix b/hosts/sql/postgresql.nix similarity index 81% rename from hosts/sql/postgres.nix rename to hosts/sql/postgresql.nix index 61f3af8..0060db2 100644 --- a/hosts/sql/postgres.nix +++ b/hosts/sql/postgresql.nix @@ -7,6 +7,7 @@ let entries = [ (mkEntry "matrix-synapse" 25) # matrix.berlin.ccc.de (mkEntry "hedgedoc" 26) # md.berlin.ccc.de + (mkEntry "grafana" 255) # mon.berlin.ccc.de ]; mkEntry = name: octet: { user = { @@ -47,6 +48,14 @@ in # }; #}; postgresql = { + enable = true; + package = pkgs.postgresql_18; + enableJIT = true; + initdbArgs = [ + "--locale=C" + "--encoding=UTF8" + ]; + settings.listen_addresses = "*"; enableTCPIP = true; #settings = { # ssl = "on"; @@ -58,6 +67,16 @@ in ensureDatabases = map (e: e.database) entries; authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}"; }; + postgresqlBackup = { + enable = true; + startAt = "@daily"; + compression = "zstd"; + }; + prometheus.exporters.postgres = { + enable = true; + openFirewall = true; + firewallRules = services.prometheus.exporters.node.firewallRules; + }: }; systemd.services.postgresql.postStart = '' ${config.services.postgresql.package}/bin/psql \ 
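Review bot: `(mkEntry "grafana" 255) # mon.berlin.ccc.de` assigns host octet 255 to the Grafana client, yet everywhere else in this series the monitoring host is allow-listed as 195.160.173.14 / 2001:678:760:cccb::14, and the host is named `monitoring`, not `mon`. If `mkEntry` turns the octet into a pg_hba address (its body is above this hunk and not visible), this entry either admits the wrong address or nothing at all; please confirm the monitoring host's actual address and align the comment with the host name.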
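Review bot: `settings.listen_addresses = "*";` is added next to `enableTCPIP = true;` while the `ssl = "on"` block right below stays commented out, so the password-authenticated sessions from md and monitoring now cross the network in cleartext unless the segment is otherwise protected; enable server TLS here before the clients are pointed at `sslmode=verify-full`. As far as I recall, `enableTCPIP` already sets `listen_addresses` to `*`, so the explicit setting is redundant and may even collide with the module's definition — worth checking. `package = pkgs.postgresql_18;` also needs `pkgs` in this file's argument list, which is above the hunk and not visible.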
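Review bot: The new `prometheus.exporters.postgres` block does not evaluate as written: `firewallRules = services.prometheus.exporters.node.firewallRules;` references an unbound `services` (the nginx module in patch 3 spells it `config.services.…`), and the closing `}:` must be `};`. Even once fixed, those rules belong to the node exporter, so with `openFirewall = true` only the port named in them is opened for this exporter; write its own rule against `config.services.prometheus.exporters.postgres.port`, restricted to the monitoring host's two addresses. The exporter also needs a database connection (`dataSourceName` or `runAsLocalSuperUser`), which this hunk does not configure.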
diff --git a/secrets/postgres-grafana.age b/secrets/postgres-grafana.age new file mode 100644 index 0000000000000000000000000000000000000000..874dca2484851d8afdd738eefb0a5e242a774328 GIT binary patch literal 937 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH_0Y~UELTYPtSSg7 z@%A>&3oLNTO7UGqSL>D%&k1yxgQbBbzJO!Xqlw%+&m+($ITGEr6kqK$pFjnlvdk=($bfwPT#qO>mx4;ma?|XH z?0jECqr|MrvP8qgFy|cCa{mkumu#-|qIBahBbN-94Ye&R0*hS}!~9ZBe2mS@$^%Su^pnF<^bIXMid@6}Tufba z3ln{_0|L=))30<6bxv0Zi!?LSkMj0S@ySi~$TxIJ@yslaa4Ywy2=zBIG>`Cbbg%Ra z&2+L%2`T4tF7pm8%MI5~%g Date: Sun, 8 Feb 2026 12:37:17 +0100 Subject: [PATCH 3/6] improve synapse --- hosts/matrix/default.nix | 5 ++- {services => hosts/matrix}/draupnir.nix | 0 hosts/matrix/nginx.nix | 24 +++++++++++ {services => hosts/matrix}/synapse.nix | 7 +++- services/nginx.nix | 56 +++++++++---------------- 5 files changed, 53 insertions(+), 39 deletions(-) rename {services => hosts/matrix}/draupnir.nix (100%) create mode 100644 hosts/matrix/nginx.nix rename {services => hosts/matrix}/synapse.nix (91%) diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix index 9d30fb4..9362d37 100644 --- a/hosts/matrix/default.nix +++ b/hosts/matrix/default.nix @@ -5,9 +5,10 @@ ../common.nix ../../services/openssh.nix ../../services/nginx.nix + ./nginx.nix + ./synapse.nix + ./draupnir.nix ../../services/postgres.nix - ../../services/synapse.nix - ../../services/draupnir.nix ../../services/prometheus.nix ../../services/grafana.nix ]; diff --git a/services/draupnir.nix b/hosts/matrix/draupnir.nix similarity index 100% rename from services/draupnir.nix rename to hosts/matrix/draupnir.nix diff --git a/hosts/matrix/nginx.nix b/hosts/matrix/nginx.nix new file mode 100644 index 0000000..7fd4abc --- /dev/null +++ b/hosts/matrix/nginx.nix 
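Review bot: The import list still contains `../../services/postgres.nix`, which patch 2 deletes, so `hosts/matrix` does not evaluate at this commit; the line is only dropped in patch 6. Either fold that removal into this commit or reorder the series so every commit builds — bisecting an infra repo depends on it. The same will happen to `../../services/prometheus.nix` and `../../services/grafana.nix` once patch 5 relocates them.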
@@ -0,0 +1,24 @@ +{ config, pkgs, ... }: + +{ + services.nginx.virtualHosts."matrix.berlin.ccc.de" = { + default = true; + quic = true; + kTLS = true; + forceSSL = true; + enableACME = true; + locations = { + #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; + "/".return = "418 \"🫖\""; + "~ ^(/_matrix|/_synapse/client)" = { + recommendedProxySettings = true; + proxyPass = "http://[::1]:8008"; + extraConfig = '' + client_max_body_size 64M; + proxy_set_header X-Request-ID $request_id; + proxy_http_version 1.1; + ''; + }; + }; + }; +} diff --git a/services/synapse.nix b/hosts/matrix/synapse.nix similarity index 91% rename from services/synapse.nix rename to hosts/matrix/synapse.nix index e0fa15e..97242b0 100644 --- a/services/synapse.nix +++ b/hosts/matrix/synapse.nix @@ -4,6 +4,11 @@ let domain = "berlin.ccc.de"; in { + networking.firewall.extraInputRules = '' + ip saddr 195.160.173.14 tcp dport 9009 accept + ip6 saddr 2001:678:760:cccb::14 tcp dport 9009 accept + ''; + services = { matrix-synapse = { enable = true; @@ -42,7 +47,7 @@ in type = "metrics"; tls = false; port = 9009; - bind_addresses = [ "::1" ]; + bind_addresses = ["::" "0.0.0.0"]; resources = [ { compress = false; diff --git a/services/nginx.nix b/services/nginx.nix index eff02e6..b7a4bd4 100644 --- a/services/nginx.nix +++ b/services/nginx.nix 
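Review bot: The metrics listener is widened from `::1` to every interface with `bind_addresses = ["::" "0.0.0.0"]` and `tls = false`, so its only protection is the two `extraInputRules` entries added in the hunk above; those are nftables rules and, as far as I recall, only take effect when `networking.nftables.enable` is set (the iptables backend rejects the option), which nothing in this series shows. A narrower alternative with no firewall dependency is to keep the listener on `[::1]` and publish `/_synapse/metrics` through the nginx vhost created in this patch behind the same `allow 195.160.173.14; allow 2001:678:760:cccb::14; deny all;` pattern that patch 4 uses for Hedgedoc, which also gives the scrape TLS. If the listener stays exposed, bind it to the host's public address rather than the wildcard so it cannot be reached over interfaces the rules do not cover.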
@@ -1,44 +1,28 @@ { config, pkgs, ... }: -let - fqdn = "matrix.berlin.ccc.de"; -in { users.users.nginx.extraGroups = [ "acme" ]; - services.nginx = { - enable = true; - resolver.addresses = [ - "[2606:4700:4700::1111]" - "[2620:fe::fe]" - "1.1.1.1" - "9.9.9.9" - ]; - statusPage = true; # http://127.0.0.1/nginx_status - sslProtocols = "TLSv1.3"; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedBrotliSettings = true; - virtualHosts."${fqdn}" = { - default = true; - quic = true; - kTLS = true; - forceSSL = true; - enableACME = true; - locations = { - #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; - "/".return = "418 \"🫖\""; - "~ ^(/_matrix|/_synapse/client)" = { - recommendedProxySettings = true; - proxyPass = "http://[::1]:8008"; - extraConfig = '' - client_max_body_size 64M; - proxy_set_header X-Request-ID $request_id; - proxy_http_version 1.1; - ''; - }; - }; + services = { + nginx = { + enable = true; + resolver.addresses = [ + "[2606:4700:4700::1111]" + "[2620:fe::fe]" + "1.1.1.1" + "9.9.9.9" + ]; + statusPage = true; # http://127.0.0.1/nginx_status + sslProtocols = "TLSv1.3"; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedBrotliSettings = true; + }; + prometheus.exporters.nginx = { + enable = true; + firewallRules = config.services.prometheus.exporters.node.firewallRules; + openFirewall = true; }; }; } From 7cbd49fe4215c2fbf5637017cd669ae27698121c Mon Sep 17 00:00:00 2001 
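Review bot: `firewallRules = config.services.prometheus.exporters.node.firewallRules;` makes the nginx exporter's exposure depend on rules written for a different exporter: with `openFirewall = true` the module installs those rules (in patch 5 they name dport 9187) instead of opening the nginx exporter's own port, and on a host where the node rules are null the module falls back to opening the exporter port to everyone, since the exporter listens on 0.0.0.0 by default. Give this exporter its own rules against `config.services.prometheus.exporters.nginx.port`, limited to the monitoring host's two addresses as the Hedgedoc vhost in patch 4 does. `statusPage = true` stays bound to 127.0.0.1 and needs no firewall change.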
From: "Ricardo (XenGi) Band" Date: Sun, 8 Feb 2026 12:38:03 +0100 Subject: [PATCH 4/6] improve hedhedoc --- hosts/md/default.nix | 2 +- hosts/md/hedgedoc.nix | 24 +++++++++++ hosts/md/nginx.nix | 44 ++++++++++++++++++++ secrets/hedgedoc-env.age | 19 +++++++++ services/hedgedoc.nix | 89 ---------------------------------------- 5 files changed, 88 insertions(+), 90 deletions(-) create mode 100644 hosts/md/hedgedoc.nix create mode 100644 hosts/md/nginx.nix create mode 100644 secrets/hedgedoc-env.age delete mode 100644 services/hedgedoc.nix diff --git a/hosts/md/default.nix b/hosts/md/default.nix index 9c7bc32..cf07d26 100644 --- a/hosts/md/default.nix +++ b/hosts/md/default.nix @@ -4,7 +4,7 @@ imports = [ ../common.nix ../../services/openssh.nix - ../../services/hedgedoc.nix + ./hedgedoc.nix ]; networking = { diff --git a/hosts/md/hedgedoc.nix b/hosts/md/hedgedoc.nix new file mode 100644 index 0000000..137c91a --- /dev/null +++ b/hosts/md/hedgedoc.nix @@ -0,0 +1,24 @@ +{ config, pkgs, ... }: + +let + db = { + host = "sql.berlin.ccc.de"; + port = 5432; + username = "hedgedoc"; + database = "hedgedoc"; + }; +in +{ + services.hedgedoc = { + enable = true; + settings = { + domain = "${config.networking.hostName}.${config.networking.domain}"; + dbURL = "postgres://${db.username}:\${DB_PASSWORD}@${db.host}:${toString db.port}/${db.name}"; + # sync with config.age.secrets.postgres-hedgedoc.path + environmentFile = config.age.secrets.hedgedoc-env.path; + protocolUseSSL = true; + enableStatsApi = true; + }; + }; +} + diff --git a/hosts/md/nginx.nix b/hosts/md/nginx.nix new file mode 100644 index 0000000..c0cf2ac --- /dev/null +++ b/hosts/md/nginx.nix 
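Review bot: The new `hosts/md/nginx.nix` is never imported — the imports list gains only `./hedgedoc.nix` — and the deleted `services/hedgedoc.nix` was what enabled nginx on this host, so after this commit md.berlin.ccc.de has no reverse proxy, no ACME certificate, and Hedgedoc only listens on its local port. Add `../../services/nginx.nix` and `./nginx.nix` here, mirroring `hosts/matrix/default.nix` from patch 3.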
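Review bot: `dbURL` interpolates `${db.name}`, but the `db` attrset defines `database`, not `name`, so this module fails to evaluate; use `${db.database}`. `environmentFile` is placed inside `settings`, where the NixOS module treats it as a freeform config key that ends up in config.json rather than as the unit's `EnvironmentFile`, so `${DB_PASSWORD}` would stay literal — as far as I recall it belongs at `services.hedgedoc.environmentFile`, one level up. The connection string also carries the password to `sql.berlin.ccc.de` with no `sslmode`, so once server TLS is enabled in `hosts/sql/postgresql.nix` append `?sslmode=verify-full` so the credential is not sent in cleartext.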
@@ -0,0 +1,44 @@ +{ config, pkgs, ... }: + +let + cfg = config.services.hedgedoc.settings; +in +{ + services.nginx.virtualHosts."${config.networking.hostName}.${config.networking.domain}" = { + default = true; + quic = true; + kTLS = true; + forceSSL = true; + enableACME = true; + locations = { + "/" = { + recommendedProxySettings = true; + proxyPass = "http://${cfg.host}:${toString cfg.port}"; + }; + "/socket.io/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://${cfg.host}:${toString cfg.port}"; + }; + "/metrics" = { + recommendedProxySettings = true; + proxyPass = "http://${cfg.host}:${toString cfg.port}"; + extraConfig = '' + allow 195.160.173.14; + allow 2001:678:760:cccb::14; + deny all; + ''; + }; + "/status" = { + recommendedProxySettings = true; + proxyPass = "http://${cfg.host}:${toString cfg.port}"; + extraConfig = '' + allow 195.160.173.14; + allow 2001:678:760:cccb::14; + deny all; + ''; + }; + }; + }; +} + diff --git a/secrets/hedgedoc-env.age b/secrets/hedgedoc-env.age new file mode 100644 index 0000000..a462570 --- /dev/null +++ b/secrets/hedgedoc-env.age 
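Review bot: The `allow`/`deny` lists on `/metrics` and `/status` are only as good as nginx's location matching: prefix locations are case-sensitive, while the Hedgedoc backend (Express) routes case-insensitively by default, so a request for `/Metrics` or `/STATUS` would fall through to `/` and be proxied without the IP check — please verify this against the running instance. If it reproduces, match both paths with a case-insensitive regex location such as `"~* ^/(metrics|status)$"` and keep the allow-list there. The allow-list also assumes the real client address reaches nginx directly, which holds only as long as nothing sits in front of this host.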
@@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> ssh-ed25519 uH+n1w Hl5GuG/K5bKRhYLwG3z1pUfRPPs/O0T9ELWTAMT/DG8 +9nX8jNHmCQXa5Wv7huCTEk5kz3Me9QVSxJYPdrH5udw +-> ssh-ed25519 EvLbWw T+0rljpwVOktHR21v5JvBPe1nog0TVN1erGtIyRMbQ4 +tpNz5eRC8vFFbdtXA6Vp+7X1VDq5doJi4hM1K/FOyVE +-> ssh-ed25519 dM+fLQ R9t+cS4ye0jOaubNcMaqu8/APLkzAopkZh76tM0jQgM +DL4DykdFXXQONPqDGv5LKTrlg9+4BPHdXNPMGwPF7a4 +-> ssh-ed25519 jxWM2Q PTEewNsybqn/4gejSGy5BNucQ5izKtqUGp6mGroYizg +HEaBhzmp+0ymUUbzCgb4KpyZJ2lKYKNlaI9zMY58CJg +-> ssh-ed25519 /yCUCg 6wdCIPRGgPnPxzCdUDnDOl5lI2Fsl9DoA4QmM3DWfEs +ZdQ1sHtAsYrlaWNDZmf2+Gu9vIIp7adD6MI1oJyPPdU +-> ssh-ed25519 FGp51g 1Lvo3hKE72UUKJaN4U1XlXoP8j7EAHN0UPIP11FurCI +csB1x/PYsQgQ0gPHJAD8EcHHVo1JJ8NCtx45KpreqaE +-> ssh-ed25519 fEJY/A LlmksK8HR5YNpMwcqJUN5sgAM8jXCuanTNU+A53UMhY +kntfp+IUE1OLq03WLyuynyqSeUlrhy5piYKcqg9/DAg +--- NxH5yKP69Pq4DQx2Ziad7ECw6BdlbSfo7+vm9V3YWm8 + +Чim萮v0_d$Z#[.vأXjZH'sy4Qm +Z]^Œ nE>wf7%~DV \ No newline at end of file diff --git a/services/hedgedoc.nix b/services/hedgedoc.nix deleted file mode 100644 index 9650ced..0000000 --- a/services/hedgedoc.nix +++ /dev/null 
@@ -1,89 +0,0 @@ -{ config, pkgs, ... }: - -let - fqdn = "hedgedoc.berlin.ccc.de"; - cfg = config.services.hedgedoc.settings; -in -{ - services = { - hedgedoc = { - enable = true; - settings = { - domain = fqdn; - #environmentFile = config.age.secrets.hedgedoc_settings.path; - protocolUseSSL = true; - db = { - dialect = "postgresql"; - host = "/run/postgresql"; - username = "hedgedoc"; - database = "hedgedoc"; - }; - enableStatsApi = true; - }; - }; - nginx = { - enable = true; - resolver.addresses = [ - "[2606:4700:4700::1111]" - "[2620:fe::fe]" - "1.1.1.1" - "9.9.9.9" - ]; - statusPage = true; # http://127.0.0.1/nginx_status - sslProtocols = "TLSv1.3"; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedBrotliSettings = true; - virtualHosts."${fqdn}" = { - default = true; - quic = true; - kTLS = true; - forceSSL = true; - enableACME = true; - locations = { - "/" = { - proxyPass = "http://${cfg.host}:${toString cfg.port}"; - recommendedProxySettings = true; - }; - "/socket.io/" = { - proxyPass = "http://${cfg.host}:${toString cfg.port}"; - proxyWebsockets = true; - recommendedProxySettings = true; - }; - "/metrics" = { - proxyPass = "http://${cfg.host}:${toString cfg.port}"; - recommendedProxySettings = true; - #allow 195.160.173.255; - #allow 2001:678:760:cccb::ffff; - #deny all; - }; - "/status" = { - proxyPass = "http://${cfg.host}:${toString cfg.port}"; - recommendedProxySettings = true; - #allow 195.160.173.255; - #allow 2001:678:760:cccb::ffff; - #deny all; - }; - }; - }; - }; - postgresql = { - enable = true; - package = pkgs.postgresql_18; - enableJIT = true; - initdbArgs = [ - "--locale=C" - "--encoding=UTF8" - ]; - ensureUsers = [{ name = cfg.db.username; ensureDBOwnership = true; }]; - ensureDatabases = [ cfg.db.database ]; - }; - postgresqlBackup = { - enable = true; - startAt = "*-*-* 09:00:00"; - compression = "zstd"; - }; - }; -} - 
From 0357003655509b7577cfc42739fcbcb1d7eb88dc Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Sun, 8 Feb 2026 12:38:34 +0100 Subject: [PATCH 5/6] improve all the things --- README.md | 15 +++++-- README.monitoring.md | 10 +++++ flake.nix | 36 ++++++++++++++++ hosts/common.nix | 1 + hosts/monitoring/default.nix | 41 ++++++++++++++++++ {services => hosts/monitoring}/grafana.nix | 15 +------ hosts/monitoring/nginx.nix | 29 +++++++++++++ {services => hosts/monitoring}/prometheus.nix | 43 +++++++++---------- secrets/secrets.nix | 9 +++- services/node-exporter.nix | 13 ++++++ 10 files changed, 171 insertions(+), 41 deletions(-) create mode 100644 README.monitoring.md create mode 100644 hosts/monitoring/default.nix rename {services => hosts/monitoring}/grafana.nix (79%) create mode 100644 hosts/monitoring/nginx.nix rename {services => hosts/monitoring}/prometheus.nix (70%) create mode 100644 services/node-exporter.nix diff --git a/README.md b/README.md index 4410e01..fb55bd4 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,11 @@ # Nix based CCCB infra +## Folder structure + +- `./services` holds generic service configuration that is shared between hosts +- `./hosts` holds host specific configuration +- `./secrets` holds age encrypted secrets using [agenix](https://github.com/ryantm/agenix) + ## Admin handbook ### Update a container @@ -7,7 +13,7 @@ ```shell ssh cd /etc/nixos -nix run .#apps.nixos-diff # Show what changes would be applied +nix run .#apps.nixos-diff # git pull + build + diff wth running config nixos-rebuild switch # Apply changes ``` 
@@ -15,12 +21,13 @@ nixos-rebuild switch # Apply changes Production: -- [Matrix](./README.matrix.md) +- [Matrix (matrix.berlin.ccc.de)](./README.matrix.md) Testing: -- [Hedgedoc](./README.hedgedoc.md) -- [Postgres](./README.postgres.md) +- [Hedgedoc (md.berlin.ccc.de)](./README.hedgedoc.md) +- [Postgres (sql.berlin.ccc.de)](./README.postgres.md) +- [Grafana/Prometheus (monitoring.berlin.ccc.de)](./README.monitoring.md) --- diff --git a/README.monitoring.md b/README.monitoring.md new file mode 100644 index 0000000..cc0224f --- /dev/null +++ b/README.monitoring.md @@ -0,0 +1,10 @@ +# Monitoring + +## Grafana + +## Prometheus + +--- + +Build with ❤️ and ❄️. + diff --git a/flake.nix b/flake.nix index 6d6c0f4..b22ae31 100644 --- a/flake.nix +++ b/flake.nix @@ -100,6 +100,16 @@ modules = [ agenix.nixosModules.default { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } + { + age.secrets = { + hedgedoc-env = { + file = ./secrets/hedgedoc-env.age; + mode = "440"; + owner = "hedgedoc"; + group = "hedgedoc"; + }; + }; + } ./hosts/md ]; }; @@ -124,11 +134,37 @@ group = "postgres"; mode = "0400"; }; + postgres-grafana = { + file = ./secrets/postgres-grafana.age; + owner = "postgres"; + group = "postgres"; + mode = "0400"; + }; }; } ./hosts/sql ]; }; + nixosConfigurations."monitoring" = nixpkgs.lib.nixosSystem { + #system = "x86_64-linux"; + #pkgs = import nixpkgs { inherit system; }; + inherit system; + modules = [ + agenix.nixosModules.default + { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } + { + age.secrets = { + postgres-grafana = { + file = ./secrets/postgres-grafana.age; + owner = "postgres"; + group = "postgres"; + mode = "0400"; + }; + }; + } + ./hosts/monitoring + ]; + }; }; #); } diff --git a/hosts/common.nix b/hosts/common.nix index e795c64..42d42e9 100644 --- a/hosts/common.nix +++ b/hosts/common.nix 
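Review bot: In the new `nixosConfigurations."monitoring"` block the `postgres-grafana` secret is installed with `owner = "postgres"; group = "postgres"; mode = "0400";`, but this host runs no PostgreSQL (grafana.nix drops it in this patch) and Grafana reads the file as the `grafana` user through `$__file{…}`, so the service cannot open it — and if no `postgres` user exists the chown itself fails. On this host it should be `owner = "grafana"; group = "grafana"; mode = "0400";`; the `postgres` ownership is only right for the copy on the sql host. The `hedgedoc-env` entry in the previous hunk uses `mode = "440"` while every other secret uses `"0400"`; worth making consistent.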
@@ -8,6 +8,7 @@ { imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") + ../../services/node-exporter.nix ]; systemd.suppressedSystemUnits = [ diff --git a/hosts/monitoring/default.nix b/hosts/monitoring/default.nix new file mode 100644 index 0000000..10f7e18 --- /dev/null +++ b/hosts/monitoring/default.nix @@ -0,0 +1,41 @@ +{ ... }: + +{ + imports = [ + ../common.nix + ../../services/openssh.nix + ../../services/nginx.nix + ./nginx.nix + ./prometheus.nix + ./grafana.nix + ]; + + networking = { + hostName = "monitoring"; + firewall = { + allowedTCPPorts = [ + 80 # HTTP/1 + 443 # HTTP/2 + ]; + allowedUDPPorts = [ + 443 # HTTP/3 + ]; + }; + }; + + services = { + openssh.banner = '' + __ + __/\ \__ __ + ___ ___ ___ ___ /\_\ \ ,_\ ___ _ __ /\_\ ___ __ + /' __` __`\ / __`\ /' _ `\/\ \ \ \/ / __`\/\`'__\/\ \ /' _ `\ /'_ `\ + /\ \/\ \/\ \/\ \L\ \/\ \/\ \ \ \ \ \_/\ \L\ \ \ \/ \ \ \/\ \/\ \/\ \L\ \ + \ \_\ \_\ \_\ \____/\ \_\ \_\ \_\ \__\ \____/\ \_\ \ \_\ \_\ \_\ \____ \ + \/_/\/_/\/_/\/___/ \/_/\/_/\/_/\/__/\/___/ \/_/ \/_/\/_/\/_/\/___L\ \ + /\____/ + \_/__/ + ''; + }; + + system.stateVersion = "25.11"; +} diff --git a/services/grafana.nix b/hosts/monitoring/grafana.nix similarity index 79% rename from services/grafana.nix rename to hosts/monitoring/grafana.nix index b14e43c..e64080e 100644 --- a/services/grafana.nix +++ b/hosts/monitoring/grafana.nix @@ -11,9 +11,10 @@ server.http_addr = "::1"; database = { type = "postgres"; + host = "sql.berlin.ccc.de"; name = "grafana"; user = "grafana"; - host = "/run/postgresql"; + password = "$__file{${config.age.secrets.postgres_grafana.path}}"; }; security = { secret_key = "$__file{${config.age.secrets.grafana_secret_key.path}}"; @@ -42,17 +43,5 @@ ]; }; }; - - postgresql = { - ensureUsers = [ - { - name = config.services.grafana.settings.database.user; - ensureDBOwnership = true; - } - ]; - ensureDatabases = [ - config.services.grafana.settings.database.name - ]; - }; }; } 
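Review bot: `../../services/node-exporter.nix` is resolved relative to `hosts/common.nix`, which points outside the repository; the correct path is `../services/node-exporter.nix`, which patch 6 later fixes. Because common.nix is imported by every host, no configuration evaluates at this commit — squash the fix into this patch.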
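Review bot: `password = "$__file{${config.age.secrets.postgres_grafana.path}}";` refers to a secret named `postgres_grafana`, but the flake in this patch declares it as `postgres-grafana` (hyphen), so the monitoring configuration does not evaluate. The same file still reads `grafana_secret_key` (visible in the context lines), which is neither declared in the monitoring host's `age.secrets` nor encrypted for its key in secrets.nix; it, and presumably `grafana_admin_password`, must be added there and rekeyed before Grafana can start on this host. Since `database.host` now points at `sql.berlin.ccc.de`, also set `database.ssl_mode` once the server offers TLS — the default is `disable`, which sends the password in cleartext.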
diff --git a/hosts/monitoring/nginx.nix b/hosts/monitoring/nginx.nix new file mode 100644 index 0000000..31dddfe --- /dev/null +++ b/hosts/monitoring/nginx.nix @@ -0,0 +1,29 @@ +{ config, pkgs, ... }: + +{ + services.nginx = { + upstreams.grafana.servers."localhost:3000" = {}; + virtualHosts."${config.networking.hostName}.${config.networking.domain}" = { + default = true; + quic = true; + kTLS = true; + forceSSL = true; + enableACME = true; + #auth_basic "Administrator’s Area"; + #auth_basic_user_file ${config.age.secrets.grafana-basic-auth.path}; + locations = { + #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; + "/" = { + recommendedProxySettings = true; + proxyPass = "http://grafana"; + }; + "/api/live/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://grafana"; + }; + }; + }; + }; +} + diff --git a/services/prometheus.nix b/hosts/monitoring/prometheus.nix similarity index 70% rename from services/prometheus.nix rename to hosts/monitoring/prometheus.nix index d8c18b8..efb3e1f 100644 --- a/services/prometheus.nix +++ b/hosts/monitoring/prometheus.nix 
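Review bot: The upstream is declared as `upstreams.grafana.servers."localhost:3000"`, but grafana.nix binds the server with `server.http_addr = "::1"`; nginx resolves `localhost` at startup to both 127.0.0.1 and ::1, so part of the requests hit a closed port before failing over. Use `upstreams.grafana.servers."[::1]:3000" = {};` to match the bind address. The commented-out `auth_basic` lines can be dropped rather than left as dead config, since Grafana's own login protects the UI.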
@@ -5,43 +5,42 @@ enable = true; retentionTime = "14d"; listenAddress = "[::1]"; - exporters = { - node = { - enable = true; - listenAddress = config.services.prometheus.listenAddress; - }; - nginx = { - enable = true; - listenAddress = config.services.prometheus.listenAddress; - }; - #postgres = {}; - }; scrapeConfigs = [ + { + job_name = "hedgedoc"; + scrape_interval = "15s"; + scheme = "https"; + static_configs = [{ targets = ["md.berlin.ccc.de:443"]; }]; + } { job_name = "synapse"; scrape_interval = "15s"; - static_configs = [ - { - targets = lib.pipe config.services.matrix-synapse.settings.listeners [ - (lib.filter (l: l.type == "metrics")) - builtins.head - (l: [ "[${builtins.head l.bind_addresses}]:${toString l.port}" ]) - ]; - } - ]; + static_configs = [{ targets = ["matrix.berlin.ccc.de:9009"]; }]; } { job_name = "node"; scrape_interval = "15s"; static_configs = [ - { targets = [ "${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port}" ]; } + { + targets = [ + "matrix.${config.networking.domain}:${toString config.services.prometheus.exporters.node.port}" + "md.${config.networking.domain}:${toString config.services.prometheus.exporters.node.port}" + "postgres.${config.networking.domain}:${toString config.services.prometheus.exporters.node.port}" + "monitoring:${toString config.services.prometheus.exporters.node.port}" + ]; + } ]; } { job_name = "nginx"; scrape_interval = "15s"; static_configs = [ - { targets = [ "${config.services.prometheus.exporters.nginx.listenAddress}:${toString config.services.prometheus.exporters.nginx.port}" ]; } + { + targets = [ + "monitoring:${toString config.services.prometheus.exporters.nginx.port}" + "matrix:${toString config.services.prometheus.exporters.nginx.port}" + ]; + } ]; } ]; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e8853ac..38abf38 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
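Review bot: The `node` job scrapes `postgres.${config.networking.domain}`, but the host that runs PostgreSQL is called `sql` everywhere else in this series (`./hosts/sql`, `root@sql` in secrets.nix, the README), so this target will not resolve unless an alias exists that is not shown. The `nginx` job mixes bare `monitoring` and `matrix` with the FQDNs used by the other jobs; pick one form, preferably `${host}.${config.networking.domain}`. All of these scrapes are now plain HTTP across hosts and rely solely on per-host firewall allow-lists — acceptable as a start, but the node and Synapse endpoints should eventually sit behind TLS as the `hedgedoc` job already does.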
@@ -17,17 +17,22 @@ let _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix"; _md = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdFkdEEDXo8+k5YZpI1O2GqZlxcpCDtxqVun35duITm root@md"; _sql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcSXjDSyVVVdJbpheOhT0fIuOGFk+jsHhjrAVnBNLQV root@sql"; + _mon = ""; in { + "pushover_app_token.age".publicKeys = users ++ [ _matrix ]; + "pushover_user_key.age".publicKeys = users ++ [ _matrix ]; "matrix_admin_password.age".publicKeys = users; "draupnir_access_token.age".publicKeys = users ++ [ _matrix ]; "matrix_signing_key.age".publicKeys = users ++ [ _matrix ]; "matrix_registration_shared_secret.age".publicKeys = users ++ [ _matrix ]; - "pushover_app_token.age".publicKeys = users ++ [ _matrix ]; - "pushover_user_key.age".publicKeys = users ++ [ _matrix ]; "grafana_admin_password.age".publicKeys = users ++ [ _matrix ]; "grafana_secret_key.age".publicKeys = users ++ [ _matrix ]; + + "hedgedoc-env.age".publicKeys = users ++ [ _md ]; + "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ]; "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ]; + "postgres-grafana.age".publicKeys = users ++ [ _sql _mon ]; } diff --git a/services/node-exporter.nix b/services/node-exporter.nix new file mode 100644 index 0000000..a29114c --- /dev/null +++ b/services/node-exporter.nix @@ -0,0 +1,13 @@ +{ ... }: + +{ + services.prometheus.exporters.node = { + enable = true; + openFirewall = true; + firewallRules = '' + ip saddr 195.160.173.14 tcp dport 9187 counter accept + ip6 saddr 2001:678:760:cccb::14 tcp dport 9187 counter accept + ''; + }; +} + From cd2b61f1fb73c109acb025f1ec01f1e1f5f20f42 Mon Sep 17 00:00:00 2001 
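Review bot: `_mon = "";` adds an empty recipient, and `postgres-grafana.age` is keyed to `users ++ [ _sql _mon ]`, so the monitoring host's key is not actually among the recipients and it cannot decrypt the secret (an empty recipient may also make `agenix -r` fail outright). Fill in the monitoring host's `root@monitoring` key and rekey; the `.age` blob committed in patch 2 predates this entry anyway. `grafana_admin_password.age` and `grafana_secret_key.age` remain encrypted only for `_matrix` although Grafana moves to the monitoring host in this patch, so they need `_mon` as well.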
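Review bot: The two `firewallRules` lines open `tcp dport 9187`, which is the PostgreSQL exporter's default port, not the node exporter's (9100), so every host importing common.nix exposes 9187 to the monitoring host while the node exporter itself stays unreachable and the `node` scrape job in this patch fails. Derive the port from the module instead of hard-coding it, and since this string is reused by the nginx and postgres exporters elsewhere in the series, consider a small helper that takes the port rather than sharing the rules verbatim.

```nix
{ config, ... }:

let
  port = toString config.services.prometheus.exporters.node.port;
in
{
  services.prometheus.exporters.node = {
    enable = true;
    openFirewall = true;
    firewallRules = ''
      ip saddr 195.160.173.14 tcp dport ${port} counter accept
      ip6 saddr 2001:678:760:cccb::14 tcp dport ${port} counter accept
    '';
  };
}
```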
From: "Ricardo (XenGi) Band" Date: Fri, 13 Feb 2026 17:33:12 +0100 Subject: [PATCH 6/6] matrix foo --- flake.nix | 16 ++++++++++++++++ hosts/common.nix | 2 +- hosts/matrix/default.nix | 3 --- hosts/matrix/synapse.nix | 21 +++------------------ 4 files changed, 20 insertions(+), 22 deletions(-) diff --git a/flake.nix b/flake.nix index b22ae31..a81fd91 100644 --- a/flake.nix +++ b/flake.nix @@ -165,6 +165,22 @@ ./hosts/monitoring ]; }; + nixosConfigurations."www" = nixpkgs.lib.nixosSystem { + #system = "x86_64-linux"; + #pkgs = import nixpkgs { inherit system; }; + inherit system; + modules = [ + ./hosts/www + ]; + }; + nixosConfigurations."git-run" = nixpkgs.lib.nixosSystem { + #system = "x86_64-linux"; + #pkgs = import nixpkgs { inherit system; }; + inherit system; + modules = [ + ./hosts/git-run + ]; + }; }; #); } diff --git a/hosts/common.nix b/hosts/common.nix index 42d42e9..7397864 100644 --- a/hosts/common.nix +++ b/hosts/common.nix @@ -8,7 +8,7 @@ { imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") - ../../services/node-exporter.nix + ../services/node-exporter.nix ]; systemd.suppressedSystemUnits = [ diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix index 9362d37..f502edf 100644 --- a/hosts/matrix/default.nix +++ b/hosts/matrix/default.nix @@ -8,9 +8,6 @@ ./nginx.nix ./synapse.nix ./draupnir.nix - ../../services/postgres.nix - ../../services/prometheus.nix - ../../services/grafana.nix ]; networking = { diff --git a/hosts/matrix/synapse.nix b/hosts/matrix/synapse.nix index 97242b0..445f7ff 100644 --- a/hosts/matrix/synapse.nix +++ b/hosts/matrix/synapse.nix @@ -1,8 +1,5 @@ { config, ... }: -let - domain = "berlin.ccc.de"; -in { networking.firewall.extraInputRules = '' ip saddr 195.160.173.14 tcp dport 9009 accept 
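Review bot: `nixosConfigurations."www"` and `"git-run"` import `./hosts/www` and `./hosts/git-run`, but neither directory is part of this series (the diffstat lists only flake.nix, common.nix and the two matrix files), so `nix flake check` and any evaluation of those outputs fails. Either add the host directories in this commit or hold the entries back until they exist. Unlike the other hosts they also omit `agenix.nixosModules.default`, which is fine only if they truly need no secrets.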
@@ -13,9 +10,9 @@ in matrix-synapse = { enable = true; settings = { - server_name = domain; - public_baseurl = "https://matrix.${domain}:443/"; - # "/var/lib/matrix-synapse/homeserver.signing.key" + server_name = config.networking.domain; + public_baseurl = "https://${config.networking.hostName}.${config.networking.domain}:443/"; + # Creates "/var/lib/matrix-synapse/homeserver.signing.key" on first launch signing_key_path = config.age.secrets.matrix_signing_key.path; registration_shared_secret_path = config.age.secrets.matrix_registration_shared_secret.path; database = { @@ -73,17 +70,5 @@ in }; enableRegistrationScript = true; }; - - postgresql = { - ensureUsers = [ - { - name = config.services.matrix-synapse.settings.database.args.user; - ensureDBOwnership = true; - } - ]; - ensureDatabases = [ - config.services.matrix-synapse.settings.database.args.database - ]; - }; }; }
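Review bot: `server_name = config.networking.domain;` ties the homeserver's federation identity to a networking option that can change for unrelated reasons, and a Matrix server_name can never change once the server has federated; keeping the literal `"berlin.ccc.de"` (or asserting `networking.domain` equals it) is the safer contract, assuming `networking.domain` is set in common.nix, which is not visible here. The reworded comment `# Creates "/var/lib/matrix-synapse/homeserver.signing.key" on first launch` is misleading next to `signing_key_path = config.age.secrets.matrix_signing_key.path;` — the key is provisioned read-only by agenix and Synapse will not generate one at that path; something like `# Signing key is provisioned by agenix (matrix_signing_key); it must never be regenerated` describes what actually happens. The `matrix-synapse` block continues below this hunk.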