hippocampus: dawarich fix

machines/hippocampus/secrets/pass.yaml

@@ -18,6 +18,7 @@ oinkSapi: ENC[AES256_GCM,data:SXfowRHpuhDMVoeqWPkfbnj/9+uGlBCg3MwUHCADeuLgaZImSn
 tuwunelreg: ENC[AES256_GCM,data:5NJL1W6iVEwLwAUGlmCOHgVzV+9aLMrp8OXu8uVUw3SpCR5ffUuPsFtEHvJ2UkV1DPtJ2mz+EmqgWYOt7aY2xdtT5CTQJVlFcxQOOhJ2IYy5OpPHNtHLTWtKR1p0a3V38aBq98hZRL1JgdY1lrTtQPtV9u13zH+A2TZVmYxdG8Y=,iv:cltmxwdE0A7EYqdtaPXs2FALmO8YPydIOrNHfv7Pu9Q=,tag:ppnBVeL+t8sHhCXWOzLtjw==,type:str]
 coturn-secret: ENC[AES256_GCM,data:9lPM14VVk/VlmYPy4XgIaKDQgRKcoaCaszcaETCBQMmMIGSuq+G2aHqa8dtXf6Tg/Llcza+VROZYBuC9bsFwoEDtcbhFoE9S7OKrJ8bWDDI1AGTwP3j9tgExvmd0HMyqkNrb3l1cPj4/CLcSlZxxWcYVWZL2sSzKpqhKNXGeYCM=,iv:zckUJK+F95lVKZz/XoD4nmuC14FiIU1gIxe5U4abvrg=,tag:nSPxlCMS4QXBvkb6jn4EQg==,type:str]
 lk-jwt: ENC[AES256_GCM,data:6EXQbXUWsXzYwHU+KYh8FfVKoMScrbX/ITx/x128UdU1r0PmqEZ39TewmDUSlNlMsaWYRffNd8lmfF3sPZDOZzL/jNJNaTSqUKy8cPX8XF+LJqq08ZDWihvgKjcyHy6BORpe07fGp6v/otJW9XE9qujJ2QC/0MA+dJpckpfibaswfWwkL2BfmDfcq2H8Tudohg==,iv:Rm5uWOKGBKlnivGkxWokpG1YR1dxeTV+cVrDZ/3i8yE=,tag:bSeOZ7SEelDIeSGTdzRVng==,type:str]
+dawarich_smtp: ENC[AES256_GCM,data:v4VU5XGGR2rLfQZsMvbXCA==,iv:jD3EFKab7/oxxqX6O1Mfz5tA/xUOGEaBtMsHnENouBQ=,tag:JWyrensx9v97blQv49jsLQ==,type:str]
 sops:
     age:
         - recipient: age1crymppz88etsdjpckmtdhr397x5xg5wv8jt6tcj23gt2snq73pzs04fuve
@@ -29,7 +30,7 @@ sops:
             RVUzMlFya3Z0amdTUTJ5YjFRck5kZzQKoWZzExqzPRpQPL4CdqBalc1/dYtjBH6J
             LGR0oImfOWlIJwcaJLv/fc470UvXHHwIji9v/pbV7xMkgMjlJthaYg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-14T20:13:02Z"
-    mac: ENC[AES256_GCM,data:xEUg35S/XKnVLlPDm1h1fFCrl0kKdccXCQzcJsX2uc/efiq92y0eqN0GbVcr3nWyNca/StXWMBuv23r1miD6zEPkLxED/YlsmvaoVJslnUt39lx5I/3TYYI/LiIvXuwcfWNAeSrHc1w7BqGWZPQsnXf34Lp76W8VdjOniMs5p+s=,iv:ew8hA8HF9gtjOihKC1K0MTv/jdL44IniuB/23vcXVNo=,tag:PbttXpEzzK5GnqqvnfUsxA==,type:str]
+    lastmodified: "2026-02-16T00:04:12Z"
+    mac: ENC[AES256_GCM,data:W17ieIGhzDXcjT8xJn72K0274QN9FcMOXdB4YWeSAyxSwRmwUkuF9NzbAWZ8rH/Yva8mUgOh+OC1x4xavHI5UGBsSoUk+q9vevRd13qVE328o3JW0ZRsi3PunpmmzEYoz//z3UUxpepgcBKGTui8Fj1z5tOoNtXfEtxnHv/JY0w=,iv:8TSc+cMa+bbFqoPObnBE5KUhysmZnr1iTksc4tvUcDw=,tag:6LxuWGLQv7fSpJN0spuQ5Q==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

machines/hippocampus/servers/public.nix

@@ -53,5 +53,11 @@
 
     # Matrix services
     ./public/matrix.nix
+
+    # Immich Photo Backups
+    ./public/immich.nix
+
+    # Dawarich location tracking
+    ./public/dawarich.nix
   ];
 }

machines/hippocampus/servers/public/dawarich.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }: {
+  sops.secrets.dawarich_smtp = {
+    owner = config.services.dawarich.user;
+    group = config.services.dawarich.group;
+  };
+  services.dawarich = {
+    enable = true;
+    package = (pkgs.callPackage ./dawarich/package.nix { }).overrideAttrs (old: {
+      # https://github.com/Freika/dawarich/issues/1469
+      postInstall = (old.postInstall or "") + ''
+        cp ${./dawarich_smtp_config.rb} $out/config/initializers/smtp_settings.rb
+      '';
+    });
+    webPort = 7392;
+    configureNginx = false;
+    localDomain = "location.crompton.cc";
+    smtp = {
+      fromAddress = "automated@syzygial.cc";
+      user = "automated@syzygial.cc";
+      passwordFile = config.sops.secrets.dawarich_smtp.path;
+      host = "smtp.protonmail.ch";
+      port = 587;
+    };
+  };
+
+  services.caddy.virtualHosts = {
+    ${config.services.dawarich.localDomain} = {
+      extraConfig = ''
+        reverse_proxy localhost:${toString config.services.dawarich.webPort}
+	encode brotli {
+          match {
+	    content_type text/css text/plain text/xml text/x-component text/javascript application/x-javascript application/javascript application/json application/manifest+json application/vnd.api+json application/xml application/xhtml+xml application/rss+xml application/atom+xml application/vnd.ms-fontobject application/x-font-ttf application/x-font-opentype application/x-font-truetype image/svg+xml image/x-icon image/vnd.microsoft.icon font/ttf font/eot font/otf font/opentype
+	  }
+	}
+      '';
+    };
+  };  
+}

machines/hippocampus/servers/public/dawarich/0001-build-ffi-gem.diff

@@ -0,0 +1,18 @@
+diff --git a/Gemfile.lock b/Gemfile.lock
+index d45a7657..d0a7b750 100644
+--- a/Gemfile.lock
++++ b/Gemfile.lock
+@@ -172,12 +172,7 @@ GEM
+       railties (>= 6.1.0)
+     fakeredis (0.1.4)
+     ffaker (2.25.0)
+-    ffi (1.17.2-aarch64-linux-gnu)
+-    ffi (1.17.2-arm-linux-gnu)
+-    ffi (1.17.2-arm64-darwin)
+-    ffi (1.17.2-x86-linux-gnu)
+-    ffi (1.17.2-x86_64-darwin)
+-    ffi (1.17.2-x86_64-linux-gnu)
++    ffi (1.17.2)
+     foreman (0.90.0)
+       thor (~> 1.4)
+     fugit (1.11.1)

machines/hippocampus/servers/public/dawarich/0002-openssl-hotfix.diff

@@ -0,0 +1,32 @@
+diff --git a/Gemfile b/Gemfile
+index 36cf0d9c..fc914849 100644
+--- a/Gemfile
++++ b/Gemfile
+@@ -28,6 +28,7 @@ gem 'omniauth-github', '~> 2.0.0'
+ gem 'omniauth-google-oauth2'
+ gem 'omniauth_openid_connect'
+ gem 'omniauth-rails_csrf_protection'
++gem 'openssl'
+ gem 'parallel'
+ gem 'pg'
+ gem 'prometheus_exporter'
+diff --git a/Gemfile.lock b/Gemfile.lock
+index a32eb801..b2fc45bc 100644
+--- a/Gemfile.lock
++++ b/Gemfile.lock
+@@ -348,6 +348,7 @@ GEM
+       tzinfo
+       validate_url
+       webfinger (~> 2.0)
++    openssl (3.3.1)
+     optimist (3.2.1)
+     orm_adapter (0.5.0)
+     ostruct (0.6.1)
+@@ -665,6 +666,7 @@ DEPENDENCIES
+   omniauth-google-oauth2
+   omniauth-rails_csrf_protection
+   omniauth_openid_connect
++  openssl
+   parallel
+   pg
+   prometheus_exporter

machines/hippocampus/servers/public/dawarich/package.nix

@@ -0,0 +1,142 @@
+{
+  lib,
+  applyPatches,
+  bundlerEnv,
+  fetchFromGitHub,
+  fetchNpmDeps,
+  nixosTests,
+  nodejs,
+  npmHooks,
+  ruby_3_4,
+  stdenv,
+  tailwindcss_3,
+  gemset ? import ./gemset.nix,
+  sources ? lib.importJSON ./sources.json,
+  unpatchedSource ? fetchFromGitHub {
+    owner = "Freika";
+    repo = "dawarich";
+    tag = sources.version;
+    inherit (sources) hash;
+  },
+}:
+let
+  ruby = ruby_3_4;
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "dawarich";
+  inherit (sources) version;
+
+  # Use `applyPatches` here because bundix in the update script (see ./update.sh)
+  # needs to run on the already patched Gemfile and Gemfile.lock.
+  # Only patches changing these two files should be here;
+  # patches for other parts of the application should go directly into mkDerivation.
+  src = applyPatches {
+    src = unpatchedSource;
+    patches = [
+      # bundix and bundlerEnv fail with system-specific gems
+      ./0001-build-ffi-gem.diff
+      # openssl 3.6.0 breaks ruby openssl gem
+      # See https://github.com/NixOS/nixpkgs/issues/456753
+      # and https://github.com/ruby/openssl/issues/949#issuecomment-3370358680
+      ./0002-openssl-hotfix.diff
+    ];
+    postPatch = ''
+      substituteInPlace ./Gemfile \
+        --replace-fail "ruby File.read('.ruby-version').strip" "ruby '>= 3.4.0'"
+    '';
+  };
+
+  postPatch = ''
+    # move import directory to a more convenient place, otherwise its behind systemd private tmp
+    substituteInPlace ./app/services/imports/watcher.rb \
+      --replace-fail 'tmp/imports/watched' 'storage/imports/watched'
+  '';
+
+  dawarichGems = bundlerEnv {
+    name = "${finalAttrs.pname}-gems-${finalAttrs.version}";
+    inherit gemset ruby;
+    inherit (finalAttrs) version;
+    gemdir = finalAttrs.src;
+  };
+
+  npmDeps = fetchNpmDeps {
+    inherit (finalAttrs) src;
+    hash = sources.npmHash;
+  };
+
+  RAILS_ENV = "production";
+  NODE_ENV = "production";
+  REDIS_URL = ""; # build error if not defined
+  TAILWINDCSS_INSTALL_DIR = "${tailwindcss_3}/bin";
+
+  nativeBuildInputs = [
+    nodejs
+    npmHooks.npmConfigHook
+    finalAttrs.dawarichGems
+    finalAttrs.dawarichGems.wrappedRuby
+  ];
+  propagatedBuildInputs = [
+    finalAttrs.dawarichGems.wrappedRuby
+  ];
+  buildInputs = [
+    finalAttrs.dawarichGems
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    patchShebangs bin/
+    for b in $(ls $dawarichGems/bin/)
+    do
+      if [ ! -f bin/$b ]; then
+        ln -s $dawarichGems/bin/$b bin/$b
+      fi
+    done
+
+    SECRET_KEY_BASE_DUMMY=1 bundle exec rake assets:precompile
+
+    rm -rf node_modules tmp log storage
+    ln -s /var/log/dawarich log
+    ln -s /var/lib/dawarich storage
+    ln -s /tmp tmp
+
+    # delete more files unneeded at runtime
+    rm -rf docker docs screenshots package.json package-lock.json *.md *.example
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    # tests are not needed at runtime
+    rm -rf spec e2e
+    # delete artifacts from patching
+    rm *.orig
+
+    mkdir -p $out
+    mv .{ruby*,app_version} $out/
+    mv * $out/
+
+    runHook postInstall
+  '';
+
+  passthru = {
+    tests = {
+      inherit (nixosTests) dawarich;
+    };
+    # run with: nix-shell ./maintainers/scripts/update.nix --argstr package dawarich
+    updateScript = ./update.sh;
+  };
+
+  meta = {
+    changelog = "https://github.com/Freika/dawarich/blob/${finalAttrs.version}/CHANGELOG.md";
+    description = "Self-hostable alternative to Google Location History (Google Maps Timeline)";
+    homepage = "https://dawarich.app/";
+    license = lib.licenses.agpl3Only;
+    maintainers = with lib.maintainers; [
+      diogotcorreia
+    ];
+    platforms = lib.platforms.linux;
+  };
+})

machines/hippocampus/servers/public/dawarich/sources.json

@@ -0,0 +1,5 @@
+{
+  "version": "1.1.0",
+  "hash": "sha256-oL1XLBaSYCeP+Fn+6BlGMEgCTkwZhT1VZNamrcRXrgI=",
+  "npmHash": "sha256-doBsDBsO7npHs/jyeg4xWzdauWoK6dPe8z+97IP2zxI="
+}

machines/hippocampus/servers/public/dawarich_smtp_config.rb

@@ -0,0 +1,5 @@
+Rails.application.config.action_mailer.smtp_settings.merge!(
+  authentication:  ENV.fetch('SMTP_AUTHENTICATION', 'login').to_sym,
+  open_timeout:    ENV.fetch('SMTP_OPEN_TIMEOUT', '25').to_i,
+  read_timeout:    ENV.fetch('SMTP_READ_TIMEOUT', '25').to_i
+)

machines/hippocampus/servers/public/immich.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }: {
+  services.immich = {
+    enable = true;
+    mediaLocation = "/mass/immich";
+  };
+  services.caddy.virtualHosts = {
+    "photos.crompton.cc" = {
+      extraConfig = ''
+        reverse_proxy localhost:${toString config.services.immich.port}
+      '';
+    };
+  };
+}

machines/hippocampus/servers/public/matrix/client.nix

@@ -6,6 +6,7 @@
     locations."/" = {
       root = pkgs.element-web.override {
         conf = {
+          default_server_name = "glia.club";
           default_server_config = {
             m.homeserver = {
               base_url = "https://chat.glia.club";
@@ -29,15 +30,22 @@
           default_widget_container_height = 280;
           default_country_code = "GB";
           show_labs_settings = true;
-          features = {};
+          features = {
+            threadsActivityCentre = true;
+            feature_video_rooms = true;
+            feature_group_calls = true;
+            feature_element_call_video_rooms = true;
+          };
           default_federate = false;
           default_theme = "light";
           room_directory = {
             servers = ["glia.club"];
           };
           enable_presence_by_hs_url = {
-            "https://glia.club" = false;
-            "https://chat.glia.club" = false;
+            "https://glia.club" = true;
+            "https://chat.glia.club" = true;
+            "https://matrix.org" = false;
+            "https://matrix-client.matrix.org" = false;
           };
           setting_defaults = {
             breadcrumbs = false;
@@ -69,8 +77,8 @@
         location /config {
             add_header Cache-Control "no-cache";
         }
-        location /modules {
-            alias /modules;
+        location /modules/ {
+            alias /modules/;
         }
         # redirect server error pages to the static page /50x.html
         #

machines/hippocampus/servers/public/matrix/server.nix

@@ -24,6 +24,11 @@
 
         allow_registration = true;
         registration_token_file = config.sops.secrets.tuwunelreg.path;
+   
+        well_known = {
+          client = "https://glia.club";
+          server = "glia.club:443";
+        };
       };
     };
   };

machines/hippocampus/servers/public/matrix/turn.nix

@@ -18,6 +18,48 @@
     static-auth-secret-file = config.sops.secrets.coturn-secret.path;
     cert = "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/turn.glia.club/turn.glia.club.crt";
     pkey = "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/turn.glia.club/turn.glia.club.key";
+    extraConfig = ''
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+no-tcp-relay
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.enablesecurity.com/blog/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+# https://www.enablesecurity.com/blog/cve-2020-26262-bypass-of-coturns-access-control-protection/#further-concerns-what-else
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+denied-peer-ip=::1
+denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+# special case the turn server itself so that client->TURN->TURN->client flows work
+# this should be one of the turn server's listening IPs
+allowed-peer-ip=10.0.0.1
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200
+    '';
   };
   services.matrix-tuwunel.settings = {
     global = {