hippocampus: dawarich fix

machines/hippocampus/secrets/pass.yaml

@@ -16,6 +16,9 @@ restic:
 oinkapi: ENC[AES256_GCM,data:bk4tLEYGpPnTgiSz9KAAwykjIFRMOL+GK9/VP/C/WGXSYyGq245w+EJuC/4+XNyic0dniGFtJOOGy9reIWj1ZIDXZY4=,iv:a85CCgy27ByGnMS/0ForMY25xkU1kgahyis0yLs5hTs=,tag:AsXxzQgyvBmpP/I0f0wApQ==,type:str]
 oinkSapi: ENC[AES256_GCM,data:SXfowRHpuhDMVoeqWPkfbnj/9+uGlBCg3MwUHCADeuLgaZImSnEiYLyjQfruhzoul9E+F1Uj4QxG8KeOY7nAFqkl/Ns=,iv:GYEiAQDylHxu9CW5DB0so9QY8Ou4fZT3+wk7ZrgoP+o=,tag:W/Q+tSfDsEcSYcI+oLuxxA==,type:str]
 tuwunelreg: ENC[AES256_GCM,data:5NJL1W6iVEwLwAUGlmCOHgVzV+9aLMrp8OXu8uVUw3SpCR5ffUuPsFtEHvJ2UkV1DPtJ2mz+EmqgWYOt7aY2xdtT5CTQJVlFcxQOOhJ2IYy5OpPHNtHLTWtKR1p0a3V38aBq98hZRL1JgdY1lrTtQPtV9u13zH+A2TZVmYxdG8Y=,iv:cltmxwdE0A7EYqdtaPXs2FALmO8YPydIOrNHfv7Pu9Q=,tag:ppnBVeL+t8sHhCXWOzLtjw==,type:str]
+coturn-secret: ENC[AES256_GCM,data:9lPM14VVk/VlmYPy4XgIaKDQgRKcoaCaszcaETCBQMmMIGSuq+G2aHqa8dtXf6Tg/Llcza+VROZYBuC9bsFwoEDtcbhFoE9S7OKrJ8bWDDI1AGTwP3j9tgExvmd0HMyqkNrb3l1cPj4/CLcSlZxxWcYVWZL2sSzKpqhKNXGeYCM=,iv:zckUJK+F95lVKZz/XoD4nmuC14FiIU1gIxe5U4abvrg=,tag:nSPxlCMS4QXBvkb6jn4EQg==,type:str]
+lk-jwt: ENC[AES256_GCM,data:6EXQbXUWsXzYwHU+KYh8FfVKoMScrbX/ITx/x128UdU1r0PmqEZ39TewmDUSlNlMsaWYRffNd8lmfF3sPZDOZzL/jNJNaTSqUKy8cPX8XF+LJqq08ZDWihvgKjcyHy6BORpe07fGp6v/otJW9XE9qujJ2QC/0MA+dJpckpfibaswfWwkL2BfmDfcq2H8Tudohg==,iv:Rm5uWOKGBKlnivGkxWokpG1YR1dxeTV+cVrDZ/3i8yE=,tag:bSeOZ7SEelDIeSGTdzRVng==,type:str]
+dawarich_smtp: ENC[AES256_GCM,data:v4VU5XGGR2rLfQZsMvbXCA==,iv:jD3EFKab7/oxxqX6O1Mfz5tA/xUOGEaBtMsHnENouBQ=,tag:JWyrensx9v97blQv49jsLQ==,type:str]
 sops:
     age:
         - recipient: age1crymppz88etsdjpckmtdhr397x5xg5wv8jt6tcj23gt2snq73pzs04fuve
@@ -27,7 +30,7 @@ sops:
             RVUzMlFya3Z0amdTUTJ5YjFRck5kZzQKoWZzExqzPRpQPL4CdqBalc1/dYtjBH6J
             LGR0oImfOWlIJwcaJLv/fc470UvXHHwIji9v/pbV7xMkgMjlJthaYg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-12T06:05:20Z"
-    mac: ENC[AES256_GCM,data:6qaXmS4dOczW2hIvwL1QFgURL+t6R8umzI7lslz2aRXV5zOpZ/IVC/4EJBUGd+2X+Q1g7TLlRtVACiZ1k7e4BfP5eOq4XGCV4YFb0YxWtWMA3v2g020E6/AOkZvO2sGGnZfPEwFpWmC1XfPTNQ1YUFlH0lntEqlMGHueSmczorY=,iv:wTKnAoaZPKerh1POnxcMAKUEW18darOzY09S74y6kOE=,tag:7fC7Bbxb01FW5BxbOz7P9w==,type:str]
+    lastmodified: "2026-02-16T00:04:12Z"
+    mac: ENC[AES256_GCM,data:W17ieIGhzDXcjT8xJn72K0274QN9FcMOXdB4YWeSAyxSwRmwUkuF9NzbAWZ8rH/Yva8mUgOh+OC1x4xavHI5UGBsSoUk+q9vevRd13qVE328o3JW0ZRsi3PunpmmzEYoz//z3UUxpepgcBKGTui8Fj1z5tOoNtXfEtxnHv/JY0w=,iv:8TSc+cMa+bbFqoPObnBE5KUhysmZnr1iTksc4tvUcDw=,tag:6LxuWGLQv7fSpJN0spuQ5Q==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

machines/hippocampus/servers/public.nix

@@ -53,5 +53,11 @@
 
     # Matrix services
     ./public/matrix.nix
+
+    # Immich Photo Backups
+    ./public/immich.nix
+
+    # Dawarich location tracking
+    ./public/dawarich.nix
   ];
 }

machines/hippocampus/servers/public/dawarich.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }: {
+  sops.secrets.dawarich_smtp = {
+    owner = config.services.dawarich.user;
+    group = config.services.dawarich.group;
+  };
+  services.dawarich = {
+    enable = true;
+    package = (pkgs.callPackage ./dawarich/package.nix { }).overrideAttrs (old: {
+      # https://github.com/Freika/dawarich/issues/1469
+      postInstall = (old.postInstall or "") + ''
+        cp ${./dawarich_smtp_config.rb} $out/config/initializers/smtp_settings.rb
+      '';
+    });
+    webPort = 7392;
+    configureNginx = false;
+    localDomain = "location.crompton.cc";
+    smtp = {
+      fromAddress = "automated@syzygial.cc";
+      user = "automated@syzygial.cc";
+      passwordFile = config.sops.secrets.dawarich_smtp.path;
+      host = "smtp.protonmail.ch";
+      port = 587;
+    };
+  };
+
+  services.caddy.virtualHosts = {
+    ${config.services.dawarich.localDomain} = {
+      extraConfig = ''
+        reverse_proxy localhost:${toString config.services.dawarich.webPort}
+	encode brotli {
+          match {
+	    content_type text/css text/plain text/xml text/x-component text/javascript application/x-javascript application/javascript application/json application/manifest+json application/vnd.api+json application/xml application/xhtml+xml application/rss+xml application/atom+xml application/vnd.ms-fontobject application/x-font-ttf application/x-font-opentype application/x-font-truetype image/svg+xml image/x-icon image/vnd.microsoft.icon font/ttf font/eot font/otf font/opentype
+	  }
+	}
+      '';
+    };
+  };  
+}

machines/hippocampus/servers/public/dawarich/0001-build-ffi-gem.diff

@@ -0,0 +1,18 @@
+diff --git a/Gemfile.lock b/Gemfile.lock
+index d45a7657..d0a7b750 100644
+--- a/Gemfile.lock
++++ b/Gemfile.lock
+@@ -172,12 +172,7 @@ GEM
+       railties (>= 6.1.0)
+     fakeredis (0.1.4)
+     ffaker (2.25.0)
+-    ffi (1.17.2-aarch64-linux-gnu)
+-    ffi (1.17.2-arm-linux-gnu)
+-    ffi (1.17.2-arm64-darwin)
+-    ffi (1.17.2-x86-linux-gnu)
+-    ffi (1.17.2-x86_64-darwin)
+-    ffi (1.17.2-x86_64-linux-gnu)
++    ffi (1.17.2)
+     foreman (0.90.0)
+       thor (~> 1.4)
+     fugit (1.11.1)

machines/hippocampus/servers/public/dawarich/0002-openssl-hotfix.diff

@@ -0,0 +1,32 @@
+diff --git a/Gemfile b/Gemfile
+index 36cf0d9c..fc914849 100644
+--- a/Gemfile
++++ b/Gemfile
+@@ -28,6 +28,7 @@ gem 'omniauth-github', '~> 2.0.0'
+ gem 'omniauth-google-oauth2'
+ gem 'omniauth_openid_connect'
+ gem 'omniauth-rails_csrf_protection'
++gem 'openssl'
+ gem 'parallel'
+ gem 'pg'
+ gem 'prometheus_exporter'
+diff --git a/Gemfile.lock b/Gemfile.lock
+index a32eb801..b2fc45bc 100644
+--- a/Gemfile.lock
++++ b/Gemfile.lock
+@@ -348,6 +348,7 @@ GEM
+       tzinfo
+       validate_url
+       webfinger (~> 2.0)
++    openssl (3.3.1)
+     optimist (3.2.1)
+     orm_adapter (0.5.0)
+     ostruct (0.6.1)
+@@ -665,6 +666,7 @@ DEPENDENCIES
+   omniauth-google-oauth2
+   omniauth-rails_csrf_protection
+   omniauth_openid_connect
++  openssl
+   parallel
+   pg
+   prometheus_exporter

machines/hippocampus/servers/public/dawarich/package.nix

@@ -0,0 +1,142 @@
+{
+  lib,
+  applyPatches,
+  bundlerEnv,
+  fetchFromGitHub,
+  fetchNpmDeps,
+  nixosTests,
+  nodejs,
+  npmHooks,
+  ruby_3_4,
+  stdenv,
+  tailwindcss_3,
+  gemset ? import ./gemset.nix,
+  sources ? lib.importJSON ./sources.json,
+  unpatchedSource ? fetchFromGitHub {
+    owner = "Freika";
+    repo = "dawarich";
+    tag = sources.version;
+    inherit (sources) hash;
+  },
+}:
+let
+  ruby = ruby_3_4;
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "dawarich";
+  inherit (sources) version;
+
+  # Use `applyPatches` here because bundix in the update script (see ./update.sh)
+  # needs to run on the already patched Gemfile and Gemfile.lock.
+  # Only patches changing these two files should be here;
+  # patches for other parts of the application should go directly into mkDerivation.
+  src = applyPatches {
+    src = unpatchedSource;
+    patches = [
+      # bundix and bundlerEnv fail with system-specific gems
+      ./0001-build-ffi-gem.diff
+      # openssl 3.6.0 breaks ruby openssl gem
+      # See https://github.com/NixOS/nixpkgs/issues/456753
+      # and https://github.com/ruby/openssl/issues/949#issuecomment-3370358680
+      ./0002-openssl-hotfix.diff
+    ];
+    postPatch = ''
+      substituteInPlace ./Gemfile \
+        --replace-fail "ruby File.read('.ruby-version').strip" "ruby '>= 3.4.0'"
+    '';
+  };
+
+  postPatch = ''
+    # move import directory to a more convenient place, otherwise its behind systemd private tmp
+    substituteInPlace ./app/services/imports/watcher.rb \
+      --replace-fail 'tmp/imports/watched' 'storage/imports/watched'
+  '';
+
+  dawarichGems = bundlerEnv {
+    name = "${finalAttrs.pname}-gems-${finalAttrs.version}";
+    inherit gemset ruby;
+    inherit (finalAttrs) version;
+    gemdir = finalAttrs.src;
+  };
+
+  npmDeps = fetchNpmDeps {
+    inherit (finalAttrs) src;
+    hash = sources.npmHash;
+  };
+
+  RAILS_ENV = "production";
+  NODE_ENV = "production";
+  REDIS_URL = ""; # build error if not defined
+  TAILWINDCSS_INSTALL_DIR = "${tailwindcss_3}/bin";
+
+  nativeBuildInputs = [
+    nodejs
+    npmHooks.npmConfigHook
+    finalAttrs.dawarichGems
+    finalAttrs.dawarichGems.wrappedRuby
+  ];
+  propagatedBuildInputs = [
+    finalAttrs.dawarichGems.wrappedRuby
+  ];
+  buildInputs = [
+    finalAttrs.dawarichGems
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    patchShebangs bin/
+    for b in $(ls $dawarichGems/bin/)
+    do
+      if [ ! -f bin/$b ]; then
+        ln -s $dawarichGems/bin/$b bin/$b
+      fi
+    done
+
+    SECRET_KEY_BASE_DUMMY=1 bundle exec rake assets:precompile
+
+    rm -rf node_modules tmp log storage
+    ln -s /var/log/dawarich log
+    ln -s /var/lib/dawarich storage
+    ln -s /tmp tmp
+
+    # delete more files unneeded at runtime
+    rm -rf docker docs screenshots package.json package-lock.json *.md *.example
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    # tests are not needed at runtime
+    rm -rf spec e2e
+    # delete artifacts from patching
+    rm *.orig
+
+    mkdir -p $out
+    mv .{ruby*,app_version} $out/
+    mv * $out/
+
+    runHook postInstall
+  '';
+
+  passthru = {
+    tests = {
+      inherit (nixosTests) dawarich;
+    };
+    # run with: nix-shell ./maintainers/scripts/update.nix --argstr package dawarich
+    updateScript = ./update.sh;
+  };
+
+  meta = {
+    changelog = "https://github.com/Freika/dawarich/blob/${finalAttrs.version}/CHANGELOG.md";
+    description = "Self-hostable alternative to Google Location History (Google Maps Timeline)";
+    homepage = "https://dawarich.app/";
+    license = lib.licenses.agpl3Only;
+    maintainers = with lib.maintainers; [
+      diogotcorreia
+    ];
+    platforms = lib.platforms.linux;
+  };
+})

machines/hippocampus/servers/public/dawarich/sources.json

@@ -0,0 +1,5 @@
+{
+  "version": "1.1.0",
+  "hash": "sha256-oL1XLBaSYCeP+Fn+6BlGMEgCTkwZhT1VZNamrcRXrgI=",
+  "npmHash": "sha256-doBsDBsO7npHs/jyeg4xWzdauWoK6dPe8z+97IP2zxI="
+}

machines/hippocampus/servers/public/dawarich_smtp_config.rb

@@ -0,0 +1,5 @@
+Rails.application.config.action_mailer.smtp_settings.merge!(
+  authentication:  ENV.fetch('SMTP_AUTHENTICATION', 'login').to_sym,
+  open_timeout:    ENV.fetch('SMTP_OPEN_TIMEOUT', '25').to_i,
+  read_timeout:    ENV.fetch('SMTP_READ_TIMEOUT', '25').to_i
+)

machines/hippocampus/servers/public/immich.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }: {
+  services.immich = {
+    enable = true;
+    mediaLocation = "/mass/immich";
+  };
+  services.caddy.virtualHosts = {
+    "photos.crompton.cc" = {
+      extraConfig = ''
+        reverse_proxy localhost:${toString config.services.immich.port}
+      '';
+    };
+  };
+}

machines/hippocampus/servers/public/matrix/client.nix

@@ -4,48 +4,92 @@
       addr = "unix:/run/nginx/cinny.sock";
     }];
     locations."/" = {
-      root = pkgs.cinny.override {
+      root = pkgs.element-web.override {
         conf = {
-          defaultHomeserver = 0;
-          homeserverList = [
-            "glia.club"
-          ];
-          allowCustomHomeservers = false;
-
-          featuredCommunities = {
-            openAsDefault = false;
-            spaces = [
-            ];
-            rooms = [
-            ];
-            servers = [
-            ];
+          default_server_name = "glia.club";
+          default_server_config = {
+            m.homeserver = {
+              base_url = "https://chat.glia.club";
+              server_name = "glia.club";
             };
-
-          hashRouter = {
-            enabled = false;
-            basename = "/";
           };
+          disable_custom_urls = false;
+          disable_guests = true;
+          disable_login_language_selector = false;
+          disable_3pid_login = false;
+          force_verification = false;
+          brand = "Element";
+          integrations_ui_url = "https://scalar.vector.im/";
+          integrations_rest_url = "https://scalar.vector.im/api";
+          integrations_widgets_urls = [
+            "https://scalar.vector.im/_matrix/integrations/v1"
+            "https://scalar.vector.im/api"
+            "https://scalar-staging.vector.im/_matrix/integrations/v1"
+            "https://scalar-staging.vector.im/api"
+          ];
+          default_widget_container_height = 280;
+          default_country_code = "GB";
+          show_labs_settings = true;
+          features = {
+            threadsActivityCentre = true;
+            feature_video_rooms = true;
+            feature_group_calls = true;
+            feature_element_call_video_rooms = true;
+          };
+          default_federate = false;
+          default_theme = "light";
+          room_directory = {
+            servers = ["glia.club"];
+          };
+          enable_presence_by_hs_url = {
+            "https://glia.club" = true;
+            "https://chat.glia.club" = true;
+            "https://matrix.org" = false;
+            "https://matrix-client.matrix.org" = false;
+          };
+          setting_defaults = {
+            breadcrumbs = false;
+          };
+          jitsi = {
+            preferred_domain = "meet.element.io";
+          };
+          element_call = {
+            url = "https://call.element.io";
+            brand = "Element Call";
+          };
+          map_style_url = "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx";
         };
       };
       extraConfig = ''
-        rewrite ^/config.json$ /config.json break;
-        rewrite ^/manifest.json$ /manifest.json break;
+        index  index.html;
 
-        rewrite ^/sw.js$ /sw.js break;
-        rewrite ^/pdf.worker.min.js$ /pdf.worker.min.js break;
+        # Set no-cache for the version, config and index.html
+        # so that browsers always check for a new copy of Element Web.
+        # NB http://your-domain/ and http://your-domain/? are also covered by this
 
-        rewrite ^/public/(.*)$ /public/$1 break;
-        rewrite ^/assets/(.*)$ /assets/$1 break;
-
-        rewrite ^(.+)$ /index.html break;
+        location = /index.html {
+            add_header Cache-Control "no-cache";
+        }
+        location = /version {
+            add_header Cache-Control "no-cache";
+        }
+        # covers config.json and config.hostname.json requests as it is prefix.
+        location /config {
+            add_header Cache-Control "no-cache";
+        }
+        location /modules/ {
+            alias /modules/;
+        }
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
       '';
     };
   };
   services.caddy.virtualHosts = {
     "glia.club, glia.club:8448" = {
       extraConfig = lib.mkAfter ''
-        redir https://chat.glia.club
+        reverse_proxy unix//run/nginx/cinny.sock
       '';           
     };
 

machines/hippocampus/servers/public/matrix/rtc.nix

@@ -18,12 +18,14 @@
     # for RTC usage, e.g. RTMP, WHIP, etc.
     ingress = { enable = false; };
     # Redis is used if we were to use ingress
-    redis = { createLocally = false; };
+    # redis = { };
     settings = {
       port = 7375;
+      bind_addresses = [""];
       rtc = {
-        port_range_end   = 50100;
-        port_range_start = 50200;
+        tcp_port = 7376;
+        port_range_start = 50100;
+        port_range_end   = 50200;
         use_external_ip  = true;
         enable_loopback_candidate = false;
       };

machines/hippocampus/servers/public/matrix/server.nix

@@ -24,6 +24,11 @@
 
         allow_registration = true;
         registration_token_file = config.sops.secrets.tuwunelreg.path;
+   
+        well_known = {
+          client = "https://glia.club";
+          server = "glia.club:443";
+        };
       };
     };
   };

machines/hippocampus/servers/public/matrix/turn.nix

@@ -1,17 +1,65 @@
 { config, pkgs, lib, ... }: {
   # TODO: Generate coturn secret
-  sops.secrets.coturn-secret = {};
+  sops.secrets.coturn-secret = {
+    owner = "turnserver";
+    group = config.services.matrix-tuwunel.group;
+    mode = "0440";
+  };
+  # TODO: patch coturn service to specify user/group
+  systemd.services.coturn.serviceConfig.Group = lib.mkForce config.services.caddy.group;
   services.coturn = {
     enable = true;
     realm = "turn.glia.club";
     listening-port = 3478;
     tls-listening-port = 5349;
     min-port = config.services.livekit.settings.rtc.port_range_start+1;
-    max-port = 65535;
+    max-port = 52000;
     use-auth-secret = true;
     static-auth-secret-file = config.sops.secrets.coturn-secret.path;
     cert = "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/turn.glia.club/turn.glia.club.crt";
     pkey = "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/turn.glia.club/turn.glia.club.key";
+    extraConfig = ''
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+no-tcp-relay
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.enablesecurity.com/blog/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+# https://www.enablesecurity.com/blog/cve-2020-26262-bypass-of-coturns-access-control-protection/#further-concerns-what-else
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+denied-peer-ip=::1
+denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+# special case the turn server itself so that client->TURN->TURN->client flows work
+# this should be one of the turn server's listening IPs
+allowed-peer-ip=10.0.0.1
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200
+    '';
   };
   services.matrix-tuwunel.settings = {
     global = {
@@ -19,7 +67,6 @@
         "turn:turn.glia.club?transport=udp"
         "turn:turn.glia.club?transport=tcp"
       ];
-      turn_secret = true;
       turn_secret_file = config.sops.secrets.coturn-secret.path;
     };
   };
@@ -31,7 +78,9 @@
       # https://github.com/element-hq/element-ios/issues/2712
       # https://bugs.chromium.org/p/webrtc/issues/detail?id=11710
       extraConfig = ''
-        acme_ca https://acme.zerossl.com/v2/DV90
+        tls {
+          ca https://acme.zerossl.com/v2/DV90
+        }
         respond "You ~~spin~~ turn me right round!"
       '';
     };