From 9d9bcf9a15eecb342201be1eeed0224e3c35efa3 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 30 Oct 2024 17:57:33 +0100 Subject: [PATCH] mas: move to module, add secrets for prod --- hosts/nachtigall/configuration.nix | 53 +++++---- hosts/nachtigall/default.nix | 2 + hosts/underground/configuration.nix | 80 +++----------- modules/matrix/default.nix | 103 ++++++++++++++---- ...thentication-service-secret-config.yml.age | Bin 0 -> 6276 bytes secrets/secrets.nix | 1 + 6 files changed, 135 insertions(+), 104 deletions(-) create mode 100644 secrets/matrix-authentication-service-secret-config.yml.age diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index dac4fc62..8bfba8de 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -82,28 +82,39 @@ owner = "matrix-synapse"; }; - pub-solar-os.matrix-synapse = { - enable = true; - sliding-sync.enable = true; - signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; - extra-config-files = [ - config.age.secrets."matrix-synapse-secret-config.yaml".path + age.secrets."matrix-authentication-service-secret-config.yml" = { + file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age"; + mode = "400"; + owner = "matrix-authentication-service"; + }; - # The registration file is automatically generated after starting the - # appservice for the first time. - # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ - # /var/lib/matrix-synapse/ - # chown matrix-synapse:matrix-synapse \ - # /var/lib/matrix-synapse/telegram-registration.yaml - "/var/lib/matrix-synapse/telegram-registration.yaml" - ]; - app-service-config-files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-appservice-irc/registration.yml" - # "/matrix-appservice-slack-registration.yaml" - # "/hookshot-registration.yml" - # "/matrix-mautrix-signal-registration.yaml" - # "/matrix-mautrix-telegram-registration.yaml" + pub-solar-os.matrix = { + enable = true; + synapse = { + sliding-sync.enable = true; + signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; + extra-config-files = [ + config.age.secrets."matrix-synapse-secret-config.yaml".path + + # The registration file is automatically generated after starting the + # appservice for the first time. + # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ + # /var/lib/matrix-synapse/ + # chown matrix-synapse:matrix-synapse \ + # /var/lib/matrix-synapse/telegram-registration.yaml + "/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + app-service-config-files = [ + "/var/lib/matrix-synapse/telegram-registration.yaml" + "/var/lib/matrix-appservice-irc/registration.yml" + # "/matrix-appservice-slack-registration.yaml" + # "/hookshot-registration.yml" + # "/matrix-mautrix-signal-registration.yaml" + # "/matrix-mautrix-telegram-registration.yaml" + ]; + }; + matrix-authentication-service.extra-config-files = [ + config.age.secrets."matrix-authentication-service-secret-config.yml".path ]; }; diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 9a69c4f2..100759a6 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -9,10 +9,12 @@ ./networking.nix ./wireguard.nix ./backups.nix + "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix" "${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix" ]; disabledModules = [ + "services/matrix/matrix-authentication-service.nix " "services/web-apps/mastodon.nix" ]; } diff --git a/hosts/underground/configuration.nix b/hosts/underground/configuration.nix index 74b1d79d..ff1c8096 100644 --- a/hosts/underground/configuration.nix +++ b/hosts/underground/configuration.nix @@ -42,72 +42,28 @@ owner = "matrix-authentication-service"; }; - pub-solar-os.matrix-synapse = { + pub-solar-os.matrix = { enable = true; - extra-config-files = [ - config.age.secrets."staging-matrix-synapse-secret-config.yaml".path + synapse = { + extra-config-files = [ + config.age.secrets."staging-matrix-synapse-secret-config.yaml".path - # The registration file is automatically generated after starting the - # appservice for the first time. - # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ - # /var/lib/matrix-synapse/ - # chown matrix-synapse:matrix-synapse \ - # /var/lib/matrix-synapse/telegram-registration.yaml - #"/var/lib/matrix-synapse/telegram-registration.yaml" - ]; - app-service-config-files = [ - "/var/lib/matrix-appservice-irc/registration.yml" - #"/var/lib/matrix-synapse/telegram-registration.yaml" - ]; - }; - - services.matrix-authentication-service = { - enable = true; - createDatabase = true; - extraConfigFiles = [ + # The registration file is automatically generated after starting the + # appservice for the first time. + # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ + # /var/lib/matrix-synapse/ + # chown matrix-synapse:matrix-synapse \ + # /var/lib/matrix-synapse/telegram-registration.yaml + #"/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + app-service-config-files = [ + "/var/lib/matrix-appservice-irc/registration.yml" + #"/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + }; + matrix-authentication-service.extra-config-files = [ config.age.secrets."staging-matrix-authentication-service-secret-config.yml".path ]; - settings = { - http.public_base = "https://mas.${config.pub-solar-os.networking.domain}"; - http.issuer = "https://mas.${config.pub-solar-os.networking.domain}"; - http.listeners = [ - { - name = "web"; - resources = [ - { name = "discovery"; } - { name = "human"; } - { name = "oauth"; } - { name = "compat"; } - { name = "graphql"; } - { - name = "assets"; - path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; - } - ]; - binds = [ - { - host = "0.0.0.0"; - port = 8090; - } - ]; - proxy_protocol = false; - } - { - name = "internal"; - resources = [ - { name = "health"; } - ]; - binds = [ - { - host = "0.0.0.0"; - port = 8081; - } - ]; - proxy_protocol = false; - } - ]; - passwords.enabled = false; - }; }; services.openssh.openFirewall = true; diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index 1d955979..0f6963c9 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -10,33 +10,46 @@ let serverDomain = "${config.pub-solar-os.networking.domain}"; in { - options.pub-solar-os.matrix-synapse = { - enable = lib.mkEnableOption "Enable matrix-synapse to run on the node"; + options.pub-solar-os = { + matrix = { + enable = lib.mkEnableOption "Enable matrix-synapse and matrix-authentication-service to run on the node"; - app-service-config-files = lib.mkOption { - description = "List of app service config files"; - type = lib.types.listOf lib.types.str; - default = [ ]; - }; + synapse = { + app-service-config-files = lib.mkOption { + description = "List of app service config files"; + type = lib.types.listOf lib.types.str; + default = [ ]; + }; - extra-config-files = lib.mkOption { - description = "List of extra synapse config files"; - type = lib.types.listOf lib.types.str; - default = [ ]; - }; + extra-config-files = lib.mkOption { + description = "List of extra synapse config files"; + type = lib.types.listOf lib.types.str; + default = [ ]; + }; - signing_key_path = lib.mkOption { - description = "Path to file containing the signing key"; - type = lib.types.str; - default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; - }; - sliding-sync.enable = lib.mkEnableOption { - description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+"; - default = false; + signing_key_path = lib.mkOption { + description = "Path to file containing the signing key"; + type = lib.types.str; + default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; + }; + + sliding-sync.enable = lib.mkEnableOption { + description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+"; + default = false; + }; + }; + + matrix-authentication-service = { + extra-config-files = lib.mkOption { + description = "List of extra mas config files"; + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + }; }; }; - config = lib.mkIf config.pub-solar-os.matrix-synapse.enable { + config = lib.mkIf config.pub-solar-os.matrix.enable { services.matrix-synapse = { enable = true; settings = { @@ -265,6 +278,54 @@ in plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; }; + services.matrix-authentication-service = { + enable = true; + createDatabase = true; + extraConfigFiles = config.pub-solar-os.matrix.matrix-authentication-service.extra-config-files; + + settings = { + http.public_base = "https://mas.${config.pub-solar-os.networking.domain}"; + http.issuer = "https://mas.${config.pub-solar-os.networking.domain}"; + http.listeners = [ + { + name = "web"; + resources = [ + { name = "discovery"; } + { name = "human"; } + { name = "oauth"; } + { name = "compat"; } + { name = "graphql"; } + { + name = "assets"; + path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; + } + ]; + binds = [ + { + host = "0.0.0.0"; + port = 8090; + } + ]; + proxy_protocol = false; + } + { + name = "internal"; + resources = [ + { name = "health"; } + ]; + binds = [ + { + host = "0.0.0.0"; + port = 8081; + } + ]; + proxy_protocol = false; + } + ]; + passwords.enabled = false; + }; + }; + services.matrix-sliding-sync = { enable = config.pub-solar-os.matrix-synapse.sliding-sync.enable; settings = { diff --git a/secrets/matrix-authentication-service-secret-config.yml.age b/secrets/matrix-authentication-service-secret-config.yml.age new file mode 100644 index 0000000000000000000000000000000000000000..50cd3f21e6b0388f7639d20121f218efe5c20fa7 GIT binary patch literal 6276 zcmZ9O_g@W)|HqB$)^TrUC{kvZBWJH9&fcT5&#CC_z4vJ;Nk%9nWF%ZNDp^H@O0JQF zP|3Bf9V#p1>-)p!@%Vl}f5G$demq{U*YhpYsA5%Sh23X$>MZ7Y7P|)Ih5%v{q8$!x ztV#(*ARw4%9f7X*XriG&DhMv${-lu~4n$b8$)|+zlg=y)2Vh05B1O3bIa{Xw{=lIIaoC(y9}A zIyBg#RFha#hDRx6nQUwU+z9dfhh}%kqSXjK#i9W??RFoXk7nppT8RQART2brILfYp zqNo-V6~l!|sBXE=M#1|X7(5$ncGGMaKZ%)0^I-G}goKC#z~Cex5TnM6KzcV;X+^RK zI8R=j;&ji;aznxr1~y7TP!fy) zhubs&u@`N(fPo|_#vyk2)DoQoMy6SrL?W82<~u-mJ&_1yI@DqcQ)gw7Kr|>(U?NFu zI66g!Q8IY~02hx{n>|n|l!%a9pgu2{&vUEU9G6rCx2xoOKG=ldQD8VBUXCW4^a?AU z?86(~9G!rwlnOZ_GJwoV#JGSerNtxk8vJ?*o&^S>4Ni!Pi_vPWay3$GMY*X4K2&Ow zcs+2h00;51%>$Vn#SgEooB%CZSj&R5onDAtsv!Cl5)>7nH*0(@i3_a6sl9xdpUM_#ITo`~tT*sX1fL#k; zU@?|$04d>0o!+fuD=hyv#|9FC2gU+)P^wn~)6h*)7bsB;bo#_ny5A*-nQeX=2Z!X) z5p0|XO6NO77@Ay4*TS$eztYQ5yZj!vO6BnZNbE!%ScL?+!9Fs`CgVs%O1~S!S0I=Y zxsZxOQ1vb`9Yp8BeOL+DNEWli94niIRap%%pArex18fMb!%MP@KnRvzz>!#8bR$(K zv2mR~2@_8v_#L=JFoU8t0BLxRlqxpcS!AtL%AiOXKn>CDrvacO6kKA`(!E%xR|0m} zY#ViMyV}nH$<1&))kstfqoBmUri8`i zl6)Ws0fRO}@Lru9Y&OX3C?rvD0lL&G4MB+Gu#Gqp)T39D?0%$!W^zhxRIVDv_E@cA z02XAh;N^CjU#~*RWKa#AX#`UE3MfM^#u8w36$|7xVnq^@ljWoE{Q^GO$0HG>SQi`0 zgPVnPH9#PCda-n?nPvjA4W3^EfT#0GE+bG3@=ys#xQwoGqo_VP1EFE)u`U>wq5!g` z2#Slt(D8v@eIh`k;u6GQ1{F>wnlTa&f(;fcjRFxDq4l#piC`zpL}uIg3WAKI1w*}w zSSrO1v4d$QJi|m6LA-c?4^L1z$T}=SEl)%cv?Pz z<@d92B%%On=j){=g%qe0A}nwafbGQMJaibw{7V%!w@c{q>$y5R%mfC}NiZ@(=Y^Q@ zAicy5fhYcNj;%U(tQCqtM!UIw&adgmLKSir$P7jaeNdJP$AM}=Ks?1slNo3_o`<8h z5?L&!6zp+={B{6TCk4T=YBwGt(R)!MMpxkhiNaS>jj83iH2V%2L3<}Gn2f>|aGx|UM{EtH=Bp%zLiG~?aMi?eb~x6csU%#&Qu9n&ZD|I*Jep!$wn(bP^Lu$5Lo63Q?kmyBI<-2PF_=DR8z)3`N;= zWHJk^Gm>#|0P|Oih-fPYC}J_xpkG?z;Cb+0I_3GPT)DwQMw8_lBG`mOkTw5J!wDTe zJ~mpA2+`_zOc4n!Vtd#sFh|Ss*knFBkiY=iur{+6A)^r0V23A>2ms3&ax9DE2N8jC zFqgvxt8fk}iz7?4s1s=tw3u&)I=C3V!A%tWHw_3ALXC;hI3ffjb`m`(xnBi18wG*vWrad26qmrb`tL`8ew z&Q_nQZEr~Rv=*^`fBta8g;R|;j*W(cSAVSh5JnIT*@xJ5tt#S1R?i+dWc||6WnYp2 z7YyM~_n_gG`6K2?7tAi-W)Sl6|CaBWQc-O>`g>4v0)SN8Sy&i#;h&oYkAbL6Ue!y{ z4VyN5li}p`h&z%`(2(luHLzw__OJu;fdT_#zO{6G^2Pb5lleEgj>nZ$q)yrs6ml(e zLBSDa^Xu&uw5`a58An}bPO=dbg4-^Pe}9s%&jhkQt2w^M>zjKWnkvk^opV0L&s(0@ zc}nwQtnU7PoZ?OV^xB3>=Z&>>gZUSLIkpv#uaK_Ym$)XB;Tuz8GSpC_mDnq&Y=2CuW;M$#Y$1OD zZ}uxzwFNW3MH2p*@>fHLr9m_@@p)viWz^>V7hcZ=zOOxc{?6x_3s*+01}1;kM_N^H zGDJxGMNJuC?>K%KEI>EWjLNKdv9!@1eu)6J5Pr-wdl401mTcfD9@1RY+T zRt=n${Ff?er`LT|^*z-i`4KaDTR`I{?DC9=w}=sIHaGowwdU%SL&7PhdtUg95Xauy5e{$>s`}@ zM}IbcGe3M3Y>GqI7WpS_DacjECNXF1ZH}J&uywGE5yEeVpTyrmpOpA}OzpI^`oHI3OSaElHT@9pv zXVPDVvqM`eTV5Q4e_9?l@$lBD^V1l8%OBiG@s<)TCtKfc-o5udW8=h+VSkslt}g9+ z`C1iF)>1w4a&XM8VHFDisZ|Ff&$RI_vaLa7&UN~&CxfO=A9w#wWq1B1z`OFpsN3rO zQI)c)j<7#{fw`YOs;WbBb+OCn_pV9)2rKI~v>D#hiF(Zfma`_^iObaLmLw+4{Qqd6I5Wt~O|CbxLgP zmfqLHhp=~rFa5ikDte6xeY4V&mGF!mHFngTIB?His5&roEB9uDt0&-N|EkQ}SB{7{ zL#CWcnfoqWHHN%+=T*tQMPmjn(?48#B#nxirHaei-PX>4Z#t3wbqA*22T5<89e zn7=S3@79CGn6rxs9#O-JJmj)bGa*H@7`yjQn7X^J;mO|E5%Y?Iz&YBp2T$xev1!fn zg$I`{O}yfq(_V6iQg=B#vS!UO*3N&{4^J-X{~FTXk%&;%9zy08X4@@>Xy^Fms5bnt z6Bm1UyCNO+wQt&sx{BWf7c|P#rlM9v9kA##!r~yadGQIO=5w!L$nq~I9bY~>N``Np zwU!crT-MRn3z>oX0$_cjgwZ2qDRNc*Ps`l9V;lL73a;n@O8*lvpIx$4;!{V8+rb1?hWSMy~eGFo?d&a#@KE% zbXA12M_GqLdtW_av~B2J)6m#_SS30gr%DZdk7qWqrIk>4I>MD`>~#i#rzEx!K+1K^bu{(4;t<;gHK%x&q7q@_9YF@ zZz7J!eWhJ7tnKo(Dp3qXgEG;H^@3K0?>9vd>rlA`k?Y|Wluom50 zrXPL$hU;$7;cV{e2^PL&#@m6$*4ZA{Lh?oU(4fN&irlcpf8(x^&Q<&cKkzQ=K;hOK zgXNXbxLfnTZ+iA>szD{5_s{YH7~)X@w{JTOx$mhdod3gJT|Fn2_bK!YcO(3Gia7Jm zKwkPfc-Q0Tf93n~G(S6E`_ScCO@*5`En()Eu?I;san&lk+=|Csw#J%9Mp@ne|q`uw%?&}}mg-PpbT+oEg%pnN9eBS;W=;rs18WOMS(l76!? zD|6Gsr`%3dr;tP!{(K*vb^K(`&jYeA9nJXr6ILwxe$q9WSqPuj^QaWpI>lfPZTY;e zzd3i)p4sMYw?l{h`pGSa7F&2HbWiWTZ_f{mANe5X{N*cwZyR{F7atkhyuZO0|NDX# zn_4(}(mGwmAL7XUTa?816M!o*JL-477k{jb??O{IO=POaCoM3)-jjVIq+-jv&M&cd zV@~F#VC(U}2gr1{7E%u!Sz~x_-mAks+*tLXd>`h}xP}Z<{JE}S^P_TVA11x~YIx8X z;4GW~GcVkDxo`I3Ra@blzgo}kyE+I{lyp*@cWxGh>GF?#$(RsfUCD@v;!k^icb+e$ za^{~LIpz2C!tO_rIRluy-{&+>H5t>xynuVt*JvhYO)&<9_<)9IYu6>784{A9{@Gf$ zao7FUo%`PH{)w-<6}Yh?=iAANlqBLTAb`768_VASBJ7S7@l(9?P9a-yS z0C!P>B4F^r&w)vwkMN@-C!7yIy|M7`>~rJH`JsxR^Z0dV^{aK6p&^;&_n+yiW8U>A zY&&#UIDg|yWn4{hKr(LTyHxs;s!`Cj&! z4-Lhzor1U2FI9GR*uIh5hh_yYsdXguwRK-z`_c@4X4;&*DdaS2kaII__Y7u)q!-}) zxNm838@oA?Rwy50hsrF!_$l$j~J>{)W$-7*HMu z-+Gd{|3O#d@12uN4d2ph?=I3C{vG^KFzqS8F-m@<>x0%guK99)i9G-DuKm2r5h*RB zM|`WiuaXf~)CB~Ne*E~>9^&jqzV{5J@E zp=fpYF?V0vfr-2NIGZ8LF^@OqU3z}v@$D;Zhih?XN3BH&AH2|{3CG6oQ^#b7{8zkpNg_;R+c8fqx&a930jD^48s&T{|CKz1`$-Gdt4uT)Z)f&*Fp( s`v@BEmGx%k)KAt5?$z`wi;9zK_~AvHq)$ literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6eaede2a..88a632aa 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -68,6 +68,7 @@ in "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys; "staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; "staging-matrix-authentication-service-secret-config.yml.age".publicKeys =