forked from pub-solar/infra
matrix-authentication-service: init host underground
to test mas, related to #242
This commit is contained in:
parent
4c51eda8b6
commit
d6cc9c8164
17
flake.lock
17
flake.lock
|
@ -234,6 +234,22 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"fork": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1729963002,
|
||||||
|
"narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=",
|
||||||
|
"owner": "teutat3s",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "005faaacbeede0296dec5c844f508027ab8a3ff6",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "teutat3s",
|
||||||
|
"ref": "init-matrix-authentication-service-module",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"home-manager": {
|
"home-manager": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -354,6 +370,7 @@
|
||||||
"element-stickers": "element-stickers",
|
"element-stickers": "element-stickers",
|
||||||
"element-themes": "element-themes",
|
"element-themes": "element-themes",
|
||||||
"flake-parts": "flake-parts",
|
"flake-parts": "flake-parts",
|
||||||
|
"fork": "fork",
|
||||||
"home-manager": "home-manager",
|
"home-manager": "home-manager",
|
||||||
"keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
|
"keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
|
||||||
"maunium-stickerpicker": "maunium-stickerpicker",
|
"maunium-stickerpicker": "maunium-stickerpicker",
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
# Track channels with commits tested and built by hydra
|
# Track channels with commits tested and built by hydra
|
||||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||||
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||||
|
fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";
|
||||||
|
|
||||||
nix-darwin.url = "github:lnl7/nix-darwin/master";
|
nix-darwin.url = "github:lnl7/nix-darwin/master";
|
||||||
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
|
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
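Review bot: The new `fork` input points at a personal nixpkgs fork on a mutable branch ref (`init-matrix-authentication-service-module`), so the next `nix flake update` silently moves the pinned rev to whatever that branch holds, and a force-pushed or compromised branch becomes NixOS module code evaluated as root on this host. flake.lock pins rev `005faaac…` for now, which is good; consider pinning the ref to that commit explicitly, `fork.url = "github:teutat3s/nixpkgs/005faaacbeede0296dec5c844f508027ab8a3ff6";`, with a comment naming the upstream PR, and dropping the input once the module lands in the tracked channel. The enclosing `inputs` attrset starts and ends outside the hunk.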
@ -152,6 +153,10 @@
|
||||||
hostname = "tankstelle.wg.pub.solar";
|
hostname = "tankstelle.wg.pub.solar";
|
||||||
sshUser = username;
|
sshUser = username;
|
||||||
};
|
};
|
||||||
|
underground = {
|
||||||
|
hostname = "80.244.242.3";
|
||||||
|
sshUser = username;
|
||||||
|
};
|
||||||
trinkgenossin = {
|
trinkgenossin = {
|
||||||
hostname = "trinkgenossin.wg.pub.solar";
|
hostname = "trinkgenossin.wg.pub.solar";
|
||||||
sshUser = username;
|
sshUser = username;
|
||||||
|
|
|
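Review bot: The new `underground` deploy target uses the bare public address `80.244.242.3` where every sibling host uses its `*.wg.pub.solar` WireGuard name, so deploys to this host will SSH over the public interface rather than through the tunnel. If that is deliberate for bootstrapping before WireGuard exists on the box, say so inline, e.g. `hostname = "80.244.242.3"; # TODO: switch to underground.wg.pub.solar once wg is up`; otherwise use the wg name for consistency with the other entries. The attrset this sits in starts and ends outside the hunk.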
@ -178,6 +178,30 @@
|
||||||
self.nixosModules.nginx
|
self.nixosModules.nginx
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
underground = self.inputs.nixpkgs.lib.nixosSystem {
|
||||||
|
specialArgs = {
|
||||||
|
flake = {
|
||||||
|
inherit self inputs config;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
modules = [
|
||||||
|
self.inputs.agenix.nixosModules.default
|
||||||
|
self.nixosModules.home-manager
|
||||||
|
./underground
|
||||||
|
self.nixosModules.overlays
|
||||||
|
self.nixosModules.unlock-luks-on-boot
|
||||||
|
self.nixosModules.core
|
||||||
|
|
||||||
|
self.nixosModules.backups
|
||||||
|
self.nixosModules.keycloak
|
||||||
|
self.nixosModules.postgresql
|
||||||
|
self.nixosModules.matrix
|
||||||
|
self.nixosModules.matrix-irc
|
||||||
|
self.nixosModules.nginx
|
||||||
|
self.nixosModules.nginx-matrix
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -48,6 +48,7 @@
|
||||||
owner = "root";
|
owner = "root";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# keycloak
|
||||||
age.secrets.keycloak-database-password = {
|
age.secrets.keycloak-database-password = {
|
||||||
file = "${flake.self}/secrets/keycloak-database-password.age";
|
file = "${flake.self}/secrets/keycloak-database-password.age";
|
||||||
mode = "600";
|
mode = "600";
|
||||||
|
@ -59,6 +60,50 @@
|
||||||
database-password-file = config.age.secrets.keycloak-database-password.path;
|
database-password-file = config.age.secrets.keycloak-database-password.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# matrix-synapse
|
||||||
|
age.secrets."nachtigall-matrix-synapse-signing-key" = {
|
||||||
|
file = "${flake.self}/secrets/nachtigall-matrix-synapse-signing-key.age";
|
||||||
|
mode = "400";
|
||||||
|
owner = "matrix-synapse";
|
||||||
|
};
|
||||||
|
|
||||||
|
age.secrets."nachtigall-matrix-synapse-secret-config.yaml" = {
|
||||||
|
file = "${flake.self}/secrets/nachtigall-matrix-synapse-secret-config.yaml.age";
|
||||||
|
mode = "400";
|
||||||
|
owner = "matrix-synapse";
|
||||||
|
};
|
||||||
|
|
||||||
|
age.secrets."nachtigall-matrix-synapse-sliding-sync-secret" = {
|
||||||
|
file = "${flake.self}/secrets/nachtigall-matrix-synapse-sliding-sync-secret.age";
|
||||||
|
mode = "400";
|
||||||
|
owner = "matrix-synapse";
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
pub-solar-os.matrix-synapse = {
|
||||||
|
enable = true;
|
||||||
|
signing_key_path = config.age.secrets."nachtigall-matrix-synapse-signing-key".path;
|
||||||
|
extra-config-files = [
|
||||||
|
config.age.secrets."nachtigall-matrix-synapse-secret-config.yaml".path
|
||||||
|
|
||||||
|
# The registration file is automatically generated after starting the
|
||||||
|
# appservice for the first time.
|
||||||
|
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
|
||||||
|
# /var/lib/matrix-synapse/
|
||||||
|
# chown matrix-synapse:matrix-synapse \
|
||||||
|
# /var/lib/matrix-synapse/telegram-registration.yaml
|
||||||
|
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||||
|
];
|
||||||
|
app-service-config-files = [
|
||||||
|
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||||
|
"/var/lib/matrix-appservice-irc/registration.yml"
|
||||||
|
# "/matrix-appservice-slack-registration.yaml"
|
||||||
|
# "/hookshot-registration.yml"
|
||||||
|
# "/matrix-mautrix-signal-registration.yaml"
|
||||||
|
# "/matrix-mautrix-telegram-registration.yaml"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.postgresql = {
|
systemd.services.postgresql = {
|
||||||
after = [ "var-lib-postgresql.mount" ];
|
after = [ "var-lib-postgresql.mount" ];
|
||||||
requisite = [ "var-lib-postgresql.mount" ];
|
requisite = [ "var-lib-postgresql.mount" ];
|
||||||
|
|
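--- /dev/null
+++ b/hosts/underground/configuration.nix
@@ -0,0 +1,107 @@
+{
+  flake,
+  config,
+  pkgs,
+  ...
+}:
+{
+  # Use GRUB2 as the boot loader.
+  boot.loader.grub = {
+    enable = true;
+    devices = [ "/dev/vda" ];
+  };
+
+  pub-solar-os.networking.domain = "test.pub.solar";
+
+  systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];
+
+  # keycloak
+  pub-solar-os.auth = {
+    enable = true;
+    database-password-file = "/tmp/dbf";
+  };
+  services.keycloak.database.createLocally = true;
+
+  # matrix-synapse
+  # test.pub.solar /.well-known is required for federation
+  services.nginx.virtualHosts."${config.pub-solar-os.networking.domain}" = {
+    default = true;
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  age.secrets."underground-matrix-synapse-secret-config.yaml" = {
+    file = "${flake.self}/secrets/underground-matrix-synapse-secret-config.yaml.age";
+    mode = "400";
+    owner = "matrix-synapse";
+  };
+
+  age.secrets."underground-matrix-authentication-service-secret-config.yml" = {
+    file = "${flake.self}/secrets/underground-matrix-authentication-service-secret-config.yml.age";
+    mode = "400";
+    owner = "matrix-authentication-service";
+  };
+
+  pub-solar-os.matrix-synapse = {
+    enable = true;
+    extra-config-files = [
+      config.age.secrets."underground-matrix-synapse-secret-config.yaml".path
+
+      # The registration file is automatically generated after starting the
+      # appservice for the first time.
+      # cp /var/lib/mautrix-telegram/telegram-registration.yaml \
+      #   /var/lib/matrix-synapse/
+      # chown matrix-synapse:matrix-synapse \
+      #   /var/lib/matrix-synapse/telegram-registration.yaml
+      #"/var/lib/matrix-synapse/telegram-registration.yaml"
+    ];
+    app-service-config-files = [
+      "/var/lib/matrix-appservice-irc/registration.yml"
+      #"/var/lib/matrix-synapse/telegram-registration.yaml"
+    ];
+  };
+
+  services.matrix-authentication-service = {
+    enable = true;
+    createDatabase = true;
+    extraConfigFiles = [
+      config.age.secrets."underground-matrix-authentication-service-secret-config.yml".path
+    ];
+    settings = {
+      http.public_base = "https://mas.${config.pub-solar-os.networking.domain}";
+      http.issuer = "https://mas.${config.pub-solar-os.networking.domain}";
+      http.listeners = [
+        {
+          name = "web";
+          resources = [
+            { name = "discovery"; }
+            { name = "human"; }
+            { name = "oauth"; }
+            { name = "compat"; }
+            { name = "graphql"; }
+            { name = "assets"; path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; }
+          ];
+          binds = [
+            { host = "0.0.0.0"; port = 8090; }
+          ];
+          proxy_protocol = false;
+        }
+        {
+          name = "internal";
+          resources = [
+            { name = "health"; }
+          ];
+          binds = [
+            { host = "0.0.0.0"; port = 8081; }
+          ];
+          proxy_protocol = false;
+        }
+      ];
+      passwords.enabled = false;
+    };
+  };
+
+  services.openssh.openFirewall = true;
+
+  system.stateVersion = "24.05";
+}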
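Review bot: `systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ]` creates a world-readable, world-writable file in /tmp whose content, the literal string `password`, is then consumed as the Keycloak database password through `database-password-file = "/tmp/dbf"`; any local user or service account on the box can read or replace it, and tmpfiles ages it out after 10 days, which would break Keycloak on a later restart. Even on a test host this belongs in an agenix secret with the same restrictive mode nachtigall uses for `keycloak-database-password`, referenced via `.path`. Separately, both MAS listeners bind `0.0.0.0` while nginx only proxies to `127.0.0.1:8090`; the NixOS firewall presumably keeps 8090/8081 closed (the file opens only SSH), but binding to loopback removes that dependency and stops a direct client from supplying its own `X-Forwarded-For`, which MAS would otherwise take at face value unless `trusted_proxies` is configured.
```nix
  # keycloak
  age.secrets.keycloak-database-password = {
    # new secret to add under secrets/, same mode as nachtigall's definition
    file = "${flake.self}/secrets/underground-keycloak-database-password.age";
    mode = "600";
  };
  pub-solar-os.auth = {
    enable = true;
    database-password-file = config.age.secrets.keycloak-database-password.path;
  };
  # … unchanged: services.keycloak, nginx vhost, synapse secrets and module …
          binds = [
            { host = "127.0.0.1"; port = 8090; }
          ];
  # … unchanged: rest of the "web" listener …
          binds = [
            { host = "127.0.0.1"; port = 8081; }
          ];
```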
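--- /dev/null
+++ b/hosts/underground/default.nix
@@ -0,0 +1,16 @@
+{ flake, ... }:
+
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./configuration.nix
+
+    ./networking.nix
+    "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
+  ];
+
+  disabledModules = [
+    "services/matrix/matrix-authentication-service.nix "
+  ];
+}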
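Review bot: The `disabledModules` entry `"services/matrix/matrix-authentication-service.nix "` has a trailing space, so it will never match the upstream module path; it is harmless today only because the tracked nixos-24.05 has no such module, but as soon as the pinned nixpkgs gains one, both it and the fork copy will be imported and evaluation will fail on duplicate option declarations. Drop the space: `"services/matrix/matrix-authentication-service.nix"`. The import path also contains a doubled slash (`services//matrix`); it resolves, but `"${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"` is the intended form.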
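--- /dev/null
+++ b/hosts/underground/hardware-configuration.nix
@@ -0,0 +1,34 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-label/cryptroot";
+  };
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-label/root";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-label/boot";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-label/swap"; }
+    ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}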
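--- /dev/null
+++ b/hosts/underground/networking.nix
@@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+
+  networking.hostName = "underground";
+
+  networking = {
+    defaultGateway = {
+      address = "80.244.242.1";
+      interface = "enp1s0";
+    };
+    nameservers = ["95.129.51.51" "80.244.244.244"];
+    interfaces.enp1s0 = {
+      useDHCP = false;
+      ipv4.addresses = [
+        { address = "80.244.242.3"; prefixLength = 29; }
+      ];
+    };
+  };
+}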
|
@ -5,8 +5,8 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
age.secrets."coturn-static-auth-secret" = {
|
age.secrets."nachtigall-coturn-static-auth-secret" = {
|
||||||
file = "${flake.self}/secrets/coturn-static-auth-secret.age";
|
file = "${flake.self}/secrets/nachtigall-coturn-static-auth-secret.age";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
owner = "turnserver";
|
owner = "turnserver";
|
||||||
};
|
};
|
||||||
|
@ -18,7 +18,7 @@
|
||||||
min-port = 49000;
|
min-port = 49000;
|
||||||
max-port = 50000;
|
max-port = 50000;
|
||||||
use-auth-secret = true;
|
use-auth-secret = true;
|
||||||
static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
|
static-auth-secret-file = "/run/agenix/nachtigall-coturn-static-auth-secret";
|
||||||
realm = "turn.${config.pub-solar-os.networking.domain}";
|
realm = "turn.${config.pub-solar-os.networking.domain}";
|
||||||
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
||||||
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
||||||
|
|
|
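Review bot: `static-auth-secret-file = "/run/agenix/nachtigall-coturn-static-auth-secret"` hard-codes the agenix mount path, which is why this rename had to be applied in two places and why the two can drift apart again on the next rename or if the agenix secrets directory changes. Use the path the secret itself exposes, `static-auth-secret-file = config.age.secrets."nachtigall-coturn-static-auth-secret".path;`, as the synapse module in this same commit does via `.path`. The `services.coturn` attrset starts outside the hunk.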
@ -16,11 +16,6 @@ let
|
||||||
synapseClientPort = "${toString listenerWithClient.port}";
|
synapseClientPort = "${toString listenerWithClient.port}";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
|
|
||||||
"@system-service @pkey"
|
|
||||||
"~@privileged @resources"
|
|
||||||
"@chown"
|
|
||||||
];
|
|
||||||
services.matrix-appservice-irc = {
|
services.matrix-appservice-irc = {
|
||||||
enable = true;
|
enable = true;
|
||||||
localpart = "irc_bot";
|
localpart = "irc_bot";
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
{
|
{
|
||||||
flake,
|
flake,
|
||||||
config,
|
config,
|
||||||
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
|
@ -9,304 +10,291 @@ let
|
||||||
serverDomain = "${config.pub-solar-os.networking.domain}";
|
serverDomain = "${config.pub-solar-os.networking.domain}";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
age.secrets."matrix-synapse-signing-key" = {
|
options.pub-solar-os.matrix-synapse = {
|
||||||
file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
|
enable = lib.mkEnableOption "Enable matrix-synapse to run on the node";
|
||||||
mode = "400";
|
|
||||||
owner = "matrix-synapse";
|
app-service-config-files = lib.mkOption {
|
||||||
|
description = "List of app service config files";
|
||||||
|
type = lib.types.listOf lib.types.str;
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
|
||||||
|
extra-config-files = lib.mkOption {
|
||||||
|
description = "List of extra synapse config files";
|
||||||
|
type = lib.types.listOf lib.types.str;
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
|
||||||
|
signing_key_path = lib.mkOption {
|
||||||
|
description = "Path to file containing the signing key";
|
||||||
|
type = lib.types.str;
|
||||||
|
default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets."matrix-synapse-secret-config.yaml" = {
|
config = lib.mkIf config.pub-solar-os.matrix-synapse.enable {
|
||||||
file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age";
|
services.matrix-synapse = {
|
||||||
mode = "400";
|
enable = true;
|
||||||
owner = "matrix-synapse";
|
settings = {
|
||||||
};
|
server_name = serverDomain;
|
||||||
|
public_baseurl = "https://${publicDomain}/";
|
||||||
age.secrets."matrix-synapse-sliding-sync-secret" = {
|
database = {
|
||||||
file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
|
name = "psycopg2";
|
||||||
mode = "400";
|
args = {
|
||||||
owner = "matrix-synapse";
|
host = "/run/postgresql";
|
||||||
};
|
cp_max = 10;
|
||||||
|
cp_min = 5;
|
||||||
services.matrix-synapse = {
|
database = "matrix";
|
||||||
enable = true;
|
};
|
||||||
settings = {
|
allow_unsafe_locale = false;
|
||||||
server_name = serverDomain;
|
txn_limit = 0;
|
||||||
public_baseurl = "https://${publicDomain}/";
|
|
||||||
database = {
|
|
||||||
name = "psycopg2";
|
|
||||||
args = {
|
|
||||||
host = "/run/postgresql";
|
|
||||||
cp_max = 10;
|
|
||||||
cp_min = 5;
|
|
||||||
database = "matrix";
|
|
||||||
};
|
};
|
||||||
allow_unsafe_locale = false;
|
listeners = [
|
||||||
txn_limit = 0;
|
{
|
||||||
};
|
bind_addresses = [ "127.0.0.1" ];
|
||||||
listeners = [
|
port = 8008;
|
||||||
{
|
resources = [
|
||||||
bind_addresses = [ "127.0.0.1" ];
|
{
|
||||||
port = 8008;
|
compress = true;
|
||||||
resources = [
|
names = [ "client" ];
|
||||||
{
|
}
|
||||||
compress = true;
|
{
|
||||||
names = [ "client" ];
|
compress = false;
|
||||||
}
|
names = [ "federation" ];
|
||||||
{
|
}
|
||||||
compress = false;
|
];
|
||||||
names = [ "federation" ];
|
tls = false;
|
||||||
}
|
type = "http";
|
||||||
];
|
x_forwarded = true;
|
||||||
tls = false;
|
}
|
||||||
type = "http";
|
{
|
||||||
x_forwarded = true;
|
bind_addresses = [ "127.0.0.1" ];
|
||||||
}
|
port = 8012;
|
||||||
{
|
resources = [ { names = [ "metrics" ]; } ];
|
||||||
bind_addresses = [ "127.0.0.1" ];
|
tls = false;
|
||||||
port = 8012;
|
type = "metrics";
|
||||||
resources = [ { names = [ "metrics" ]; } ];
|
}
|
||||||
tls = false;
|
];
|
||||||
type = "metrics";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
account_threepid_delegates.msisdn = "";
|
account_threepid_delegates.msisdn = "";
|
||||||
alias_creation_rules = [
|
alias_creation_rules = [
|
||||||
{
|
{
|
||||||
action = "allow";
|
action = "allow";
|
||||||
alias = "*";
|
alias = "*";
|
||||||
room_id = "*";
|
room_id = "*";
|
||||||
user_id = "*";
|
user_id = "*";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
allow_guest_access = false;
|
allow_guest_access = false;
|
||||||
allow_public_rooms_over_federation = true;
|
allow_public_rooms_over_federation = true;
|
||||||
allow_public_rooms_without_auth = false;
|
allow_public_rooms_without_auth = false;
|
||||||
auto_join_rooms = [
|
auto_join_rooms = [
|
||||||
"#community:${serverDomain}"
|
"#community:${serverDomain}"
|
||||||
"#general:${serverDomain}"
|
"#general:${serverDomain}"
|
||||||
];
|
];
|
||||||
|
|
||||||
autocreate_auto_join_rooms = true;
|
autocreate_auto_join_rooms = true;
|
||||||
caches.global_factor = 0.5;
|
caches.global_factor = 0.5;
|
||||||
|
|
||||||
default_room_version = "10";
|
default_room_version = "10";
|
||||||
disable_msisdn_registration = true;
|
disable_msisdn_registration = true;
|
||||||
enable_media_repo = true;
|
enable_media_repo = true;
|
||||||
enable_metrics = true;
|
enable_metrics = true;
|
||||||
mau_stats_only = true;
|
mau_stats_only = true;
|
||||||
enable_registration = false;
|
enable_registration = false;
|
||||||
enable_registration_captcha = false;
|
enable_registration_captcha = false;
|
||||||
enable_registration_without_verification = false;
|
enable_registration_without_verification = false;
|
||||||
enable_room_list_search = true;
|
enable_room_list_search = true;
|
||||||
encryption_enabled_by_default_for_room_type = "off";
|
encryption_enabled_by_default_for_room_type = "off";
|
||||||
event_cache_size = "100K";
|
event_cache_size = "100K";
|
||||||
federation_rr_transactions_per_room_per_second = 50;
|
federation_rr_transactions_per_room_per_second = 50;
|
||||||
federation_client_minimum_tls_version = "1.2";
|
federation_client_minimum_tls_version = "1.2";
|
||||||
forget_rooms_on_leave = true;
|
forget_rooms_on_leave = true;
|
||||||
include_profile_data_on_invite = true;
|
include_profile_data_on_invite = true;
|
||||||
instance_map = { };
|
instance_map = { };
|
||||||
limit_profile_requests_to_users_who_share_rooms = false;
|
limit_profile_requests_to_users_who_share_rooms = false;
|
||||||
|
|
||||||
max_spider_size = "10M";
|
max_spider_size = "10M";
|
||||||
max_upload_size = "50M";
|
max_upload_size = "50M";
|
||||||
media_storage_providers = [ ];
|
media_storage_providers = [ ];
|
||||||
|
|
||||||
password_config = {
|
password_config = {
|
||||||
enabled = false;
|
enabled = false;
|
||||||
localdb_enabled = false;
|
localdb_enabled = false;
|
||||||
pepper = "";
|
pepper = "";
|
||||||
};
|
};
|
||||||
|
|
||||||
presence.enabled = true;
|
presence.enabled = true;
|
||||||
push.include_content = false;
|
push.include_content = false;
|
||||||
|
|
||||||
rc_admin_redaction = {
|
rc_admin_redaction = {
|
||||||
burst_count = 50;
|
burst_count = 50;
|
||||||
per_second = 1;
|
per_second = 1;
|
||||||
};
|
};
|
||||||
rc_federation = {
|
rc_federation = {
|
||||||
concurrent = 3;
|
concurrent = 3;
|
||||||
reject_limit = 50;
|
reject_limit = 50;
|
||||||
sleep_delay = 500;
|
sleep_delay = 500;
|
||||||
sleep_limit = 10;
|
sleep_limit = 10;
|
||||||
window_size = 1000;
|
window_size = 1000;
|
||||||
};
|
};
|
||||||
rc_invites = {
|
rc_invites = {
|
||||||
per_issuer = {
|
per_issuer = {
|
||||||
|
burst_count = 10;
|
||||||
|
per_second = 0.3;
|
||||||
|
};
|
||||||
|
per_room = {
|
||||||
|
burst_count = 10;
|
||||||
|
per_second = 0.3;
|
||||||
|
};
|
||||||
|
per_user = {
|
||||||
|
burst_count = 5;
|
||||||
|
per_second = 3.0e-3;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
rc_joins = {
|
||||||
|
local = {
|
||||||
|
burst_count = 10;
|
||||||
|
per_second = 0.1;
|
||||||
|
};
|
||||||
|
remote = {
|
||||||
|
burst_count = 10;
|
||||||
|
per_second = 1.0e-2;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
rc_login = {
|
||||||
|
account = {
|
||||||
|
burst_count = 3;
|
||||||
|
per_second = 0.17;
|
||||||
|
};
|
||||||
|
address = {
|
||||||
|
burst_count = 3;
|
||||||
|
per_second = 0.17;
|
||||||
|
};
|
||||||
|
failed_attempts = {
|
||||||
|
burst_count = 3;
|
||||||
|
per_second = 0.17;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
rc_message = {
|
||||||
burst_count = 10;
|
burst_count = 10;
|
||||||
per_second = 0.3;
|
per_second = 0.2;
|
||||||
};
|
};
|
||||||
per_room = {
|
rc_registration = {
|
||||||
burst_count = 10;
|
|
||||||
per_second = 0.3;
|
|
||||||
};
|
|
||||||
per_user = {
|
|
||||||
burst_count = 5;
|
|
||||||
per_second = 3.0e-3;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
rc_joins = {
|
|
||||||
local = {
|
|
||||||
burst_count = 10;
|
|
||||||
per_second = 0.1;
|
|
||||||
};
|
|
||||||
remote = {
|
|
||||||
burst_count = 10;
|
|
||||||
per_second = 1.0e-2;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
rc_login = {
|
|
||||||
account = {
|
|
||||||
burst_count = 3;
|
burst_count = 3;
|
||||||
per_second = 0.17;
|
per_second = 0.17;
|
||||||
};
|
};
|
||||||
address = {
|
redaction_retention_period = "7d";
|
||||||
burst_count = 3;
|
forgotten_room_retention_period = "7d";
|
||||||
per_second = 0.17;
|
redis.enabled = false;
|
||||||
};
|
registration_requires_token = false;
|
||||||
failed_attempts = {
|
registrations_require_3pid = [ "email" ];
|
||||||
burst_count = 3;
|
report_stats = false;
|
||||||
per_second = 0.17;
|
require_auth_for_profile_requests = false;
|
||||||
|
room_list_publication_rules = [
|
||||||
|
{
|
||||||
|
action = "allow";
|
||||||
|
alias = "*";
|
||||||
|
room_id = "*";
|
||||||
|
user_id = "*";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
signing_key_path = config.pub-solar-os.matrix-synapse.signing_key_path;
|
||||||
|
|
||||||
|
stream_writers = { };
|
||||||
|
trusted_key_servers = [ { server_name = "matrix.org"; } ];
|
||||||
|
suppress_key_server_warning = true;
|
||||||
|
|
||||||
|
turn_allow_guests = false;
|
||||||
|
turn_uris = [
|
||||||
|
"turn:${config.services.coturn.realm}:3478?transport=udp"
|
||||||
|
"turn:${config.services.coturn.realm}:3478?transport=tcp"
|
||||||
|
];
|
||||||
|
turn_user_lifetime = "1h";
|
||||||
|
|
||||||
|
url_preview_accept_language = [
|
||||||
|
"en-US"
|
||||||
|
"en"
|
||||||
|
];
|
||||||
|
url_preview_enabled = true;
|
||||||
|
url_preview_ip_range_blacklist = [
|
||||||
|
"127.0.0.0/8"
|
||||||
|
"10.0.0.0/8"
|
||||||
|
"172.16.0.0/12"
|
||||||
|
"192.168.0.0/16"
|
||||||
|
"100.64.0.0/10"
|
||||||
|
"192.0.0.0/24"
|
||||||
|
"169.254.0.0/16"
|
||||||
|
"192.88.99.0/24"
|
||||||
|
"198.18.0.0/15"
|
||||||
|
"192.0.2.0/24"
|
||||||
|
"198.51.100.0/24"
|
||||||
|
"203.0.113.0/24"
|
||||||
|
"224.0.0.0/4"
|
||||||
|
"::1/128"
|
||||||
|
"fe80::/10"
|
||||||
|
"fc00::/7"
|
||||||
|
"2001:db8::/32"
|
||||||
|
"ff00::/8"
|
||||||
|
"fec0::/10"
|
||||||
|
];
|
||||||
|
|
||||||
|
user_directory = {
|
||||||
|
prefer_local_users = false;
|
||||||
|
search_all_users = false;
|
||||||
};
|
};
|
||||||
|
user_ips_max_age = "28d";
|
||||||
|
|
||||||
|
app_service_config_files = config.pub-solar-os.matrix-synapse.app-service-config-files;
|
||||||
};
|
};
|
||||||
rc_message = {
|
|
||||||
burst_count = 10;
|
withJemalloc = true;
|
||||||
per_second = 0.2;
|
|
||||||
};
|
extraConfigFiles = config.pub-solar-os.matrix-synapse.extra-config-files;
|
||||||
rc_registration = {
|
|
||||||
burst_count = 3;
|
extras = [
|
||||||
per_second = 0.17;
|
"oidc"
|
||||||
};
|
"redis"
|
||||||
redaction_retention_period = "7d";
|
|
||||||
forgotten_room_retention_period = "7d";
|
|
||||||
redis.enabled = false;
|
|
||||||
registration_requires_token = false;
|
|
||||||
registrations_require_3pid = [ "email" ];
|
|
||||||
report_stats = false;
|
|
||||||
require_auth_for_profile_requests = false;
|
|
||||||
room_list_publication_rules = [
|
|
||||||
{
|
|
||||||
action = "allow";
|
|
||||||
alias = "*";
|
|
||||||
room_id = "*";
|
|
||||||
user_id = "*";
|
|
||||||
}
|
|
||||||
];
|
];
|
||||||
|
|
||||||
signing_key_path = "/run/agenix/matrix-synapse-signing-key";
|
plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
|
||||||
|
|
||||||
stream_writers = { };
|
|
||||||
trusted_key_servers = [ { server_name = "matrix.org"; } ];
|
|
||||||
suppress_key_server_warning = true;
|
|
||||||
|
|
||||||
turn_allow_guests = false;
|
|
||||||
turn_uris = [
|
|
||||||
"turn:${config.services.coturn.realm}:3478?transport=udp"
|
|
||||||
"turn:${config.services.coturn.realm}:3478?transport=tcp"
|
|
||||||
];
|
|
||||||
turn_user_lifetime = "1h";
|
|
||||||
|
|
||||||
url_preview_accept_language = [
|
|
||||||
"en-US"
|
|
||||||
"en"
|
|
||||||
];
|
|
||||||
url_preview_enabled = true;
|
|
||||||
url_preview_ip_range_blacklist = [
|
|
||||||
"127.0.0.0/8"
|
|
||||||
"10.0.0.0/8"
|
|
||||||
"172.16.0.0/12"
|
|
||||||
"192.168.0.0/16"
|
|
||||||
"100.64.0.0/10"
|
|
||||||
"192.0.0.0/24"
|
|
||||||
"169.254.0.0/16"
|
|
||||||
"192.88.99.0/24"
|
|
||||||
"198.18.0.0/15"
|
|
||||||
"192.0.2.0/24"
|
|
||||||
"198.51.100.0/24"
|
|
||||||
"203.0.113.0/24"
|
|
||||||
"224.0.0.0/4"
|
|
||||||
"::1/128"
|
|
||||||
"fe80::/10"
|
|
||||||
"fc00::/7"
|
|
||||||
"2001:db8::/32"
|
|
||||||
"ff00::/8"
|
|
||||||
"fec0::/10"
|
|
||||||
];
|
|
||||||
|
|
||||||
user_directory = {
|
|
||||||
prefer_local_users = false;
|
|
||||||
search_all_users = false;
|
|
||||||
};
|
|
||||||
user_ips_max_age = "28d";
|
|
||||||
|
|
||||||
app_service_config_files = [
|
|
||||||
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
|
||||||
"/var/lib/matrix-appservice-irc/registration.yml"
|
|
||||||
# "/matrix-appservice-slack-registration.yaml"
|
|
||||||
# "/hookshot-registration.yml"
|
|
||||||
# "/matrix-mautrix-signal-registration.yaml"
|
|
||||||
# "/matrix-mautrix-telegram-registration.yaml"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
withJemalloc = true;
|
#services.matrix-sliding-sync = {
|
||||||
|
# enable = true;
|
||||||
|
# settings = {
|
||||||
|
# SYNCV3_SERVER = "https://${publicDomain}";
|
||||||
|
# SYNCV3_BINDADDR = "127.0.0.1:8011";
|
||||||
|
# # The bind addr for Prometheus metrics, which will be accessible at
|
||||||
|
# # /metrics at this address
|
||||||
|
# SYNCV3_PROM = "127.0.0.1:9100";
|
||||||
|
# };
|
||||||
|
# environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
|
||||||
|
#};
|
||||||
|
|
||||||
extraConfigFiles = [
|
pub-solar-os.backups.restic.matrix-synapse = {
|
||||||
"/run/agenix/matrix-synapse-secret-config.yaml"
|
paths = [
|
||||||
|
"/var/lib/matrix-synapse"
|
||||||
# The registration file is automatically generated after starting the
|
"/var/lib/matrix-appservice-irc"
|
||||||
# appservice for the first time.
|
"/var/lib/mautrix-telegram"
|
||||||
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
|
"/tmp/matrix-synapse-backup.sql"
|
||||||
# /var/lib/matrix-synapse/
|
];
|
||||||
# chown matrix-synapse:matrix-synapse \
|
timerConfig = {
|
||||||
# /var/lib/matrix-synapse/telegram-registration.yaml
|
OnCalendar = "*-*-* 05:00:00 Etc/UTC";
|
||||||
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
};
|
||||||
];
|
initialize = true;
|
||||||
|
backupPrepareCommand = ''
|
||||||
extras = [
|
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
|
||||||
"oidc"
|
'';
|
||||||
"redis"
|
backupCleanupCommand = ''
|
||||||
];
|
rm /tmp/matrix-synapse-backup.sql
|
||||||
|
'';
|
||||||
plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
|
pruneOpts = [
|
||||||
};
|
"--keep-daily 7"
|
||||||
|
"--keep-weekly 4"
|
||||||
services.matrix-sliding-sync = {
|
"--keep-monthly 3"
|
||||||
enable = true;
|
];
|
||||||
settings = {
|
|
||||||
SYNCV3_SERVER = "https://${publicDomain}";
|
|
||||||
SYNCV3_BINDADDR = "127.0.0.1:8011";
|
|
||||||
# The bind addr for Prometheus metrics, which will be accessible at
|
|
||||||
# /metrics at this address
|
|
||||||
SYNCV3_PROM = "127.0.0.1:9100";
|
|
||||||
};
|
};
|
||||||
environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.restic.backups.matrix-synapse-storagebox = {
|
|
||||||
paths = [
|
|
||||||
"/var/lib/matrix-synapse"
|
|
||||||
"/var/lib/matrix-appservice-irc"
|
|
||||||
"/var/lib/mautrix-telegram"
|
|
||||||
"/tmp/matrix-synapse-backup.sql"
|
|
||||||
];
|
|
||||||
timerConfig = {
|
|
||||||
OnCalendar = "*-*-* 05:00:00 Etc/UTC";
|
|
||||||
};
|
|
||||||
initialize = true;
|
|
||||||
passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
|
|
||||||
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
|
|
||||||
backupPrepareCommand = ''
|
|
||||||
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
|
|
||||||
'';
|
|
||||||
backupCleanupCommand = ''
|
|
||||||
rm /tmp/matrix-synapse-backup.sql
|
|
||||||
'';
|
|
||||||
pruneOpts = [
|
|
||||||
"--keep-daily 7"
|
|
||||||
"--keep-weekly 4"
|
|
||||||
"--keep-monthly 3"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
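Review bot: `backupPrepareCommand` still writes the full `pg_dump` of the matrix database to the fixed, predictable path `/tmp/matrix-synapse-backup.sql` under the unit's default umask, in a /tmp shared with every other service user on the host; the file can sit readable to others until `backupCleanupCommand` runs, and the shell redirection will follow a pre-planted symlink unless `fs.protected_symlinks` is in effect. Since the backup is being moved under `pub-solar-os.backups.restic` here, this is the moment to dump into a root-only location with a restrictive umask, e.g. `umask 077; install -d -m 700 /var/backup/matrix-synapse` ahead of the dump and `/var/backup/matrix-synapse/matrix-synapse-backup.sql` in `paths`, or to rely on `PrivateTmp` if the `pub-solar-os.backups` module applies it to the restic unit. The module's `let` block with `serverDomain`/`publicDomain` starts outside the hunk.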
@ -10,11 +10,14 @@ let
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
'';
|
'';
|
||||||
clientConfig = import ./element-client-config.nix { inherit lib pkgs; };
|
clientConfig = import ./element-client-config.nix { inherit config lib pkgs; };
|
||||||
wellKnownClient = domain: {
|
wellKnownClient = domain: {
|
||||||
"m.homeserver".base_url = "https://matrix.${domain}";
|
"m.homeserver".base_url = "https://matrix.${domain}";
|
||||||
"m.identity_server".base_url = "https://matrix.${domain}";
|
"m.identity_server".base_url = "https://matrix.${domain}";
|
||||||
"org.matrix.msc3575.proxy".url = "https://matrix.${domain}";
|
"org.matrix.msc2965.authentication" = {
|
||||||
|
issuer = "https://mas.${domain}/";
|
||||||
|
account = "https://mas.${domain}/account";
|
||||||
|
};
|
||||||
"im.vector.riot.e2ee".default = true;
|
"im.vector.riot.e2ee".default = true;
|
||||||
"io.element.e2ee" = {
|
"io.element.e2ee" = {
|
||||||
default = true;
|
default = true;
|
||||||
|
@ -85,6 +88,27 @@ in
|
||||||
root = pkgs.element-stickerpicker;
|
root = pkgs.element-stickerpicker;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"mas.${config.pub-solar-os.networking.domain}" = {
|
||||||
|
root = "/dev/null";
|
||||||
|
|
||||||
|
forceSSL = lib.mkDefault true;
|
||||||
|
enableACME = lib.mkDefault true;
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8090";
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
${commonHeaders}
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
|
||||||
|
# Forward the client IP address
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
"matrix.${config.pub-solar-os.networking.domain}" = {
|
"matrix.${config.pub-solar-os.networking.domain}" = {
|
||||||
root = "/dev/null";
|
root = "/dev/null";
|
||||||
|
|
||||||
|
@ -99,28 +123,41 @@ in
|
||||||
locations = {
|
locations = {
|
||||||
# For telegram
|
# For telegram
|
||||||
"/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = {
|
"/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = {
|
||||||
|
priority = 100;
|
||||||
proxyPass = "http://127.0.0.1:8009";
|
proxyPass = "http://127.0.0.1:8009";
|
||||||
extraConfig = commonHeaders;
|
extraConfig = commonHeaders;
|
||||||
};
|
};
|
||||||
|
|
||||||
# sliding-sync
|
# Forward to the auth service
|
||||||
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
|
"~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
|
||||||
proxyPass = "http://127.0.0.1:8011";
|
priority = 100;
|
||||||
extraConfig = commonHeaders;
|
proxyPass = "http://127.0.0.1:8090";
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
${commonHeaders}
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
|
||||||
|
# Forward the client IP address
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
"~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = {
|
# Forward to Synapse
|
||||||
|
# as per https://element-hq.github.io/synapse/latest/reverse_proxy.html#nginx
|
||||||
|
"~ ^(/_matrix|/_synapse/client)" = {
|
||||||
|
priority = 200;
|
||||||
proxyPass = "http://127.0.0.1:8008";
|
proxyPass = "http://127.0.0.1:8008";
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
${commonHeaders}
|
${commonHeaders}
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
||||||
|
|
||||||
client_body_buffer_size 25M;
|
client_body_buffer_size 25M;
|
||||||
client_max_body_size 50M;
|
client_max_body_size 50M;
|
||||||
proxy_max_temp_file_size 0;
|
proxy_max_temp_file_size 0;
|
||||||
|
proxy_http_version 1.1;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
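Review bot: The new auth-service location `"~ ^/_matrix/client/(.*)/(login|logout|refresh)"` forwards `X-Forwarded-For $proxy_add_x_forwarded_for`, which appends nginx's view of the client to whatever `X-Forwarded-For` header the client itself sent, while the Synapse location directly below it was changed in this same hunk to `$remote_addr`; if nginx is the edge proxy here, the auth service receives a client-controllable address chain on exactly the endpoints where it matters for login auditing and rate limiting. The same pattern is in the `mas.${config.pub-solar-os.networking.domain}` vhost added in the previous hunk. Both new blocks also forward neither `Host` nor `X-Forwarded-Proto`, unlike the Synapse block; the auth service presumably needs the original scheme and host to build correct redirect and issuer URLs behind TLS termination, which is worth confirming. I would align both with the Synapse block: `proxy_set_header X-Forwarded-For $remote_addr;`, `proxy_set_header X-Forwarded-Proto $scheme;`, `proxy_set_header Host $host;`.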
@ -1,9 +1,9 @@
|
||||||
{ pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
{
|
{
|
||||||
default_server_config = {
|
default_server_config = {
|
||||||
"m.homeserver" = {
|
"m.homeserver" = {
|
||||||
base_url = "https://matrix.pub.solar";
|
base_url = "https://matrix.${config.pub-solar-os.networking.domain}";
|
||||||
server_name = "pub.solar";
|
server_name = "${config.pub-solar-os.networking.domain}";
|
||||||
};
|
};
|
||||||
"m.identity_server" = {
|
"m.identity_server" = {
|
||||||
base_url = "";
|
base_url = "";
|
||||||
|
|
|
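Review bot: `server_name = "${config.pub-solar-os.networking.domain}";` wraps a plain string value in an interpolation for no reason; `server_name = config.pub-solar-os.networking.domain;` is the idiomatic form and makes it obvious the value is passed through unchanged. The `base_url` line above it genuinely builds a URL and its interpolation should stay.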
@ -17,6 +17,7 @@
|
||||||
inherit (inputs) element-stickers maunium-stickerpicker;
|
inherit (inputs) element-stickers maunium-stickerpicker;
|
||||||
};
|
};
|
||||||
mastodon = unstable.mastodon;
|
mastodon = unstable.mastodon;
|
||||||
|
matrix-authentication-service = unstable.matrix-authentication-service;
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
];
|
];
|
||||||
|
|
|
@ -7,6 +7,7 @@ let
|
||||||
trinkgenossin-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZXRDpom/LtyoCxvRuoONARKxIT6wNUwEyUjzHRE7DG root@trinkgenossin";
|
trinkgenossin-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZXRDpom/LtyoCxvRuoONARKxIT6wNUwEyUjzHRE7DG root@trinkgenossin";
|
||||||
delite-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKo7zlfQhcJ5/okFTOoOstZtmEL1iNlHxQ4q2baEcWT root@delite";
|
delite-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKo7zlfQhcJ5/okFTOoOstZtmEL1iNlHxQ4q2baEcWT root@delite";
|
||||||
blue-shell-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9g9X0a/MaVtbh44IeLxcq+McuYec0GYAdLsseBpk5f root@blue-shell";
|
blue-shell-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9g9X0a/MaVtbh44IeLxcq+McuYec0GYAdLsseBpk5f root@blue-shell";
|
||||||
|
underground-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGF3PtA89yhVkmN7aJI6gqXK8DW9L7kI71IgiK4TAEwI root@underground";
|
||||||
|
|
||||||
adminKeys = builtins.foldl' (
|
adminKeys = builtins.foldl' (
|
||||||
keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)
|
keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)
|
||||||
|
@ -24,6 +25,8 @@ let
|
||||||
|
|
||||||
blueshellKeys = [ blue-shell-host ];
|
blueshellKeys = [ blue-shell-host ];
|
||||||
|
|
||||||
|
undergroundKeys = [ underground-host ];
|
||||||
|
|
||||||
garageKeys = [
|
garageKeys = [
|
||||||
trinkgenossin-host
|
trinkgenossin-host
|
||||||
delite-host
|
delite-host
|
||||||
|
@ -62,9 +65,12 @@ in
|
||||||
"forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
"forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
|
||||||
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
|
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
"nachtigall-matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
|
"nachtigall-matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
"nachtigall-matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
|
||||||
|
"underground-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys;
|
||||||
|
"underground-matrix-authentication-service-secret-config.yml.age".publicKeys = undergroundKeys ++ adminKeys;
|
||||||
|
|
||||||
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
|
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;
|
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
@ -84,7 +90,7 @@ in
|
||||||
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
|
||||||
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
"nachtigall-coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
|
||||||
"grafana-admin-password.age".publicKeys = trinkgenossinKeys ++ adminKeys;
|
"grafana-admin-password.age".publicKeys = trinkgenossinKeys ++ adminKeys;
|
||||||
"grafana-keycloak-client-secret.age".publicKeys = trinkgenossinKeys ++ adminKeys;
|
"grafana-keycloak-client-secret.age".publicKeys = trinkgenossinKeys ++ adminKeys;
|
||||||
|
|
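Review bot: The two new underground secrets use different extensions for the same kind of file, `underground-matrix-synapse-secret-config.yaml.age` versus `underground-matrix-authentication-service-secret-config.yml.age`; settling on one (`.yaml.age`, matching the synapse entry and the existing nachtigall names) keeps the secret attribute names predictable for the host configs that reference them. Encrypting them to `undergroundKeys ++ adminKeys` rather than to the nachtigall host key is the right scoping, since the nachtigall host cannot decrypt secrets it does not need. The renames in the same hunk (`matrix-synapse-signing-key.age` to `nachtigall-matrix-synapse-signing-key.age` and the two entries after it) change the attribute names that `config.age.secrets.<name>` lookups resolve by; the nachtigall host config that consumes them is not in this section, so I cannot confirm that those references and the encrypted files on disk were renamed together with these entries.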
Binary file not shown.
BIN
secrets/underground-matrix-synapse-secret-config.yaml.age
Normal file
BIN
secrets/underground-matrix-synapse-secret-config.yaml.age
Normal file
Binary file not shown.
|
@ -332,10 +332,40 @@ resource "namecheap_domain_records" "pub-solar" {
|
||||||
type = "AAAA"
|
type = "AAAA"
|
||||||
address = "2a01:4f8:172:1c25::1"
|
address = "2a01:4f8:172:1c25::1"
|
||||||
}
|
}
|
||||||
|
record {
|
||||||
|
hostname = "underground"
|
||||||
|
type = "A"
|
||||||
|
address = "80.244.242.3"
|
||||||
|
}
|
||||||
|
record {
|
||||||
|
hostname = "test"
|
||||||
|
type = "CNAME"
|
||||||
|
address = "underground.pub.solar."
|
||||||
|
}
|
||||||
|
record {
|
||||||
|
hostname = "mas.test"
|
||||||
|
type = "CNAME"
|
||||||
|
address = "underground.pub.solar."
|
||||||
|
}
|
||||||
record {
|
record {
|
||||||
hostname = "matrix.test"
|
hostname = "matrix.test"
|
||||||
type = "CNAME"
|
type = "CNAME"
|
||||||
address = "nachtigall.pub.solar."
|
address = "underground.pub.solar."
|
||||||
|
}
|
||||||
|
record {
|
||||||
|
hostname = "chat.test"
|
||||||
|
type = "CNAME"
|
||||||
|
address = "underground.pub.solar."
|
||||||
|
}
|
||||||
|
record {
|
||||||
|
hostname = "stickers.chat.test"
|
||||||
|
type = "CNAME"
|
||||||
|
address = "underground.pub.solar."
|
||||||
|
}
|
||||||
|
record {
|
||||||
|
hostname = "auth.test"
|
||||||
|
type = "CNAME"
|
||||||
|
address = "underground.pub.solar."
|
||||||
}
|
}
|
||||||
# SRV records can only be changed via NameCheap Web UI
|
# SRV records can only be changed via NameCheap Web UI
|
||||||
# add comment
|
# add comment
|
||||||
|
|
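Review bot: The new `underground` record only gets an A record (`80.244.242.3`), while the host record immediately above it in the hunk carries an `AAAA` record as well; if underground has an IPv6 address, add a matching `AAAA` record so the new `test`, `mas.test`, `chat.test` and `auth.test` CNAMEs also resolve over v6. Repointing `matrix.test` from `nachtigall.pub.solar.` to `underground.pub.solar.` silently cuts the test homeserver name over to the new host; a comment such as `# test.* is served by underground for the matrix-authentication-service trial` above the new record block would make that intent visible in the state file. I cannot tell from this hunk whether underground actually serves `auth.test` and `stickers.chat.test`; the nginx changes in this commit only add a vhost for `mas.*`, so those CNAMEs may resolve to a host with no matching virtual host.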