matrix-authentication-service: init host underground

to test mas, related to #242
This commit is contained in:
teutat3s 2024-10-26 02:03:31 +02:00
parent 4c51eda8b6
commit d6cc9c8164
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
22 changed files with 630 additions and 301 deletions

View file

@ -234,6 +234,22 @@
"type": "github" "type": "github"
} }
}, },
"fork": {
"locked": {
"lastModified": 1729963002,
"narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=",
"owner": "teutat3s",
"repo": "nixpkgs",
"rev": "005faaacbeede0296dec5c844f508027ab8a3ff6",
"type": "github"
},
"original": {
"owner": "teutat3s",
"ref": "init-matrix-authentication-service-module",
"repo": "nixpkgs",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -354,6 +370,7 @@
"element-stickers": "element-stickers", "element-stickers": "element-stickers",
"element-themes": "element-themes", "element-themes": "element-themes",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"fork": "fork",
"home-manager": "home-manager", "home-manager": "home-manager",
"keycloak-theme-pub-solar": "keycloak-theme-pub-solar", "keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
"maunium-stickerpicker": "maunium-stickerpicker", "maunium-stickerpicker": "maunium-stickerpicker",

View file

@ -3,6 +3,7 @@
# Track channels with commits tested and built by hydra # Track channels with commits tested and built by hydra
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
unstable.url = "github:nixos/nixpkgs/nixos-unstable"; unstable.url = "github:nixos/nixpkgs/nixos-unstable";
fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";
nix-darwin.url = "github:lnl7/nix-darwin/master"; nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
@ -152,6 +153,10 @@
hostname = "tankstelle.wg.pub.solar"; hostname = "tankstelle.wg.pub.solar";
sshUser = username; sshUser = username;
}; };
underground = {
hostname = "80.244.242.3";
sshUser = username;
};
trinkgenossin = { trinkgenossin = {
hostname = "trinkgenossin.wg.pub.solar"; hostname = "trinkgenossin.wg.pub.solar";
sshUser = username; sshUser = username;

View file

@ -178,6 +178,30 @@
self.nixosModules.nginx self.nixosModules.nginx
]; ];
}; };
underground = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
self.inputs.agenix.nixosModules.default
self.nixosModules.home-manager
./underground
self.nixosModules.overlays
self.nixosModules.unlock-luks-on-boot
self.nixosModules.core
self.nixosModules.backups
self.nixosModules.keycloak
self.nixosModules.postgresql
self.nixosModules.matrix
self.nixosModules.matrix-irc
self.nixosModules.nginx
self.nixosModules.nginx-matrix
];
};
}; };
}; };
} }

View file

@ -48,6 +48,7 @@
owner = "root"; owner = "root";
}; };
# keycloak
age.secrets.keycloak-database-password = { age.secrets.keycloak-database-password = {
file = "${flake.self}/secrets/keycloak-database-password.age"; file = "${flake.self}/secrets/keycloak-database-password.age";
mode = "600"; mode = "600";
@ -59,6 +60,50 @@
database-password-file = config.age.secrets.keycloak-database-password.path; database-password-file = config.age.secrets.keycloak-database-password.path;
}; };
# matrix-synapse
age.secrets."nachtigall-matrix-synapse-signing-key" = {
file = "${flake.self}/secrets/nachtigall-matrix-synapse-signing-key.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."nachtigall-matrix-synapse-secret-config.yaml" = {
file = "${flake.self}/secrets/nachtigall-matrix-synapse-secret-config.yaml.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."nachtigall-matrix-synapse-sliding-sync-secret" = {
file = "${flake.self}/secrets/nachtigall-matrix-synapse-sliding-sync-secret.age";
mode = "400";
owner = "matrix-synapse";
};
pub-solar-os.matrix-synapse = {
enable = true;
signing_key_path = config.age.secrets."nachtigall-matrix-synapse-signing-key".path;
extra-config-files = [
config.age.secrets."nachtigall-matrix-synapse-secret-config.yaml".path
# The registration file is automatically generated after starting the
# appservice for the first time.
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
# /var/lib/matrix-synapse/
# chown matrix-synapse:matrix-synapse \
# /var/lib/matrix-synapse/telegram-registration.yaml
"/var/lib/matrix-synapse/telegram-registration.yaml"
];
app-service-config-files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-appservice-irc/registration.yml"
# "/matrix-appservice-slack-registration.yaml"
# "/hookshot-registration.yml"
# "/matrix-mautrix-signal-registration.yaml"
# "/matrix-mautrix-telegram-registration.yaml"
];
};
systemd.services.postgresql = { systemd.services.postgresql = {
after = [ "var-lib-postgresql.mount" ]; after = [ "var-lib-postgresql.mount" ];
requisite = [ "var-lib-postgresql.mount" ]; requisite = [ "var-lib-postgresql.mount" ];

View file

@ -0,0 +1,107 @@
{
flake,
config,
pkgs,
...
}:
{
# Use GRUB2 as the boot loader.
boot.loader.grub = {
enable = true;
devices = [ "/dev/vda" ];
};
pub-solar-os.networking.domain = "test.pub.solar";
systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];
# keycloak
pub-solar-os.auth = {
enable = true;
database-password-file = "/tmp/dbf";
};
services.keycloak.database.createLocally = true;
# matrix-synapse
# test.pub.solar /.well-known is required for federation
services.nginx.virtualHosts."${config.pub-solar-os.networking.domain}" = {
default = true;
enableACME = true;
forceSSL = true;
};
age.secrets."underground-matrix-synapse-secret-config.yaml" = {
file = "${flake.self}/secrets/underground-matrix-synapse-secret-config.yaml.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."underground-matrix-authentication-service-secret-config.yml" = {
file = "${flake.self}/secrets/underground-matrix-authentication-service-secret-config.yml.age";
mode = "400";
owner = "matrix-authentication-service";
};
pub-solar-os.matrix-synapse = {
enable = true;
extra-config-files = [
config.age.secrets."underground-matrix-synapse-secret-config.yaml".path
# The registration file is automatically generated after starting the
# appservice for the first time.
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
# /var/lib/matrix-synapse/
# chown matrix-synapse:matrix-synapse \
# /var/lib/matrix-synapse/telegram-registration.yaml
#"/var/lib/matrix-synapse/telegram-registration.yaml"
];
app-service-config-files = [
"/var/lib/matrix-appservice-irc/registration.yml"
#"/var/lib/matrix-synapse/telegram-registration.yaml"
];
};
services.matrix-authentication-service = {
enable = true;
createDatabase = true;
extraConfigFiles = [
config.age.secrets."underground-matrix-authentication-service-secret-config.yml".path
];
settings = {
http.public_base = "https://mas.${config.pub-solar-os.networking.domain}";
http.issuer = "https://mas.${config.pub-solar-os.networking.domain}";
http.listeners = [
{
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{ name = "assets"; path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; }
];
binds = [
{ host = "0.0.0.0"; port = 8090; }
];
proxy_protocol = false;
}
{
name = "internal";
resources = [
{ name = "health"; }
];
binds = [
{ host = "0.0.0.0"; port = 8081; }
];
proxy_protocol = false;
}
];
passwords.enabled = false;
};
};
services.openssh.openFirewall = true;
system.stateVersion = "24.05";
}

View file

@ -0,0 +1,16 @@
{ flake, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./configuration.nix
./networking.nix
"${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
];
disabledModules = [
"services/matrix/matrix-authentication-service.nix "
];
}

View file

@ -0,0 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-label/cryptroot";
};
fileSystems."/" =
{ device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-label/swap"; }
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

View file

@ -0,0 +1,24 @@
{
config,
pkgs,
flake,
...
}:
{
networking.hostName = "underground";
networking = {
defaultGateway = {
address = "80.244.242.1";
interface = "enp1s0";
};
nameservers = ["95.129.51.51" "80.244.244.244"];
interfaces.enp1s0 = {
useDHCP = false;
ipv4.addresses = [
{ address = "80.244.242.3"; prefixLength = 29; }
];
};
};
}

View file

@ -5,8 +5,8 @@
... ...
}: }:
{ {
age.secrets."coturn-static-auth-secret" = { age.secrets."nachtigall-coturn-static-auth-secret" = {
file = "${flake.self}/secrets/coturn-static-auth-secret.age"; file = "${flake.self}/secrets/nachtigall-coturn-static-auth-secret.age";
mode = "400"; mode = "400";
owner = "turnserver"; owner = "turnserver";
}; };
@ -18,7 +18,7 @@
min-port = 49000; min-port = 49000;
max-port = 50000; max-port = 50000;
use-auth-secret = true; use-auth-secret = true;
static-auth-secret-file = "/run/agenix/coturn-static-auth-secret"; static-auth-secret-file = "/run/agenix/nachtigall-coturn-static-auth-secret";
realm = "turn.${config.pub-solar-os.networking.domain}"; realm = "turn.${config.pub-solar-os.networking.domain}";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";

View file

@ -16,11 +16,6 @@ let
synapseClientPort = "${toString listenerWithClient.port}"; synapseClientPort = "${toString listenerWithClient.port}";
in in
{ {
systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
"@system-service @pkey"
"~@privileged @resources"
"@chown"
];
services.matrix-appservice-irc = { services.matrix-appservice-irc = {
enable = true; enable = true;
localpart = "irc_bot"; localpart = "irc_bot";

View file

@ -1,6 +1,7 @@
{ {
flake, flake,
config, config,
lib,
pkgs, pkgs,
... ...
}: }:
@ -9,304 +10,291 @@ let
serverDomain = "${config.pub-solar-os.networking.domain}"; serverDomain = "${config.pub-solar-os.networking.domain}";
in in
{ {
age.secrets."matrix-synapse-signing-key" = { options.pub-solar-os.matrix-synapse = {
file = "${flake.self}/secrets/matrix-synapse-signing-key.age"; enable = lib.mkEnableOption "Enable matrix-synapse to run on the node";
mode = "400";
owner = "matrix-synapse"; app-service-config-files = lib.mkOption {
description = "List of app service config files";
type = lib.types.listOf lib.types.str;
default = [];
};
extra-config-files = lib.mkOption {
description = "List of extra synapse config files";
type = lib.types.listOf lib.types.str;
default = [];
};
signing_key_path = lib.mkOption {
description = "Path to file containing the signing key";
type = lib.types.str;
default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key";
};
}; };
age.secrets."matrix-synapse-secret-config.yaml" = { config = lib.mkIf config.pub-solar-os.matrix-synapse.enable {
file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age"; services.matrix-synapse = {
mode = "400"; enable = true;
owner = "matrix-synapse"; settings = {
}; server_name = serverDomain;
public_baseurl = "https://${publicDomain}/";
age.secrets."matrix-synapse-sliding-sync-secret" = { database = {
file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age"; name = "psycopg2";
mode = "400"; args = {
owner = "matrix-synapse"; host = "/run/postgresql";
}; cp_max = 10;
cp_min = 5;
services.matrix-synapse = { database = "matrix";
enable = true; };
settings = { allow_unsafe_locale = false;
server_name = serverDomain; txn_limit = 0;
public_baseurl = "https://${publicDomain}/";
database = {
name = "psycopg2";
args = {
host = "/run/postgresql";
cp_max = 10;
cp_min = 5;
database = "matrix";
}; };
allow_unsafe_locale = false; listeners = [
txn_limit = 0; {
}; bind_addresses = [ "127.0.0.1" ];
listeners = [ port = 8008;
{ resources = [
bind_addresses = [ "127.0.0.1" ]; {
port = 8008; compress = true;
resources = [ names = [ "client" ];
{ }
compress = true; {
names = [ "client" ]; compress = false;
} names = [ "federation" ];
{ }
compress = false; ];
names = [ "federation" ]; tls = false;
} type = "http";
]; x_forwarded = true;
tls = false; }
type = "http"; {
x_forwarded = true; bind_addresses = [ "127.0.0.1" ];
} port = 8012;
{ resources = [ { names = [ "metrics" ]; } ];
bind_addresses = [ "127.0.0.1" ]; tls = false;
port = 8012; type = "metrics";
resources = [ { names = [ "metrics" ]; } ]; }
tls = false; ];
type = "metrics";
}
];
account_threepid_delegates.msisdn = ""; account_threepid_delegates.msisdn = "";
alias_creation_rules = [ alias_creation_rules = [
{ {
action = "allow"; action = "allow";
alias = "*"; alias = "*";
room_id = "*"; room_id = "*";
user_id = "*"; user_id = "*";
} }
]; ];
allow_guest_access = false; allow_guest_access = false;
allow_public_rooms_over_federation = true; allow_public_rooms_over_federation = true;
allow_public_rooms_without_auth = false; allow_public_rooms_without_auth = false;
auto_join_rooms = [ auto_join_rooms = [
"#community:${serverDomain}" "#community:${serverDomain}"
"#general:${serverDomain}" "#general:${serverDomain}"
]; ];
autocreate_auto_join_rooms = true; autocreate_auto_join_rooms = true;
caches.global_factor = 0.5; caches.global_factor = 0.5;
default_room_version = "10"; default_room_version = "10";
disable_msisdn_registration = true; disable_msisdn_registration = true;
enable_media_repo = true; enable_media_repo = true;
enable_metrics = true; enable_metrics = true;
mau_stats_only = true; mau_stats_only = true;
enable_registration = false; enable_registration = false;
enable_registration_captcha = false; enable_registration_captcha = false;
enable_registration_without_verification = false; enable_registration_without_verification = false;
enable_room_list_search = true; enable_room_list_search = true;
encryption_enabled_by_default_for_room_type = "off"; encryption_enabled_by_default_for_room_type = "off";
event_cache_size = "100K"; event_cache_size = "100K";
federation_rr_transactions_per_room_per_second = 50; federation_rr_transactions_per_room_per_second = 50;
federation_client_minimum_tls_version = "1.2"; federation_client_minimum_tls_version = "1.2";
forget_rooms_on_leave = true; forget_rooms_on_leave = true;
include_profile_data_on_invite = true; include_profile_data_on_invite = true;
instance_map = { }; instance_map = { };
limit_profile_requests_to_users_who_share_rooms = false; limit_profile_requests_to_users_who_share_rooms = false;
max_spider_size = "10M"; max_spider_size = "10M";
max_upload_size = "50M"; max_upload_size = "50M";
media_storage_providers = [ ]; media_storage_providers = [ ];
password_config = { password_config = {
enabled = false; enabled = false;
localdb_enabled = false; localdb_enabled = false;
pepper = ""; pepper = "";
}; };
presence.enabled = true; presence.enabled = true;
push.include_content = false; push.include_content = false;
rc_admin_redaction = { rc_admin_redaction = {
burst_count = 50; burst_count = 50;
per_second = 1; per_second = 1;
}; };
rc_federation = { rc_federation = {
concurrent = 3; concurrent = 3;
reject_limit = 50; reject_limit = 50;
sleep_delay = 500; sleep_delay = 500;
sleep_limit = 10; sleep_limit = 10;
window_size = 1000; window_size = 1000;
}; };
rc_invites = { rc_invites = {
per_issuer = { per_issuer = {
burst_count = 10;
per_second = 0.3;
};
per_room = {
burst_count = 10;
per_second = 0.3;
};
per_user = {
burst_count = 5;
per_second = 3.0e-3;
};
};
rc_joins = {
local = {
burst_count = 10;
per_second = 0.1;
};
remote = {
burst_count = 10;
per_second = 1.0e-2;
};
};
rc_login = {
account = {
burst_count = 3;
per_second = 0.17;
};
address = {
burst_count = 3;
per_second = 0.17;
};
failed_attempts = {
burst_count = 3;
per_second = 0.17;
};
};
rc_message = {
burst_count = 10; burst_count = 10;
per_second = 0.3; per_second = 0.2;
}; };
per_room = { rc_registration = {
burst_count = 10;
per_second = 0.3;
};
per_user = {
burst_count = 5;
per_second = 3.0e-3;
};
};
rc_joins = {
local = {
burst_count = 10;
per_second = 0.1;
};
remote = {
burst_count = 10;
per_second = 1.0e-2;
};
};
rc_login = {
account = {
burst_count = 3; burst_count = 3;
per_second = 0.17; per_second = 0.17;
}; };
address = { redaction_retention_period = "7d";
burst_count = 3; forgotten_room_retention_period = "7d";
per_second = 0.17; redis.enabled = false;
}; registration_requires_token = false;
failed_attempts = { registrations_require_3pid = [ "email" ];
burst_count = 3; report_stats = false;
per_second = 0.17; require_auth_for_profile_requests = false;
room_list_publication_rules = [
{
action = "allow";
alias = "*";
room_id = "*";
user_id = "*";
}
];
signing_key_path = config.pub-solar-os.matrix-synapse.signing_key_path;
stream_writers = { };
trusted_key_servers = [ { server_name = "matrix.org"; } ];
suppress_key_server_warning = true;
turn_allow_guests = false;
turn_uris = [
"turn:${config.services.coturn.realm}:3478?transport=udp"
"turn:${config.services.coturn.realm}:3478?transport=tcp"
];
turn_user_lifetime = "1h";
url_preview_accept_language = [
"en-US"
"en"
];
url_preview_enabled = true;
url_preview_ip_range_blacklist = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"192.0.0.0/24"
"169.254.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"192.0.2.0/24"
"198.51.100.0/24"
"203.0.113.0/24"
"224.0.0.0/4"
"::1/128"
"fe80::/10"
"fc00::/7"
"2001:db8::/32"
"ff00::/8"
"fec0::/10"
];
user_directory = {
prefer_local_users = false;
search_all_users = false;
}; };
user_ips_max_age = "28d";
app_service_config_files = config.pub-solar-os.matrix-synapse.app-service-config-files;
}; };
rc_message = {
burst_count = 10; withJemalloc = true;
per_second = 0.2;
}; extraConfigFiles = config.pub-solar-os.matrix-synapse.extra-config-files;
rc_registration = {
burst_count = 3; extras = [
per_second = 0.17; "oidc"
}; "redis"
redaction_retention_period = "7d";
forgotten_room_retention_period = "7d";
redis.enabled = false;
registration_requires_token = false;
registrations_require_3pid = [ "email" ];
report_stats = false;
require_auth_for_profile_requests = false;
room_list_publication_rules = [
{
action = "allow";
alias = "*";
room_id = "*";
user_id = "*";
}
]; ];
signing_key_path = "/run/agenix/matrix-synapse-signing-key"; plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
stream_writers = { };
trusted_key_servers = [ { server_name = "matrix.org"; } ];
suppress_key_server_warning = true;
turn_allow_guests = false;
turn_uris = [
"turn:${config.services.coturn.realm}:3478?transport=udp"
"turn:${config.services.coturn.realm}:3478?transport=tcp"
];
turn_user_lifetime = "1h";
url_preview_accept_language = [
"en-US"
"en"
];
url_preview_enabled = true;
url_preview_ip_range_blacklist = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"192.0.0.0/24"
"169.254.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"192.0.2.0/24"
"198.51.100.0/24"
"203.0.113.0/24"
"224.0.0.0/4"
"::1/128"
"fe80::/10"
"fc00::/7"
"2001:db8::/32"
"ff00::/8"
"fec0::/10"
];
user_directory = {
prefer_local_users = false;
search_all_users = false;
};
user_ips_max_age = "28d";
app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-appservice-irc/registration.yml"
# "/matrix-appservice-slack-registration.yaml"
# "/hookshot-registration.yml"
# "/matrix-mautrix-signal-registration.yaml"
# "/matrix-mautrix-telegram-registration.yaml"
];
}; };
withJemalloc = true; #services.matrix-sliding-sync = {
# enable = true;
# settings = {
# SYNCV3_SERVER = "https://${publicDomain}";
# SYNCV3_BINDADDR = "127.0.0.1:8011";
# # The bind addr for Prometheus metrics, which will be accessible at
# # /metrics at this address
# SYNCV3_PROM = "127.0.0.1:9100";
# };
# environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
#};
extraConfigFiles = [ pub-solar-os.backups.restic.matrix-synapse = {
"/run/agenix/matrix-synapse-secret-config.yaml" paths = [
"/var/lib/matrix-synapse"
# The registration file is automatically generated after starting the "/var/lib/matrix-appservice-irc"
# appservice for the first time. "/var/lib/mautrix-telegram"
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \ "/tmp/matrix-synapse-backup.sql"
# /var/lib/matrix-synapse/ ];
# chown matrix-synapse:matrix-synapse \ timerConfig = {
# /var/lib/matrix-synapse/telegram-registration.yaml OnCalendar = "*-*-* 05:00:00 Etc/UTC";
"/var/lib/matrix-synapse/telegram-registration.yaml" };
]; initialize = true;
backupPrepareCommand = ''
extras = [ ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
"oidc" '';
"redis" backupCleanupCommand = ''
]; rm /tmp/matrix-synapse-backup.sql
'';
plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; pruneOpts = [
}; "--keep-daily 7"
"--keep-weekly 4"
services.matrix-sliding-sync = { "--keep-monthly 3"
enable = true; ];
settings = {
SYNCV3_SERVER = "https://${publicDomain}";
SYNCV3_BINDADDR = "127.0.0.1:8011";
# The bind addr for Prometheus metrics, which will be accessible at
# /metrics at this address
SYNCV3_PROM = "127.0.0.1:9100";
}; };
environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
};
services.restic.backups.matrix-synapse-storagebox = {
paths = [
"/var/lib/matrix-synapse"
"/var/lib/matrix-appservice-irc"
"/var/lib/mautrix-telegram"
"/tmp/matrix-synapse-backup.sql"
];
timerConfig = {
OnCalendar = "*-*-* 05:00:00 Etc/UTC";
};
initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/matrix-synapse-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
}; };
} }

View file

@ -10,11 +10,14 @@ let
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
''; '';
clientConfig = import ./element-client-config.nix { inherit lib pkgs; }; clientConfig = import ./element-client-config.nix { inherit config lib pkgs; };
wellKnownClient = domain: { wellKnownClient = domain: {
"m.homeserver".base_url = "https://matrix.${domain}"; "m.homeserver".base_url = "https://matrix.${domain}";
"m.identity_server".base_url = "https://matrix.${domain}"; "m.identity_server".base_url = "https://matrix.${domain}";
"org.matrix.msc3575.proxy".url = "https://matrix.${domain}"; "org.matrix.msc2965.authentication" = {
issuer = "https://mas.${domain}/";
account = "https://mas.${domain}/account";
};
"im.vector.riot.e2ee".default = true; "im.vector.riot.e2ee".default = true;
"io.element.e2ee" = { "io.element.e2ee" = {
default = true; default = true;
@ -85,6 +88,27 @@ in
root = pkgs.element-stickerpicker; root = pkgs.element-stickerpicker;
}; };
"mas.${config.pub-solar-os.networking.domain}" = {
root = "/dev/null";
forceSSL = lib.mkDefault true;
enableACME = lib.mkDefault true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8090";
extraConfig = ''
${commonHeaders}
proxy_http_version 1.1;
# Forward the client IP address
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
};
"matrix.${config.pub-solar-os.networking.domain}" = { "matrix.${config.pub-solar-os.networking.domain}" = {
root = "/dev/null"; root = "/dev/null";
@ -99,28 +123,41 @@ in
locations = { locations = {
# For telegram # For telegram
"/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = { "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = {
priority = 100;
proxyPass = "http://127.0.0.1:8009"; proxyPass = "http://127.0.0.1:8009";
extraConfig = commonHeaders; extraConfig = commonHeaders;
}; };
# sliding-sync # Forward to the auth service
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
proxyPass = "http://127.0.0.1:8011"; priority = 100;
extraConfig = commonHeaders; proxyPass = "http://127.0.0.1:8090";
extraConfig = ''
${commonHeaders}
proxy_http_version 1.1;
# Forward the client IP address
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
}; };
"~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = { # Forward to Synapse
# as per https://element-hq.github.io/synapse/latest/reverse_proxy.html#nginx
"~ ^(/_matrix|/_synapse/client)" = {
priority = 200;
proxyPass = "http://127.0.0.1:8008"; proxyPass = "http://127.0.0.1:8008";
extraConfig = '' extraConfig = ''
${commonHeaders} ${commonHeaders}
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
client_body_buffer_size 25M; client_body_buffer_size 25M;
client_max_body_size 50M; client_max_body_size 50M;
proxy_max_temp_file_size 0; proxy_max_temp_file_size 0;
proxy_http_version 1.1;
''; '';
}; };
}; };

View file

@ -1,9 +1,9 @@
{ pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
default_server_config = { default_server_config = {
"m.homeserver" = { "m.homeserver" = {
base_url = "https://matrix.pub.solar"; base_url = "https://matrix.${config.pub-solar-os.networking.domain}";
server_name = "pub.solar"; server_name = "${config.pub-solar-os.networking.domain}";
}; };
"m.identity_server" = { "m.identity_server" = {
base_url = ""; base_url = "";

View file

@ -17,6 +17,7 @@
inherit (inputs) element-stickers maunium-stickerpicker; inherit (inputs) element-stickers maunium-stickerpicker;
}; };
mastodon = unstable.mastodon; mastodon = unstable.mastodon;
matrix-authentication-service = unstable.matrix-authentication-service;
} }
) )
]; ];

View file

@ -7,6 +7,7 @@ let
trinkgenossin-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZXRDpom/LtyoCxvRuoONARKxIT6wNUwEyUjzHRE7DG root@trinkgenossin"; trinkgenossin-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZXRDpom/LtyoCxvRuoONARKxIT6wNUwEyUjzHRE7DG root@trinkgenossin";
delite-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKo7zlfQhcJ5/okFTOoOstZtmEL1iNlHxQ4q2baEcWT root@delite"; delite-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKo7zlfQhcJ5/okFTOoOstZtmEL1iNlHxQ4q2baEcWT root@delite";
blue-shell-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9g9X0a/MaVtbh44IeLxcq+McuYec0GYAdLsseBpk5f root@blue-shell"; blue-shell-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9g9X0a/MaVtbh44IeLxcq+McuYec0GYAdLsseBpk5f root@blue-shell";
underground-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGF3PtA89yhVkmN7aJI6gqXK8DW9L7kI71IgiK4TAEwI root@underground";
adminKeys = builtins.foldl' ( adminKeys = builtins.foldl' (
keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys) keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)
@ -24,6 +25,8 @@ let
blueshellKeys = [ blue-shell-host ]; blueshellKeys = [ blue-shell-host ];
undergroundKeys = [ underground-host ];
garageKeys = [ garageKeys = [
trinkgenossin-host trinkgenossin-host
delite-host delite-host
@ -62,9 +65,12 @@ in
"forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; "forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; "nachtigall-matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; "nachtigall-matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; "nachtigall-matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"underground-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys;
"underground-matrix-authentication-service-secret-config.yml.age".publicKeys = undergroundKeys ++ adminKeys;
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys; "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;
@ -84,7 +90,7 @@ in
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys; "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys; "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys; "nachtigall-coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"grafana-admin-password.age".publicKeys = trinkgenossinKeys ++ adminKeys; "grafana-admin-password.age".publicKeys = trinkgenossinKeys ++ adminKeys;
"grafana-keycloak-client-secret.age".publicKeys = trinkgenossinKeys ++ adminKeys; "grafana-keycloak-client-secret.age".publicKeys = trinkgenossinKeys ++ adminKeys;

View file

@ -332,10 +332,40 @@ resource "namecheap_domain_records" "pub-solar" {
type = "AAAA" type = "AAAA"
address = "2a01:4f8:172:1c25::1" address = "2a01:4f8:172:1c25::1"
} }
record {
hostname = "underground"
type = "A"
address = "80.244.242.3"
}
record {
hostname = "test"
type = "CNAME"
address = "underground.pub.solar."
}
record {
hostname = "mas.test"
type = "CNAME"
address = "underground.pub.solar."
}
record { record {
hostname = "matrix.test" hostname = "matrix.test"
type = "CNAME" type = "CNAME"
address = "nachtigall.pub.solar." address = "underground.pub.solar."
}
record {
hostname = "chat.test"
type = "CNAME"
address = "underground.pub.solar."
}
record {
hostname = "stickers.chat.test"
type = "CNAME"
address = "underground.pub.solar."
}
record {
hostname = "auth.test"
type = "CNAME"
address = "underground.pub.solar."
} }
# SRV records can only be changed via NameCheap Web UI # SRV records can only be changed via NameCheap Web UI
# add comment # add comment