From d6cc9c81640b0950606071313a33c995a27649e5 Mon Sep 17 00:00:00 2001 
From: teutat3s Date: Sat, 26 Oct 2024 02:03:31 +0200 Subject: [PATCH 01/11] matrix-authentication-service: init host underground to test mas, related to #242 --- flake.lock | 17 + flake.nix | 5 + hosts/default.nix | 24 + hosts/nachtigall/configuration.nix | 45 ++ hosts/underground/configuration.nix | 107 ++++ hosts/underground/default.nix | 16 + hosts/underground/hardware-configuration.nix | 34 ++ hosts/underground/networking.nix | 24 + modules/coturn/default.nix | 6 +- modules/matrix-irc/default.nix | 5 - modules/matrix/default.nix | 540 +++++++++--------- modules/nginx-matrix/default.nix | 55 +- .../nginx-matrix/element-client-config.nix | 6 +- overlays/default.nix | 1 + ... nachtigall-coturn-static-auth-secret.age} | 0 ...all-matrix-synapse-secret-config.yaml.age} | Bin ...nachtigall-matrix-synapse-signing-key.age} | Bin ...ll-matrix-synapse-sliding-sync-secret.age} | 0 secrets/secrets.nix | 14 +- ...thentication-service-secret-config.yml.age | Bin 0 -> 6263 bytes ...ound-matrix-synapse-secret-config.yaml.age | Bin 0 -> 4219 bytes terraform/dns.tf | 32 +- 22 files changed, 630 insertions(+), 301 deletions(-) create mode 100644 hosts/underground/configuration.nix create mode 100644 hosts/underground/default.nix create mode 100644 hosts/underground/hardware-configuration.nix create mode 100644 hosts/underground/networking.nix rename secrets/{coturn-static-auth-secret.age => nachtigall-coturn-static-auth-secret.age} (100%) rename secrets/{matrix-synapse-secret-config.yaml.age => nachtigall-matrix-synapse-secret-config.yaml.age} (100%) rename secrets/{matrix-synapse-signing-key.age => nachtigall-matrix-synapse-signing-key.age} (100%) rename secrets/{matrix-synapse-sliding-sync-secret.age => nachtigall-matrix-synapse-sliding-sync-secret.age} (100%) create mode 100644 secrets/underground-matrix-authentication-service-secret-config.yml.age create mode 100644 secrets/underground-matrix-synapse-secret-config.yaml.age 
diff --git a/flake.lock b/flake.lock
index ae964ea3..8c962683 100644
--- a/flake.lock
+++ b/flake.lock
@@ -234,6 +234,22 @@
 "type": "github"
 }
 },
+ "fork": {
+ "locked": {
+ "lastModified": 1729963002,
+ "narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=",
+ "owner": "teutat3s",
+ "repo": "nixpkgs",
+ "rev": "005faaacbeede0296dec5c844f508027ab8a3ff6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "teutat3s",
+ "ref": "init-matrix-authentication-service-module",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -354,6 +370,7 @@
 "element-stickers": "element-stickers",
 "element-themes": "element-themes",
 "flake-parts": "flake-parts",
+ "fork": "fork",
 "home-manager": "home-manager",
 "keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
 "maunium-stickerpicker": "maunium-stickerpicker",
diff --git a/flake.nix b/flake.nix
index a417b498..923092cb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,7 @@
 # Track channels with commits tested and built by hydra
 nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
 unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";
 nix-darwin.url = "github:lnl7/nix-darwin/master";
 nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
@@ -152,6 +153,10 @@
 hostname = "tankstelle.wg.pub.solar";
 sshUser = username;
 };
+ underground = {
+ hostname = "80.244.242.3";
+ sshUser = username;
+ };
 trinkgenossin = {
 hostname = "trinkgenossin.wg.pub.solar";
 sshUser = username;
diff --git a/hosts/default.nix b/hosts/default.nix
index 6f159d09..e7a8f2ea 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
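Review bot: The `+ fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";` line adds a personal nixpkgs branch as a flake input without saying why; the lock pins it to a rev, so builds stay reproducible, but nothing tells the next person bumping flake.lock that this input exists only to carry an unmerged module and is meant to disappear. A comment above it such as `# temporary: carries the matrix-authentication-service module until our nixpkgs channel ships it; drop once merged upstream` records that. In the second flake.nix hunk, `underground` is deployed to the bare address `80.244.242.3` while every neighbouring host uses a `*.wg.pub.solar` name; if that is only because the WireGuard peer is not set up yet, a one-line comment saying so keeps the deploy-over-public-IP from reading as intentional.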
@@ -178,6 +178,30 @@ self.nixosModules.nginx ]; }; + + underground = self.inputs.nixpkgs.lib.nixosSystem { + specialArgs = { + flake = { + inherit self inputs config; + }; + }; + modules = [ + self.inputs.agenix.nixosModules.default + self.nixosModules.home-manager + ./underground + self.nixosModules.overlays + self.nixosModules.unlock-luks-on-boot + self.nixosModules.core + + self.nixosModules.backups + self.nixosModules.keycloak + self.nixosModules.postgresql + self.nixosModules.matrix + self.nixosModules.matrix-irc + self.nixosModules.nginx + self.nixosModules.nginx-matrix + ]; + }; }; }; } diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index c226ed04..eb7e657f 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -48,6 +48,7 @@ owner = "root"; }; + # keycloak age.secrets.keycloak-database-password = { file = "${flake.self}/secrets/keycloak-database-password.age"; mode = "600"; 
@@ -59,6 +60,50 @@ database-password-file = config.age.secrets.keycloak-database-password.path; }; + # matrix-synapse + age.secrets."nachtigall-matrix-synapse-signing-key" = { + file = "${flake.self}/secrets/nachtigall-matrix-synapse-signing-key.age"; + mode = "400"; + owner = "matrix-synapse"; + }; + + age.secrets."nachtigall-matrix-synapse-secret-config.yaml" = { + file = "${flake.self}/secrets/nachtigall-matrix-synapse-secret-config.yaml.age"; + mode = "400"; + owner = "matrix-synapse"; + }; + + age.secrets."nachtigall-matrix-synapse-sliding-sync-secret" = { + file = "${flake.self}/secrets/nachtigall-matrix-synapse-sliding-sync-secret.age"; + mode = "400"; + owner = "matrix-synapse"; + }; + + + pub-solar-os.matrix-synapse = { + enable = true; + signing_key_path = config.age.secrets."nachtigall-matrix-synapse-signing-key".path; + extra-config-files = [ + config.age.secrets."nachtigall-matrix-synapse-secret-config.yaml".path + + # The registration file is automatically generated after starting the + # appservice for the first time. + # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ + # /var/lib/matrix-synapse/ + # chown matrix-synapse:matrix-synapse \ + # /var/lib/matrix-synapse/telegram-registration.yaml + "/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + app-service-config-files = [ + "/var/lib/matrix-synapse/telegram-registration.yaml" + "/var/lib/matrix-appservice-irc/registration.yml" + # "/matrix-appservice-slack-registration.yaml" + # "/hookshot-registration.yml" + # "/matrix-mautrix-signal-registration.yaml" + # "/matrix-mautrix-telegram-registration.yaml" + ]; + }; + systemd.services.postgresql = { after = [ "var-lib-postgresql.mount" ]; requisite = [ "var-lib-postgresql.mount" ]; diff --git a/hosts/underground/configuration.nix b/hosts/underground/configuration.nix new file mode 100644 index 00000000..b53f5dd6 --- /dev/null +++ b/hosts/underground/configuration.nix 
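Review bot: `age.secrets."nachtigall-matrix-synapse-sliding-sync-secret"` is declared here, but its only consumer, the `services.matrix-sliding-sync` block in modules/matrix/default.nix, is commented out in this same patch, so the secret is still decrypted to /run/agenix on every activation with nothing reading it. Either drop this declaration together with its `secrets.nix` entry, or comment it out next to the sliding-sync block so the two come back together. The stray double blank line before `pub-solar-os.matrix-synapse = {` can go as well.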
@@ -0,0 +1,107 @@ +{ + flake, + config, + pkgs, + ... +}: +{ + # Use GRUB2 as the boot loader. + boot.loader.grub = { + enable = true; + devices = [ "/dev/vda" ]; + }; + + pub-solar-os.networking.domain = "test.pub.solar"; + + systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ]; + + # keycloak + pub-solar-os.auth = { + enable = true; + database-password-file = "/tmp/dbf"; + }; + services.keycloak.database.createLocally = true; + + # matrix-synapse + # test.pub.solar /.well-known is required for federation + services.nginx.virtualHosts."${config.pub-solar-os.networking.domain}" = { + default = true; + enableACME = true; + forceSSL = true; + }; + + age.secrets."underground-matrix-synapse-secret-config.yaml" = { + file = "${flake.self}/secrets/underground-matrix-synapse-secret-config.yaml.age"; + mode = "400"; + owner = "matrix-synapse"; + }; + + age.secrets."underground-matrix-authentication-service-secret-config.yml" = { + file = "${flake.self}/secrets/underground-matrix-authentication-service-secret-config.yml.age"; + mode = "400"; + owner = "matrix-authentication-service"; + }; + + pub-solar-os.matrix-synapse = { + enable = true; + extra-config-files = [ + config.age.secrets."underground-matrix-synapse-secret-config.yaml".path + + # The registration file is automatically generated after starting the + # appservice for the first time. 
+ # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ + # /var/lib/matrix-synapse/ + # chown matrix-synapse:matrix-synapse \ + # /var/lib/matrix-synapse/telegram-registration.yaml + #"/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + app-service-config-files = [ + "/var/lib/matrix-appservice-irc/registration.yml" + #"/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + }; + + services.matrix-authentication-service = { + enable = true; + createDatabase = true; + extraConfigFiles = [ + config.age.secrets."underground-matrix-authentication-service-secret-config.yml".path + ]; + settings = { + http.public_base = "https://mas.${config.pub-solar-os.networking.domain}"; + http.issuer = "https://mas.${config.pub-solar-os.networking.domain}"; + http.listeners = [ + { + name = "web"; + resources = [ + { name = "discovery"; } + { name = "human"; } + { name = "oauth"; } + { name = "compat"; } + { name = "graphql"; } + { name = "assets"; path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; } + ]; + binds = [ + { host = "0.0.0.0"; port = 8090; } + ]; + proxy_protocol = false; + } + { + name = "internal"; + resources = [ + { name = "health"; } + ]; + binds = [ + { host = "0.0.0.0"; port = 8081; } + ]; + proxy_protocol = false; + } + ]; + passwords.enabled = false; + }; + }; + + services.openssh.openFirewall = true; + + system.stateVersion = "24.05"; +} diff --git a/hosts/underground/default.nix b/hosts/underground/default.nix new file mode 100644 index 00000000..5a612a44 --- /dev/null +++ b/hosts/underground/default.nix @@ -0,0 +1,16 @@ +{ flake, ... }: + +{ + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./configuration.nix + + ./networking.nix + "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix" + ]; + + disabledModules = [ + "services/matrix/matrix-authentication-service.nix " + ]; +} 
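Review bot: `systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ]` writes the Keycloak database password as the literal string `password` into a world-writable file in /tmp, and `pub-solar-os.auth.database-password-file = "/tmp/dbf"` then reads it, so any local user can read or replace the credential, the value is committed in clear text, and the `10d` age lets tmpfiles cleanup remove the file, after which the next Keycloak start fails. This host is clearly a test box, but the same file already handles `underground-matrix-synapse-secret-config.yaml` through agenix with `mode = "400"`, and nachtigall's `keycloak-database-password` in this same patch shows the shape; the sketch below does the same with a placeholder secret name that still needs an `undergroundKeys ++ adminKeys` entry in secrets.nix and the owner nachtigall uses. Separately, `http.issuer = "https://mas.${config.pub-solar-os.networking.domain}"` has no trailing slash while the well-known in modules/nginx-matrix/default.nix advertises `issuer = "https://mas.${domain}/"`; OIDC clients compare the advertised issuer with the discovery document's `issuer` byte for byte, so spell both the same way. The two MAS listeners also bind `0.0.0.0` although nginx only ever proxies to 127.0.0.1:8090; binding `127.0.0.1`, as the synapse listeners in modules/matrix/default.nix do, keeps the plain-HTTP OAuth and `health` listeners off the network interface instead of relying on the firewall alone.

```nix
  # keycloak
  age.secrets."underground-keycloak-database-password" = {
    # placeholder secret name: add it to secrets/secrets.nix with undergroundKeys ++ adminKeys
    file = "${flake.self}/secrets/underground-keycloak-database-password.age";
    mode = "600";
    # owner: mirror whatever nachtigall's keycloak-database-password uses
  };
  pub-solar-os.auth = {
    enable = true;
    database-password-file = config.age.secrets."underground-keycloak-database-password".path;
  };
  # … unchanged: services.keycloak.database.createLocally and the rest of the file …
```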
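Review bot: The `disabledModules` entry `"services/matrix/matrix-authentication-service.nix "` carries a trailing space, so it never matches the path it is meant to disable; that is harmless as long as the pinned nixos-24.05 channel ships no such module, but the moment a channel bump does, both it and the copy imported from the `fork` input will declare `services.matrix-authentication-service` and evaluation should fail on the duplicate declaration. Change it to `"services/matrix/matrix-authentication-service.nix"`, and while there drop the doubled slash in `"${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"`. A short comment on that import saying the module comes from the `fork` input until it is upstream would help whoever removes this later.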
diff --git a/hosts/underground/hardware-configuration.nix b/hosts/underground/hardware-configuration.nix new file mode 100644 index 00000000..e4738a1b --- /dev/null +++ b/hosts/underground/hardware-configuration.nix @@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-label/cryptroot"; + }; + + fileSystems."/" = + { device = "/dev/disk/by-label/root"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-label/boot"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-label/swap"; } + ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/underground/networking.nix b/hosts/underground/networking.nix new file mode 100644 index 00000000..3085c7bc --- /dev/null +++ b/hosts/underground/networking.nix @@ -0,0 +1,24 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + + networking.hostName = "underground"; + + networking = { + defaultGateway = { + address = "80.244.242.1"; + interface = "enp1s0"; + }; + nameservers = ["95.129.51.51" "80.244.244.244"]; + interfaces.enp1s0 = { + useDHCP = false; + ipv4.addresses = [ + { address = "80.244.242.3"; prefixLength = 29; } + ]; + }; + }; +} diff --git a/modules/coturn/default.nix b/modules/coturn/default.nix index d8635aab..a7d3e867 100644 --- a/modules/coturn/default.nix +++ b/modules/coturn/default.nix 
@@ -5,8 +5,8 @@
 ...
 }:
 {
- age.secrets."coturn-static-auth-secret" = {
- file = "${flake.self}/secrets/coturn-static-auth-secret.age";
+ age.secrets."nachtigall-coturn-static-auth-secret" = {
+ file = "${flake.self}/secrets/nachtigall-coturn-static-auth-secret.age";
 mode = "400";
 owner = "turnserver";
 };
@@ -18,7 +18,7 @@
 min-port = 49000;
 max-port = 50000;
 use-auth-secret = true;
- static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
+ static-auth-secret-file = "/run/agenix/nachtigall-coturn-static-auth-secret";
 realm = "turn.${config.pub-solar-os.networking.domain}";
 cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
 pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
diff --git a/modules/matrix-irc/default.nix b/modules/matrix-irc/default.nix
index f64d25c1..02217d29 100644
--- a/modules/matrix-irc/default.nix
+++ b/modules/matrix-irc/default.nix
@@ -16,11 +16,6 @@ let
 synapseClientPort = "${toString listenerWithClient.port}";
 in
 {
- systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
- "@system-service @pkey"
- "~@privileged @resources"
- "@chown"
- ];
 services.matrix-appservice-irc = {
 enable = true;
 localpart = "irc_bot";
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
index 3165911c..d8518d3f 100644
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@@ -1,6 +1,7 @@
 {
 flake,
 config,
+ lib,
 pkgs,
 ...
 }:
@@ -9,304 +10,291 @@ let serverDomain = "${config.pub-solar-os.networking.domain}"; in { - age.secrets."matrix-synapse-signing-key" = { - file = "${flake.self}/secrets/matrix-synapse-signing-key.age"; - mode = "400"; - owner = "matrix-synapse"; + options.pub-solar-os.matrix-synapse = { + enable = lib.mkEnableOption "Enable matrix-synapse to run on the node"; + + app-service-config-files = lib.mkOption { + description = "List of app service config files"; + type = lib.types.listOf lib.types.str; + default = []; + }; + + extra-config-files = lib.mkOption { + description = "List of extra synapse config files"; + type = lib.types.listOf lib.types.str; + default = []; + }; + + signing_key_path = lib.mkOption { + description = "Path to file containing the signing key"; + type = lib.types.str; + default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; + }; }; - age.secrets."matrix-synapse-secret-config.yaml" = { - file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age"; - mode = "400"; - owner = "matrix-synapse"; - }; - - age.secrets."matrix-synapse-sliding-sync-secret" = { - file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age"; - mode = "400"; - owner = "matrix-synapse"; - }; - - services.matrix-synapse = { - enable = true; - settings = { - server_name = serverDomain; - public_baseurl = "https://${publicDomain}/"; - database = { - name = "psycopg2"; - args = { - host = "/run/postgresql"; - cp_max = 10; - cp_min = 5; - database = "matrix"; + config = lib.mkIf config.pub-solar-os.matrix-synapse.enable { + services.matrix-synapse = { + enable = true; + settings = { + server_name = serverDomain; + public_baseurl = "https://${publicDomain}/"; + database = { + name = "psycopg2"; + args = { + host = "/run/postgresql"; + cp_max = 10; + cp_min = 5; + database = "matrix"; + }; + allow_unsafe_locale = false; + txn_limit = 0; }; - allow_unsafe_locale = false; - txn_limit = 0; - }; - listeners = [ - { - bind_addresses = [ "127.0.0.1" 
]; - port = 8008; - resources = [ - { - compress = true; - names = [ "client" ]; - } - { - compress = false; - names = [ "federation" ]; - } - ]; - tls = false; - type = "http"; - x_forwarded = true; - } - { - bind_addresses = [ "127.0.0.1" ]; - port = 8012; - resources = [ { names = [ "metrics" ]; } ]; - tls = false; - type = "metrics"; - } - ]; + listeners = [ + { + bind_addresses = [ "127.0.0.1" ]; + port = 8008; + resources = [ + { + compress = true; + names = [ "client" ]; + } + { + compress = false; + names = [ "federation" ]; + } + ]; + tls = false; + type = "http"; + x_forwarded = true; + } + { + bind_addresses = [ "127.0.0.1" ]; + port = 8012; + resources = [ { names = [ "metrics" ]; } ]; + tls = false; + type = "metrics"; + } + ]; - account_threepid_delegates.msisdn = ""; - alias_creation_rules = [ - { - action = "allow"; - alias = "*"; - room_id = "*"; - user_id = "*"; - } - ]; - allow_guest_access = false; - allow_public_rooms_over_federation = true; - allow_public_rooms_without_auth = false; - auto_join_rooms = [ - "#community:${serverDomain}" - "#general:${serverDomain}" - ]; + account_threepid_delegates.msisdn = ""; + alias_creation_rules = [ + { + action = "allow"; + alias = "*"; + room_id = "*"; + user_id = "*"; + } + ]; + allow_guest_access = false; + allow_public_rooms_over_federation = true; + allow_public_rooms_without_auth = false; + auto_join_rooms = [ + "#community:${serverDomain}" + "#general:${serverDomain}" + ]; - autocreate_auto_join_rooms = true; - caches.global_factor = 0.5; + autocreate_auto_join_rooms = true; + caches.global_factor = 0.5; - default_room_version = "10"; - disable_msisdn_registration = true; - enable_media_repo = true; - enable_metrics = true; - mau_stats_only = true; - enable_registration = false; - enable_registration_captcha = false; - enable_registration_without_verification = false; - enable_room_list_search = true; - encryption_enabled_by_default_for_room_type = "off"; - event_cache_size = "100K"; - 
federation_rr_transactions_per_room_per_second = 50; - federation_client_minimum_tls_version = "1.2"; - forget_rooms_on_leave = true; - include_profile_data_on_invite = true; - instance_map = { }; - limit_profile_requests_to_users_who_share_rooms = false; + default_room_version = "10"; + disable_msisdn_registration = true; + enable_media_repo = true; + enable_metrics = true; + mau_stats_only = true; + enable_registration = false; + enable_registration_captcha = false; + enable_registration_without_verification = false; + enable_room_list_search = true; + encryption_enabled_by_default_for_room_type = "off"; + event_cache_size = "100K"; + federation_rr_transactions_per_room_per_second = 50; + federation_client_minimum_tls_version = "1.2"; + forget_rooms_on_leave = true; + include_profile_data_on_invite = true; + instance_map = { }; + limit_profile_requests_to_users_who_share_rooms = false; - max_spider_size = "10M"; - max_upload_size = "50M"; - media_storage_providers = [ ]; + max_spider_size = "10M"; + max_upload_size = "50M"; + media_storage_providers = [ ]; - password_config = { - enabled = false; - localdb_enabled = false; - pepper = ""; - }; + password_config = { + enabled = false; + localdb_enabled = false; + pepper = ""; + }; - presence.enabled = true; - push.include_content = false; + presence.enabled = true; + push.include_content = false; - rc_admin_redaction = { - burst_count = 50; - per_second = 1; - }; - rc_federation = { - concurrent = 3; - reject_limit = 50; - sleep_delay = 500; - sleep_limit = 10; - window_size = 1000; - }; - rc_invites = { - per_issuer = { + rc_admin_redaction = { + burst_count = 50; + per_second = 1; + }; + rc_federation = { + concurrent = 3; + reject_limit = 50; + sleep_delay = 500; + sleep_limit = 10; + window_size = 1000; + }; + rc_invites = { + per_issuer = { + burst_count = 10; + per_second = 0.3; + }; + per_room = { + burst_count = 10; + per_second = 0.3; + }; + per_user = { + burst_count = 5; + per_second = 3.0e-3; + }; + }; 
+ rc_joins = { + local = { + burst_count = 10; + per_second = 0.1; + }; + remote = { + burst_count = 10; + per_second = 1.0e-2; + }; + }; + rc_login = { + account = { + burst_count = 3; + per_second = 0.17; + }; + address = { + burst_count = 3; + per_second = 0.17; + }; + failed_attempts = { + burst_count = 3; + per_second = 0.17; + }; + }; + rc_message = { burst_count = 10; - per_second = 0.3; + per_second = 0.2; }; - per_room = { - burst_count = 10; - per_second = 0.3; - }; - per_user = { - burst_count = 5; - per_second = 3.0e-3; - }; - }; - rc_joins = { - local = { - burst_count = 10; - per_second = 0.1; - }; - remote = { - burst_count = 10; - per_second = 1.0e-2; - }; - }; - rc_login = { - account = { + rc_registration = { burst_count = 3; per_second = 0.17; }; - address = { - burst_count = 3; - per_second = 0.17; - }; - failed_attempts = { - burst_count = 3; - per_second = 0.17; + redaction_retention_period = "7d"; + forgotten_room_retention_period = "7d"; + redis.enabled = false; + registration_requires_token = false; + registrations_require_3pid = [ "email" ]; + report_stats = false; + require_auth_for_profile_requests = false; + room_list_publication_rules = [ + { + action = "allow"; + alias = "*"; + room_id = "*"; + user_id = "*"; + } + ]; + + signing_key_path = config.pub-solar-os.matrix-synapse.signing_key_path; + + stream_writers = { }; + trusted_key_servers = [ { server_name = "matrix.org"; } ]; + suppress_key_server_warning = true; + + turn_allow_guests = false; + turn_uris = [ + "turn:${config.services.coturn.realm}:3478?transport=udp" + "turn:${config.services.coturn.realm}:3478?transport=tcp" + ]; + turn_user_lifetime = "1h"; + + url_preview_accept_language = [ + "en-US" + "en" + ]; + url_preview_enabled = true; + url_preview_ip_range_blacklist = [ + "127.0.0.0/8" + "10.0.0.0/8" + "172.16.0.0/12" + "192.168.0.0/16" + "100.64.0.0/10" + "192.0.0.0/24" + "169.254.0.0/16" + "192.88.99.0/24" + "198.18.0.0/15" + "192.0.2.0/24" + "198.51.100.0/24" + 
"203.0.113.0/24" + "224.0.0.0/4" + "::1/128" + "fe80::/10" + "fc00::/7" + "2001:db8::/32" + "ff00::/8" + "fec0::/10" + ]; + + user_directory = { + prefer_local_users = false; + search_all_users = false; }; + user_ips_max_age = "28d"; + + app_service_config_files = config.pub-solar-os.matrix-synapse.app-service-config-files; }; - rc_message = { - burst_count = 10; - per_second = 0.2; - }; - rc_registration = { - burst_count = 3; - per_second = 0.17; - }; - redaction_retention_period = "7d"; - forgotten_room_retention_period = "7d"; - redis.enabled = false; - registration_requires_token = false; - registrations_require_3pid = [ "email" ]; - report_stats = false; - require_auth_for_profile_requests = false; - room_list_publication_rules = [ - { - action = "allow"; - alias = "*"; - room_id = "*"; - user_id = "*"; - } + + withJemalloc = true; + + extraConfigFiles = config.pub-solar-os.matrix-synapse.extra-config-files; + + extras = [ + "oidc" + "redis" ]; - signing_key_path = "/run/agenix/matrix-synapse-signing-key"; - - stream_writers = { }; - trusted_key_servers = [ { server_name = "matrix.org"; } ]; - suppress_key_server_warning = true; - - turn_allow_guests = false; - turn_uris = [ - "turn:${config.services.coturn.realm}:3478?transport=udp" - "turn:${config.services.coturn.realm}:3478?transport=tcp" - ]; - turn_user_lifetime = "1h"; - - url_preview_accept_language = [ - "en-US" - "en" - ]; - url_preview_enabled = true; - url_preview_ip_range_blacklist = [ - "127.0.0.0/8" - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" - "100.64.0.0/10" - "192.0.0.0/24" - "169.254.0.0/16" - "192.88.99.0/24" - "198.18.0.0/15" - "192.0.2.0/24" - "198.51.100.0/24" - "203.0.113.0/24" - "224.0.0.0/4" - "::1/128" - "fe80::/10" - "fc00::/7" - "2001:db8::/32" - "ff00::/8" - "fec0::/10" - ]; - - user_directory = { - prefer_local_users = false; - search_all_users = false; - }; - user_ips_max_age = "28d"; - - app_service_config_files = [ - 
"/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-appservice-irc/registration.yml" - # "/matrix-appservice-slack-registration.yaml" - # "/hookshot-registration.yml" - # "/matrix-mautrix-signal-registration.yaml" - # "/matrix-mautrix-telegram-registration.yaml" - ]; + plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; }; - withJemalloc = true; + #services.matrix-sliding-sync = { + # enable = true; + # settings = { + # SYNCV3_SERVER = "https://${publicDomain}"; + # SYNCV3_BINDADDR = "127.0.0.1:8011"; + # # The bind addr for Prometheus metrics, which will be accessible at + # # /metrics at this address + # SYNCV3_PROM = "127.0.0.1:9100"; + # }; + # environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path; + #}; - extraConfigFiles = [ - "/run/agenix/matrix-synapse-secret-config.yaml" - - # The registration file is automatically generated after starting the - # appservice for the first time. - # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ - # /var/lib/matrix-synapse/ - # chown matrix-synapse:matrix-synapse \ - # /var/lib/matrix-synapse/telegram-registration.yaml - "/var/lib/matrix-synapse/telegram-registration.yaml" - ]; - - extras = [ - "oidc" - "redis" - ]; - - plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; - }; - - services.matrix-sliding-sync = { - enable = true; - settings = { - SYNCV3_SERVER = "https://${publicDomain}"; - SYNCV3_BINDADDR = "127.0.0.1:8011"; - # The bind addr for Prometheus metrics, which will be accessible at - # /metrics at this address - SYNCV3_PROM = "127.0.0.1:9100"; + pub-solar-os.backups.restic.matrix-synapse = { + paths = [ + "/var/lib/matrix-synapse" + "/var/lib/matrix-appservice-irc" + "/var/lib/mautrix-telegram" + "/tmp/matrix-synapse-backup.sql" + ]; + timerConfig = { + OnCalendar = "*-*-* 05:00:00 Etc/UTC"; + }; + initialize = true; + backupPrepareCommand = '' + ${pkgs.sudo}/bin/sudo -u 
postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql + ''; + backupCleanupCommand = '' + rm /tmp/matrix-synapse-backup.sql + ''; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 3" + ]; }; - environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path; - }; - - services.restic.backups.matrix-synapse-storagebox = { - paths = [ - "/var/lib/matrix-synapse" - "/var/lib/matrix-appservice-irc" - "/var/lib/mautrix-telegram" - "/tmp/matrix-synapse-backup.sql" - ]; - timerConfig = { - OnCalendar = "*-*-* 05:00:00 Etc/UTC"; - }; - initialize = true; - passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path; - repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; - backupPrepareCommand = '' - ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql - ''; - backupCleanupCommand = '' - rm /tmp/matrix-synapse-backup.sql - ''; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 4" - "--keep-monthly 3" - ]; }; } diff --git a/modules/nginx-matrix/default.nix b/modules/nginx-matrix/default.nix index 0e236dce..603de360 100644 --- a/modules/nginx-matrix/default.nix +++ b/modules/nginx-matrix/default.nix @@ -10,11 +10,14 @@ let add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-XSS-Protection "1; mode=block"; ''; - clientConfig = import ./element-client-config.nix { inherit lib pkgs; }; + clientConfig = import ./element-client-config.nix { inherit config lib pkgs; }; wellKnownClient = domain: { "m.homeserver".base_url = "https://matrix.${domain}"; "m.identity_server".base_url = "https://matrix.${domain}"; - "org.matrix.msc3575.proxy".url = "https://matrix.${domain}"; + "org.matrix.msc2965.authentication" = { + issuer = "https://mas.${domain}/"; + account = "https://mas.${domain}/account"; + }; "im.vector.riot.e2ee".default = true; "io.element.e2ee" = { default = true; 
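Review bot: `enable = lib.mkEnableOption "Enable matrix-synapse to run on the node";` renders as "Whether to enable Enable matrix-synapse to run on the node." because mkEnableOption prepends "Whether to enable"; `lib.mkEnableOption "matrix-synapse on this node"` reads correctly. The `let` this hunk belongs to starts above it. The restic `backupPrepareCommand` is carried over from the old `services.restic.backups` block, but since the block is rewritten here it deserves a second look: `pg_dump -d matrix > /tmp/matrix-synapse-backup.sql` writes a full dump, which includes access tokens and device keys, to a predictable path in a shared directory with whatever umask the backup service runs under; a root-only scratch directory (a `0700` directory created via tmpfiles, path to be chosen) plus `rm -f` in `backupCleanupCommand` would avoid both the exposure and a failing cleanup when the dump was never written. `signing_key_path` now defaults to `"${config.services.matrix-synapse.dataDir}/homeserver.signing.key"`; if the intent is that synapse generates the key there on first start, a one-line comment on the option saying so would save the next reader from checking the upstream module.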
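Review bot: `issuer = "https://mas.${domain}/";` in `wellKnownClient` ends with a slash while hosts/underground/configuration.nix sets `http.issuer = "https://mas.${config.pub-solar-os.networking.domain}"` without one; clients that follow the msc2965 entry fetch the issuer's discovery document and reject it when its `issuer` field differs from the advertised string, so the two must be spelled identically. `wellKnownClient` is evaluated for whatever `pub-solar-os.networking.domain` the importing host has, so, if I read hosts/default.nix correctly, every host importing `nginx-matrix` (presumably nachtigall too) now advertises an authentication issuer at `mas.<domain>` whether or not a MAS runs there; gating the `org.matrix.msc2965.authentication` entry on a MAS-enabled option, or keeping it out of the shared module until the production switch is planned, avoids pointing clients at an issuer that does not exist. The `let` this hunk belongs to starts above it.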
@@ -85,6 +88,27 @@ in root = pkgs.element-stickerpicker; }; + "mas.${config.pub-solar-os.networking.domain}" = { + root = "/dev/null"; + + forceSSL = lib.mkDefault true; + enableACME = lib.mkDefault true; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8090"; + + extraConfig = '' + ${commonHeaders} + proxy_http_version 1.1; + + # Forward the client IP address + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; + }; + "matrix.${config.pub-solar-os.networking.domain}" = { root = "/dev/null"; @@ -99,28 +123,41 @@ in locations = { # For telegram "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = { + priority = 100; proxyPass = "http://127.0.0.1:8009"; extraConfig = commonHeaders; }; - # sliding-sync - "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { - proxyPass = "http://127.0.0.1:8011"; - extraConfig = commonHeaders; + # Forward to the auth service + "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = { + priority = 100; + proxyPass = "http://127.0.0.1:8090"; + + extraConfig = '' + ${commonHeaders} + proxy_http_version 1.1; + + # Forward the client IP address + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; }; - "~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = { + # Forward to Synapse + # as per https://element-hq.github.io/synapse/latest/reverse_proxy.html#nginx + "~ ^(/_matrix|/_synapse/client)" = { + priority = 200; proxyPass = "http://127.0.0.1:8008"; extraConfig = '' ${commonHeaders} + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; client_body_buffer_size 25M; client_max_body_size 50M; proxy_max_temp_file_size 0; + proxy_http_version 1.1; ''; }; }; diff --git a/modules/nginx-matrix/element-client-config.nix b/modules/nginx-matrix/element-client-config.nix index b3eaf9b1..617d3bc3 100644 
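Review bot: The MAS proxy snippet (`proxyPass = "http://127.0.0.1:8090"` plus the `proxy_http_version 1.1` / `X-Forwarded-For` `extraConfig`) is pasted verbatim into both the new `mas.<domain>` vhost in this hunk and the `login|logout|refresh` location in the next one, so the two will drift the first time one is edited; a single `masLocation` attrset in the file's `let` and `//` for the per-location `priority` keeps them in step, as sketched below. Neither copy forwards `Host` or `X-Forwarded-Proto`, although the Synapse location right below now sets both; MAS builds its own URLs from `public_base`, so this may not matter, but forwarding them costs nothing and removes a difference a reader has to reason about. Whether MAS actually honours the forwarded client address depends on its trusted-proxies setting, which is not in this patch; worth confirming so that its rate limits key on the real client rather than on 127.0.0.1. The `let` holding `commonHeaders` starts above the hunk.

```nix
let
  # … unchanged: commonHeaders, clientConfig, wellKnownClient …
  masLocation = {
    proxyPass = "http://127.0.0.1:8090";
    extraConfig = ''
      ${commonHeaders}
      proxy_http_version 1.1;

      # Forward the client IP, host and scheme
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    '';
  };
in
  # … unchanged: module body up to the virtualHosts …
      "mas.${config.pub-solar-os.networking.domain}" = {
        root = "/dev/null";
        forceSSL = lib.mkDefault true;
        enableACME = lib.mkDefault true;
        locations."/" = masLocation;
      };
  # … unchanged: matrix.<domain> vhost header, telegram location …
          # Forward to the auth service
          "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = masLocation // {
            priority = 100;
          };
  # … unchanged: Synapse location …
```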
--- a/modules/nginx-matrix/element-client-config.nix +++ b/modules/nginx-matrix/element-client-config.nix @@ -1,9 +1,9 @@ -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: { default_server_config = { "m.homeserver" = { - base_url = "https://matrix.pub.solar"; - server_name = "pub.solar"; + base_url = "https://matrix.${config.pub-solar-os.networking.domain}"; + server_name = "${config.pub-solar-os.networking.domain}"; }; "m.identity_server" = { base_url = ""; diff --git a/overlays/default.nix b/overlays/default.nix index 50ede5d3..33f0e1de 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -17,6 +17,7 @@ inherit (inputs) element-stickers maunium-stickerpicker; }; mastodon = unstable.mastodon; + matrix-authentication-service = unstable.matrix-authentication-service; } ) ]; diff --git a/secrets/coturn-static-auth-secret.age b/secrets/nachtigall-coturn-static-auth-secret.age similarity index 100% rename from secrets/coturn-static-auth-secret.age rename to secrets/nachtigall-coturn-static-auth-secret.age diff --git a/secrets/matrix-synapse-secret-config.yaml.age b/secrets/nachtigall-matrix-synapse-secret-config.yaml.age similarity index 100% rename from secrets/matrix-synapse-secret-config.yaml.age rename to secrets/nachtigall-matrix-synapse-secret-config.yaml.age diff --git a/secrets/matrix-synapse-signing-key.age b/secrets/nachtigall-matrix-synapse-signing-key.age similarity index 100% rename from secrets/matrix-synapse-signing-key.age rename to secrets/nachtigall-matrix-synapse-signing-key.age diff --git a/secrets/matrix-synapse-sliding-sync-secret.age b/secrets/nachtigall-matrix-synapse-sliding-sync-secret.age similarity index 100% rename from secrets/matrix-synapse-sliding-sync-secret.age rename to secrets/nachtigall-matrix-synapse-sliding-sync-secret.age diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 999cec92..402fc79d 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -7,6 +7,7 @@ let trinkgenossin-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZXRDpom/LtyoCxvRuoONARKxIT6wNUwEyUjzHRE7DG root@trinkgenossin"; delite-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKo7zlfQhcJ5/okFTOoOstZtmEL1iNlHxQ4q2baEcWT root@delite"; blue-shell-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9g9X0a/MaVtbh44IeLxcq+McuYec0GYAdLsseBpk5f root@blue-shell"; + underground-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGF3PtA89yhVkmN7aJI6gqXK8DW9L7kI71IgiK4TAEwI root@underground"; adminKeys = builtins.foldl' ( keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys) @@ -24,6 +25,8 @@ let blueshellKeys = [ blue-shell-host ]; + undergroundKeys = [ underground-host ]; + garageKeys = [ trinkgenossin-host delite-host @@ -62,9 +65,12 @@ in "forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys; - "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; - "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; - "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + "nachtigall-matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; + "nachtigall-matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; + "nachtigall-matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + + "underground-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; + "underground-matrix-authentication-service-secret-config.yml.age".publicKeys = undergroundKeys ++ adminKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys; "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys; 
@@ -84,7 +90,7 @@ in "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys; "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys; - "coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + "nachtigall-coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys; "grafana-admin-password.age".publicKeys = trinkgenossinKeys ++ adminKeys; "grafana-keycloak-client-secret.age".publicKeys = trinkgenossinKeys ++ adminKeys; 
diff --git a/secrets/underground-matrix-authentication-service-secret-config.yml.age b/secrets/underground-matrix-authentication-service-secret-config.yml.age new file mode 100644 index 0000000000000000000000000000000000000000..eaab469c83d3200a67f0b3f539330957499b9aed GIT binary patch literal 6263 zcmZXVcT^9G|Nk>?^0u=_%BWkS_g-YY_ul&*^4@#zw`*rhSxHLSqlAb`G8#%s;b!Yr zmr|reLiF|fo%1>8JN|#2^Ej{9>+yQNWE#~1m04l;S)DqIImTkw0Nr4~f+b-NhjxKV z34z1G=rAhU4uNUHOfrnp3&H6mW|cw*WcqawF4Zn3x>>~ERdO`Tjxu9l0wTo%K>_3z zwMj=(+es7xRPR8@nPf1+1C(GzXf+N&Q}fLZ29<5X@flXk|E9Sl3Ov&jrsF|5R5X=< zF-r_&zM3MltH}r$0_0O_;1oPk$R>+me5a3YG&%qTh6te$(!~OkPs1U4RBSw-g$D^m zbf1oH!HHmQv|r89K?Ot!>OVBQLl&ln^T`$sK;k0lKxhHnB%ra`HYDC}p)2er1kGr) z5ojC-N#`X&X*iBhg?AI=OaqH=_1oooun~eIi6tzy5dacJ!=hQ@LRs8sg$F6NNpUI<2JN?zAQYaP z6oTw|K6bB_}d^8gpYqV2{7`c%PBZ2)Y8W-wCgB)I#-;7j>Q3NIn#>3F4 zI1~xX;A7Y(2|)$WD>x9VU+8ujqWJHj3XM|ZYxp1 zKzpHH8Q%*8Q4K_?fMT>#y}*GKK5(i}Xkm(In9-K+#Z^ zfa`LBqG1Lg(eqn$o5swySs*F{j!BTwv;c!uAth?vMy`b_^ztEOB^t}8=$J+!(#Uke zr5c*bfR)1)EF6$1r2?gFB^)FZJ2=sBH-)B$*{A@AO9hkRv}hz7?GZ5{V2s^klhH&N z5!D8@sLdn+5n<6wMR2851;MdVCM6XC64)_PklkTXK!hj&jKxJ6X)Kgct0Cx+c$(3o z?Pq4Z>)RSD+U zXzXaLRG>BJC`^nA#6jtybd5%06riK&cIEFCFzpNhj3Qh+|Z2NcXXBKk3WOKB{EE8!l6gVFUlu9H(jtwL>%SBk7 zgk?oINM0@Zx5r)+9!B9u<5@0@Po&`TB^)yp4#5yb5)WC2hk-FPClp08xgcODNu-9$ z+|_wIB!`)%N3!5tyc?>*n;~)* zTMMJm6c(Obg2L*Z3Z?+5kpPSe0~iG2d+mBA-Yhf|EK&nUEvLF^N}JXI)o9Hej8Shx z5=k7*|MS?Yb1$$$;D|6c*U$bP{TP^xj#8l9WQg7YM}g%ss?w-;W0_>93Iz2VU@`}a zfde88Y!*WWa54lAJD+LRDbaQ$U8AsBC<2w5XV+N;0`l*?W^;We2uCG@^Ev;6<+s^@ zy5B4Z(xPMw$wrP?sACZMu0I+%k%*J)2v0{!AYsN!iHaw3b!@^i5k$_;eGvGY7-j7ggD4734!wMZf zJ|+z0)kuw8iUk8h3uwe>C!c4rJM@06#liB5%oZ3?0;6Jhc%qLZ0LYONDNRi>`N&oo ziOj?DC}N1rLH0SUToaLu7QF=x z#yXHRE+0$qpmk6JkHEysX&$Tx1VDq8Hj5OES8!cWrIXD7!f*;3TS!;V6L963INFw&{6qccg@@R;frsY_D5(?ns zW8vm=H!ckVEqm|VU-WlTfpPK5Nktjs3Z9;}u~H)wJN7Ti`4^3>nvv2KGk+d@@Bzoi znQ<=@3k_wHpR9>VI}yCb>#3N5arbII>GXiL5DY#;#c(^Q(q#$DN)UroO3f8H)dg9{KGBXxO?QC>X2tQ1d>*cnF*>gG=s|l!sqyFCU@bHvpBaj;({0K?de6;=2 
zoxfuP?{*{)ZyFq1mh<68()#<){*ApnwkOLkPg%6_jW+q%yteeF#c{HALDW&@!OA8od->R)A5*T9kscAXvm+)5xKDw-mc%K z5BL_$hT^5&-aVbtL7(>YZ)iUHvv$we@!!IZjsLVPS$eG_c2(kYX%Riz*orT?NwxG& zTzx*)N+|dm#vgyLXxns&WbacEe0xZS=y(DR~qtLMSYI%7rzX;a% z{B?2k(+j0@f`a$QVSBWkiZhwB>y-V+OY=(yw*CEj`r1ut#q(s_m9HMsDm&3^Sx7p0v`(y!!>{% z_0=eVw>|WB!u4Tw!8xOTM$M6?&x=zX9Q?GSlW{Wp-PE<`ps^ngBk*&+RTXr0`V%Bw zr_0LILi%R@QBv{b?(BWV++%Y}QzquKvd52hS%w7ANxqf~s^T4oEsA(k!MdhTF(p3& zzA9ftMQpv(^3T9Q+VIBS5sgbi7f1n7Tc%E&y(XhK_-nw?RI1cOY*0F{wr={IH7CYi zxVg49z_6Q<+nAgbn9_b4>peQuxi@pqnXf?u7_;zs;Y@8`Zn@{YXYCKk1pJ=@v;@i7`eOJL%uH9Z3j*qPb4@i!X1luEZ>9vh-oBN_ zS%_^V_9*U*tbUp?5cIlBWZJm+6D8+$$+fB9BEclokC9m=F-zCShP?mmt(lvfTy?3e zaEBu*Q*>_NWBY)$_IKlziv*Aq)ff@3dVzI||Y-n4lF4(taY`i)6IpWu!kM}P>%vtww<~>M!`HBPe zAr~~OPCd)M5a`--AAaIf;jmJCV4at5$0yeWE-sv@0$P}!{+f%*p%Zp2O4_7}zhn!w z!}T5iO#IR33f@;Xz`8V5w5Ja?cG!dyz3N!${6jb!iql?+@@gk1R1oV(s17n4d=9sdU-U;4|ddFAsPZeP_<1&b1-1@2_3WO#OM1J$v?#%Lg7st|-*j z|Jpfy*SKZ-6CR{i&y45XJb!i4j&)I|5XGIRTY#Cp{*=DMA<%y(T|Ch#ebW|~8N1hw zp4Te3r|biL|9YL@V~OKz1b1ycADUK>zD4L{546O1xAvVy{?lF(q8AigjGdp^JuKv9 zM1CFRz`FzQF4wlVBy>++{AqS!ddc3fTPudYsVWz(hLpa3sLYY`s7;el=m;?&{%|6u zW<%A)MbDi%NlP*oZ^)Ik!NwNjSVVpb_DFYotZtZVv+sxOx&s)8R>(woqgBjmIPzl(|-+% z$~9k`uRHh7ng}V%kN=JVREPo9#fPqi9AOQr|22}yphPYiv8m~K(-};|?Ukm^s_)lU zCu9tx{EEI27%;DYboXTZ0$6kS;Hmpz3&Z0Ujs3Z4-9GP&)OW|k_KJ3P+Z*HdK@E}V z4<9yG7F8Da-{Kd9fn#F#HPnqq=OqU#XHDzIZ;2ixt$XuFIP68D>;txa&9RfPp=+iW zuU=_iclIK9Tt~dFLa*EMxKsFG<{IMCIY;hKx$=2F&8SRkNLY^khz)4@mlyD=q8ZXS z^wEjW14A8S+Ko{O2e3_aZ}g81IfQj4E0l=3lpIMO{j{f@oOb58rWaQt9y* z10gqL*%`?=y>N3!=$H9BhV_0f0i{!Wde_A~-n1N%Ir%_ZA~8y-pL zZZgfNE;U3Pfz;Oi0)?blXvL^^zK)oK&4C+tW_V84B?OIp-?F{SxidX4IW>P#_;z{5 z=ia2j5u7mr!Gjijgw!^XB9k{4Is@7nTRrQF*@N~}cJi~9Erl7g@Kbu%A9F539cr9; z5{3xQdZC@nd@ylULFKakuz-ULBWLL~E8aDAnRXsI7M2A(-!n>CFbmK%EPrUiTT1rK z!y?>O7M*qJrlT;`-oBznHZu3ic751zO10$V=luZvizAblrd(fgXBKkRgI$g5wpmwN zSLIin%?6!pq6}Yx%mBb?62$fXSB>c-K*o*GDB`F_Wl^2 z^D4Uc_>!`Z)5|`bsM=Jy?Ru*svq+h{g@hWl?@+{!i@7}XEh))zv>x3eg4S1(OOJIM^k8SzBQhdM?6VW0&{dj3<&)TeQZ6$$^ 
zr0<`h{gd)t$AeTcq30Up53jQyx2{?^zi~zRH{B-yj~OoNVcRE!pE_k0u(oZ#kigXD z#R>C|nG+%(bgtO**YIz$vwzh`o;VVEypnXqQGD=W^_1Sv9`%X^SMRirxK?kvHEi00 z{%5qN+--jc1O+W0F?m{3iE#JWgWEpL!UtW6T-6_AnC`h&vH;Q&acqwD^iF7tPOY`beI z1w0!AxcMrLM)BUP?+*lY>`2~wzb1U_yLll)iyPk$4(_R>3~9R(wQ{|5&H9x~IEUl* z7hTbhCMX?c=1f*B5JV;|?mXPr%l-(k~Fq-Iy<1+FKX zC!}p}7_e=YK3`wQJ;vWfdt-(CX(A7=rqm!M=b-zjTbD26JRYvtRz65{bM?HC+_0LW zZz#!K!1d};4P7Jcu(B)dN$^$UI*f$lSO&?a^(w5OXiZT_Mpt`K}GXW z!QW48mW0$*$U@g3=6`;+EAMsMr~KwR-q)mKS8FDngMx~rcW1YZ>Jt@o%vxJX`q4p+ zjRf0|6JM3@ZKWYU%!*RPY|V=}pVW3>b@jWqsDT*um}^shhIj8}eW%Y%W6W>3U0qIQ zZ`m#>rkD&1C)^BZJ-#JtMv^CR?E}`0JW&bj*p%AKi<|$fIrq|J$qeqNAN={TA3X%9 z>zla7{H}M){w-W;@6Nff`&rVP0oD7vD*c!LKs-4QK35dpd^#w-$~f$DO%HbH$>xoT zJ%4$|+}p4+Ddi%v0*svK5c52cg^$DYr|Tzm<9JI_-G^!IWtl6kgMW>iMw(Y2$4x=L z7&bDY{=nSU>$ zcs(&K^z7Ge!-CEvlb)IM28c;!GBc@@Oft!Yz6dUYyTBqv zK#*NP%9W+9pa`-oy)WgmNH2mk1p#Tw$M>D%IrqEwA9#Q7dEV!J9zTJX;PGIJqtjF( z{$3(Q2v`xXWOy;dkR><`I@pCswAOf5WD7gt|DGo>YPMpoi1*-ALLb0sp3@7=Lj{>d++!p4sJQCE{=xBBhiy;5A3g zL|jKP1eeX^ykd2bF-W3vjVA3*IlWduBvINe#sCPXBCHMK6G1O8;E$-B(XhoJbLS-% zztiYvqQ<{f*}XuNb+N1zfVG9Mh=%Gl?0HFM@7=KK0)$DN*&_KYJp6i;N^23j3E4W zIA?}4Qioqadg7Q-9FFIbj5lv1@t8aib8;qJnX%a1W_QG;do>OuPz@Zjq%9mT=U3w# z>lU*SIwFP?sGL-JlrSn3d0Ez+@F4~U&x1xC5O6Ru3G4|XASjZ?_!cwcBq70$Y4nY2t1qD3%qI(l*lX4U?QZ~3B!=jM9UrOm>&)a0f>&o z^hus5KqOO9+QoQ6ag&^~XQQYvpmV~QN{rbgCWg__m^Lbo;&BrQ>%9!$F2&QhUtwZl zv(iFGc_vNXk`OzsYz}c#DVNqOm3gD2L7EjOY=VqKNEwn?C}+!wXeeaTv7k5{l>40= zfRGtgIOq}c0x`Z->(ATBFwnQr@&l zseE-!ht!kd<@J7CMCAaOcI(X=&H(@_3JWO1umbi4Vp?U;<<$6dR!E8l9k!Is4Wn9V zOqtbK!upt&if4G34iBQTv>C}J5+a1rb8)>n`g24NqH!qkps5MBpR}FI+k)KQ#8wS;0!;U0Z(WlZ0GlWL84i6I`TuLz#H}R}#p;{~=WSlUg!^AcrDNxw7F@Z3`q<9 zES)50ZKE}!E3E|-9kn^~X0DfL@Y zlr@To1p1U9g+myV^Gfncvjvqzpp=3V>I@N{%s+4axR8A z{~s%#ObV!1EC7p|v4|`v&ccX>MB%K#iIG~hNG+9HXs1r?PEukhD?>yn2TvXio7^%6 zLgYD$4|1%P6oUv(B~>}C;#CghRWOMHmnuHMy zm8-N6!-Fk}s5qk3%SoTe6eq=m&?^cf3d|R`x@F;*C7{cDai2AUu>aNAkc;6QU@?(b z#C&R(R-YsyfF^A46TXyA>2NS^y-S_-hs0c3gj;ke6`|*)O&X6`AH_izrpU+Tj7g2e 
zRIEzGVT1wCCG-wem@mVEp+u7TPbK+c7Z9};JG^KhWWixcCLs!vN(_{0As-aNy&;v( zisWochumco3)Qxqo@dcoG7c&g(~tqoYSLg9xkw=q0%{Ft$`Gz7jQW#^PRp`Un}SzT zQc?`1WGESrXl-V9CgzmVh$~5m5Fo389d;_q8nLuSk<)7xagCFAr}@D{^4I&Wf2ZKc z$jWI z1Ii~Gu1_s5on3aLWB9irgKL@W*k|yCUc7Ya!|drt#T|REZ<2-tJcI$Bd*4*Ffst#(c=#(;A`WVy1Bx8YXZcw|XIlj&dmN^Z7jcd9e`vvNiL%H9Qqh5NrKIAKTI)@ql7 zy-UCLv-kE`28`%l39SLK1*Vyu>7s|=ZGDY&|67y5hF$kZT@)|*OPBjGar1G%d69l) z4XTbG?`_(Q?w=h5Hyv8Au4wP1l9@m6{pF436Zai*t&omNecE!?pJnx3FTaV6-CF|8 z+EO^JRP;zbz%5dxq6M>%i~v z%f@H-8p>x}FJ6^wdFQ+3)%KI^^QT7k)O6{xdGV~rW&4}YoX-~m=Z9A`EqPSZhFN~M z_3fpTr#5c-_QIJRFD@R7KKgFjw&bnF^IlwE5tzI8>UwAJa^Q`+E-OB-+;DnLv!cgk z6}44g>G}0r2e$3K1z4MF^@eQipS!0|e`o)$Oo_PudZ(VFHrDVLz#WjJ$%~p*ptgpTFV%WN~?>&;8tmjSnrh3LtpVybL ze{^WGv3kd`tE;-}rt*C~R=zFKU*$P}d!Q1-H=9m)O+7Omfa`siwz|`_4GYm_3lHwv zb>Y;QZii1Coms?`@_U{?JMHZ0)R@uDN1r}ZIICeLSgSZ+dGI7d6cn7B`(#05-u!jV z#QjgN>agA|Z|@wvVR8?7>M!kf|7dbTQ^mCr?KV3GPty}q+U^suG}M zJN&;fISul;axbaAr$GdkU@{N_TL46jRZzkTfjC=apgL}z*Y*6Ks>PuUb?nco!GkRx_G>)e zA9_|j@S{a77RGm6z_(61T3$+x9sS05Z{z%aQ#=HEeBkWPOTXN+;`iLLfn&+iJA2Pb z=1J&I&z~E6g{Zx4*NXd~A0A(}Qt~3xxGizN4c)Aty-h8dy}JWB_WRC>@Mp_^-BvJa zj(srywI3|XzAYCiKJxdUSJv!@4*F}qHXNOJ^TY2`A9v04EiQOqrcV9v&cXqu3yTJ= z-f8@De)55=w0iQ)InDzQhA){nazw?$fwXqeXV<3mneyqhlOwJ)>G}-*38P$%6aRSY zx5y^K6oqBY{u3sNt+GHYT3SQs-+Ka~Z_~)?c2SLfQM(pO^-^DyHf%$WszkKk1(GoK;3SHm1s`4q)um0UXcEE`tM;b#?9XG4`@XOX; zjUb9|ym)uRu~kJ+iy}W4Ega_QeAYho;>z{Rth%OwkB$$YyX4!0U6!zi2Ie0e@162k zvY$L_@#EbwPYb3$YSsVg#z`Z8se#)y)Iw{9ohz>s3#iqXZ~Oc7I?-%=Q+2mZ8F)sY zqk}7M{~S;?l+C@=YO{G=;8sZ3`t-v37C+xmj#~fe{c~HMOqM?>obXJ2*IhOHy?vK2 z_2+Hh`Jt9w^Pn#?tYp*vSH>CMjJ*P+p Q51QL~#-^6TukLRDKWNaec>n+a literal 0 HcmV?d00001 diff --git a/terraform/dns.tf b/terraform/dns.tf index d4a8d431..5372c390 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf 
@@ -332,10 +332,40 @@ resource "namecheap_domain_records" "pub-solar" { type = "AAAA" address = "2a01:4f8:172:1c25::1" } + record { + hostname = "underground" + type = "A" + address = "80.244.242.3" + } + record { + hostname = "test" + type = "CNAME" + address = "underground.pub.solar." + } + record { + hostname = "mas.test" + type = "CNAME" + address = "underground.pub.solar." + } record { hostname = "matrix.test" type = "CNAME" - address = "nachtigall.pub.solar." + address = "underground.pub.solar." + } + record { + hostname = "chat.test" + type = "CNAME" + address = "underground.pub.solar." + } + record { + hostname = "stickers.chat.test" + type = "CNAME" + address = "underground.pub.solar." + } + record { + hostname = "auth.test" + type = "CNAME" + address = "underground.pub.solar." } # SRV records can only be changed via NameCheap Web UI # add comment From 7775ad332eb40cf34718c3d3e1adfe60cd8c45bf Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 27 Oct 2024 17:27:17 +0100 Subject: [PATCH 02/11] matrix: do not change paths for nachtigall secrets --- hosts/nachtigall/configuration.nix | 4 ++++ modules/coturn/default.nix | 3 ++- modules/matrix/default.nix | 26 +++++++++++++++----------- 3 files changed, 21 insertions(+), 12 deletions(-) diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index eb7e657f..f49be986 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix 
@@ -63,18 +63,21 @@ # matrix-synapse age.secrets."nachtigall-matrix-synapse-signing-key" = { file = "${flake.self}/secrets/nachtigall-matrix-synapse-signing-key.age"; + path = "/run/agenix/matrix-synapse-signing-key"; mode = "400"; owner = "matrix-synapse"; }; age.secrets."nachtigall-matrix-synapse-secret-config.yaml" = { file = "${flake.self}/secrets/nachtigall-matrix-synapse-secret-config.yaml.age"; + path = "/run/agenix/matrix-synapse-secret-config.yaml"; mode = "400"; owner = "matrix-synapse"; }; age.secrets."nachtigall-matrix-synapse-sliding-sync-secret" = { file = "${flake.self}/secrets/nachtigall-matrix-synapse-sliding-sync-secret.age"; + path = "/run/agenix/matrix-synapse-sliding-sync-secret"; mode = "400"; owner = "matrix-synapse"; }; @@ -82,6 +85,7 @@ pub-solar-os.matrix-synapse = { enable = true; + sliding-sync.enable = true; signing_key_path = config.age.secrets."nachtigall-matrix-synapse-signing-key".path; extra-config-files = [ config.age.secrets."nachtigall-matrix-synapse-secret-config.yaml".path diff --git a/modules/coturn/default.nix b/modules/coturn/default.nix index a7d3e867..bf364487 100644 --- a/modules/coturn/default.nix +++ b/modules/coturn/default.nix @@ -7,6 +7,7 @@ { age.secrets."nachtigall-coturn-static-auth-secret" = { file = "${flake.self}/secrets/nachtigall-coturn-static-auth-secret.age"; + path = "/run/agenix/coturn-static-auth-secret"; mode = "400"; owner = "turnserver"; }; @@ -18,7 +19,7 @@ min-port = 49000; max-port = 50000; use-auth-secret = true; - static-auth-secret-file = "/run/agenix/nachtigall-coturn-static-auth-secret"; + static-auth-secret-file = config.age.secrets."nachtigall-coturn-static-auth-secret".path; realm = "turn.${config.pub-solar-os.networking.domain}"; cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index d8518d3f..c0bee63c 100644 
--- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -30,6 +30,10 @@ in type = lib.types.str; default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; }; + sliding-sync.enable = lib.mkEnableOption { + description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+"; + default = false; + }; }; config = lib.mkIf config.pub-solar-os.matrix-synapse.enable { @@ -261,17 +265,17 @@ in plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; }; - #services.matrix-sliding-sync = { - # enable = true; - # settings = { - # SYNCV3_SERVER = "https://${publicDomain}"; - # SYNCV3_BINDADDR = "127.0.0.1:8011"; - # # The bind addr for Prometheus metrics, which will be accessible at - # # /metrics at this address - # SYNCV3_PROM = "127.0.0.1:9100"; - # }; - # environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path; - #}; + services.matrix-sliding-sync = { + enable = config.pub-solar-os.matrix-synapse.sliding-sync.enable; + settings = { + SYNCV3_SERVER = "https://${publicDomain}"; + SYNCV3_BINDADDR = "127.0.0.1:8011"; + # The bind addr for Prometheus metrics, which will be accessible at + # /metrics at this address + SYNCV3_PROM = "127.0.0.1:9100"; + }; + environmentFile = config.age.secrets."nachtigall-matrix-synapse-sliding-sync-secret".path; + }; pub-solar-os.backups.restic.matrix-synapse = { paths = [ From 9d7d25136909fe053e36964c2fed8a5173f030c5 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 27 Oct 2024 17:28:20 +0100 Subject: [PATCH 03/11] style: fix formatting --- hosts/nachtigall/configuration.nix | 1 - hosts/underground/configuration.nix | 15 +++++-- hosts/underground/hardware-configuration.nix | 45 ++++++++++++------- hosts/underground/networking.nix | 10 ++++- modules/matrix/default.nix | 4 +- .../nginx-matrix/element-client-config.nix | 7 ++- secrets/secrets.nix | 3 +- 7 files changed, 59 insertions(+), 26 deletions(-) 
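Review bot: `lib.mkEnableOption` takes the option's name as a string and builds `default`, `type` and the description `"Whether to enable ${name}."` itself, so handing it an attrset with `description` and `default` interpolates a set into that description, which fails with a string-coercion error as soon as the option documentation is evaluated (the `default = false` in the passed set is never read either). Either pass the string, `sliding-sync.enable = lib.mkEnableOption "a sliding-sync proxy, no longer needed with synapse version 1.114+";`, or declare it explicitly with `lib.mkOption { type = lib.types.bool; default = false; description = "..."; }` in the style of the `signing_key_path` option above it. The enclosing options block starts outside the hunk.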
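Review bot: The shared module now hard-codes a host-specific secret, `environmentFile = config.age.secrets."nachtigall-matrix-synapse-sliding-sync-secret".path;`, so any other host that sets `sliding-sync.enable = true` fails on a missing `age.secrets` attribute — the underground host added in this series, for instance, only declares synapse-secret-config and MAS secrets in secrets.nix. The module already models this correctly for the signing key with the `signing_key_path` option; mirror that with a `sliding-sync.environmentFile` option of `lib.types.str` and have hosts/nachtigall pass `config.age.secrets."nachtigall-matrix-synapse-sliding-sync-secret".path`, the same way it passes `signing_key_path` in the second hunk of this patch. The enclosing `config` block starts and ends outside the hunk.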
diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index f49be986..69b191c3 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -82,7 +82,6 @@ owner = "matrix-synapse"; }; - pub-solar-os.matrix-synapse = { enable = true; sliding-sync.enable = true; diff --git a/hosts/underground/configuration.nix b/hosts/underground/configuration.nix index b53f5dd6..131cb163 100644 --- a/hosts/underground/configuration.nix +++ b/hosts/underground/configuration.nix @@ -79,10 +79,16 @@ { name = "oauth"; } { name = "compat"; } { name = "graphql"; } - { name = "assets"; path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; } + { + name = "assets"; + path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; + } ]; binds = [ - { host = "0.0.0.0"; port = 8090; } + { + host = "0.0.0.0"; + port = 8090; + } ]; proxy_protocol = false; } @@ -92,7 +98,10 @@ { name = "health"; } ]; binds = [ - { host = "0.0.0.0"; port = 8081; } + { + host = "0.0.0.0"; + port = 8081; + } ]; proxy_protocol = false; } diff --git a/hosts/underground/hardware-configuration.nix b/hosts/underground/hardware-configuration.nix index e4738a1b..28ab939e 100644 --- a/hosts/underground/hardware-configuration.nix +++ b/hosts/underground/hardware-configuration.nix 
@@ -1,14 +1,27 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ahci" + "xhci_pci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; @@ -16,19 +29,19 @@ device = "/dev/disk/by-label/cryptroot"; }; - fileSystems."/" = - { device = "/dev/disk/by-label/root"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-label/root"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-label/boot"; - fsType = "ext4"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "ext4"; + }; - swapDevices = - [ { device = "/dev/disk/by-label/swap"; } - ]; + swapDevices = [ + { device = "/dev/disk/by-label/swap"; } + ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/hosts/underground/networking.nix b/hosts/underground/networking.nix index 3085c7bc..0f08a7e5 100644 --- a/hosts/underground/networking.nix +++ b/hosts/underground/networking.nix @@ -13,11 +13,17 @@ address = "80.244.242.1"; interface = "enp1s0"; }; - nameservers = ["95.129.51.51" "80.244.244.244"]; + nameservers = [ + "95.129.51.51" + "80.244.244.244" + ]; interfaces.enp1s0 = { useDHCP = false; ipv4.addresses = [ - { address = "80.244.242.3"; prefixLength = 29; } + { + address = "80.244.242.3"; + prefixLength = 29; + } ]; }; }; diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index c0bee63c..1d955979 100644 --- a/modules/matrix/default.nix 
+++ b/modules/matrix/default.nix @@ -16,13 +16,13 @@ in app-service-config-files = lib.mkOption { description = "List of app service config files"; type = lib.types.listOf lib.types.str; - default = []; + default = [ ]; }; extra-config-files = lib.mkOption { description = "List of extra synapse config files"; type = lib.types.listOf lib.types.str; - default = []; + default = [ ]; }; signing_key_path = lib.mkOption { diff --git a/modules/nginx-matrix/element-client-config.nix b/modules/nginx-matrix/element-client-config.nix index 617d3bc3..80fed558 100644 --- a/modules/nginx-matrix/element-client-config.nix +++ b/modules/nginx-matrix/element-client-config.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: { default_server_config = { "m.homeserver" = { diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 402fc79d..7165ba69 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -70,7 +70,8 @@ in "nachtigall-matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; "underground-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; - "underground-matrix-authentication-service-secret-config.yml.age".publicKeys = undergroundKeys ++ adminKeys; + "underground-matrix-authentication-service-secret-config.yml.age".publicKeys = + undergroundKeys ++ adminKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys; "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys; From 8244e605b669a71707dba13186ded74f02887f2a Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 27 Oct 2024 16:51:07 +0100 Subject: [PATCH 04/11] fix: passkey support in pub.solar keycloak theme --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 8c962683..a9ee1879 100644 --- a/flake.lock +++ b/flake.lock 
@@ -280,11 +280,11 @@ ] }, "locked": { - "lastModified": 1707424749, - "narHash": "sha256-eTvts5E3zmD4/DoAI9KedQjRwica0cg36wwIVp1NWbM=", + "lastModified": 1730041422, + "narHash": "sha256-aEz5/yUJN/PSEXwPBuKMs2FbAmz68fDIQ9B0tVRVmTo=", "ref": "main", - "rev": "1202a23c205b3c07a5feb5caf6813f21b3c69307", - "revCount": 30, + "rev": "09f7b1ed16c99f5fb5c5f9a2a73ccc9ff0645b35", + "revCount": 32, "type": "git", "url": "https://git.pub.solar/pub-solar/keycloak-theme" }, From c9c2d06a98b49e3d97dc3c7712c24933be9cf2a9 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Mon, 28 Oct 2024 21:38:43 +0100 Subject: [PATCH 05/11] dns: add CNAME record for mas.pub.solar --- terraform/dns.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/terraform/dns.tf b/terraform/dns.tf index 5372c390..236cd0d0 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -109,6 +109,11 @@ resource "namecheap_domain_records" "pub-solar" { type = "CNAME" address = "nachtigall.pub.solar." } + record { + hostname = "mas" + type = "CNAME" + address = "nachtigall.pub.solar." + } record { hostname = "ci" type = "A" From 472f9aa68b51cb0071b26c828636290ca5c807cc Mon Sep 17 00:00:00 2001 From: teutat3s Date: Mon, 28 Oct 2024 21:39:00 +0100 Subject: [PATCH 06/11] dns: list.pub.solar should be A / AAAA records --- terraform/dns.tf | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/terraform/dns.tf b/terraform/dns.tf index 236cd0d0..cb3b81ce 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -189,11 +189,6 @@ resource "namecheap_domain_records" "pub-solar" { type = "CNAME" address = "nachtigall.pub.solar." } - record { - hostname = "list" - type = "CNAME" - address = "nachtigall.pub.solar." - } record { hostname = "obs-portal" type = "CNAME" 
@@ -327,6 +322,16 @@ resource "namecheap_domain_records" "pub-solar" { address = "list.pub.solar." mx_pref = "0" } + record { + hostname = "list" + type = "A" + address = "138.201.80.102" + } + record { + hostname = "list" + type = "AAAA" + address = "2a01:4f8:172:1c25::1" + } record { hostname = "nachtigall" type = "A" From 4434a901369c78126b105828c804eba15d81075d Mon Sep 17 00:00:00 2001 From: b12f Date: Wed, 30 Oct 2024 17:14:47 +0100 Subject: [PATCH 07/11] modules/matrix: rename secrets to not include hostnames --- hosts/nachtigall/configuration.nix | 16 ++++++++-------- hosts/underground/configuration.nix | 12 ++++++------ ...ge => matrix-synapse-secret-config.yaml.age} | Bin ...g-key.age => matrix-synapse-signing-key.age} | Bin ...e => matrix-synapse-sliding-sync-secret.age} | 0 secrets/secrets.nix | 10 +++++----- ...uthentication-service-secret-config.yml.age} | Bin ...aging-matrix-synapse-secret-config.yaml.age} | Bin 8 files changed, 19 insertions(+), 19 deletions(-) rename secrets/{nachtigall-matrix-synapse-secret-config.yaml.age => matrix-synapse-secret-config.yaml.age} (100%) rename secrets/{nachtigall-matrix-synapse-signing-key.age => matrix-synapse-signing-key.age} (100%) rename secrets/{nachtigall-matrix-synapse-sliding-sync-secret.age => matrix-synapse-sliding-sync-secret.age} (100%) rename secrets/{underground-matrix-authentication-service-secret-config.yml.age => staging-matrix-authentication-service-secret-config.yml.age} (100%) rename secrets/{underground-matrix-synapse-secret-config.yaml.age => staging-matrix-synapse-secret-config.yaml.age} (100%) diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index 69b191c3..dac4fc62 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix 
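Review bot: The new `list` A/AAAA records give no reason why `list` must not stay a CNAME, and the commit subject only states the conclusion. The context lines directly above show an MX record whose `address` is `list.pub.solar.` (its own hostname is outside the hunk), and a name that carries an MX record or serves as an MX target has to resolve to address records rather than a CNAME, so a comment before the first new record would spare the next reader from re-deriving that: `# list is used by an MX record, so it must be A/AAAA rather than a CNAME`.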
@@ -61,22 +61,22 @@ }; # matrix-synapse - age.secrets."nachtigall-matrix-synapse-signing-key" = { - file = "${flake.self}/secrets/nachtigall-matrix-synapse-signing-key.age"; + age.secrets."matrix-synapse-signing-key" = { + file = "${flake.self}/secrets/matrix-synapse-signing-key.age"; path = "/run/agenix/matrix-synapse-signing-key"; mode = "400"; owner = "matrix-synapse"; }; - age.secrets."nachtigall-matrix-synapse-secret-config.yaml" = { - file = "${flake.self}/secrets/nachtigall-matrix-synapse-secret-config.yaml.age"; + age.secrets."matrix-synapse-secret-config.yaml" = { + file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age"; path = "/run/agenix/matrix-synapse-secret-config.yaml"; mode = "400"; owner = "matrix-synapse"; }; - age.secrets."nachtigall-matrix-synapse-sliding-sync-secret" = { - file = "${flake.self}/secrets/nachtigall-matrix-synapse-sliding-sync-secret.age"; + age.secrets."matrix-synapse-sliding-sync-secret" = { + file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age"; path = "/run/agenix/matrix-synapse-sliding-sync-secret"; mode = "400"; owner = "matrix-synapse"; @@ -85,9 +85,9 @@ pub-solar-os.matrix-synapse = { enable = true; sliding-sync.enable = true; - signing_key_path = config.age.secrets."nachtigall-matrix-synapse-signing-key".path; + signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; extra-config-files = [ - config.age.secrets."nachtigall-matrix-synapse-secret-config.yaml".path + config.age.secrets."matrix-synapse-secret-config.yaml".path # The registration file is automatically generated after starting the # appservice for the first time. diff --git a/hosts/underground/configuration.nix b/hosts/underground/configuration.nix index 131cb163..74b1d79d 100644 --- a/hosts/underground/configuration.nix +++ b/hosts/underground/configuration.nix 
@@ -30,14 +30,14 @@ forceSSL = true; }; - age.secrets."underground-matrix-synapse-secret-config.yaml" = { - file = "${flake.self}/secrets/underground-matrix-synapse-secret-config.yaml.age"; + age.secrets."staging-matrix-synapse-secret-config.yaml" = { + file = "${flake.self}/secrets/staging-matrix-synapse-secret-config.yaml.age"; mode = "400"; owner = "matrix-synapse"; }; - age.secrets."underground-matrix-authentication-service-secret-config.yml" = { - file = "${flake.self}/secrets/underground-matrix-authentication-service-secret-config.yml.age"; + age.secrets."staging-matrix-authentication-service-secret-config.yml" = { + file = "${flake.self}/secrets/staging-matrix-authentication-service-secret-config.yml.age"; mode = "400"; owner = "matrix-authentication-service"; }; @@ -45,7 +45,7 @@ pub-solar-os.matrix-synapse = { enable = true; extra-config-files = [ - config.age.secrets."underground-matrix-synapse-secret-config.yaml".path + config.age.secrets."staging-matrix-synapse-secret-config.yaml".path # The registration file is automatically generated after starting the # appservice for the first time. @@ -65,7 +65,7 @@ enable = true; createDatabase = true; extraConfigFiles = [ - config.age.secrets."underground-matrix-authentication-service-secret-config.yml".path + config.age.secrets."staging-matrix-authentication-service-secret-config.yml".path ]; settings = { http.public_base = "https://mas.${config.pub-solar-os.networking.domain}"; diff --git a/secrets/nachtigall-matrix-synapse-secret-config.yaml.age b/secrets/matrix-synapse-secret-config.yaml.age similarity index 100% rename from secrets/nachtigall-matrix-synapse-secret-config.yaml.age rename to secrets/matrix-synapse-secret-config.yaml.age diff --git a/secrets/nachtigall-matrix-synapse-signing-key.age b/secrets/matrix-synapse-signing-key.age similarity index 100% rename from secrets/nachtigall-matrix-synapse-signing-key.age rename to secrets/matrix-synapse-signing-key.age 
diff --git a/secrets/nachtigall-matrix-synapse-sliding-sync-secret.age b/secrets/matrix-synapse-sliding-sync-secret.age similarity index 100% rename from secrets/nachtigall-matrix-synapse-sliding-sync-secret.age rename to secrets/matrix-synapse-sliding-sync-secret.age diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 7165ba69..6eaede2a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -65,12 +65,12 @@ in "forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys; - "nachtigall-matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; - "nachtigall-matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; - "nachtigall-matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; - "underground-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; - "underground-matrix-authentication-service-secret-config.yml.age".publicKeys = + "staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; + "staging-matrix-authentication-service-secret-config.yml.age".publicKeys = undergroundKeys ++ adminKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys; diff --git a/secrets/underground-matrix-authentication-service-secret-config.yml.age b/secrets/staging-matrix-authentication-service-secret-config.yml.age similarity index 100% rename from secrets/underground-matrix-authentication-service-secret-config.yml.age rename to secrets/staging-matrix-authentication-service-secret-config.yml.age 
diff --git a/secrets/underground-matrix-synapse-secret-config.yaml.age b/secrets/staging-matrix-synapse-secret-config.yaml.age similarity index 100% rename from secrets/underground-matrix-synapse-secret-config.yaml.age rename to secrets/staging-matrix-synapse-secret-config.yaml.age From 9d9bcf9a15eecb342201be1eeed0224e3c35efa3 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 30 Oct 2024 17:57:33 +0100 Subject: [PATCH 08/11] mas: move to module, add secrets for prod --- hosts/nachtigall/configuration.nix | 53 +++++---- hosts/nachtigall/default.nix | 2 + hosts/underground/configuration.nix | 80 +++----------- modules/matrix/default.nix | 103 ++++++++++++++---- ...thentication-service-secret-config.yml.age | Bin 0 -> 6276 bytes secrets/secrets.nix | 1 + 6 files changed, 135 insertions(+), 104 deletions(-) create mode 100644 secrets/matrix-authentication-service-secret-config.yml.age diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index dac4fc62..8bfba8de 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix 
@@ -82,28 +82,39 @@ owner = "matrix-synapse"; }; - pub-solar-os.matrix-synapse = { - enable = true; - sliding-sync.enable = true; - signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; - extra-config-files = [ - config.age.secrets."matrix-synapse-secret-config.yaml".path + age.secrets."matrix-authentication-service-secret-config.yml" = { + file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age"; + mode = "400"; + owner = "matrix-authentication-service"; + }; - # The registration file is automatically generated after starting the - # appservice for the first time. - # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ - # /var/lib/matrix-synapse/ - # chown matrix-synapse:matrix-synapse \ - # /var/lib/matrix-synapse/telegram-registration.yaml - "/var/lib/matrix-synapse/telegram-registration.yaml" - ]; - app-service-config-files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-appservice-irc/registration.yml" - # "/matrix-appservice-slack-registration.yaml" - # "/hookshot-registration.yml" - # "/matrix-mautrix-signal-registration.yaml" - # "/matrix-mautrix-telegram-registration.yaml" + pub-solar-os.matrix = { + enable = true; + synapse = { + sliding-sync.enable = true; + signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; + extra-config-files = [ + config.age.secrets."matrix-synapse-secret-config.yaml".path + + # The registration file is automatically generated after starting the + # appservice for the first time. 
+ # cp /var/lib/mautrix-telegram/telegram-registration.yaml \
+ # /var/lib/matrix-synapse/
+ # chown matrix-synapse:matrix-synapse \
+ # /var/lib/matrix-synapse/telegram-registration.yaml
+ "/var/lib/matrix-synapse/telegram-registration.yaml"
+ ];
+ app-service-config-files = [
+ "/var/lib/matrix-synapse/telegram-registration.yaml"
+ "/var/lib/matrix-appservice-irc/registration.yml"
+ # "/matrix-appservice-slack-registration.yaml"
+ # "/hookshot-registration.yml"
+ # "/matrix-mautrix-signal-registration.yaml"
+ # "/matrix-mautrix-telegram-registration.yaml"
+ ];
+ };
+ matrix-authentication-service.extra-config-files = [
+ config.age.secrets."matrix-authentication-service-secret-config.yml".path
 ];
 };
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index 9a69c4f2..100759a6 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -9,10 +9,12 @@
 ./networking.nix
 ./wireguard.nix
 ./backups.nix
+ "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
 "${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix"
 ];
 disabledModules = [
+ "services/matrix/matrix-authentication-service.nix "
 "services/web-apps/mastodon.nix"
 ];
 }
diff --git a/hosts/underground/configuration.nix b/hosts/underground/configuration.nix
index 74b1d79d..ff1c8096 100644
--- a/hosts/underground/configuration.nix
+++ b/hosts/underground/configuration.nix
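Review bot: The new `disabledModules` entry in hosts/nachtigall/default.nix has a trailing space inside the string, `"services/matrix/matrix-authentication-service.nix "`, so it will not match the key of the nixpkgs module it is meant to disable; if the pinned nixpkgs ships that module, it and the copy imported from `flake.inputs.fork` would both declare `services.matrix-authentication-service` and evaluation fails on the duplicate declaration, and if it does not, the entry is silently dead. Drop the space: `"services/matrix/matrix-authentication-service.nix"`. The import on the line above also carries a doubled slash, `services//matrix`, which is harmless in a string but reads like a typo; `"${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"` matches the `mastodon.nix` import beside it.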
@@ -42,72 +42,28 @@ owner = "matrix-authentication-service"; }; - pub-solar-os.matrix-synapse = { + pub-solar-os.matrix = { enable = true; - extra-config-files = [ - config.age.secrets."staging-matrix-synapse-secret-config.yaml".path + synapse = { + extra-config-files = [ + config.age.secrets."staging-matrix-synapse-secret-config.yaml".path - # The registration file is automatically generated after starting the - # appservice for the first time. - # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ - # /var/lib/matrix-synapse/ - # chown matrix-synapse:matrix-synapse \ - # /var/lib/matrix-synapse/telegram-registration.yaml - #"/var/lib/matrix-synapse/telegram-registration.yaml" - ]; - app-service-config-files = [ - "/var/lib/matrix-appservice-irc/registration.yml" - #"/var/lib/matrix-synapse/telegram-registration.yaml" - ]; - }; - - services.matrix-authentication-service = { - enable = true; - createDatabase = true; - extraConfigFiles = [ + # The registration file is automatically generated after starting the + # appservice for the first time. 
+ # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ + # /var/lib/matrix-synapse/ + # chown matrix-synapse:matrix-synapse \ + # /var/lib/matrix-synapse/telegram-registration.yaml + #"/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + app-service-config-files = [ + "/var/lib/matrix-appservice-irc/registration.yml" + #"/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + }; + matrix-authentication-service.extra-config-files = [ config.age.secrets."staging-matrix-authentication-service-secret-config.yml".path ]; - settings = { - http.public_base = "https://mas.${config.pub-solar-os.networking.domain}"; - http.issuer = "https://mas.${config.pub-solar-os.networking.domain}"; - http.listeners = [ - { - name = "web"; - resources = [ - { name = "discovery"; } - { name = "human"; } - { name = "oauth"; } - { name = "compat"; } - { name = "graphql"; } - { - name = "assets"; - path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; - } - ]; - binds = [ - { - host = "0.0.0.0"; - port = 8090; - } - ]; - proxy_protocol = false; - } - { - name = "internal"; - resources = [ - { name = "health"; } - ]; - binds = [ - { - host = "0.0.0.0"; - port = 8081; - } - ]; - proxy_protocol = false; - } - ]; - passwords.enabled = false; - }; }; services.openssh.openFirewall = true; diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index 1d955979..0f6963c9 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix 
@@ -10,33 +10,46 @@ let serverDomain = "${config.pub-solar-os.networking.domain}"; in { - options.pub-solar-os.matrix-synapse = { - enable = lib.mkEnableOption "Enable matrix-synapse to run on the node"; + options.pub-solar-os = { + matrix = { + enable = lib.mkEnableOption "Enable matrix-synapse and matrix-authentication-service to run on the node"; - app-service-config-files = lib.mkOption { - description = "List of app service config files"; - type = lib.types.listOf lib.types.str; - default = [ ]; - }; + synapse = { + app-service-config-files = lib.mkOption { + description = "List of app service config files"; + type = lib.types.listOf lib.types.str; + default = [ ]; + }; - extra-config-files = lib.mkOption { - description = "List of extra synapse config files"; - type = lib.types.listOf lib.types.str; - default = [ ]; - }; + extra-config-files = lib.mkOption { + description = "List of extra synapse config files"; + type = lib.types.listOf lib.types.str; + default = [ ]; + }; - signing_key_path = lib.mkOption { - description = "Path to file containing the signing key"; - type = lib.types.str; - default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; - }; - sliding-sync.enable = lib.mkEnableOption { - description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+"; - default = false; + signing_key_path = lib.mkOption { + description = "Path to file containing the signing key"; + type = lib.types.str; + default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; + }; + + sliding-sync.enable = lib.mkEnableOption { + description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+"; + default = false; + }; + }; + + matrix-authentication-service = { + extra-config-files = lib.mkOption { + description = "List of extra mas config files"; + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + }; }; }; - config = lib.mkIf 
config.pub-solar-os.matrix-synapse.enable { + config = lib.mkIf config.pub-solar-os.matrix.enable { services.matrix-synapse = { enable = true; settings = { @@ -265,6 +278,54 @@ in plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; }; + services.matrix-authentication-service = { + enable = true; + createDatabase = true; + extraConfigFiles = config.pub-solar-os.matrix.matrix-authentication-service.extra-config-files; + + settings = { + http.public_base = "https://mas.${config.pub-solar-os.networking.domain}"; + http.issuer = "https://mas.${config.pub-solar-os.networking.domain}"; + http.listeners = [ + { + name = "web"; + resources = [ + { name = "discovery"; } + { name = "human"; } + { name = "oauth"; } + { name = "compat"; } + { name = "graphql"; } + { + name = "assets"; + path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; + } + ]; + binds = [ + { + host = "0.0.0.0"; + port = 8090; + } + ]; + proxy_protocol = false; + } + { + name = "internal"; + resources = [ + { name = "health"; } + ]; + binds = [ + { + host = "0.0.0.0"; + port = 8081; + } + ]; + proxy_protocol = false; + } + ]; + passwords.enabled = false; + }; + }; + services.matrix-sliding-sync = { enable = config.pub-solar-os.matrix-synapse.sliding-sync.enable; settings = { 
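Review bot: The new option set has no independent switch for matrix-authentication-service: `pub-solar-os.matrix.enable` now turns on both Synapse and MAS (the enable description says so, and the config block that follows hard-codes `services.matrix-authentication-service.enable = true`), so a production host that only wanted Synapse gets the new auth service rolled out together with the staging test. Add `matrix-authentication-service.enable = lib.mkEnableOption "matrix-authentication-service";` next to `extra-config-files` and gate the service with `services.matrix-authentication-service.enable = config.pub-solar-os.matrix.matrix-authentication-service.enable;`. Separately, the carried-over `sliding-sync.enable = lib.mkEnableOption { description = …; default = false; }` passes an attrset where `mkEnableOption` expects a name string, which breaks the generated description text; use `lib.mkEnableOption "the sliding-sync proxy (not needed with synapse 1.114+)"` or a plain `lib.mkOption { type = lib.types.bool; default = false; description = …; }`. The `config = lib.mkIf …` block this hunk opens continues past the end of the hunk.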
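Review bot: Both MAS listeners in the new `services.matrix-authentication-service.settings.http.listeners` bind `host = "0.0.0.0"`, so the OAuth, compat and GraphQL endpoints on port 8090 and the health endpoint on port 8081 are offered over plain HTTP on every interface, bypassing the nginx TLS front end, unless the host firewall happens to block those ports; the sliding-sync proxy configured in the same module binds `127.0.0.1:8011`, so the new code is also inconsistent with the file's own convention. Change both binds to `host = "127.0.0.1";` (or the address nginx proxies from) and keep `proxy_protocol = false` as it is. If MAS genuinely has to listen on a non-loopback address for a reason not visible here, add a comment above each `binds` naming the firewall rule that restricts access. Note that `http.public_base` and `http.issuer` are pinned to `https://mas.<domain>`, so the reverse-proxy vhost for that name, which lives outside this hunk, must keep pointing at whatever address is chosen.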
diff --git a/secrets/matrix-authentication-service-secret-config.yml.age b/secrets/matrix-authentication-service-secret-config.yml.age new file mode 100644 index 0000000000000000000000000000000000000000..50cd3f21e6b0388f7639d20121f218efe5c20fa7 GIT binary patch literal 6276 zcmZ9O_g@W)|HqB$)^TrUC{kvZBWJH9&fcT5&#CC_z4vJ;Nk%9nWF%ZNDp^H@O0JQF zP|3Bf9V#p1>-)p!@%Vl}f5G$demq{U*YhpYsA5%Sh23X$>MZ7Y7P|)Ih5%v{q8$!x ztV#(*ARw4%9f7X*XriG&DhMv${-lu~4n$b8$)|+zlg=y)2Vh05B1O3bIa{Xw{=lIIaoC(y9}A zIyBg#RFha#hDRx6nQUwU+z9dfhh}%kqSXjK#i9W??RFoXk7nppT8RQART2brILfYp zqNo-V6~l!|sBXE=M#1|X7(5$ncGGMaKZ%)0^I-G}goKC#z~Cex5TnM6KzcV;X+^RK zI8R=j;&ji;aznxr1~y7TP!fy) zhubs&u@`N(fPo|_#vyk2)DoQoMy6SrL?W82<~u-mJ&_1yI@DqcQ)gw7Kr|>(U?NFu zI66g!Q8IY~02hx{n>|n|l!%a9pgu2{&vUEU9G6rCx2xoOKG=ldQD8VBUXCW4^a?AU z?86(~9G!rwlnOZ_GJwoV#JGSerNtxk8vJ?*o&^S>4Ni!Pi_vPWay3$GMY*X4K2&Ow zcs+2h00;51%>$Vn#SgEooB%CZSj&R5onDAtsv!Cl5)>7nH*0(@i3_a6sl9xdpUM_#ITo`~tT*sX1fL#k; zU@?|$04d>0o!+fuD=hyv#|9FC2gU+)P^wn~)6h*)7bsB;bo#_ny5A*-nQeX=2Z!X) z5p0|XO6NO77@Ay4*TS$eztYQ5yZj!vO6BnZNbE!%ScL?+!9Fs`CgVs%O1~S!S0I=Y zxsZxOQ1vb`9Yp8BeOL+DNEWli94niIRap%%pArex18fMb!%MP@KnRvzz>!#8bR$(K zv2mR~2@_8v_#L=JFoU8t0BLxRlqxpcS!AtL%AiOXKn>CDrvacO6kKA`(!E%xR|0m} zY#ViMyV}nH$<1&))kstfqoBmUri8`i zl6)Ws0fRO}@Lru9Y&OX3C?rvD0lL&G4MB+Gu#Gqp)T39D?0%$!W^zhxRIVDv_E@cA z02XAh;N^CjU#~*RWKa#AX#`UE3MfM^#u8w36$|7xVnq^@ljWoE{Q^GO$0HG>SQi`0 zgPVnPH9#PCda-n?nPvjA4W3^EfT#0GE+bG3@=ys#xQwoGqo_VP1EFE)u`U>wq5!g` z2#Slt(D8v@eIh`k;u6GQ1{F>wnlTa&f(;fcjRFxDq4l#piC`zpL}uIg3WAKI1w*}w zSSrO1v4d$QJi|m6LA-c?4^L1z$T}=SEl)%cv?Pz z<@d92B%%On=j){=g%qe0A}nwafbGQMJaibw{7V%!w@c{q>$y5R%mfC}NiZ@(=Y^Q@ zAicy5fhYcNj;%U(tQCqtM!UIw&adgmLKSir$P7jaeNdJP$AM}=Ks?1slNo3_o`<8h z5?L&!6zp+={B{6TCk4T=YBwGt(R)!MMpxkhiNaS>jj83iH2V%2L3<}Gn2f>|aGx|UM{EtH=Bp%zLiG~?aMi?eb~x6csU%#&Qu9n&ZD|I*Jep!$wn(bP^Lu$5Lo63Q?kmyBI<-2PF_=DR8z)3`N;= zWHJk^Gm>#|0P|Oih-fPYC}J_xpkG?z;Cb+0I_3GPT)DwQMw8_lBG`mOkTw5J!wDTe zJ~mpA2+`_zOc4n!Vtd#sFh|Ss*knFBkiY=iur{+6A)^r0V23A>2ms3&ax9DE2N8jC 
zFqgvxt8fk}iz7?4s1s=tw3u&)I=C3V!A%tWHw_3ALXC;hI3ffjb`m`(xnBi18wG*vWrad26qmrb`tL`8ew z&Q_nQZEr~Rv=*^`fBta8g;R|;j*W(cSAVSh5JnIT*@xJ5tt#S1R?i+dWc||6WnYp2 z7YyM~_n_gG`6K2?7tAi-W)Sl6|CaBWQc-O>`g>4v0)SN8Sy&i#;h&oYkAbL6Ue!y{ z4VyN5li}p`h&z%`(2(luHLzw__OJu;fdT_#zO{6G^2Pb5lleEgj>nZ$q)yrs6ml(e zLBSDa^Xu&uw5`a58An}bPO=dbg4-^Pe}9s%&jhkQt2w^M>zjKWnkvk^opV0L&s(0@ zc}nwQtnU7PoZ?OV^xB3>=Z&>>gZUSLIkpv#uaK_Ym$)XB;Tuz8GSpC_mDnq&Y=2CuW;M$#Y$1OD zZ}uxzwFNW3MH2p*@>fHLr9m_@@p)viWz^>V7hcZ=zOOxc{?6x_3s*+01}1;kM_N^H zGDJxGMNJuC?>K%KEI>EWjLNKdv9!@1eu)6J5Pr-wdl401mTcfD9@1RY+T zRt=n${Ff?er`LT|^*z-i`4KaDTR`I{?DC9=w}=sIHaGowwdU%SL&7PhdtUg95Xauy5e{$>s`}@ zM}IbcGe3M3Y>GqI7WpS_DacjECNXF1ZH}J&uywGE5yEeVpTyrmpOpA}OzpI^`oHI3OSaElHT@9pv zXVPDVvqM`eTV5Q4e_9?l@$lBD^V1l8%OBiG@s<)TCtKfc-o5udW8=h+VSkslt}g9+ z`C1iF)>1w4a&XM8VHFDisZ|Ff&$RI_vaLa7&UN~&CxfO=A9w#wWq1B1z`OFpsN3rO zQI)c)j<7#{fw`YOs;WbBb+OCn_pV9)2rKI~v>D#hiF(Zfma`_^iObaLmLw+4{Qqd6I5Wt~O|CbxLgP zmfqLHhp=~rFa5ikDte6xeY4V&mGF!mHFngTIB?His5&roEB9uDt0&-N|EkQ}SB{7{ zL#CWcnfoqWHHN%+=T*tQMPmjn(?48#B#nxirHaei-PX>4Z#t3wbqA*22T5<89e zn7=S3@79CGn6rxs9#O-JJmj)bGa*H@7`yjQn7X^J;mO|E5%Y?Iz&YBp2T$xev1!fn zg$I`{O}yfq(_V6iQg=B#vS!UO*3N&{4^J-X{~FTXk%&;%9zy08X4@@>Xy^Fms5bnt z6Bm1UyCNO+wQt&sx{BWf7c|P#rlM9v9kA##!r~yadGQIO=5w!L$nq~I9bY~>N``Np zwU!crT-MRn3z>oX0$_cjgwZ2qDRNc*Ps`l9V;lL73a;n@O8*lvpIx$4;!{V8+rb1?hWSMy~eGFo?d&a#@KE% zbXA12M_GqLdtW_av~B2J)6m#_SS30gr%DZdk7qWqrIk>4I>MD`>~#i#rzEx!K+1K^bu{(4;t<;gHK%x&q7q@_9YF@ zZz7J!eWhJ7tnKo(Dp3qXgEG;H^@3K0?>9vd>rlA`k?Y|Wluom50 zrXPL$hU;$7;cV{e2^PL&#@m6$*4ZA{Lh?oU(4fN&irlcpf8(x^&Q<&cKkzQ=K;hOK zgXNXbxLfnTZ+iA>szD{5_s{YH7~)X@w{JTOx$mhdod3gJT|Fn2_bK!YcO(3Gia7Jm zKwkPfc-Q0Tf93n~G(S6E`_ScCO@*5`En()Eu?I;san&lk+=|Csw#J%9Mp@ne|q`uw%?&}}mg-PpbT+oEg%pnN9eBS;W=;rs18WOMS(l76!? 
zD|6Gsr`%3dr;tP!{(K*vb^K(`&jYeA9nJXr6ILwxe$q9WSqPuj^QaWpI>lfPZTY;e zzd3i)p4sMYw?l{h`pGSa7F&2HbWiWTZ_f{mANe5X{N*cwZyR{F7atkhyuZO0|NDX# zn_4(}(mGwmAL7XUTa?816M!o*JL-477k{jb??O{IO=POaCoM3)-jjVIq+-jv&M&cd zV@~F#VC(U}2gr1{7E%u!Sz~x_-mAks+*tLXd>`h}xP}Z<{JE}S^P_TVA11x~YIx8X z;4GW~GcVkDxo`I3Ra@blzgo}kyE+I{lyp*@cWxGh>GF?#$(RsfUCD@v;!k^icb+e$ za^{~LIpz2C!tO_rIRluy-{&+>H5t>xynuVt*JvhYO)&<9_<)9IYu6>784{A9{@Gf$ zao7FUo%`PH{)w-<6}Yh?=iAANlqBLTAb`768_VASBJ7S7@l(9?P9a-yS z0C!P>B4F^r&w)vwkMN@-C!7yIy|M7`>~rJH`JsxR^Z0dV^{aK6p&^;&_n+yiW8U>A zY&&#UIDg|yWn4{hKr(LTyHxs;s!`Cj&! z4-Lhzor1U2FI9GR*uIh5hh_yYsdXguwRK-z`_c@4X4;&*DdaS2kaII__Y7u)q!-}) zxNm838@oA?Rwy50hsrF!_$l$j~J>{)W$-7*HMu z-+Gd{|3O#d@12uN4d2ph?=I3C{vG^KFzqS8F-m@<>x0%guK99)i9G-DuKm2r5h*RB zM|`WiuaXf~)CB~Ne*E~>9^&jqzV{5J@E zp=fpYF?V0vfr-2NIGZ8LF^@OqU3z}v@$D;Zhih?XN3BH&AH2|{3CG6oQ^#b7{8zkpNg_;R+c8fqx&a930jD^48s&T{|CKz1`$-Gdt4uT)Z)f&*Fp( s`v@BEmGx%k)KAt5?$z`wi;9zK_~AvHq)$ literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6eaede2a..88a632aa 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -68,6 +68,7 @@ in "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys; "staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; "staging-matrix-authentication-service-secret-config.yml.age".publicKeys = From 041d311bb270d2e1d991950474d258ebe60535ea Mon Sep 17 00:00:00 2001 From: b12f Date: Wed, 30 Oct 2024 18:34:25 +0100 Subject: [PATCH 09/11] modules/matrix: rename used config options --- hosts/nachtigall/configuration.nix | 3 --- modules/matrix/default.nix | 10 +++++----- 2 files changed, 5 insertions(+), 8 deletions(-) 
diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index 8bfba8de..67e1c6d4 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -63,21 +63,18 @@ # matrix-synapse age.secrets."matrix-synapse-signing-key" = { file = "${flake.self}/secrets/matrix-synapse-signing-key.age"; - path = "/run/agenix/matrix-synapse-signing-key"; mode = "400"; owner = "matrix-synapse"; }; age.secrets."matrix-synapse-secret-config.yaml" = { file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age"; - path = "/run/agenix/matrix-synapse-secret-config.yaml"; mode = "400"; owner = "matrix-synapse"; }; age.secrets."matrix-synapse-sliding-sync-secret" = { file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age"; - path = "/run/agenix/matrix-synapse-sliding-sync-secret"; mode = "400"; owner = "matrix-synapse"; }; diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index 0f6963c9..b8c05469 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -217,7 +217,7 @@ in } ]; - signing_key_path = config.pub-solar-os.matrix-synapse.signing_key_path; + signing_key_path = config.pub-solar-os.matrix.synapse.signing_key_path; stream_writers = { }; trusted_key_servers = [ { server_name = "matrix.org"; } ]; @@ -263,12 +263,12 @@ in }; user_ips_max_age = "28d"; - app_service_config_files = config.pub-solar-os.matrix-synapse.app-service-config-files; + app_service_config_files = config.pub-solar-os.matrix.synapse.app-service-config-files; }; withJemalloc = true; - extraConfigFiles = config.pub-solar-os.matrix-synapse.extra-config-files; + extraConfigFiles = config.pub-solar-os.matrix.synapse.extra-config-files; extras = [ "oidc" 
@@ -327,7 +327,7 @@ in }; services.matrix-sliding-sync = { - enable = config.pub-solar-os.matrix-synapse.sliding-sync.enable; + enable = config.pub-solar-os.matrix.synapse.sliding-sync.enable; settings = { SYNCV3_SERVER = "https://${publicDomain}"; SYNCV3_BINDADDR = "127.0.0.1:8011"; @@ -335,7 +335,7 @@ in # /metrics at this address SYNCV3_PROM = "127.0.0.1:9100"; }; - environmentFile = config.age.secrets."nachtigall-matrix-synapse-sliding-sync-secret".path; + environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path; }; pub-solar-os.backups.restic.matrix-synapse = { From 7ba5a7bdd65a03b97877d31e4dbc52cb1c892b83 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 30 Oct 2024 20:30:39 +0100 Subject: [PATCH 10/11] matrix: disable sliding-sync proxy, it's built into synapse now, update synapse config to use matrix-authentication-service --- hosts/nachtigall/configuration.nix | 2 +- secrets/matrix-synapse-secret-config.yaml.age | Bin 4186 -> 5033 bytes 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index 67e1c6d4..62dc644a 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -88,7 +88,7 @@ pub-solar-os.matrix = { enable = true; synapse = { - sliding-sync.enable = true; + sliding-sync.enable = false; signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; extra-config-files = [ config.age.secrets."matrix-synapse-secret-config.yaml".path 
diff --git a/secrets/matrix-synapse-secret-config.yaml.age b/secrets/matrix-synapse-secret-config.yaml.age index 86c590e2fecf761c0daf842244b494b0abdd5def..5f52638a36857a58713f7299042b571f9023a8d8 100644 GIT binary patch literal 5033 zcmZ9NXIE4QqlGorjIj|!5KvT%Wzgv@DlonGGv$mZ&YY=ddOK6BC>F#5!AL+wB@qi& zKv66xmRO^pv7-iwXs{xfsHm^^L+-lw{RPk3d+nmPm?oQCkT2p1*xaruZl48%;82s( zQ~ZAGWRnq3BH?H$HkJ?$SyHGvfJ*mk(F74Ms5D|V_^^Z&72O5| z0=9yv(sGC(hr+}20AF*>1?g@*#v8=C!hRDV&pp*}Kr7R^!20;>v z+rpL!bjCo0tk#8964<4%l7b4CK+Xp!PJo8c83u_^Zl*&JnMy_x0g5Ha)SLKHj+!P2 zp=EZmz#CxkC^Rw)kVyj`st$|u@*`fSRjp-`Ff_ghZFh6gZnEFZcksL@n-mYQ!k&;< z%ch_i9xnhZK@S#BHd6>ZD}!#}MU*b8L`Jbh{4|AJj^mn%Od^Dn3p7CmqBrqSc!ycR zkh6qLA>^y3g#2SZUZ2;B$1lN{VY)s{bfcLvk4@l5xLAYQ8Nu;_PBBGlKs%JYFzi6s zLc3k7B}5cb6b684JSA)gLAzQ;v@xs#K4^4Mt3Yc<2PBN*X!rJw0z@ZQdM4+6(ky%tyg;b|=*ua2|Am^~L>R`xCfUI7t4sqys zkWGm(kcB=aS|soXLkg}4rN+xFArmng4a&S0sZXV0gJ_S>ij_n$WMM=l4A|Xvjt}jC ztvpcTQYh&H*ldd8rEF)E>p-*;l%9i&y3j%~h4v-e7_F1W4@PkMfK?XM1A499<M# zY#hi9v*iCb$94`&iKU~sRLJb~u>iB4;0KLN$VdV}UxdR{i6dgM)6LP-bYhiRMdUk# zSTUl}n{6^V-zbKd1{Q;_K$B5CEf*A%*=Q*katgeV#UvrR7;H*NN5M(yUo46c4WK3% zM%+P2>z4v{9Z?OUy%@1e$>REqLOaSs!s$VdiH`xX0)|T>mw+;*79i+#FiEHq8I5u~ z?25>+R2B$v(KHQ947q|b6%0wOK7qi7)}lCOiHk@iDSQfv&P~Ea=uw(Mr}pdk`~Z*3 z!_#~ig2l!p@!2{a7nW%iswf37<0%aokJoMzk}W7@gb;BF1PnEa3nMJ5O~+$~T;_n> z5TKHzMxmbI)pO89KS6Eu3*71u7ly1+SnF1?0Gd@#r#nyqm&0O(5r-9lI5>`2=@4V2 zGL-}456EP?ARGu{6+Vid8TP8VB#Yb2Aow*Q4bJn$C{BoOcAHT_9)#v_Xk0)cA%i@* z#={c3_-++lLy`qlGER`hRY5AWmEtsk0TSNmq6VT~rwoDoHeN_g*4t2FW`Kov@YH-r zi;mD>nw&8A%mIIQN&1~?=bf)kcGq5_s!S{21F$NDrOlL!g}UK3ozxAywg^u#)6c@;O#I3$%kAH=2w$GjK*7+DPZQwHS&+4ih~5|EAe^YBGVI zqT*{1B^f5FI8qyn!i@qtDh;a?d+7`>2@QoTDu>C7jw(r%upcF4YNc)(-3G7`r%=mv zTlj_u%r;u12ruj;%Vi8e8VzuQA-nZ|KlER147EQ3&{JqIxpbWVp3ZD zAfTZ`7)#K^hA>`=heL3n<#-i}>?bM|enu3-00|tmA5iH)m@Nh{5oZMN(^d?x4iZ7K`hZPaK!mK9PC~OM~ z!_nxX8kbycHKHj&tP%40IZD7K1-uGFh=B2{)J()Llyk%OFL|6iIRzi$(+D(>Ol32S zYz9LX#gQ0B#3-~XTsA)-QAjLQw-Lq!SzZ;Yj<|GW0^^!*pAGC4E~+^+@}Y?sY+#jN 
zz^-c&J_aUQ>N-D^Y^*ZPwL?j>C0TJ3|7grl_;%}D#fGkzlFo35JWjCqyYW5JD%-4m z=U=hh{otX0b@|w&-sen$)RWVhnf&O|b1Bn@`4&Bl&47M|lO2CwYOC2^_3Q)#^>p=b z-RYufd~j63qfM4xlOCN|BF$Ly$3Hs8+DijnPi}ob_igPe|FS#j$j*6Bhl|uh+W3Oh z`ptiBzB57MdWoDIotF3dL~>!?qgkxo6VjLsP21l_(%Z8+_V{o1 zS9NE9el%@lGq`zg>`f6& zcTV$SknOxTU$G`{!aCtBvh_rL;`A8>8?VwGKa>i#dXGt_)z6K_-DXTz_CaoM*}!T0 zN41ngsGt3fFX`E+lIs1jn$?ZFkKfsJu`4imRjaPJqww4xZH1dV92?Flrf1BbR9RNH z8MkWh((=rhC+`cd3L&*M^@*BU7eK+@@sD+f1N(u{3og*n2wkejD zxj$fM_lx#9*IF*@QK>TYyP79Zos2eh!6r``7(06ra+0dMXif76BcT-~PQ?JJiKjWI$bN=$bdR33j-!=Ha zi^WsEuRHlo4U)DeWEb`8D4>6=u-y!Wx{{;qd+&|QUEaLVt6RIiOv46_SXW#fRF>na z9&ynzA@{48drwRm&ca1C=*zmdS8)Iu-B2=Q?;3mUqKQ+pakoDAiFN$5=h-*s$9+P7 zrmi}3V~Th4g+r@@YgP?^xz_*o()0Z(<8T)qz$L?q_GbLu@|&hJcb&ay%7i@T&{&Q2 zE`y)9biuUkTiR!~etKE@Y*N{|Z!6AccNf!p#syv9X}g)?lW#Z3@m+JAroR?m9d>2N zyUb(JtJ6HIQFEH+SM37d#%Ekee3TwK|08&<>8s;YAAT+#ylIy_ZWMH5U0VM}U3Ny% zPxy|?oSQK*ggD8-&v|VS_r#Ls1qYvgJrAjE?J=>%m_J~TbldMs)54A9AC9#RN2Sf1 z^XU5NVAoVmMgab>kfQs?bYs~j(Vkn7P##-27RYhPCM_vn zW!b;d5xbe#mfP0LQN@0Hj1Cd1Df((`b{b^Z4JvpeRV`}u93UBleWvXisO zFHSApEBXDq?-$vNTaFRJy&oqv50zkYe#~eeJMq?r50nDm$b+s$y7G`_$-DWkE9Olj{0EwV&uPGu{h$unbnM;s^pp3m zE-d;ueqmnIpcJsT`};&}*~rAlqiQkl&kuW^C|=Yy;rxptu}^c&_jVbJP;ymf z`JL<4smqFJxdUvUU*F%FxbbKWtziAS@=WXYJ(~@U$BrAV_k#y=a{h=mE-cr-@8_9X z`O80hM#Oh_9_tbCq|W~P)yWd@&9w!hxUCzyn`b0+mOV&_N$i!MrMC%C@`tRS6GnY%Bh1 z>Q9(&dleU-UnHh0gOc2brkJW~YXeiQ3gnaKMUQ`t`TDuIy=Q8Re%e2OCd)2I#`O91 zqdj|TSLv&}@25}k6wV)Z>Ce`cF*N9_TNn3z9(tohd2IKPPtwx^u*W&%@2V>&4&oQy zECpGvV0(=u3!I%_VH@+Y^N6F5W?Iwe=ak^=v-L^o%2w{ic#rAEtQA9MetW&;pkjF8 zQSf9|cwr*6O|D%ybIbI~ZADX;4}4IKt9>N@j5&>+mp!lJUi!Teas8KKNxd6~0;RF8 zJ`w60E4GQaGh@N!o->-MSBR~ueMKeWYMA>#e>{~x3^a}KTWz#nL<*uPFb_*VSGmIFGrlq`yW0z`HF+@)LUw%W|uy5EoV2x z+%Jm7^DqZSDGk}W=8JC!7H%zS6JASt@~e68hZjk6BlU~9Ov8b>YTk_G2w|}4J2E5g z0rlbs%z&(!P47OOCx5zYTJ-+j%8&O;)cVc|QVFM^&RVs)F~k_be%+RT{zToM(ae_I z&Z4Z2?c@4PGoEs0S0(2&W9KZn9_=OgbI^Tp<&e=w8wckU^-b_mzFjYUTdfMRZQtAn~zBv7 z<0c)RHD=rk#(+!fVym$-YGZxxxImXJ)_U_!;B;#VcIQW=$a5SlQ*E4aJ*l<0XCM#% 
ze%-B0`&SkGk-hA6p>WRm`>`9wpQ&xkJn|E~eaWznJbp|9J)c7ud^PtUZm_SLxMpv* zp^=ju|2L!m!Lh_{Iz3hNHU`tQWM{A`I*3+Z{~&hwtuu?3M%Iv?1{UmK!0}1M$5pNz zfj5~yxxPKk+ihaEZ*v$wqO=#e({sa*}o$|UBp`ww^@Jg5Kw literal 4186 zcmZ9N`F|7T+J`GGpea_Cihv*$gw_+m_3MiYX6^@jxfC`mGpk+spx9<VO}R$s~%3uo{hUbcG3`<7!u&w}-VB4Fu`EN}P=HCMy$4 z>N4txDxyJM3Eu4?2u6T9F*yqe^`fX+n+U;xoyR?hRGdu)#jMU@juIfK5jtbITU&AiNc8#O%`Bx z#^sMID4muusVpW{jMZi>RG<)IA#)O79iYLVG;ls3D-!Em(G;L}%4~K)lw!hMA_lXt zC~7eHGdyD;AypU+TU?Yds7^RMDC3UUT}l?v@LWnyIW!hbk|Hc#dydv3lt5|?*mLQ8 zAnRAC)3P)LgW{;lpKBj9mbVFgye;cYr&M&xE#m;I9g)USvpFATU1%hX_^b#aP~b6h zR-aXf+(LjVP=u2x*hw7WWC25`?hlZ5Abz^8%pNn^i_wr!J?L$iiBw3kYVETr8WV z6J$zYOyMd#ot8;hc@&Sz6h=H$aELP+DQ0#=eQuq`7Yb8hCt@S?g+eG)kYrNnh=Jg= zyxvd7fN(&`OHb1IKXCW677H6SEKX2!r2;8@g^lIXly7m$*Lb?txTNSBRAV2h6?oH{iP zC_$|i%?eC`G-!pADK|@?7{%M&5u-EjbJzh+R)8aZENoXt*&q&w$gq{jYYb_<3BZz} zuq*0;+>DnJI2=w|?tgGD%zk(qBfs7CEy5NvZZO)k_K~AAyd>Cradz2QGPUVe; zxI)B5!bZ>%#5sY~?kM=Q;y96@b@619$#I}Q#-(_e%ZL?tMCc6r;t@v2Bn>W&%#v}5 zoi3S@!O{{HpH%97oB#r1dL9otawc5jQDAA054Oudcf_N|OhFts2ebh(uS}tYh1aHI z5xLF4s!=5M)e?y#IcMoVXb;bx?K8B-NDW=HcLS83# z6w)b^7Im{cLQC@y;D%z6lsz1@zycEwmc)SuQ(k* z4f41YB6)EZ4@VS8+A5KOluhqY>sd`g5D3wZpje{P(#i}?(mF3|PH8M&gff9yz-@AS z0Kgk_+ayFmszQ=shtFhjn;}RlmmnTg?V|)*Wh6uS!$LF12l5im7Usc-#}LqfB1=X^ z1oEa#A!*OB(u`92zaA&Ux#}b!lUL*%1zUUcD?{Q~zJOVCa0I4Zs1diwVWC3?U?3Vw z0c^~PS@Tw_nLur}uplBarzx#WD>o!CyE82fsKf0ATzgxlY1Q?g7B^B3absNavd5;nkUO>lJ30WgA)DVlQ7nj~ln z>d3esHTqPb-=~0MZX^-YQ$e4Tk3rF7%0&L(eg4&1iAp;j5?vbk#we_(WK6kQH1hdrPt+37`1w{!K(2&xL7XpcbbaG@VK&qK)?u^ zR_4hZ!A4zthLNWkufrzuaQ2W`GIGjFKFGs>UPeS66 zvk|2yVId(`GKuFUX^fC^+}~+JkN{%#3V#8~%5XIpNK4%*S;(eT3PF~%^PD4_mD>DC zTheA>@Kl~8l>*#jv!#46o3tj`c)-cwKw8vZ(yn%8a4L_;oiNva%#>EAa0{xdt1D2P zmAN^OGA_!dj1t5^3q$RV8w>Mv$Y)4L^&x%SnNcH!5N#Kn+BVfRTluKpkmE0lPAzRb z@}n8fJ-%?KV?CO>aHw-=ExPEVtJC+*={4^~!4UPEt0YAe?pKLdZ=PMa|IPd*_a)qm z1CHpj<o;a zEnTvz{?1@OxhvXXS}xr0RHywf4%q#2m4A?CUH#pjhoYxCCz9(PZ*yY8hHYWb$d9Cm$J32|;p&+P}Md;4sey!mcbQ_rfi zCB@yJ1V7Mit^DSh5O8_DjNf`~x$@WHMBksUe~JvZyt#gD>-h!!dz~+N=x~ 
z?wxiA0~%~y=a1Vtu`A;@Td7ce%NZ-W&%f`>l}yQ$ zk}t+Kojd-VW%cOae<8*XTU099r5qj;ymoTY#hWAk({)JcAJtzs8?G4#Qt2(Wd!1@t z7T;=o)QWIx?kjG8U3}X0@RP2?pC1jCG;W>d`e{#xi*>MVHOH;oRykW*&V0+nra|RO7wvZ;ou(Hf40z*5zG$UvT0}RF*&X! zk~hB9{|@oi_^}fPtWa#u=ne_+e{;Qc!}H{{5ys#m;|rWJhULN#ir!URW5ezx~GZHHhm( zkAJKfd2H{$+qP}izuemYw+}_SUuKSvS2Ue0V@s{K=G?zPCeH5~zrae~L=qn!%hlft z**jC;O|_psyXceAhSpA^X@F7N@8sw7fx@wGyMveixPEnh)1Q4h6P4Zz@Aa*`V(+zx zYdN-9omrjX$4pA>S+{;g<|4Fn$CIJwh=Zf%6!7;)6e@4?DKW#q4P9d{`1OhgJaKhn|J?8ddJ5%Cbq6^A*u1p$L;?7pCvzS z!xR&L?%2C@|KgS&|&urwot<_tPPJDIp@Dpvfmc3LYUb8PdJXw5u ze)Fly8G-knOf8C3#y$tvEv$02T^rxCbwuvpMVDGL zrHY!%Ra-88{2c!InCv^l&XU)LAV0)bZiQmKFVVlp+wv1;&OGwU$KEGzKOV3-es6T_ zxBEw?&(1Es8}3_Xti3;$YJO+M)n5iX8!nAp3Gueh&E#g+jjzx`(cIcxs>g!J>&w<0 zZ&n47OCLQPYdP86|0)}3ZD8t}>pnOHH^Adf-G?x=XK-v-ckRRyz0m*W+e4$h(%6G;O>muAI}jTXM!AzPoo^ z@jKep-yQf~xZ;t+xM9|VswZV_v#0FM?NU;?Xh)KnaAPLgkW?z2garw;xPYsHkX From 3ec5c9f343cbe0bc84d39c53a38c6a419045a5d7 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 30 Oct 2024 20:32:47 +0100 Subject: [PATCH 11/11] style: fix formatting --- modules/matrix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index b8c05469..958a6c13 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -335,7 +335,7 @@ in # /metrics at this address SYNCV3_PROM = "127.0.0.1:9100"; }; - environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path; + environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path; }; pub-solar-os.backups.restic.matrix-synapse = {