Merge pull request 'matrix-authentication-service: init, test, migrate synapse' (#250) from mas-init into main
Reviewed-on: pub-solar/infra#250 Reviewed-by: b12f <b12f@noreply.git.pub.solar>
commit
d8a793190d
25
flake.lock
25
flake.lock
|
@ -234,6 +234,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"fork": {
|
||||
"locked": {
|
||||
"lastModified": 1729963002,
|
||||
"narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=",
|
||||
"owner": "teutat3s",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "005faaacbeede0296dec5c844f508027ab8a3ff6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "teutat3s",
|
||||
"ref": "init-matrix-authentication-service-module",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"home-manager": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -264,11 +280,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1707424749,
|
||||
"narHash": "sha256-eTvts5E3zmD4/DoAI9KedQjRwica0cg36wwIVp1NWbM=",
|
||||
"lastModified": 1730041422,
|
||||
"narHash": "sha256-aEz5/yUJN/PSEXwPBuKMs2FbAmz68fDIQ9B0tVRVmTo=",
|
||||
"ref": "main",
|
||||
"rev": "1202a23c205b3c07a5feb5caf6813f21b3c69307",
|
||||
"revCount": 30,
|
||||
"rev": "09f7b1ed16c99f5fb5c5f9a2a73ccc9ff0645b35",
|
||||
"revCount": 32,
|
||||
"type": "git",
|
||||
"url": "https://git.pub.solar/pub-solar/keycloak-theme"
|
||||
},
|
||||
|
@ -354,6 +370,7 @@
|
|||
"element-stickers": "element-stickers",
|
||||
"element-themes": "element-themes",
|
||||
"flake-parts": "flake-parts",
|
||||
"fork": "fork",
|
||||
"home-manager": "home-manager",
|
||||
"keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
|
||||
"maunium-stickerpicker": "maunium-stickerpicker",
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
# Track channels with commits tested and built by hydra
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";
|
||||
|
||||
nix-darwin.url = "github:lnl7/nix-darwin/master";
|
||||
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
@ -152,6 +153,10 @@
|
|||
hostname = "tankstelle.wg.pub.solar";
|
||||
sshUser = username;
|
||||
};
|
||||
underground = {
|
||||
hostname = "80.244.242.3";
|
||||
sshUser = username;
|
||||
};
|
||||
trinkgenossin = {
|
||||
hostname = "trinkgenossin.wg.pub.solar";
|
||||
sshUser = username;
|
||||
|
|
|
@ -178,6 +178,30 @@
|
|||
self.nixosModules.nginx
|
||||
];
|
||||
};
|
||||
|
||||
underground = self.inputs.nixpkgs.lib.nixosSystem {
|
||||
specialArgs = {
|
||||
flake = {
|
||||
inherit self inputs config;
|
||||
};
|
||||
};
|
||||
modules = [
|
||||
self.inputs.agenix.nixosModules.default
|
||||
self.nixosModules.home-manager
|
||||
./underground
|
||||
self.nixosModules.overlays
|
||||
self.nixosModules.unlock-luks-on-boot
|
||||
self.nixosModules.core
|
||||
|
||||
self.nixosModules.backups
|
||||
self.nixosModules.keycloak
|
||||
self.nixosModules.postgresql
|
||||
self.nixosModules.matrix
|
||||
self.nixosModules.matrix-irc
|
||||
self.nixosModules.nginx
|
||||
self.nixosModules.nginx-matrix
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -48,6 +48,7 @@
|
|||
owner = "root";
|
||||
};
|
||||
|
||||
# keycloak
|
||||
age.secrets.keycloak-database-password = {
|
||||
file = "${flake.self}/secrets/keycloak-database-password.age";
|
||||
mode = "600";
|
||||
|
@ -59,6 +60,61 @@
|
|||
database-password-file = config.age.secrets.keycloak-database-password.path;
|
||||
};
|
||||
|
||||
# matrix-synapse
|
||||
age.secrets."matrix-synapse-signing-key" = {
|
||||
file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
|
||||
mode = "400";
|
||||
owner = "matrix-synapse";
|
||||
};
|
||||
|
||||
age.secrets."matrix-synapse-secret-config.yaml" = {
|
||||
file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age";
|
||||
mode = "400";
|
||||
owner = "matrix-synapse";
|
||||
};
|
||||
|
||||
age.secrets."matrix-synapse-sliding-sync-secret" = {
|
||||
file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
|
||||
mode = "400";
|
||||
owner = "matrix-synapse";
|
||||
};
|
||||
|
||||
age.secrets."matrix-authentication-service-secret-config.yml" = {
|
||||
file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age";
|
||||
mode = "400";
|
||||
owner = "matrix-authentication-service";
|
||||
};
|
||||
|
||||
pub-solar-os.matrix = {
|
||||
enable = true;
|
||||
synapse = {
|
||||
sliding-sync.enable = false;
|
||||
signing_key_path = config.age.secrets."matrix-synapse-signing-key".path;
|
||||
extra-config-files = [
|
||||
config.age.secrets."matrix-synapse-secret-config.yaml".path
|
||||
|
||||
# The registration file is automatically generated after starting the
|
||||
# appservice for the first time.
|
||||
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
|
||||
# /var/lib/matrix-synapse/
|
||||
# chown matrix-synapse:matrix-synapse \
|
||||
# /var/lib/matrix-synapse/telegram-registration.yaml
|
||||
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||
];
|
||||
app-service-config-files = [
|
||||
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||
"/var/lib/matrix-appservice-irc/registration.yml"
|
||||
# "/matrix-appservice-slack-registration.yaml"
|
||||
# "/hookshot-registration.yml"
|
||||
# "/matrix-mautrix-signal-registration.yaml"
|
||||
# "/matrix-mautrix-telegram-registration.yaml"
|
||||
];
|
||||
};
|
||||
matrix-authentication-service.extra-config-files = [
|
||||
config.age.secrets."matrix-authentication-service-secret-config.yml".path
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.postgresql = {
|
||||
after = [ "var-lib-postgresql.mount" ];
|
||||
requisite = [ "var-lib-postgresql.mount" ];
|
||||
|
|
|
@ -9,10 +9,12 @@
|
|||
./networking.nix
|
||||
./wireguard.nix
|
||||
./backups.nix
|
||||
"${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
|
||||
"${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix"
|
||||
];
|
||||
|
||||
disabledModules = [
|
||||
"services/matrix/matrix-authentication-service.nix "
|
||||
"services/web-apps/mastodon.nix"
|
||||
];
|
||||
}
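Review bot: The `disabledModules` entry `"services/matrix/matrix-authentication-service.nix "` carries a trailing space, so it can never match the in-tree module path; the same string is added in hosts/underground/default.nix. This is harmless today only because nixos-24.05 apparently does not ship that module yet (hence the fork import), but once the channel does, both the in-tree and the forked module would declare `services.matrix-authentication-service` and evaluation fails on the duplicate declaration. Change it to `"services/matrix/matrix-authentication-service.nix"` in both files. The import path `${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix` also has a doubled slash; it resolves, but `services/matrix/` keeps it identical to the disabledModules key.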
|
||||
|
|
72
hosts/underground/configuration.nix
Normal file
72
hosts/underground/configuration.nix
Normal file
|
@ -0,0 +1,72 @@
|
|||
{
|
||||
flake,
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
# Use GRUB2 as the boot loader.
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
devices = [ "/dev/vda" ];
|
||||
};
|
||||
|
||||
pub-solar-os.networking.domain = "test.pub.solar";
|
||||
|
||||
systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];
|
||||
|
||||
# keycloak
|
||||
pub-solar-os.auth = {
|
||||
enable = true;
|
||||
database-password-file = "/tmp/dbf";
|
||||
};
|
||||
services.keycloak.database.createLocally = true;
|
||||
|
||||
# matrix-synapse
|
||||
# test.pub.solar /.well-known is required for federation
|
||||
services.nginx.virtualHosts."${config.pub-solar-os.networking.domain}" = {
|
||||
default = true;
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
|
||||
age.secrets."staging-matrix-synapse-secret-config.yaml" = {
|
||||
file = "${flake.self}/secrets/staging-matrix-synapse-secret-config.yaml.age";
|
||||
mode = "400";
|
||||
owner = "matrix-synapse";
|
||||
};
|
||||
|
||||
age.secrets."staging-matrix-authentication-service-secret-config.yml" = {
|
||||
file = "${flake.self}/secrets/staging-matrix-authentication-service-secret-config.yml.age";
|
||||
mode = "400";
|
||||
owner = "matrix-authentication-service";
|
||||
};
|
||||
|
||||
pub-solar-os.matrix = {
|
||||
enable = true;
|
||||
synapse = {
|
||||
extra-config-files = [
|
||||
config.age.secrets."staging-matrix-synapse-secret-config.yaml".path
|
||||
|
||||
# The registration file is automatically generated after starting the
|
||||
# appservice for the first time.
|
||||
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
|
||||
# /var/lib/matrix-synapse/
|
||||
# chown matrix-synapse:matrix-synapse \
|
||||
# /var/lib/matrix-synapse/telegram-registration.yaml
|
||||
#"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||
];
|
||||
app-service-config-files = [
|
||||
"/var/lib/matrix-appservice-irc/registration.yml"
|
||||
#"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||
];
|
||||
};
|
||||
matrix-authentication-service.extra-config-files = [
|
||||
config.age.secrets."staging-matrix-authentication-service-secret-config.yml".path
|
||||
];
|
||||
};
|
||||
|
||||
services.openssh.openFirewall = true;
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
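Review bot: `systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ]` creates the keycloak database password file world-writable with the literal content `password`, and `database-password-file = "/tmp/dbf"` then hands it to keycloak, so any local user on the staging host can read or replace the credential and the `10d` age lets tmpfiles cleanup delete it while the service is running. This same file already declares two agenix secrets with `mode = "400"` and a service owner, which is the pattern the other hosts use for `keycloak-database-password`; a staging variant of that secret would keep the test host consistent with production. If a plaintext file is really wanted for staging, it should at least be created with a 0400 mode, owned by the keycloak service user, and with age `-` so it is never cleaned up.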
|
16
hosts/underground/default.nix
Normal file
16
hosts/underground/default.nix
Normal file
|
@ -0,0 +1,16 @@
|
|||
{ flake, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./configuration.nix
|
||||
|
||||
./networking.nix
|
||||
"${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
|
||||
];
|
||||
|
||||
disabledModules = [
|
||||
"services/matrix/matrix-authentication-service.nix "
|
||||
];
|
||||
}
|
47
hosts/underground/hardware-configuration.nix
Normal file
47
hosts/underground/hardware-configuration.nix
Normal file
|
@ -0,0 +1,47 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [
|
||||
"ahci"
|
||||
"xhci_pci"
|
||||
"virtio_pci"
|
||||
"virtio_scsi"
|
||||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
boot.initrd.luks.devices."cryptroot" = {
|
||||
device = "/dev/disk/by-label/cryptroot";
|
||||
};
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-label/root";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-label/boot";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices = [
|
||||
{ device = "/dev/disk/by-label/swap"; }
|
||||
];
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
}
|
30
hosts/underground/networking.nix
Normal file
30
hosts/underground/networking.nix
Normal file
|
@ -0,0 +1,30 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
networking.hostName = "underground";
|
||||
|
||||
networking = {
|
||||
defaultGateway = {
|
||||
address = "80.244.242.1";
|
||||
interface = "enp1s0";
|
||||
};
|
||||
nameservers = [
|
||||
"95.129.51.51"
|
||||
"80.244.244.244"
|
||||
];
|
||||
interfaces.enp1s0 = {
|
||||
useDHCP = false;
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "80.244.242.3";
|
||||
prefixLength = 29;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -5,8 +5,9 @@
|
|||
...
|
||||
}:
|
||||
{
|
||||
age.secrets."coturn-static-auth-secret" = {
|
||||
file = "${flake.self}/secrets/coturn-static-auth-secret.age";
|
||||
age.secrets."nachtigall-coturn-static-auth-secret" = {
|
||||
file = "${flake.self}/secrets/nachtigall-coturn-static-auth-secret.age";
|
||||
path = "/run/agenix/coturn-static-auth-secret";
|
||||
mode = "400";
|
||||
owner = "turnserver";
|
||||
};
|
||||
|
@ -18,7 +19,7 @@
|
|||
min-port = 49000;
|
||||
max-port = 50000;
|
||||
use-auth-secret = true;
|
||||
static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
|
||||
static-auth-secret-file = config.age.secrets."nachtigall-coturn-static-auth-secret".path;
|
||||
realm = "turn.${config.pub-solar-os.networking.domain}";
|
||||
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
||||
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
||||
|
|
|
@ -16,11 +16,6 @@ let
|
|||
synapseClientPort = "${toString listenerWithClient.port}";
|
||||
in
|
||||
{
|
||||
systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
|
||||
"@system-service @pkey"
|
||||
"~@privileged @resources"
|
||||
"@chown"
|
||||
];
|
||||
services.matrix-appservice-irc = {
|
||||
enable = true;
|
||||
localpart = "irc_bot";
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{
|
||||
flake,
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
@ -9,24 +10,46 @@ let
|
|||
serverDomain = "${config.pub-solar-os.networking.domain}";
|
||||
in
|
||||
{
|
||||
age.secrets."matrix-synapse-signing-key" = {
|
||||
file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
|
||||
mode = "400";
|
||||
owner = "matrix-synapse";
|
||||
options.pub-solar-os = {
|
||||
matrix = {
|
||||
enable = lib.mkEnableOption "Enable matrix-synapse and matrix-authentication-service to run on the node";
|
||||
|
||||
synapse = {
|
||||
app-service-config-files = lib.mkOption {
|
||||
description = "List of app service config files";
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
age.secrets."matrix-synapse-secret-config.yaml" = {
|
||||
file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age";
|
||||
mode = "400";
|
||||
owner = "matrix-synapse";
|
||||
extra-config-files = lib.mkOption {
|
||||
description = "List of extra synapse config files";
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
age.secrets."matrix-synapse-sliding-sync-secret" = {
|
||||
file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
|
||||
mode = "400";
|
||||
owner = "matrix-synapse";
|
||||
signing_key_path = lib.mkOption {
|
||||
description = "Path to file containing the signing key";
|
||||
type = lib.types.str;
|
||||
default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key";
|
||||
};
|
||||
|
||||
sliding-sync.enable = lib.mkEnableOption {
|
||||
description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+";
|
||||
default = false;
|
||||
};
|
||||
};
|
||||
|
||||
matrix-authentication-service = {
|
||||
extra-config-files = lib.mkOption {
|
||||
description = "List of extra mas config files";
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.pub-solar-os.matrix.enable {
|
||||
services.matrix-synapse = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
@ -194,7 +217,7 @@ in
|
|||
}
|
||||
];
|
||||
|
||||
signing_key_path = "/run/agenix/matrix-synapse-signing-key";
|
||||
signing_key_path = config.pub-solar-os.matrix.synapse.signing_key_path;
|
||||
|
||||
stream_writers = { };
|
||||
trusted_key_servers = [ { server_name = "matrix.org"; } ];
|
||||
|
@ -240,29 +263,12 @@ in
|
|||
};
|
||||
user_ips_max_age = "28d";
|
||||
|
||||
app_service_config_files = [
|
||||
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||
"/var/lib/matrix-appservice-irc/registration.yml"
|
||||
# "/matrix-appservice-slack-registration.yaml"
|
||||
# "/hookshot-registration.yml"
|
||||
# "/matrix-mautrix-signal-registration.yaml"
|
||||
# "/matrix-mautrix-telegram-registration.yaml"
|
||||
];
|
||||
app_service_config_files = config.pub-solar-os.matrix.synapse.app-service-config-files;
|
||||
};
|
||||
|
||||
withJemalloc = true;
|
||||
|
||||
extraConfigFiles = [
|
||||
"/run/agenix/matrix-synapse-secret-config.yaml"
|
||||
|
||||
# The registration file is automatically generated after starting the
|
||||
# appservice for the first time.
|
||||
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
|
||||
# /var/lib/matrix-synapse/
|
||||
# chown matrix-synapse:matrix-synapse \
|
||||
# /var/lib/matrix-synapse/telegram-registration.yaml
|
||||
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||
];
|
||||
extraConfigFiles = config.pub-solar-os.matrix.synapse.extra-config-files;
|
||||
|
||||
extras = [
|
||||
"oidc"
|
||||
|
@ -272,8 +278,56 @@ in
|
|||
plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
|
||||
};
|
||||
|
||||
services.matrix-sliding-sync = {
|
||||
services.matrix-authentication-service = {
|
||||
enable = true;
|
||||
createDatabase = true;
|
||||
extraConfigFiles = config.pub-solar-os.matrix.matrix-authentication-service.extra-config-files;
|
||||
|
||||
settings = {
|
||||
http.public_base = "https://mas.${config.pub-solar-os.networking.domain}";
|
||||
http.issuer = "https://mas.${config.pub-solar-os.networking.domain}";
|
||||
http.listeners = [
|
||||
{
|
||||
name = "web";
|
||||
resources = [
|
||||
{ name = "discovery"; }
|
||||
{ name = "human"; }
|
||||
{ name = "oauth"; }
|
||||
{ name = "compat"; }
|
||||
{ name = "graphql"; }
|
||||
{
|
||||
name = "assets";
|
||||
path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets";
|
||||
}
|
||||
];
|
||||
binds = [
|
||||
{
|
||||
host = "0.0.0.0";
|
||||
port = 8090;
|
||||
}
|
||||
];
|
||||
proxy_protocol = false;
|
||||
}
|
||||
{
|
||||
name = "internal";
|
||||
resources = [
|
||||
{ name = "health"; }
|
||||
];
|
||||
binds = [
|
||||
{
|
||||
host = "0.0.0.0";
|
||||
port = 8081;
|
||||
}
|
||||
];
|
||||
proxy_protocol = false;
|
||||
}
|
||||
];
|
||||
passwords.enabled = false;
|
||||
};
|
||||
};
|
||||
|
||||
services.matrix-sliding-sync = {
|
||||
enable = config.pub-solar-os.matrix.synapse.sliding-sync.enable;
|
||||
settings = {
|
||||
SYNCV3_SERVER = "https://${publicDomain}";
|
||||
SYNCV3_BINDADDR = "127.0.0.1:8011";
|
||||
|
@ -284,7 +338,7 @@ in
|
|||
environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
|
||||
};
|
||||
|
||||
services.restic.backups.matrix-synapse-storagebox = {
|
||||
pub-solar-os.backups.restic.matrix-synapse = {
|
||||
paths = [
|
||||
"/var/lib/matrix-synapse"
|
||||
"/var/lib/matrix-appservice-irc"
|
||||
|
@ -295,8 +349,6 @@ in
|
|||
OnCalendar = "*-*-* 05:00:00 Etc/UTC";
|
||||
};
|
||||
initialize = true;
|
||||
passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
|
||||
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
|
||||
backupPrepareCommand = ''
|
||||
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
|
||||
'';
|
||||
|
@ -309,4 +361,5 @@ in
|
|||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
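Review bot: Both matrix-authentication-service listeners in `http.listeners` bind `host = "0.0.0.0"` (ports 8090 and 8081) although nginx proxies to `127.0.0.1:8090` on the same host, so the plaintext HTTP listener and the internal `health` resource are reachable from every interface unless the host firewall happens to block those ports; `host = "127.0.0.1"` is sufficient for the nginx path, and the health listener should likewise bind loopback or the wireguard address if it is scraped remotely. Separately, `sliding-sync.enable = lib.mkEnableOption { description = ...; default = false; }` passes an attribute set where `mkEnableOption` expects a name string, which fails as soon as the option description is rendered; the intended form is `lib.mkOption { type = lib.types.bool; default = false; description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+"; }`. Finally, `environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path` is still evaluated inside the module while that secret is now declared per host; a host without it (hosts/underground declares none) may fail evaluation if the option is ever forced, so guarding it with `lib.mkIf config.pub-solar-os.matrix.synapse.sliding-sync.enable` would be safer — the enclosing block starts outside this hunk, so confirm against the full file.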
|
||||
|
|
|
@ -10,11 +10,14 @@ let
|
|||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
'';
|
||||
clientConfig = import ./element-client-config.nix { inherit lib pkgs; };
|
||||
clientConfig = import ./element-client-config.nix { inherit config lib pkgs; };
|
||||
wellKnownClient = domain: {
|
||||
"m.homeserver".base_url = "https://matrix.${domain}";
|
||||
"m.identity_server".base_url = "https://matrix.${domain}";
|
||||
"org.matrix.msc3575.proxy".url = "https://matrix.${domain}";
|
||||
"org.matrix.msc2965.authentication" = {
|
||||
issuer = "https://mas.${domain}/";
|
||||
account = "https://mas.${domain}/account";
|
||||
};
|
||||
"im.vector.riot.e2ee".default = true;
|
||||
"io.element.e2ee" = {
|
||||
default = true;
|
||||
|
@ -85,6 +88,27 @@ in
|
|||
root = pkgs.element-stickerpicker;
|
||||
};
|
||||
|
||||
"mas.${config.pub-solar-os.networking.domain}" = {
|
||||
root = "/dev/null";
|
||||
|
||||
forceSSL = lib.mkDefault true;
|
||||
enableACME = lib.mkDefault true;
|
||||
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:8090";
|
||||
|
||||
extraConfig = ''
|
||||
${commonHeaders}
|
||||
proxy_http_version 1.1;
|
||||
|
||||
# Forward the client IP address
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
"matrix.${config.pub-solar-os.networking.domain}" = {
|
||||
root = "/dev/null";
|
||||
|
||||
|
@ -99,28 +123,41 @@ in
|
|||
locations = {
|
||||
# For telegram
|
||||
"/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = {
|
||||
priority = 100;
|
||||
proxyPass = "http://127.0.0.1:8009";
|
||||
extraConfig = commonHeaders;
|
||||
};
|
||||
|
||||
# sliding-sync
|
||||
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
|
||||
proxyPass = "http://127.0.0.1:8011";
|
||||
extraConfig = commonHeaders;
|
||||
# Forward to the auth service
|
||||
"~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
|
||||
priority = 100;
|
||||
proxyPass = "http://127.0.0.1:8090";
|
||||
|
||||
extraConfig = ''
|
||||
${commonHeaders}
|
||||
proxy_http_version 1.1;
|
||||
|
||||
# Forward the client IP address
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
'';
|
||||
};
|
||||
|
||||
"~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = {
|
||||
# Forward to Synapse
|
||||
# as per https://element-hq.github.io/synapse/latest/reverse_proxy.html#nginx
|
||||
"~ ^(/_matrix|/_synapse/client)" = {
|
||||
priority = 200;
|
||||
proxyPass = "http://127.0.0.1:8008";
|
||||
|
||||
extraConfig = ''
|
||||
${commonHeaders}
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
||||
|
||||
client_body_buffer_size 25M;
|
||||
client_max_body_size 50M;
|
||||
proxy_max_temp_file_size 0;
|
||||
proxy_http_version 1.1;
|
||||
'';
|
||||
};
|
||||
};
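Review bot: The Synapse location's rewritten headers forward `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`, i.e. whatever the client sent, instead of `$scheme`; since this vhost is the TLS terminator (`forceSSL`), that lets any client choose the scheme Synapse sees and uses for redirects and OIDC callback URLs, so it should stay `proxy_set_header X-Forwarded-Proto $scheme;` unless a trusted proxy sits in front of nginx (the page lost the +/- markers; print order suggests these are the new lines, please confirm). The MSC2965 block advertises `issuer = "https://mas.${domain}/"` with a trailing slash while `http.issuer` in the synapse module is set to `https://mas.${domain}` without one; OIDC discovery compares the issuer string exactly, so both should use the same form. The login/logout/refresh and `mas.` locations forward only `X-Forwarded-For`; if MAS needs the original `Host` or scheme for its own URL handling, the same header set as the Synapse location should be applied there — not verifiable from this hunk.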
|
||||
|
|
|
@ -1,9 +1,14 @@
|
|||
{ pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
default_server_config = {
|
||||
"m.homeserver" = {
|
||||
base_url = "https://matrix.pub.solar";
|
||||
server_name = "pub.solar";
|
||||
base_url = "https://matrix.${config.pub-solar-os.networking.domain}";
|
||||
server_name = "${config.pub-solar-os.networking.domain}";
|
||||
};
|
||||
"m.identity_server" = {
|
||||
base_url = "";
|
||||
|
|
|
@ -17,6 +17,7 @@
|
|||
inherit (inputs) element-stickers maunium-stickerpicker;
|
||||
};
|
||||
mastodon = unstable.mastodon;
|
||||
matrix-authentication-service = unstable.matrix-authentication-service;
|
||||
}
|
||||
)
|
||||
];
|
||||
|
|
BIN
secrets/matrix-authentication-service-secret-config.yml.age
Normal file
BIN
secrets/matrix-authentication-service-secret-config.yml.age
Normal file
Binary file not shown.
Binary file not shown.
|
@ -7,6 +7,7 @@ let
|
|||
trinkgenossin-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZXRDpom/LtyoCxvRuoONARKxIT6wNUwEyUjzHRE7DG root@trinkgenossin";
|
||||
delite-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKo7zlfQhcJ5/okFTOoOstZtmEL1iNlHxQ4q2baEcWT root@delite";
|
||||
blue-shell-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9g9X0a/MaVtbh44IeLxcq+McuYec0GYAdLsseBpk5f root@blue-shell";
|
||||
underground-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGF3PtA89yhVkmN7aJI6gqXK8DW9L7kI71IgiK4TAEwI root@underground";
|
||||
|
||||
adminKeys = builtins.foldl' (
|
||||
keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)
|
||||
|
@ -24,6 +25,8 @@ let
|
|||
|
||||
blueshellKeys = [ blue-shell-host ];
|
||||
|
||||
undergroundKeys = [ underground-host ];
|
||||
|
||||
garageKeys = [
|
||||
trinkgenossin-host
|
||||
delite-host
|
||||
|
@ -65,6 +68,11 @@ in
|
|||
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
|
||||
"staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys;
|
||||
"staging-matrix-authentication-service-secret-config.yml.age".publicKeys =
|
||||
undergroundKeys ++ adminKeys;
|
||||
|
||||
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
|
@ -84,7 +92,7 @@ in
|
|||
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
|
||||
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"nachtigall-coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
|
||||
"grafana-admin-password.age".publicKeys = trinkgenossinKeys ++ adminKeys;
|
||||
"grafana-keycloak-client-secret.age".publicKeys = trinkgenossinKeys ++ adminKeys;
|
||||
|
|
Binary file not shown.
BIN
secrets/staging-matrix-synapse-secret-config.yaml.age
Normal file
BIN
secrets/staging-matrix-synapse-secret-config.yaml.age
Normal file
Binary file not shown.
|
@ -109,6 +109,11 @@ resource "namecheap_domain_records" "pub-solar" {
|
|||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "mas"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "ci"
|
||||
type = "A"
|
||||
|
@ -184,11 +189,6 @@ resource "namecheap_domain_records" "pub-solar" {
|
|||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "list"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "obs-portal"
|
||||
type = "CNAME"
|
||||
|
@ -322,6 +322,16 @@ resource "namecheap_domain_records" "pub-solar" {
|
|||
address = "list.pub.solar."
|
||||
mx_pref = "0"
|
||||
}
|
||||
record {
|
||||
hostname = "list"
|
||||
type = "A"
|
||||
address = "138.201.80.102"
|
||||
}
|
||||
record {
|
||||
hostname = "list"
|
||||
type = "AAAA"
|
||||
address = "2a01:4f8:172:1c25::1"
|
||||
}
|
||||
record {
|
||||
hostname = "nachtigall"
|
||||
type = "A"
|
||||
|
@ -332,10 +342,40 @@ resource "namecheap_domain_records" "pub-solar" {
|
|||
type = "AAAA"
|
||||
address = "2a01:4f8:172:1c25::1"
|
||||
}
|
||||
record {
|
||||
hostname = "underground"
|
||||
type = "A"
|
||||
address = "80.244.242.3"
|
||||
}
|
||||
record {
|
||||
hostname = "test"
|
||||
type = "CNAME"
|
||||
address = "underground.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "mas.test"
|
||||
type = "CNAME"
|
||||
address = "underground.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "matrix.test"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
address = "underground.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "chat.test"
|
||||
type = "CNAME"
|
||||
address = "underground.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "stickers.chat.test"
|
||||
type = "CNAME"
|
||||
address = "underground.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "auth.test"
|
||||
type = "CNAME"
|
||||
address = "underground.pub.solar."
|
||||
}
|
||||
# SRV records can only be changed via NameCheap Web UI
|
||||
# add comment
|
||||
|
|