{
  flake,
  config,
  pkgs,
  ...
}:
# NixOS module for a throw-away test VM: the domain is test.pub.solar, the
# database password is a literal written to /tmp, and the Synapse/MAS shared
# secret is "unsecure123".  `flake` is accepted in the argument set but not
# referenced below.
let
  # Shared secret used both as the Synapse client's client_secret and as the
  # matrix.secret of MAS; both must stay equal (see settings.clients and
  # settings.matrix).
  testSecret = "unsecure123";

  masPackage = config.services.matrix-authentication-service.package;

  # One MAS HTTP listener: bound on every interface (0.0.0.0), no PROXY
  # protocol, serving the given resource list.
  mkListener = name: port: resources: {
    inherit name resources;
    binds = [
      {
        host = "0.0.0.0";
        inherit port;
      }
    ];
    proxy_protocol = false;
  };

  # Encryption secret and signing keys for MAS.  pkgs.writeText places this
  # file in the Nix store, which is readable by every user on the machine, so
  # the material here has to be treated as public — it is a test fixture.
  masExtraConfig = pkgs.writeText "mas-extra-config.yml" ''
    secrets:
      encryption: 85c39ce195bd01d17b583687edf20ae09eede66f4ce043f15afc2afa719249c9
      keys:
        - kid: LYeYXYzVil
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIEpAIBAAKCAQEA1l1iXIE9yFksgKmJ58hk9oj7UQ4iX5HX9Ll/EUDCRu+fuPuB
            kYnski19RNoVIWQt3f8HYTeQLF1vhvj9AKFw+F0jklkC8/YrHzNPiB7LS08X4+K8
            1DW+YI7EY0u0iB+uaChHvK8zYrk+qRmH0OGR7LdXRNqM75xMglkcnMagFbc/3ipO
            47SgHFaUGkM62epeQPIsJq6BicxCyH/LhoccUtnj5+EOAF+eo8QPRj+ISfDdCebS
            L7iYnpECFggVlexgbVRfeFtxDfHu5hpxjKwbTKYjDLMrZwlI0js4ZN9qchREAJ21
            km4Xq4bqP+Pf0QiaEjeoqF/ZMmCFYY2gT3DSUQIDAQABAoIBAHLwd4EqOzplthr2
            zN7e8GPQZxC7B2s/BBBQNfXGR2VJrta85GhpD9QBWB3G4XWaBY325LoX1NI090vj
            zaS865oANsaNu6ub3ttH4+kUueSTcDfcp2sRthaH9n1XZmFmu1lV38EoH+FbemGp
            Ms2pZVkLpVth5BfGMq/hoBnf1o5NTACSHd2InQnUQAbY16NvYZiY37hI3LllyIPI
            z7hBvFcRf2JD3Bn7nmV+lTBOtcYA5f6ZrO0V2Ah75AGb6QAUSWgV9edqXkp6OmAV
            jcVqfVsPwoPRpaarQ4M1lcvhYgwBKuUXFtcNPqqNk9ldYuYy/UW4E+psRrXkwvs2
            50TB78ECgYEA3nx7XBZhYrvUEqLUYeIRhnRGoY0/snyjAMibl6NoJZLpyrk+b70x
            Dh1k6LY9RwLfxRHDqnnHy9YY5Iu9QBTBYud8dD0JNOUUC8QWYV1G7AYLS9oe8kM5
            z4aWhgNR3a9DidPQtv2SyK+1ZmGhB80T7nDlsK17fjjTUnj7lMhgnbUCgYEA9qe4
            zzHfCZsDwoPPuMuAkZIjRxnwReY9fyAGGMdW4VrOgrOyVj4dDF0/R8p3LlS+TiUw
            6bVlWqbP+H3Zkx9VaH7EUmiTFulshi/MxSBizdj4SHDhYHK+4H5PkeDusMTGAvOk
            QaXB8ZbulHT3mdUc8lHucRHw2TIs8O8zaFBMo60CgYEAyCsxBYnxNlaNF/M9p48w
            e0qT3XdqjphKQ0M5kXVoFx4Vj9mYTgnmX6+cgS6s9P2l+/TemLsWQdMu9DixHT1P
            PD/OnfnoFZngrjFOfWzhiSpq8WSeIRLQqWCKfqnv9sZfulpC1tBPRpWnXCSML6uX
            uhgC3zFGASr5HaNRneul2V0CgYBbkYSQlwkgPcY1jk2tYw9F+6TRHpYOvR0TdsYM
            qOReISINb7zDO6f5ER0O/+Ei+B72T+RKvybzcn4+2CnP7o/8jSNBHMWOefXqExDI
            Fe/YT7ZM3mstLSwjl4DevUyfn02LhvvxyyGnGMtVnd7V40Ity7DjlS9+0pvQjlzd
            WwI4uQKBgQDQA3JSEl95T2nYmmlvX8a5rSNSSK/d6GRDvaNFAk659Jf3X2aYpHFM
            TRO5t2EDIrBCpgBG2Tj9yOnm9Zht/T+783ziQ/6p2q1QX7Lfr6MiwnND4Cw0ZvYL
            9xDiujZMtAEaEiz0a6pfHn/EfTA6Qvw/KYFmtXFGa+KuOwX4KgFlwQ==
            -----END RSA PRIVATE KEY-----
        - kid: cdMTgbM9rx
          key: |
            -----BEGIN EC PRIVATE KEY-----
            MHcCAQEEIOlSK0D4WKNjPrfxojWNJSoFzYJ7TUNC4qVv0C3b+LSioAoGCCqGSM49
            AwEHoUQDQgAE0lqYrp1gpDmCZASZ1L7Y5r0Kk9kbv6Qjn8FXzP4ujnFN8tFkHsun
            MqmeW3j5Qmtw24gcEU1IPW6QwMz/ozosWQ==
            -----END EC PRIVATE KEY-----
        - kid: Hb1P9OK0rc
          key: |
            -----BEGIN EC PRIVATE KEY-----
            MIGkAgEBBDAuDEN6zp1bBf2R3bBEKn8yGKlkV8jfNe1lZ1yvfsVWBPbVBoxJcEWG
            krR1vBYdtjSgBwYFK4EEACKhZANiAAThozHhNOUZcybKe7W9K5zVZIXgmM3Fze/e
            s6bHLpwPR1EEYNARPW7aLPPjf4d+iPXW5y6J0KCKvaXWvFAM9eL6a8X/W93VZmgO
            8A9QN/PWOUz2ZOsp1xLWvgmZl4zHYNw=
            -----END EC PRIVATE KEY-----
        - kid: NpIOF10t5M
          key: |
            -----BEGIN EC PRIVATE KEY-----
            MHQCAQEEIP3Vit8kpPw+JxnPLviS7+bM1EAJquG+0HFN6MT4Q1eDoAcGBSuBBAAK
            oUQDQgAE2rnrYryxmN3RAgwh9JqrS7/cft592o9dG6C7sUloIpYcZVmZsVGpOUzB
            UMyVVDVWwkAdxfASbDGu4yiSwy9uEw==
            -----END EC PRIVATE KEY-----

  '';
in
{
  # Use GRUB2 as the boot loader.
  boot.loader.grub = {
    enable = true;
    devices = [ "/dev/vda" ];
  };

  # tmpfiles "f" entry: create /tmp/dbf with mode 1777 (readable and writable
  # by everyone), owned by root:root, aged out after 10 days, with the literal
  # content "password".  It is the database-password-file referenced below.
  systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];

  pub-solar-os = {
    networking.domain = "test.pub.solar";
    auth = {
      enable = true;
      database-password-file = "/tmp/dbf";
    };
  };

  services = {
    keycloak.database.createLocally = true;

    matrix-authentication-service = {
      enable = true;
      createDatabase = true;
      extraConfigFiles = [ masExtraConfig ];

      settings = {
        http.listeners = [
          # Public listener on 8090; "assets" is served straight from the MAS
          # package's share directory.
          (mkListener "web" 8090 [
            { name = "discovery"; }
            { name = "human"; }
            { name = "oauth"; }
            { name = "compat"; }
            { name = "graphql"; }
            {
              name = "assets";
              path = "${masPackage}/share/matrix-authentication-service/assets";
            }
          ])
          # Health endpoint on 8081; note it is bound on 0.0.0.0 like the
          # public one, not on loopback.
          (mkListener "internal" 8081 [ { name = "health"; } ])
        ];

        # The Synapse OAuth client.  The secret is the same literal as
        # matrix.secret below.
        clients = [
          {
            client_id = "0000000000000000000SYNAPSE";
            client_auth_method = "client_secret_basic";
            client_secret = testSecret;
          }
        ];

        matrix = {
          homeserver = config.services.matrix-synapse.settings.server_name;
          secret = testSecret;
          endpoint = "https://localhost:8448";
        };

        # Upstream Keycloak provider.  issuer and client_secret are still the
        # angle-bracket placeholders from the MAS example, so presumably the
        # upstream login path is not exercised by this test — verify before
        # relying on it.
        upstream_oauth2.providers = [
          {
            id = "01H8PKNWKKRPCBW4YGH1RWV279";
            issuer = "https://<keycloak>/realms/<realm>";
            token_endpoint_auth_method = "client_secret_basic";
            client_id = "matrix-authentication-service";
            client_secret = "<client-secret>";
            scope = "openid profile email";
            claims_imports = {
              # localpart is mandatory and taken from preferred_username;
              # display name and e-mail are only suggested, with the e-mail
              # always marked verified.
              localpart = {
                action = "require";
                template = "{{ user.preferred_username }}";
              };
              displayname = {
                action = "suggest";
                template = "{{ user.name }}";
              };
              email = {
                action = "suggest";
                template = "{{ user.email }}";
                set_email_verification = "always";
              };
            };
          }
        ];
      };
    };

    openssh.openFirewall = true;
  };

  system.stateVersion = "24.05";
}