pub-solar/infra
6
1
Fork 3
Code Issues29 Pull requests9 Projects1 Releases Packages Wiki Activity Actions

Merge branch 'main' into feat/automated-account-deletion

Browse source
This commit is contained in:
b12f 2025-02-09 14:24:40 +01:00
commit 6ebe9a008b
Signed by: b12f
GPG key ID: 729956E1124F8F26
24 changed files with 268 additions and 287 deletions

21
.forgejo/workflows/check.yml
View file

@ -18,20 +18,7 @@ jobs:
# Prevent cache garbage collection by creating GC roots
mkdir -p /var/lib/gitea-runner/tankstelle/.local/state/nix/results
for target in $(nix flake show --json --all-systems | jq --raw-output '
.["nixosConfigurations"] |
to_entries[] |
.key'
); do
nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$target" ".#nixosConfigurations.${target}.config.system.build.toplevel"
done
for check in $(nix flake show --json --all-systems | jq --raw-output '
.checks."x86_64-linux" |
to_entries[] |
.key'
); do
nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$check" ".#checks.x86_64-linux.${check}"
done
sed -i 's/virtualisation.cores .*/virtualisation.cores = 16;/' tests/keycloak.nix
sed -i 's/virtualisation.memorySize .*/virtualisation.memorySize = 16384;/' tests/keycloak.nix
# 1 eval-worker needs about 13GB of memory
nix --accept-flake-config --access-tokens '' develop --command nix-fast-build --no-nom --skip-cached --systems "x86_64-linux" --max-jobs 10 --eval-workers 2 --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/nix-fast-build

20
docs/keycloak/delete-unverified-accounts.md
View file

@ -12,7 +12,7 @@ Run following after SSH'ing to `nachtigall`.
Credentials for the following command are in keepass. Create a keycloak
config/credentials file at `/tmp/kcadm.config`:
```
```bash
sudo --user keycloak kcadm.sh config credentials \
--config /tmp/kcadm.config \
--server https://auth.pub.solar \
@ -22,7 +22,7 @@ sudo --user keycloak kcadm.sh config credentials \
Get list of accounts without a verified email address:
```
```bash
sudo --user keycloak kcadm.sh get \
--config /tmp/kcadm.config \
users \
@ -35,7 +35,7 @@ Review list of accounts, especially check `createdTimestamp` if any accounts
were created in the past 2 days. If so, delete those from the
`/tmp/keycloak-unverified-accounts` file.
```
```bash
createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )
# timestamps are in nanoseconds since epoch, so we need to strip the last three digits
@ -46,17 +46,17 @@ vim /tmp/keycloak-unverified-accounts
Check how many accounts are going to be deleted:
```
```bash
jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
```
```
```bash
jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids
```
Final check before deletion (dry-run):
```
```bash
for id in $(cat /tmp/keycloak-unverified-account-ids)
do
echo sudo --user keycloak kcadm.sh delete \
@ -68,7 +68,7 @@ for id in $(cat /tmp/keycloak-unverified-account-ids)
THIS WILL DELETE ACCOUNTS:
```
```bash
for id in $(cat /tmp/keycloak-unverified-account-ids)
do
sudo --user keycloak kcadm.sh delete \
@ -77,3 +77,9 @@ for id in $(cat /tmp/keycloak-unverified-account-ids)
--realm pub.solar
done
```
Delete the temp files:
```bash
sudo rm /tmp/kcadm.config /tmp/keycloak-unverified-accounts /tmp/keycloak-unverified-account-ids
```

110
flake.lock generated
View file

@ -113,11 +113,11 @@
]
},
"locked": {
"lastModified": 1736711425,
"narHash": "sha256-8hKhPQuMtXfJi+4lPvw3FBk/zSJVHeb726Zo0uF1PP8=",
"lastModified": 1738765162,
"narHash": "sha256-3Z40qHaFScWUCVQrGc4Y+RdoPsh1R/wIh+AN4cTXP0I=",
"owner": "nix-community",
"repo": "disko",
"rev": "f720e64ec37fa16ebba6354eadf310f81555cc07",
"rev": "ff3568858c54bd306e9e1f2886f0f781df307dff",
"type": "github"
},
"original": {
@ -204,11 +204,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"lastModified": 1738453229,
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
"type": "github"
},
"original": {
@ -291,16 +291,16 @@
},
"fork": {
"locked": {
"lastModified": 1729963002,
"narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=",
"lastModified": 1738846146,
"narHash": "sha256-cIPiBEspPXQxju2AUZK9kjh6oqea+HkPFqmGv7yUztM=",
"owner": "teutat3s",
"repo": "nixpkgs",
"rev": "005faaacbeede0296dec5c844f508027ab8a3ff6",
"rev": "e370f40b129e47b08562524ab4f053a172a94273",
"type": "github"
},
"original": {
"owner": "teutat3s",
"ref": "init-matrix-authentication-service-module",
"ref": "init-matrix-authentication-service-module-0.13.0",
"repo": "nixpkgs",
"type": "github"
}
@ -312,16 +312,16 @@
]
},
"locked": {
"lastModified": 1726989464,
"narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
"lastModified": 1736373539,
"narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
"rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"ref": "release-24.11",
"repo": "home-manager",
"type": "github"
}
@ -358,11 +358,11 @@
]
},
"locked": {
"lastModified": 1731518114,
"narHash": "sha256-h9Wb3VjmXBZwTO3prRweUKwp2H9hZHCQKrkbU+2WPQs=",
"lastModified": 1738012343,
"narHash": "sha256-agMgWwVxXII+RtCqok8ROjzpKJung/5N5f2BVDmMC5Q=",
"ref": "main",
"rev": "060ecccc5f8c92a0705ab91ff047811efd559468",
"revCount": 36,
"rev": "4ffd7bc8ea032991756c5e8e8a37b039789045bc",
"revCount": 38,
"type": "git",
"url": "https://git.pub.solar/pub-solar/keycloak-theme"
},
@ -398,11 +398,11 @@
]
},
"locked": {
"lastModified": 1736819234,
"narHash": "sha256-deQVtIH4UJueELJqluAICUtX7OosD9paTP+5FgbiSwI=",
"lastModified": 1739034224,
"narHash": "sha256-Mj/8jDzh1KNmUhWqEeVlW3hO9MZkxqioJGnmR7rivaE=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "bd921223ba7cdac346477d7ea5204d6f4736fcc6",
"rev": "0b6f96a6b9efcfa8d3cc8023008bcbcd1b9bc1a4",
"type": "github"
},
"original": {
@ -430,14 +430,14 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1735774519,
"narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
"lastModified": 1738452942,
"narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
}
},
"nixpkgs-lib_2": {
@ -460,16 +460,16 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1735563628,
"narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
"lastModified": 1738843498,
"narHash": "sha256-7x+Q4xgFj9UxZZO9aUDCR8h4vyYut4zPUvfj3i+jBHE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
"rev": "f5a32fa27df91dfc4b762671a0e0a859a8a0058f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
@ -500,22 +500,21 @@
"nixpkgs": [
"unstable"
],
"nixpkgs-24_05": [
"nixpkgs-24_11": [
"nixpkgs"
],
"utils": "utils_2"
]
},
"locked": {
"lastModified": 1734885828,
"narHash": "sha256-G0fB1YBlkalu8lLGRB07K8CpUWNVd+unfrjNomSL7SM=",
"lastModified": 1734884447,
"narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "636b82f4175e3f6b1e80d2189bb0469e2ae01a55",
"rev": "63209b1def2c9fc891ad271f474a3464a5833294",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-24.05",
"ref": "nixos-24.11",
"repo": "nixos-mailserver",
"type": "gitlab"
}
@ -595,28 +594,13 @@
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"unstable": {
"locked": {
"lastModified": 1736798957,
"narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=",
"lastModified": 1739020877,
"narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
"rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
"type": "github"
},
"original": {
@ -643,24 +627,6 @@
"repo": "flake-utils",
"type": "github"
}
},
"utils_2": {
"inputs": {
"systems": "systems_6"
},
"locked": {
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

57
flake.nix
View file

@ -1,14 +1,14 @@
{
inputs = {
# Track channels with commits tested and built by hydra
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";
fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module-0.13.0";
nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager/release-24.05";
home-manager.url = "github:nix-community/home-manager/release-24.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
flake-parts.url = "github:hercules-ci/flake-parts";
@ -40,8 +40,8 @@
element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker";
element-stickers.inputs.nixpkgs.follows = "nixpkgs";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
simple-nixos-mailserver.inputs.nixpkgs-24_05.follows = "nixpkgs";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";
simple-nixos-mailserver.inputs.nixpkgs-24_11.follows = "nixpkgs";
simple-nixos-mailserver.inputs.nixpkgs.follows = "unstable";
};
@ -79,12 +79,49 @@
master = import inputs.master { inherit system; };
};
checks = import ./tests ({ inherit inputs self; } // args);
checks =
let
machinesPerSystem = {
aarch64-linux = [
"metronom"
];
x86_64-linux = [
"blue-shell"
"delite"
"nachtigall"
"tankstelle"
"trinkgenossin"
"underground"
];
};
nixosMachines = inputs.nixpkgs.lib.mapAttrs' (n: inputs.nixpkgs.lib.nameValuePair "nixos-${n}") (
inputs.nixpkgs.lib.genAttrs (machinesPerSystem.${system} or [ ]) (
name: self.nixosConfigurations.${name}.config.system.build.toplevel
)
);
nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { };
testDir = builtins.attrNames (builtins.readDir ./tests);
testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir;
in
builtins.listToAttrs (
map (x: {
name = "test-${lib.strings.removeSuffix ".nix" x}";
value = nixos-lib.runTest (
import (./tests + "/${x}") {
inherit self;
inherit pkgs;
inherit lib;
inherit config;
}
);
}) testFiles
)
// nixosMachines;
devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [
deploy-rs
nixpkgs-fmt
nix-fast-build
agenix
age-plugin-yubikey
cachix
@ -93,9 +130,9 @@
nvfetcher
shellcheck
shfmt
inputs.unstable.legacyPackages.${system}.treefmt2
treefmt2
nixos-generators
inputs.unstable.legacyPackages.${system}.opentofu
opentofu
terraform-backend-git
terraform-ls
jq
@ -122,7 +159,7 @@
system: deployLib: deployLib.deployChecks self.deploy
) inputs.deploy-rs.lib;
formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;
formatter."x86_64-linux" = inputs.nixpkgs.legacyPackages."x86_64-linux".nixfmt-rfc-style;
deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
nachtigall = {

16
hosts/nachtigall/configuration.nix
View file

@ -73,22 +73,24 @@
owner = "matrix-synapse";
};
age.secrets."matrix-synapse-sliding-sync-secret" = {
file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."matrix-authentication-service-secret-config.yml" = {
file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age";
mode = "400";
owner = "matrix-authentication-service";
};
# matrix-appservice-irc
age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
file = "${flake.self}/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
mode = "400";
owner = "matrix-appservice-irc";
};
pub-solar-os.matrix = {
enable = true;
appservice-irc.mediaproxy.signingKeyPath =
config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
synapse = {
sliding-sync.enable = false;
signing_key_path = config.age.secrets."matrix-synapse-signing-key".path;
extra-config-files = [
config.age.secrets."matrix-synapse-secret-config.yaml".path

6
hosts/nachtigall/default.nix
View file

@ -9,12 +9,10 @@
./networking.nix
./wireguard.nix
./backups.nix
"${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
"${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix"
"${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"
];
disabledModules = [
"services/matrix/matrix-authentication-service.nix "
"services/web-apps/mastodon.nix"
"services/matrix/matrix-authentication-service.nix"
];
}

9
hosts/underground/configuration.nix
View file

@ -42,8 +42,17 @@
owner = "matrix-authentication-service";
};
# matrix-appservice-irc
age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
file = "${flake.self}/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
mode = "400";
owner = "matrix-appservice-irc";
};
pub-solar-os.matrix = {
enable = true;
appservice-irc.mediaproxy.signingKeyPath =
config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
synapse = {
extra-config-files = [
config.age.secrets."staging-matrix-synapse-secret-config.yaml".path

4
hosts/underground/default.nix
View file

@ -7,10 +7,10 @@
./configuration.nix
./networking.nix
"${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
"${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"
];
disabledModules = [
"services/matrix/matrix-authentication-service.nix "
"services/matrix/matrix-authentication-service.nix"
];
}

8
logins/admins.nix
View file

@ -46,6 +46,14 @@
"fd00:fae:fae:fae:fae:205::/96"
];
}
{
# biolimo
publicKey = "gnLq6KikFVVGxLxPW+3ZnreokEKLDoso+cUepPOZsBA=";
allowedIPs = [
"10.7.6.206/32"
"fd00:fae:fae:fae:fae:206::/96"
];
}
];
};

3
modules/forgejo/default.nix
View file

@ -65,6 +65,7 @@
services.forgejo = {
enable = true;
package = pkgs.forgejo;
user = "gitea";
group = "gitea";
database = {
@ -75,7 +76,7 @@
};
stateDir = "/var/lib/forgejo";
lfs.enable = true;
mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path;
settings = {
DEFAULT.APP_NAME = "pub.solar git server";

3
modules/keycloak/default.nix
View file

@ -50,7 +50,8 @@
hostname = "auth.${config.pub-solar-os.networking.domain}";
http-host = "127.0.0.1";
http-port = 8080;
proxy = "edge";
proxy-headers = "xforwarded";
http-enabled = true;
};
themes = {
"pub.solar" =

213
modules/matrix-irc/default.nix
View file

@ -16,111 +16,128 @@ let
synapseClientPort = "${toString listenerWithClient.port}";
in
{
services.matrix-appservice-irc = {
enable = true;
localpart = "irc_bot";
port = 8010;
registrationUrl = "http://localhost:8010";
settings = {
homeserver = {
domain = "${config.pub-solar-os.networking.domain}";
url = "http://127.0.0.1:${synapseClientPort}";
media_url = "https://matrix.${config.pub-solar-os.networking.domain}";
enablePresence = false;
options.pub-solar-os = {
matrix.appservice-irc.mediaproxy = {
signingKeyPath = lib.mkOption {
description = "Path to file containing the IRC appservice mediaproxy signing key";
type = lib.types.str;
default = "/var/lib/matrix-appservice-irc/media-signingkey.jwk";
};
ircService = {
ident = {
address = "::";
enabled = false;
port = 1113;
};
};
config = {
services.matrix-appservice-irc = {
enable = true;
localpart = "irc_bot";
port = 8010;
registrationUrl = "http://localhost:8010";
settings = {
homeserver = {
domain = "${config.pub-solar-os.networking.domain}";
url = "http://127.0.0.1:${synapseClientPort}";
enablePresence = false;
};
logging = {
# set to debug for debugging
level = "warn";
maxFiles = 5;
toCosole = true;
};
matrixHandler = {
eventCacheSize = 4096;
};
metrics = {
enabled = true;
remoteUserAgeBuckets = [
"1h"
"1d"
"1w"
];
};
provisioning = {
enabled = false;
requestTimeoutSeconds = 300;
};
servers =
let
commonConfig = {
allowExpiredCerts = false;
botConfig = {
enabled = false;
joinChannelsIfNoUsers = false;
nick = "MatrixBot";
};
dynamicChannels = {
createAlias = true;
enabled = true;
federate = true;
joinRule = "public";
published = true;
};
ircClients = {
allowNickChanges = true;
concurrentReconnectLimit = 50;
idleTimeout = 10800;
lineLimit = 3;
maxClients = 30;
nickTemplate = "$DISPLAY[m]";
reconnectIntervalMs = 5000;
};
matrixClients = {
joinAttempts = -1;
};
membershipLists = {
enabled = true;
floodDelayMs = 10000;
global = {
ircToMatrix = {
incremental = true;
initial = true;
};
matrixToIrc = {
incremental = true;
initial = true;
ircService = {
ident = {
address = "::";
enabled = false;
port = 1113;
};
logging = {
# set to debug for debugging
level = "warn";
maxFiles = 5;
toCosole = true;
};
matrixHandler = {
eventCacheSize = 4096;
};
mediaProxy = {
signingKeyPath = config.pub-solar-os.matrix.appservice-irc.mediaproxy.signingKeyPath;
# keep media for 2 weeks
ttlSeconds = 1209600;
bindPort = 11111;
publicUrl = "https:///matrix.${config.pub-solar-os.networking.domain}/media";
};
metrics = {
enabled = true;
remoteUserAgeBuckets = [
"1h"
"1d"
"1w"
];
};
provisioning = {
enabled = false;
requestTimeoutSeconds = 300;
};
servers =
let
commonConfig = {
allowExpiredCerts = false;
botConfig = {
enabled = false;
joinChannelsIfNoUsers = false;
nick = "MatrixBot";
};
dynamicChannels = {
createAlias = true;
enabled = true;
federate = true;
joinRule = "public";
published = true;
};
ircClients = {
allowNickChanges = true;
concurrentReconnectLimit = 50;
idleTimeout = 10800;
lineLimit = 3;
maxClients = 30;
nickTemplate = "$DISPLAY[m]";
reconnectIntervalMs = 5000;
};
matrixClients = {
joinAttempts = -1;
};
membershipLists = {
enabled = true;
floodDelayMs = 10000;
global = {
ircToMatrix = {
incremental = true;
initial = true;
};
matrixToIrc = {
incremental = true;
initial = true;
};
};
};
port = 6697;
privateMessages = {
enabled = true;
federate = true;
};
sasl = false;
sendConnectionMessages = true;
ssl = true;
};
port = 6697;
privateMessages = {
enabled = true;
federate = true;
in
{
"irc.libera.chat" = lib.attrsets.recursiveUpdate commonConfig {
name = "libera";
dynamicChannels.groupId = "+libera.chat:localhost";
dynamicChannels.aliasTemplate = "#_libera_$CHANNEL";
matrixClients.displayName = "$NICK (LIBERA-IRC)";
};
"irc.scratch-network.net" = lib.attrsets.recursiveUpdate commonConfig {
name = "scratch";
matrixClients.displayName = "$NICK (SCRATCH-IRC)";
dynamicChannels.aliasTemplate = "#_scratch_$CHANNEL";
dynamicChannels.groupId = "+scratch-network.net:localhost";
};
sasl = false;
sendConnectionMessages = true;
ssl = true;
};
in
{
"irc.libera.chat" = lib.attrsets.recursiveUpdate commonConfig {
name = "libera";
dynamicChannels.groupId = "+libera.chat:localhost";
dynamicChannels.aliasTemplate = "#_libera_$CHANNEL";
matrixClients.displayName = "$NICK (LIBERA-IRC)";
};
"irc.scratch-network.net" = lib.attrsets.recursiveUpdate commonConfig {
name = "scratch";
matrixClients.displayName = "$NICK (SCRATCH-IRC)";
dynamicChannels.aliasTemplate = "#_scratch_$CHANNEL";
dynamicChannels.groupId = "+scratch-network.net:localhost";
};
};
};
};
};
};

17
modules/matrix/default.nix
View file

@ -32,11 +32,6 @@ in
type = lib.types.str;
default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key";
};
sliding-sync.enable = lib.mkEnableOption {
description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+";
default = false;
};
};
matrix-authentication-service = {
@ -339,18 +334,6 @@ in
};
};
services.matrix-sliding-sync = {
enable = config.pub-solar-os.matrix.synapse.sliding-sync.enable;
settings = {
SYNCV3_SERVER = "https://${publicDomain}";
SYNCV3_BINDADDR = "127.0.0.1:8011";
# The bind addr for Prometheus metrics, which will be accessible at
# /metrics at this address
SYNCV3_PROM = "127.0.0.1:9100";
};
environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
};
pub-solar-os.backups.restic.matrix-synapse = {
paths = [
"/var/lib/matrix-synapse"

2
modules/mediawiki/default.nix
View file

@ -211,7 +211,7 @@ in
backend = "docker";
containers."mediawiki" = {
image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.42.1";
image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.42.4";
user = "1000:${builtins.toString gid}";
autoStart = true;

3
modules/nextcloud/default.nix
View file

@ -27,7 +27,7 @@
home = "/var/lib/nextcloud";
enable = true;
package = pkgs.nextcloud29;
package = pkgs.nextcloud30;
https = true;
secretFile = config.age.secrets."nextcloud-secrets".path; # secret
maxUploadSize = "1G";
@ -45,7 +45,6 @@
dbuser = "nextcloud";
dbtype = "pgsql";
dbname = "nextcloud";
dbtableprefix = "oc_";
};
settings = {

7
modules/nginx-matrix/default.nix
View file

@ -120,6 +120,13 @@ in
extraConfig = commonHeaders;
};
# For IRC appservice media proxy
"/media" = {
priority = 100;
proxyPass = "http://127.0.0.1:${toString (config.services.matrix-appservice-irc.settings.ircService.mediaProxy.bindPort)}";
extraConfig = commonHeaders;
};
# Forward to the auth service
"~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
priority = 100;

4
overlays/default.nix
View file

@ -10,14 +10,14 @@
final: prev:
let
unstable = import inputs.unstable { system = prev.system; };
fork = import inputs.fork { system = prev.system; };
in
{
matrix-authentication-service = fork.matrix-authentication-service;
element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
inherit (inputs) element-stickers maunium-stickerpicker;
};
mastodon = unstable.mastodon;
matrix-authentication-service = unstable.matrix-authentication-service;
}
)
];

BIN
secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age Normal file
View file

Binary file not shown.

45
secrets/matrix-synapse-sliding-sync-secret.age
View file

@ -1,45 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg GPTqfaZZC6ze7BUkT1uF4VslvE29BFKm0+AlJk+DKQQ
GxI7erqw8p3GrCArh5vZOiTmYh40DVisCphNyFhNTqM
-> ssh-ed25519 uYcDNw oo52Nh9BCO5NNF0YyzracKfvMifSiREsxyQqiRZ6WTs
JvqwRX5yOMtEYgWyc7dIQs85wDghMRHQCIi6t5QxIwo
-> ssh-rsa f5THog
w+B5hc0E9u1fFWNNPaTtPmJfPJWUBbRwHYK/T69g2ORNfaBYynl0LL4vSUs8o9Gw
rwBY+cLpth6e4tS819H5C7HtvT47KR3KF8JLxVjA2mbVO83+BnWFjThjYB452CdI
KZvQQPhkSH/43YF6pjxnQjNWB/wroScyjGVtUamcij7YHxt71z0AAnyqE5PgWEc6
6/ao5gLfTKhcWpxkTTz8LHn05s9IppXywDrvpwtJaU8LKgJT2H6Epsaci348lG+I
tAZYODhQqP+yKl92DZbuQQCjxH5CJfhdBs2ZR63hQPj9OrIFRjLg4V+1gdcxzAuz
9FwwIeLq3uxWXPdwTRR8RUsHEGhKMcVty4PkW0vlt+VwZrZBhdz3k+ApVG7Jvclz
MPZYLzKC0DiODqPuA23ye6suFRCHXYfq3ZyCIIN6wOci0X0crSr9ZXW4M8R7aWaZ
XDeZRaUgvd54WI0HZhVWBvJQyswgUXf+/RkS4aI8IgnNV801x12h+mTdWX9BC/cD
YRIWBnGkfTX4WM4OEE2VEgqSDuKl/90o2LFIquIIJULVd2Vs5C2S8FhJcsT7+HmL
TFWnLeIfGbw7RDUeH0c/Bbg9NK11SZF0/VdRZcBQ/zIXBMBlL1EZsH1HfIfhKISN
PyHFB5kfmuVIBhDXgtDdgjKfDmQL9/9Aq1U4ZMBcUKA
-> ssh-rsa kFDS0A
KysKtr7wrKKJ8w+Dj7qjJstyXtKIw9weFi9oVwJkMvy2utn+JARs7puh7KC27TXC
slZJrHf4vx+y8qSjRS0W4z8CPl8/auiYOilepT9JoxwGUP7J/nTr5SCofgWcdZm5
FtgHoCcABjzcF+mrKUofuqrx6oYSDCS0JkV2tClQI6ybXnjRwIIicLmBN9UDHCuU
9ZOesYp5XrJyBoD3Zv51b19xJyOfuWAUQvlNPRH2TpgvisutpESU/o869z5AMn4Z
BfDD/0oR1ALbk/sB3r13Xi6oJZAB2AbggoQRlwvPeWc3MdS+bFNV2o2ue0ov6Fkd
U5C/GnJVlyE0cv9I+YvxtLT6T/Gf/yoUZGfB7xD5QkHpMIEmKxUYqGNBB/NcnFMY
Tal8jMDtZDEk+uk0MahE7GsL6Z3xrkKTevG+Rr3j+beFYie2RJbNwwUyQ1lL3EoA
Rx1AMk+nYlvxVHiciYJNh9nffgAXXwO255IkWvYzmuPBEP1LmqadA4fQPf5Rgj3u
DuOX3hJ+rIyRIoDXOZio3SDf+bb380xCxF+7efJ27Ep0sFviAq5qKeptbyt51Dp8
tlbeYAylhVbV9Zgd+EozwE7Btlfqt3sbUij/0Iy+BdOYSPLmvx3oKybpipZ0i3fo
KR/bZHlMKF1Ipd5L7zEwh5aTjImuomoyRyZG3NWdv44
-> piv-p256 vRzPNw A7FwWUuml/VyHcOmha3R/DOg1RvnRXcwjaJJH/sgmsBR
+CP1/qY8sHbR7nkFl1T5HPsjYLRPDCSR01DEJaim96o
-> piv-p256 zqq/iw AgYhaJWqe+QbVCHkXsU7AQhWhte/fjwVbOgmHVRPHsEE
7jNmDI62i/9RakJhbo3MP0qMgXYGlhAW9BKo8HLWQYc
-> ssh-ed25519 YFSOsg cGPMyhqcd20TDBeMkSDJ8hQ/vE9cuDgVi1hfcwAKVjw
U9GRSr607w5oUGr0rC6XqdWMD65JidY/Ri3Ex1dmGXI
-> ssh-ed25519 iHV63A cW7bblsvL1TwI6lp8KjPfUwB5EzWilLhc6Z2geE3SQw
PzBdZ/LXA7iGI7ZjErredqC7ehHsr5MCY3qENv0nZI8
-> ssh-ed25519 BVsyTA AGDqp6Rrp2vStBU9+eJMGf5O4SZQIASE63n8vbf8PEs
SFakjoivQrFkSUBGZ9sISKVhAxNOpc2RxugiBTSK9/k
-> ssh-ed25519 +3V2lQ MmMv45CQFAdgkV/B7InOY22iXzvIU8TY41SV5Jxx7RQ
vNIRE5wSXVzy4miZLV90T1TEOhOjYQT12GWtZpsTxJ8
--- EBBXvYr1OpETpgXOsUfJn6h1e4rXF+olz6DbhDUWCcw
.Œ
ösÊ~¦—åHͯk 2 ¦À9<C380> ¶§ Bz¤¨?°3ëþTÇJ`§gº¦P°çioÙÜr<C39C>Š€" ØÝöwÒs-K€6©òšfÝ
ß0XÎŒvùXª&£8 š¶gÐ=ÄzrH¥jh>

4
secrets/secrets.nix
View file

@ -67,12 +67,14 @@ in
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys = nachtigallKeys ++ adminKeys;
"staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys;
"staging-matrix-authentication-service-secret-config.yml.age".publicKeys =
undergroundKeys ++ adminKeys;
"staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys =
undergroundKeys ++ adminKeys;
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;

BIN
secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age Normal file
View file

Binary file not shown.

1
tests/support/auth-server.nix
View file

@ -25,6 +25,7 @@ in
"f /tmp/dbf 1777 root root 10d password"
];
virtualisation.cores = 1;
virtualisation.memorySize = 4096;
pub-solar-os.auth = {

1
tests/support/client.nix
View file

@ -28,6 +28,7 @@ in
services.getty.autologinUser = "test-user";
virtualisation.cores = 1;
virtualisation.memorySize = 4096;
virtualisation.qemu.options = [ "-vga std" ];

1
tests/website.nix
View file

@ -25,6 +25,7 @@
./support/global.nix
];
virtualisation.cores = 16;
virtualisation.memorySize = 4096;
networking.interfaces.eth0.ipv4.addresses = [