diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index 3479450..0a62d11 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -18,20 +18,7 @@ jobs: # Prevent cache garbage collection by creating GC roots mkdir -p /var/lib/gitea-runner/tankstelle/.local/state/nix/results - for target in $(nix flake show --json --all-systems | jq --raw-output ' - .["nixosConfigurations"] | - to_entries[] | - .key' - ); do - nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \ - build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$target" ".#nixosConfigurations.${target}.config.system.build.toplevel" - done - - for check in $(nix flake show --json --all-systems | jq --raw-output ' - .checks."x86_64-linux" | - to_entries[] | - .key' - ); do - nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \ - build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$check" ".#checks.x86_64-linux.${check}" - done + sed -i 's/virtualisation.cores .*/virtualisation.cores = 16;/' tests/keycloak.nix + sed -i 's/virtualisation.memorySize .*/virtualisation.memorySize = 16384;/' tests/keycloak.nix + # 1 eval-worker needs about 13GB of memory + nix --accept-flake-config --access-tokens '' develop --command nix-fast-build --no-nom --skip-cached --systems "x86_64-linux" --max-jobs 10 --eval-workers 2 --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/nix-fast-build diff --git a/docs/keycloak/delete-unverified-accounts.md b/docs/keycloak/delete-unverified-accounts.md index cb1ff0c..9f237e3 100644 --- a/docs/keycloak/delete-unverified-accounts.md +++ b/docs/keycloak/delete-unverified-accounts.md 
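Review bot: The two `sed -i` lines rewrite the tracked file `tests/keycloak.nix` inside the CI checkout before `nix-fast-build` runs, so CI evaluates a different keycloak test derivation than a developer gets from `nix flake check` on the same commit, and nothing next to them says why. A comment above the pair would make that intent explicit, e.g. `# CI-only override: this runner can afford a larger keycloak test VM than the defaults in tests/keycloak.nix`; longer term the cores/memory values could be passed through a test argument instead of a regex edit. Because both patterns end in `.*`, they also replace the remainder of the matched line, so any trailing comment on those lines in tests/keycloak.nix is silently dropped. The enclosing `run` step starts before the hunk.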
@@ -12,7 +12,7 @@ Run following after SSH'ing to `nachtigall`. Credentials for the following command are in keepass. Create a keycloak config/credentials file at `/tmp/kcadm.config`: -``` +```bash sudo --user keycloak kcadm.sh config credentials \ --config /tmp/kcadm.config \ --server https://auth.pub.solar \ @@ -22,7 +22,7 @@ sudo --user keycloak kcadm.sh config credentials \ Get list of accounts without a verified email address: -``` +```bash sudo --user keycloak kcadm.sh get \ --config /tmp/kcadm.config \ users \ @@ -35,7 +35,7 @@ Review list of accounts, especially check `createdTimestamp` if any accounts were created in the past 2 days. If so, delete those from the `/tmp/keycloak-unverified-accounts` file. -``` +```bash createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) ) # timestamps are in nanoseconds since epoch, so we need to strip the last three digits @@ -46,17 +46,17 @@ vim /tmp/keycloak-unverified-accounts Check how many accounts are going to be deleted: -``` +```bash jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l ``` -``` +```bash jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids ``` Final check before deletion (dry-run): -``` +```bash for id in $(cat /tmp/keycloak-unverified-account-ids) do echo sudo --user keycloak kcadm.sh delete \ @@ -68,7 +68,7 @@ for id in $(cat /tmp/keycloak-unverified-account-ids) THIS WILL DELETE ACCOUNTS: -``` +```bash for id in $(cat /tmp/keycloak-unverified-account-ids) do sudo --user keycloak kcadm.sh delete \ @@ -77,3 +77,9 @@ for id in $(cat /tmp/keycloak-unverified-account-ids) --realm pub.solar done ``` + +Delete the temp files: + +```bash +sudo rm /tmp/kcadm.config /tmp/keycloak-unverified-accounts /tmp/keycloak-unverified-account-ids +``` diff --git a/flake.lock b/flake.lock index bb217bf..71e15fc 100644 --- a/flake.lock +++ b/flake.lock 
@@ -113,11 +113,11 @@ ] }, "locked": { - "lastModified": 1736711425, - "narHash": "sha256-8hKhPQuMtXfJi+4lPvw3FBk/zSJVHeb726Zo0uF1PP8=", + "lastModified": 1738765162, + "narHash": "sha256-3Z40qHaFScWUCVQrGc4Y+RdoPsh1R/wIh+AN4cTXP0I=", "owner": "nix-community", "repo": "disko", - "rev": "f720e64ec37fa16ebba6354eadf310f81555cc07", + "rev": "ff3568858c54bd306e9e1f2886f0f781df307dff", "type": "github" }, "original": { @@ -204,11 +204,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1736143030, - "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", + "lastModified": 1738453229, + "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", "type": "github" }, "original": { @@ -291,16 +291,16 @@ }, "fork": { "locked": { - "lastModified": 1729963002, - "narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=", + "lastModified": 1738846146, + "narHash": "sha256-cIPiBEspPXQxju2AUZK9kjh6oqea+HkPFqmGv7yUztM=", "owner": "teutat3s", "repo": "nixpkgs", - "rev": "005faaacbeede0296dec5c844f508027ab8a3ff6", + "rev": "e370f40b129e47b08562524ab4f053a172a94273", "type": "github" }, "original": { "owner": "teutat3s", - "ref": "init-matrix-authentication-service-module", + "ref": "init-matrix-authentication-service-module-0.13.0", "repo": "nixpkgs", "type": "github" } 
@@ -312,16 +312,16 @@ ] }, "locked": { - "lastModified": 1726989464, - "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=", + "lastModified": 1736373539, + "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176", + "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.05", + "ref": "release-24.11", "repo": "home-manager", "type": "github" } @@ -358,11 +358,11 @@ ] }, "locked": { - "lastModified": 1731518114, - "narHash": "sha256-h9Wb3VjmXBZwTO3prRweUKwp2H9hZHCQKrkbU+2WPQs=", + "lastModified": 1738012343, + "narHash": "sha256-agMgWwVxXII+RtCqok8ROjzpKJung/5N5f2BVDmMC5Q=", "ref": "main", - "rev": "060ecccc5f8c92a0705ab91ff047811efd559468", - "revCount": 36, + "rev": "4ffd7bc8ea032991756c5e8e8a37b039789045bc", + "revCount": 38, "type": "git", "url": "https://git.pub.solar/pub-solar/keycloak-theme" }, @@ -398,11 +398,11 @@ ] }, "locked": { - "lastModified": 1736819234, - "narHash": "sha256-deQVtIH4UJueELJqluAICUtX7OosD9paTP+5FgbiSwI=", + "lastModified": 1739034224, + "narHash": "sha256-Mj/8jDzh1KNmUhWqEeVlW3hO9MZkxqioJGnmR7rivaE=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "bd921223ba7cdac346477d7ea5204d6f4736fcc6", + "rev": "0b6f96a6b9efcfa8d3cc8023008bcbcd1b9bc1a4", "type": "github" }, "original": { 
@@ -430,14 +430,14 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1735774519, - "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", + "lastModified": 1738452942, + "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" } }, "nixpkgs-lib_2": { @@ -460,16 +460,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1735563628, - "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", + "lastModified": 1738843498, + "narHash": "sha256-7x+Q4xgFj9UxZZO9aUDCR8h4vyYut4zPUvfj3i+jBHE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", + "rev": "f5a32fa27df91dfc4b762671a0e0a859a8a0058f", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.05", + "ref": "nixos-24.11", "repo": "nixpkgs", "type": "github" } @@ -500,22 +500,21 @@ "nixpkgs": [ "unstable" ], - "nixpkgs-24_05": [ + "nixpkgs-24_11": [ "nixpkgs" - ], - "utils": "utils_2" + ] }, "locked": { - "lastModified": 1734885828, - "narHash": "sha256-G0fB1YBlkalu8lLGRB07K8CpUWNVd+unfrjNomSL7SM=", + "lastModified": 1734884447, + "narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "636b82f4175e3f6b1e80d2189bb0469e2ae01a55", + "rev": "63209b1def2c9fc891ad271f474a3464a5833294", "type": "gitlab" }, "original": { "owner": "simple-nixos-mailserver", - "ref": "nixos-24.05", + "ref": "nixos-24.11", "repo": "nixos-mailserver", "type": "gitlab" } 
@@ -595,28 +594,13 @@ "type": "github" } }, - "systems_6": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "unstable": { "locked": { - "lastModified": 1736798957, - "narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=", + "lastModified": 1739020877, + "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3", + "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547", "type": "github" }, "original": { @@ -643,24 +627,6 @@ "repo": "flake-utils", "type": "github" } - }, - "utils_2": { - "inputs": { - "systems": "systems_6" - }, - "locked": { - "lastModified": 1709126324, - "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "d465f4819400de7c8d874d50b982301f28a84605", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 9612b61..30521b4 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,14 +1,14 @@ { inputs = { # Track channels with commits tested and built by hydra - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module"; + fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module-0.13.0"; nix-darwin.url = "github:lnl7/nix-darwin/master"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; - home-manager.url = "github:nix-community/home-manager/release-24.05"; + home-manager.url = "github:nix-community/home-manager/release-24.11"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; flake-parts.url = "github:hercules-ci/flake-parts"; @@ -40,8 +40,8 @@ element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker"; element-stickers.inputs.nixpkgs.follows = "nixpkgs"; - simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; - simple-nixos-mailserver.inputs.nixpkgs-24_05.follows = "nixpkgs"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11"; + simple-nixos-mailserver.inputs.nixpkgs-24_11.follows = "nixpkgs"; simple-nixos-mailserver.inputs.nixpkgs.follows = "unstable"; }; 
@@ -79,12 +79,49 @@ master = import inputs.master { inherit system; }; }; - checks = import ./tests ({ inherit inputs self; } // args); + checks = + let + machinesPerSystem = { + aarch64-linux = [ + "metronom" + ]; + x86_64-linux = [ + "blue-shell" + "delite" + "nachtigall" + "tankstelle" + "trinkgenossin" + "underground" + ]; + }; + nixosMachines = inputs.nixpkgs.lib.mapAttrs' (n: inputs.nixpkgs.lib.nameValuePair "nixos-${n}") ( + inputs.nixpkgs.lib.genAttrs (machinesPerSystem.${system} or [ ]) ( + name: self.nixosConfigurations.${name}.config.system.build.toplevel + ) + ); + nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { }; + testDir = builtins.attrNames (builtins.readDir ./tests); + testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir; + in + builtins.listToAttrs ( + map (x: { + name = "test-${lib.strings.removeSuffix ".nix" x}"; + value = nixos-lib.runTest ( + import (./tests + "/${x}") { + inherit self; + inherit pkgs; + inherit lib; + inherit config; + } + ); + }) testFiles + ) + // nixosMachines; devShells.default = pkgs.mkShell { buildInputs = with pkgs; [ deploy-rs - nixpkgs-fmt + nix-fast-build agenix age-plugin-yubikey cachix @@ -93,9 +130,9 @@ nvfetcher shellcheck shfmt - inputs.unstable.legacyPackages.${system}.treefmt2 + treefmt2 nixos-generators - inputs.unstable.legacyPackages.${system}.opentofu + opentofu terraform-backend-git terraform-ls jq @@ -122,7 +159,7 @@ system: deployLib: deployLib.deployChecks self.deploy ) inputs.deploy-rs.lib; - formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style; + formatter."x86_64-linux" = inputs.nixpkgs.legacyPackages."x86_64-linux".nixfmt-rfc-style; deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations { nachtigall = { diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index 62dc644..11daca5 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix 
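Review bot: In `testFiles`, the pattern `"^.*.nix$"` leaves the dot before `nix` unescaped, so any entry of `tests/` whose name merely ends in `nix` preceded by one arbitrary character would pass the filter, reach `removeSuffix ".nix"` unchanged and then be handed to `import` as if it were a test; the intended filter is `testFiles = builtins.filter (n: builtins.match "^.*\\.nix$" n != null) testDir;`. Note also that `builtins.readDir ./tests` lists subdirectories (the `tests/support/` files changed elsewhere in this commit show one exists), and only the suffix check keeps them out, so a comment such as `# readDir also returns subdirectories (support/); only *.nix entries are tests` would help the next reader. The attribute set enclosing `checks` starts and ends outside the hunk.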
@@ -73,22 +73,24 @@ owner = "matrix-synapse"; }; - age.secrets."matrix-synapse-sliding-sync-secret" = { - file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age"; - mode = "400"; - owner = "matrix-synapse"; - }; - age.secrets."matrix-authentication-service-secret-config.yml" = { file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age"; mode = "400"; owner = "matrix-authentication-service"; }; + # matrix-appservice-irc + age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = { + file = "${flake.self}/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age"; + mode = "400"; + owner = "matrix-appservice-irc"; + }; + pub-solar-os.matrix = { enable = true; + appservice-irc.mediaproxy.signingKeyPath = + config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path; synapse = { - sliding-sync.enable = false; signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; extra-config-files = [ config.age.secrets."matrix-synapse-secret-config.yaml".path diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 100759a..e928436 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -9,12 +9,10 @@ ./networking.nix ./wireguard.nix ./backups.nix - "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix" - "${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix" + "${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix" ]; disabledModules = [ - "services/matrix/matrix-authentication-service.nix " - "services/web-apps/mastodon.nix" + "services/matrix/matrix-authentication-service.nix" ]; } diff --git a/hosts/underground/configuration.nix b/hosts/underground/configuration.nix index ff1c809..49efdfe 100644 --- a/hosts/underground/configuration.nix +++ b/hosts/underground/configuration.nix 
@@ -42,8 +42,17 @@ owner = "matrix-authentication-service"; }; + # matrix-appservice-irc + age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = { + file = "${flake.self}/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age"; + mode = "400"; + owner = "matrix-appservice-irc"; + }; + pub-solar-os.matrix = { enable = true; + appservice-irc.mediaproxy.signingKeyPath = + config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path; synapse = { extra-config-files = [ config.age.secrets."staging-matrix-synapse-secret-config.yaml".path diff --git a/hosts/underground/default.nix b/hosts/underground/default.nix index 5a612a4..99fe5f9 100644 --- a/hosts/underground/default.nix +++ b/hosts/underground/default.nix @@ -7,10 +7,10 @@ ./configuration.nix ./networking.nix - "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix" + "${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix" ]; disabledModules = [ - "services/matrix/matrix-authentication-service.nix " + "services/matrix/matrix-authentication-service.nix" ]; } diff --git a/logins/admins.nix b/logins/admins.nix index fbb23b4..2c31874 100644 --- a/logins/admins.nix +++ b/logins/admins.nix @@ -46,6 +46,14 @@ "fd00:fae:fae:fae:fae:205::/96" ]; } + { + # biolimo + publicKey = "gnLq6KikFVVGxLxPW+3ZnreokEKLDoso+cUepPOZsBA="; + allowedIPs = [ + "10.7.6.206/32" + "fd00:fae:fae:fae:fae:206::/96" + ]; + } ]; }; diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix index 744d618..0de30ba 100644 --- a/modules/forgejo/default.nix +++ b/modules/forgejo/default.nix @@ -65,6 +65,7 @@ services.forgejo = { enable = true; + package = pkgs.forgejo; user = "gitea"; group = "gitea"; database = { 
@@ -75,7 +76,7 @@ }; stateDir = "/var/lib/forgejo"; lfs.enable = true; - mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path; + secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path; settings = { DEFAULT.APP_NAME = "pub.solar git server"; diff --git a/modules/keycloak/default.nix b/modules/keycloak/default.nix index 659c194..59b8e86 100644 --- a/modules/keycloak/default.nix +++ b/modules/keycloak/default.nix @@ -50,7 +50,8 @@ hostname = "auth.${config.pub-solar-os.networking.domain}"; http-host = "127.0.0.1"; http-port = 8080; - proxy = "edge"; + proxy-headers = "xforwarded"; + http-enabled = true; }; themes = { "pub.solar" = diff --git a/modules/matrix-irc/default.nix b/modules/matrix-irc/default.nix index 1b4fa82..c026d8c 100644 --- a/modules/matrix-irc/default.nix +++ b/modules/matrix-irc/default.nix 
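Review bot: `proxy-headers = "xforwarded"` makes Keycloak trust the `X-Forwarded-For`/`X-Forwarded-Proto` headers of every request that reaches port 8080, and `http-enabled = true` accepts plain HTTP on that port; both are only safe because `http-host = "127.0.0.1"` (visible in the context lines) keeps the listener off the network and the reverse proxy in front is expected to overwrite those headers itself. That coupling should be stated next to the settings, e.g. `# Trusts X-Forwarded-* from the local reverse proxy only; keep http-host on loopback`, and it is worth confirming that the nginx side sets rather than appends `X-Forwarded-For`. The enclosing settings block continues outside the hunk.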
@@ -16,111 +16,128 @@ let synapseClientPort = "${toString listenerWithClient.port}"; in { - services.matrix-appservice-irc = { - enable = true; - localpart = "irc_bot"; - port = 8010; - registrationUrl = "http://localhost:8010"; - settings = { - homeserver = { - domain = "${config.pub-solar-os.networking.domain}"; - url = "http://127.0.0.1:${synapseClientPort}"; - media_url = "https://matrix.${config.pub-solar-os.networking.domain}"; - enablePresence = false; + options.pub-solar-os = { + matrix.appservice-irc.mediaproxy = { + signingKeyPath = lib.mkOption { + description = "Path to file containing the IRC appservice mediaproxy signing key"; + type = lib.types.str; + default = "/var/lib/matrix-appservice-irc/media-signingkey.jwk"; }; - ircService = { - ident = { - address = "::"; - enabled = false; - port = 1113; + }; + }; + config = { + services.matrix-appservice-irc = { + enable = true; + localpart = "irc_bot"; + port = 8010; + registrationUrl = "http://localhost:8010"; + settings = { + homeserver = { + domain = "${config.pub-solar-os.networking.domain}"; + url = "http://127.0.0.1:${synapseClientPort}"; + enablePresence = false; }; - logging = { - # set to debug for debugging - level = "warn"; - maxFiles = 5; - toCosole = true; - }; - matrixHandler = { - eventCacheSize = 4096; - }; - metrics = { - enabled = true; - remoteUserAgeBuckets = [ - "1h" - "1d" - "1w" - ]; - }; - provisioning = { - enabled = false; - requestTimeoutSeconds = 300; - }; - servers = - let - commonConfig = { - allowExpiredCerts = false; - botConfig = { - enabled = false; - joinChannelsIfNoUsers = false; - nick = "MatrixBot"; - }; - dynamicChannels = { - createAlias = true; - enabled = true; - federate = true; - joinRule = "public"; - published = true; - }; - ircClients = { - allowNickChanges = true; - concurrentReconnectLimit = 50; - idleTimeout = 10800; - lineLimit = 3; - maxClients = 30; - nickTemplate = "$DISPLAY[m]"; - reconnectIntervalMs = 5000; - }; - matrixClients = { - joinAttempts = 
-1; - }; - membershipLists = { - enabled = true; - floodDelayMs = 10000; - global = { - ircToMatrix = { - incremental = true; - initial = true; - }; - matrixToIrc = { - incremental = true; - initial = true; + ircService = { + ident = { + address = "::"; + enabled = false; + port = 1113; + }; + logging = { + # set to debug for debugging + level = "warn"; + maxFiles = 5; + toCosole = true; + }; + matrixHandler = { + eventCacheSize = 4096; + }; + mediaProxy = { + signingKeyPath = config.pub-solar-os.matrix.appservice-irc.mediaproxy.signingKeyPath; + # keep media for 2 weeks + ttlSeconds = 1209600; + bindPort = 11111; + publicUrl = "https:///matrix.${config.pub-solar-os.networking.domain}/media"; + }; + metrics = { + enabled = true; + remoteUserAgeBuckets = [ + "1h" + "1d" + "1w" + ]; + }; + provisioning = { + enabled = false; + requestTimeoutSeconds = 300; + }; + servers = + let + commonConfig = { + allowExpiredCerts = false; + botConfig = { + enabled = false; + joinChannelsIfNoUsers = false; + nick = "MatrixBot"; + }; + dynamicChannels = { + createAlias = true; + enabled = true; + federate = true; + joinRule = "public"; + published = true; + }; + ircClients = { + allowNickChanges = true; + concurrentReconnectLimit = 50; + idleTimeout = 10800; + lineLimit = 3; + maxClients = 30; + nickTemplate = "$DISPLAY[m]"; + reconnectIntervalMs = 5000; + }; + matrixClients = { + joinAttempts = -1; + }; + membershipLists = { + enabled = true; + floodDelayMs = 10000; + global = { + ircToMatrix = { + incremental = true; + initial = true; + }; + matrixToIrc = { + incremental = true; + initial = true; + }; }; }; + port = 6697; + privateMessages = { + enabled = true; + federate = true; + }; + sasl = false; + sendConnectionMessages = true; + ssl = true; }; - port = 6697; - privateMessages = { - enabled = true; - federate = true; + in + { + "irc.libera.chat" = lib.attrsets.recursiveUpdate commonConfig { + name = "libera"; + dynamicChannels.groupId = "+libera.chat:localhost"; + 
dynamicChannels.aliasTemplate = "#_libera_$CHANNEL"; + matrixClients.displayName = "$NICK (LIBERA-IRC)"; + }; + "irc.scratch-network.net" = lib.attrsets.recursiveUpdate commonConfig { + name = "scratch"; + matrixClients.displayName = "$NICK (SCRATCH-IRC)"; + dynamicChannels.aliasTemplate = "#_scratch_$CHANNEL"; + dynamicChannels.groupId = "+scratch-network.net:localhost"; }; - sasl = false; - sendConnectionMessages = true; - ssl = true; }; - in - { - "irc.libera.chat" = lib.attrsets.recursiveUpdate commonConfig { - name = "libera"; - dynamicChannels.groupId = "+libera.chat:localhost"; - dynamicChannels.aliasTemplate = "#_libera_$CHANNEL"; - matrixClients.displayName = "$NICK (LIBERA-IRC)"; - }; - "irc.scratch-network.net" = lib.attrsets.recursiveUpdate commonConfig { - name = "scratch"; - matrixClients.displayName = "$NICK (SCRATCH-IRC)"; - dynamicChannels.aliasTemplate = "#_scratch_$CHANNEL"; - dynamicChannels.groupId = "+scratch-network.net:localhost"; - }; - }; + }; }; }; }; diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index 53fbb9a..d1b2fc2 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -32,11 +32,6 @@ in type = lib.types.str; default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; }; - - sliding-sync.enable = lib.mkEnableOption { - description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+"; - default = false; - }; }; matrix-authentication-service = { 
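Review bot: `publicUrl = "https:///matrix.${config.pub-solar-os.networking.domain}/media";` in the new `mediaProxy` block has three slashes after the scheme, which leaves the authority empty and will very likely make the media links the appservice hands out unusable; it should read `publicUrl = "https://matrix.${config.pub-solar-os.networking.domain}/media";`. The new `signingKeyPath` option is typed `lib.types.str` with a default under `/var/lib/matrix-appservice-irc`, which fits how the hosts pass an agenix path, but its description should also state the file must be readable by the service user, e.g. `description = "Path to the JWK file holding the IRC appservice mediaproxy signing key; must be readable by the matrix-appservice-irc user";`. The module's `let` bindings start before the hunk.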
@@ -339,18 +334,6 @@ in }; }; - services.matrix-sliding-sync = { - enable = config.pub-solar-os.matrix.synapse.sliding-sync.enable; - settings = { - SYNCV3_SERVER = "https://${publicDomain}"; - SYNCV3_BINDADDR = "127.0.0.1:8011"; - # The bind addr for Prometheus metrics, which will be accessible at - # /metrics at this address - SYNCV3_PROM = "127.0.0.1:9100"; - }; - environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path; - }; - pub-solar-os.backups.restic.matrix-synapse = { paths = [ "/var/lib/matrix-synapse" diff --git a/modules/mediawiki/default.nix b/modules/mediawiki/default.nix index 63367ab..fee2721 100644 --- a/modules/mediawiki/default.nix +++ b/modules/mediawiki/default.nix @@ -211,7 +211,7 @@ in backend = "docker"; containers."mediawiki" = { - image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.42.1"; + image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.42.4"; user = "1000:${builtins.toString gid}"; autoStart = true; diff --git a/modules/nextcloud/default.nix b/modules/nextcloud/default.nix index 662d1ce..9cda818 100644 --- a/modules/nextcloud/default.nix +++ b/modules/nextcloud/default.nix @@ -27,7 +27,7 @@ home = "/var/lib/nextcloud"; enable = true; - package = pkgs.nextcloud29; + package = pkgs.nextcloud30; https = true; secretFile = config.age.secrets."nextcloud-secrets".path; # secret maxUploadSize = "1G"; @@ -45,7 +45,6 @@ dbuser = "nextcloud"; dbtype = "pgsql"; dbname = "nextcloud"; - dbtableprefix = "oc_"; }; settings = { diff --git a/modules/nginx-matrix/default.nix b/modules/nginx-matrix/default.nix index 1d82c10..f6274d8 100644 --- a/modules/nginx-matrix/default.nix +++ b/modules/nginx-matrix/default.nix 
@@ -120,6 +120,13 @@ in extraConfig = commonHeaders; }; + # For IRC appservice media proxy + "/media" = { + priority = 100; + proxyPass = "http://127.0.0.1:${toString (config.services.matrix-appservice-irc.settings.ircService.mediaProxy.bindPort)}"; + extraConfig = commonHeaders; + }; + # Forward to the auth service "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = { priority = 100; diff --git a/overlays/default.nix b/overlays/default.nix index 33f0e1d..02185db 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -10,14 +10,14 @@ final: prev: let unstable = import inputs.unstable { system = prev.system; }; + fork = import inputs.fork { system = prev.system; }; in { + matrix-authentication-service = fork.matrix-authentication-service; element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; }; element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker { inherit (inputs) element-stickers maunium-stickerpicker; }; - mastodon = unstable.mastodon; - matrix-authentication-service = unstable.matrix-authentication-service; } ) ]; diff --git a/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age b/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age new file mode 100644 index 0000000..f38c861 Binary files /dev/null and b/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age differ diff --git a/secrets/matrix-synapse-sliding-sync-secret.age b/secrets/matrix-synapse-sliding-sync-secret.age deleted file mode 100644 index 088e91b..0000000 --- a/secrets/matrix-synapse-sliding-sync-secret.age +++ /dev/null 
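Review bot: The new `"/media"` location is a plain prefix match, so it also captures paths such as `/mediafoo` and everything below `/media`, forwarding them to the IRC media proxy on loopback; if only the proxy's own namespace is meant, `"/media/"` (or `"^~ /media/"` to keep regex locations from overriding it) is the safer key. Since it carries the same `priority = 100` as the regex location that follows, the effective precedence between the two is decided by nginx's own location rules rather than by the module, which deserves a one-line comment next to the key. The enclosing `locations` set starts and ends outside the hunk.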
@@ -1,45 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 iDKjwg GPTqfaZZC6ze7BUkT1uF4VslvE29BFKm0+AlJk+DKQQ -GxI7erqw8p3GrCArh5vZOiTmYh40DVisCphNyFhNTqM --> ssh-ed25519 uYcDNw oo52Nh9BCO5NNF0YyzracKfvMifSiREsxyQqiRZ6WTs -JvqwRX5yOMtEYgWyc7dIQs85wDghMRHQCIi6t5QxIwo --> ssh-rsa f5THog -w+B5hc0E9u1fFWNNPaTtPmJfPJWUBbRwHYK/T69g2ORNfaBYynl0LL4vSUs8o9Gw -rwBY+cLpth6e4tS819H5C7HtvT47KR3KF8JLxVjA2mbVO83+BnWFjThjYB452CdI -KZvQQPhkSH/43YF6pjxnQjNWB/wroScyjGVtUamcij7YHxt71z0AAnyqE5PgWEc6 -6/ao5gLfTKhcWpxkTTz8LHn05s9IppXywDrvpwtJaU8LKgJT2H6Epsaci348lG+I -tAZYODhQqP+yKl92DZbuQQCjxH5CJfhdBs2ZR63hQPj9OrIFRjLg4V+1gdcxzAuz -9FwwIeLq3uxWXPdwTRR8RUsHEGhKMcVty4PkW0vlt+VwZrZBhdz3k+ApVG7Jvclz -MPZYLzKC0DiODqPuA23ye6suFRCHXYfq3ZyCIIN6wOci0X0crSr9ZXW4M8R7aWaZ -XDeZRaUgvd54WI0HZhVWBvJQyswgUXf+/RkS4aI8IgnNV801x12h+mTdWX9BC/cD -YRIWBnGkfTX4WM4OEE2VEgqSDuKl/90o2LFIquIIJULVd2Vs5C2S8FhJcsT7+HmL -TFWnLeIfGbw7RDUeH0c/Bbg9NK11SZF0/VdRZcBQ/zIXBMBlL1EZsH1HfIfhKISN -PyHFB5kfmuVIBhDXgtDdgjKfDmQL9/9Aq1U4ZMBcUKA --> ssh-rsa kFDS0A -KysKtr7wrKKJ8w+Dj7qjJstyXtKIw9weFi9oVwJkMvy2utn+JARs7puh7KC27TXC -slZJrHf4vx+y8qSjRS0W4z8CPl8/auiYOilepT9JoxwGUP7J/nTr5SCofgWcdZm5 -FtgHoCcABjzcF+mrKUofuqrx6oYSDCS0JkV2tClQI6ybXnjRwIIicLmBN9UDHCuU -9ZOesYp5XrJyBoD3Zv51b19xJyOfuWAUQvlNPRH2TpgvisutpESU/o869z5AMn4Z -BfDD/0oR1ALbk/sB3r13Xi6oJZAB2AbggoQRlwvPeWc3MdS+bFNV2o2ue0ov6Fkd -U5C/GnJVlyE0cv9I+YvxtLT6T/Gf/yoUZGfB7xD5QkHpMIEmKxUYqGNBB/NcnFMY -Tal8jMDtZDEk+uk0MahE7GsL6Z3xrkKTevG+Rr3j+beFYie2RJbNwwUyQ1lL3EoA -Rx1AMk+nYlvxVHiciYJNh9nffgAXXwO255IkWvYzmuPBEP1LmqadA4fQPf5Rgj3u -DuOX3hJ+rIyRIoDXOZio3SDf+bb380xCxF+7efJ27Ep0sFviAq5qKeptbyt51Dp8 -tlbeYAylhVbV9Zgd+EozwE7Btlfqt3sbUij/0Iy+BdOYSPLmvx3oKybpipZ0i3fo -KR/bZHlMKF1Ipd5L7zEwh5aTjImuomoyRyZG3NWdv44 --> piv-p256 vRzPNw A7FwWUuml/VyHcOmha3R/DOg1RvnRXcwjaJJH/sgmsBR -+CP1/qY8sHbR7nkFl1T5HPsjYLRPDCSR01DEJaim96o --> piv-p256 zqq/iw AgYhaJWqe+QbVCHkXsU7AQhWhte/fjwVbOgmHVRPHsEE -7jNmDI62i/9RakJhbo3MP0qMgXYGlhAW9BKo8HLWQYc --> ssh-ed25519 YFSOsg cGPMyhqcd20TDBeMkSDJ8hQ/vE9cuDgVi1hfcwAKVjw 
-U9GRSr607w5oUGr0rC6XqdWMD65JidY/Ri3Ex1dmGXI --> ssh-ed25519 iHV63A cW7bblsvL1TwI6lp8KjPfUwB5EzWilLhc6Z2geE3SQw -PzBdZ/LXA7iGI7ZjErredqC7ehHsr5MCY3qENv0nZI8 --> ssh-ed25519 BVsyTA AGDqp6Rrp2vStBU9+eJMGf5O4SZQIASE63n8vbf8PEs -SFakjoivQrFkSUBGZ9sISKVhAxNOpc2RxugiBTSK9/k --> ssh-ed25519 +3V2lQ MmMv45CQFAdgkV/B7InOY22iXzvIU8TY41SV5Jxx7RQ -vNIRE5wSXVzy4miZLV90T1TEOhOjYQT12GWtZpsTxJ8 ---- EBBXvYr1OpETpgXOsUfJn6h1e4rXF+olz6DbhDUWCcw -.� -�s�~���Hͯk� 2 ��9���Bz��?�3��T�J`�g��P��io��r���" ���w�s-K�6��f� -�0XΌv��X�&�8 ��g�=�zrH�jh> \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3678d9b..9bf2f9d 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -67,12 +67,14 @@ in "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; - "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys = nachtigallKeys ++ adminKeys; "staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; "staging-matrix-authentication-service-secret-config.yml.age".publicKeys = undergroundKeys ++ adminKeys; + "staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys = + undergroundKeys ++ adminKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys; "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys; diff --git a/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age b/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age new file mode 100644 index 0000000..8b4a65e Binary files /dev/null and b/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age differ 
diff --git a/tests/support/auth-server.nix b/tests/support/auth-server.nix index b86c6aa..17b05c2 100644 --- a/tests/support/auth-server.nix +++ b/tests/support/auth-server.nix @@ -25,6 +25,7 @@ in "f /tmp/dbf 1777 root root 10d password" ]; + virtualisation.cores = 1; virtualisation.memorySize = 4096; pub-solar-os.auth = { diff --git a/tests/support/client.nix b/tests/support/client.nix index 2c863d3..98986b0 100644 --- a/tests/support/client.nix +++ b/tests/support/client.nix @@ -28,6 +28,7 @@ in services.getty.autologinUser = "test-user"; + virtualisation.cores = 1; virtualisation.memorySize = 4096; virtualisation.qemu.options = [ "-vga std" ]; diff --git a/tests/website.nix b/tests/website.nix index 7598ac1..a46a168 100644 --- a/tests/website.nix +++ b/tests/website.nix @@ -25,6 +25,7 @@ ./support/global.nix ]; + virtualisation.cores = 16; virtualisation.memorySize = 4096; networking.interfaces.eth0.ipv4.addresses = [