From b15f7a38f2b1a8d0c9d07c9ec1c8d9986371aa4e Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Sat, 26 Oct 2024 02:03:31 +0200
Subject: [PATCH] wip: init host underground to test mas related to #242
---
flake.lock | 17 ++
flake.nix | 5 +
hosts/default.nix | 25 +++
hosts/underground/configuration.nix | 155 +++++++++++++++++++
hosts/underground/default.nix | 16 ++
hosts/underground/hardware-configuration.nix | 34 ++++
hosts/underground/networking.nix | 24 +++
modules/matrix/default.nix | 4 +-
overlays/default.nix | 1 +
terraform/dns.tf | 22 ++-
10 files changed, 299 insertions(+), 4 deletions(-)
create mode 100644 hosts/underground/configuration.nix
create mode 100644 hosts/underground/default.nix
create mode 100644 hosts/underground/hardware-configuration.nix
create mode 100644 hosts/underground/networking.nix
diff --git a/flake.lock b/flake.lock
index ae964ea..2eaeddc 100644
--- a/flake.lock
+++ b/flake.lock
@@ -234,6 +234,22 @@
"type": "github"
}
},
+ "fork": {
+ "locked": {
+ "lastModified": 1729895651,
+ "narHash": "sha256-jsDi++W3uhb2lxYU257H4zXVgC6lbJ1hbI4vqqag6lE=",
+ "owner": "teutat3s",
+ "repo": "nixpkgs",
+ "rev": "e60ba9494f5783468e1aab1a490cf764a24ca0c0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "teutat3s",
+ "ref": "init-matrix-authentication-service-module",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -354,6 +370,7 @@
"element-stickers": "element-stickers",
"element-themes": "element-themes",
"flake-parts": "flake-parts",
+ "fork": "fork",
"home-manager": "home-manager",
"keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
"maunium-stickerpicker": "maunium-stickerpicker",
diff --git a/flake.nix b/flake.nix
index a417b49..923092c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,7 @@
# Track channels with commits tested and built by hydra
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";
nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
@@ -152,6 +153,10 @@
hostname = "tankstelle.wg.pub.solar";
sshUser = username;
};
+ underground = {
+ hostname = "80.244.242.3";
+ sshUser = username;
+ };
trinkgenossin = {
hostname = "trinkgenossin.wg.pub.solar";
sshUser = username;
diff --git a/hosts/default.nix b/hosts/default.nix
index 6f159d0..ae1cde5 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -178,6 +178,31 @@
self.nixosModules.nginx
];
};
+
+ underground = self.inputs.nixpkgs.lib.nixosSystem {
+ specialArgs = {
+ flake = {
+ inherit self inputs config;
+ };
+ };
+ modules = [
+ self.inputs.agenix.nixosModules.default
+ self.nixosModules.home-manager
+ ./underground
+ self.nixosModules.overlays
+ self.nixosModules.unlock-luks-on-boot
+ self.nixosModules.core
+
+ self.nixosModules.backups
+ self.nixosModules.keycloak
+ self.nixosModules.postgresql
+ self.nixosModules.matrix
+ self.nixosModules.matrix-irc
+ self.nixosModules.matrix-telegram
+ self.nixosModules.nginx
+ self.nixosModules.nginx-matrix
+ ];
+ };
};
};
}
diff --git a/hosts/underground/configuration.nix b/hosts/underground/configuration.nix
new file mode 100644
index 0000000..fca294f
--- /dev/null
+++ b/hosts/underground/configuration.nix
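Review bot: `underground.hostname` is the bare public address `80.244.242.3`, whereas the neighbouring deploy targets (`tankstelle.wg.pub.solar`, `trinkgenossin.wg.pub.solar`) are reached through their WireGuard names, so deploys to this host go over the public interface and the entry goes stale if the address ever changes. If the host is meant to join the mesh, `hostname = "underground.wg.pub.solar";` keeps the list uniform; if the public IP is deliberate for bootstrapping, a comment such as `# wip: no wireguard peer yet, deploy via public IP` stops the next reader from "fixing" it. In the first hunk, `fork.url` tracks a branch ref rather than a commit, which flake.lock pins today but which will move on the next `nix flake update`; a comment pointing at the upstream change the branch carries would make that an informed update rather than a surprise.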
@@ -0,0 +1,155 @@
+{
+ flake,
+ config,
+ pkgs,
+ ...
+}:
+{
+ # Use GRUB2 as the boot loader.
+ boot.loader.grub = {
+ enable = true;
+ devices = [ "/dev/vda" ];
+ };
+
+ pub-solar-os.networking.domain = "test.pub.solar";
+
+ systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];
+
+ pub-solar-os.auth = {
+ enable = true;
+ database-password-file = "/tmp/dbf";
+ };
+ services.keycloak.database.createLocally = true;
+
+ services.matrix-authentication-service = {
+ enable = true;
+ createDatabase = true;
+ extraConfigFiles = [(pkgs.writeText "mas-extra-config.yml" ''
+secrets:
+ encryption: 85c39ce195bd01d17b583687edf20ae09eede66f4ce043f15afc2afa719249c9
+ keys:
+ - kid: LYeYXYzVil
+ key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIEpAIBAAKCAQEA1l1iXIE9yFksgKmJ58hk9oj7UQ4iX5HX9Ll/EUDCRu+fuPuB
+ kYnski19RNoVIWQt3f8HYTeQLF1vhvj9AKFw+F0jklkC8/YrHzNPiB7LS08X4+K8
+ 1DW+YI7EY0u0iB+uaChHvK8zYrk+qRmH0OGR7LdXRNqM75xMglkcnMagFbc/3ipO
+ 47SgHFaUGkM62epeQPIsJq6BicxCyH/LhoccUtnj5+EOAF+eo8QPRj+ISfDdCebS
+ L7iYnpECFggVlexgbVRfeFtxDfHu5hpxjKwbTKYjDLMrZwlI0js4ZN9qchREAJ21
+ km4Xq4bqP+Pf0QiaEjeoqF/ZMmCFYY2gT3DSUQIDAQABAoIBAHLwd4EqOzplthr2
+ zN7e8GPQZxC7B2s/BBBQNfXGR2VJrta85GhpD9QBWB3G4XWaBY325LoX1NI090vj
+ zaS865oANsaNu6ub3ttH4+kUueSTcDfcp2sRthaH9n1XZmFmu1lV38EoH+FbemGp
+ Ms2pZVkLpVth5BfGMq/hoBnf1o5NTACSHd2InQnUQAbY16NvYZiY37hI3LllyIPI
+ z7hBvFcRf2JD3Bn7nmV+lTBOtcYA5f6ZrO0V2Ah75AGb6QAUSWgV9edqXkp6OmAV
+ jcVqfVsPwoPRpaarQ4M1lcvhYgwBKuUXFtcNPqqNk9ldYuYy/UW4E+psRrXkwvs2
+ 50TB78ECgYEA3nx7XBZhYrvUEqLUYeIRhnRGoY0/snyjAMibl6NoJZLpyrk+b70x
+ Dh1k6LY9RwLfxRHDqnnHy9YY5Iu9QBTBYud8dD0JNOUUC8QWYV1G7AYLS9oe8kM5
+ z4aWhgNR3a9DidPQtv2SyK+1ZmGhB80T7nDlsK17fjjTUnj7lMhgnbUCgYEA9qe4
+ zzHfCZsDwoPPuMuAkZIjRxnwReY9fyAGGMdW4VrOgrOyVj4dDF0/R8p3LlS+TiUw
+ 6bVlWqbP+H3Zkx9VaH7EUmiTFulshi/MxSBizdj4SHDhYHK+4H5PkeDusMTGAvOk
+ QaXB8ZbulHT3mdUc8lHucRHw2TIs8O8zaFBMo60CgYEAyCsxBYnxNlaNF/M9p48w
+ e0qT3XdqjphKQ0M5kXVoFx4Vj9mYTgnmX6+cgS6s9P2l+/TemLsWQdMu9DixHT1P
+
PD/OnfnoFZngrjFOfWzhiSpq8WSeIRLQqWCKfqnv9sZfulpC1tBPRpWnXCSML6uX
+ uhgC3zFGASr5HaNRneul2V0CgYBbkYSQlwkgPcY1jk2tYw9F+6TRHpYOvR0TdsYM
+ qOReISINb7zDO6f5ER0O/+Ei+B72T+RKvybzcn4+2CnP7o/8jSNBHMWOefXqExDI
+ Fe/YT7ZM3mstLSwjl4DevUyfn02LhvvxyyGnGMtVnd7V40Ity7DjlS9+0pvQjlzd
+ WwI4uQKBgQDQA3JSEl95T2nYmmlvX8a5rSNSSK/d6GRDvaNFAk659Jf3X2aYpHFM
+ TRO5t2EDIrBCpgBG2Tj9yOnm9Zht/T+783ziQ/6p2q1QX7Lfr6MiwnND4Cw0ZvYL
+ 9xDiujZMtAEaEiz0a6pfHn/EfTA6Qvw/KYFmtXFGa+KuOwX4KgFlwQ==
+ -----END RSA PRIVATE KEY-----
+ - kid: cdMTgbM9rx
+ key: |
+ -----BEGIN EC PRIVATE KEY-----
+ MHcCAQEEIOlSK0D4WKNjPrfxojWNJSoFzYJ7TUNC4qVv0C3b+LSioAoGCCqGSM49
+ AwEHoUQDQgAE0lqYrp1gpDmCZASZ1L7Y5r0Kk9kbv6Qjn8FXzP4ujnFN8tFkHsun
+ MqmeW3j5Qmtw24gcEU1IPW6QwMz/ozosWQ==
+ -----END EC PRIVATE KEY-----
+ - kid: Hb1P9OK0rc
+ key: |
+ -----BEGIN EC PRIVATE KEY-----
+ MIGkAgEBBDAuDEN6zp1bBf2R3bBEKn8yGKlkV8jfNe1lZ1yvfsVWBPbVBoxJcEWG
+ krR1vBYdtjSgBwYFK4EEACKhZANiAAThozHhNOUZcybKe7W9K5zVZIXgmM3Fze/e
+ s6bHLpwPR1EEYNARPW7aLPPjf4d+iPXW5y6J0KCKvaXWvFAM9eL6a8X/W93VZmgO
+ 8A9QN/PWOUz2ZOsp1xLWvgmZl4zHYNw=
+ -----END EC PRIVATE KEY-----
+ - kid: NpIOF10t5M
+ key: |
+ -----BEGIN EC PRIVATE KEY-----
+ MHQCAQEEIP3Vit8kpPw+JxnPLviS7+bM1EAJquG+0HFN6MT4Q1eDoAcGBSuBBAAK
+ oUQDQgAE2rnrYryxmN3RAgwh9JqrS7/cft592o9dG6C7sUloIpYcZVmZsVGpOUzB
+ UMyVVDVWwkAdxfASbDGu4yiSwy9uEw==
+ -----END EC PRIVATE KEY-----
+
+ '')];
+ settings = {
+ http.listeners = [
+ {
+ name = "web";
+ resources = [
+ { name = "discovery"; }
+ { name = "human"; }
+ { name = "oauth"; }
+ { name = "compat"; }
+ { name = "graphql"; }
+ { name = "assets"; path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; }
+ ];
+ binds = [
+ { host = "0.0.0.0"; port = 8090; }
+ ];
+ proxy_protocol = false;
+ }
+ {
+ name = "internal";
+ resources = [
+ { name = "health"; }
+ ];
+ binds = [
+ { host = "0.0.0.0"; port = 8081; }
+ ];
+ proxy_protocol = false;
+ }
+ ];
+ clients = [ {
+ client_id = "0000000000000000000SYNAPSE";
+
client_auth_method = "client_secret_basic";
+ client_secret = "unsecure123";
+ } ];
+ matrix = {
+ homeserver = config.services.matrix-synapse.settings.server_name;
+ secret = "unsecure123";
+ endpoint = "https://localhost:8448";
+ };
+ upstream_oauth2 = {
+ providers = [
+ {
+ id = "01H8PKNWKKRPCBW4YGH1RWV279";
+ issuer = "https:///realms/";
+ token_endpoint_auth_method = "client_secret_basic";
+ client_id = "matrix-authentication-service";
+ client_secret = "";
+ scope = "openid profile email";
+ claims_imports = {
+ localpart = {
+ action = "require";
+ template = "{{ user.preferred_username }}";
+ };
+ displayname = {
+ action = "suggest";
+ template = "{{ user.name }}";
+ };
+ email = {
+ action = "suggest";
+ template = "{{ user.email }}";
+ set_email_verification = "always";
+ };
+ };
+ }
+ ];
+ };
+ };
+ };
+
+ services.openssh.openFirewall = true;
+
+ system.stateVersion = "24.05";
+}
diff --git a/hosts/underground/default.nix b/hosts/underground/default.nix
new file mode 100644
index 0000000..5a612a4
--- /dev/null
+++ b/hosts/underground/default.nix
@@ -0,0 +1,16 @@
+{ flake, ... }:
+
+{
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./configuration.nix
+
+ ./networking.nix
+ "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
+ ];
+
+ disabledModules = [
+ "services/matrix/matrix-authentication-service.nix "
+ ];
+}
diff --git a/hosts/underground/hardware-configuration.nix b/hosts/underground/hardware-configuration.nix
new file mode 100644
index 0000000..e4738a1
--- /dev/null
+++ b/hosts/underground/hardware-configuration.nix
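Review bot: The MAS `secrets.encryption` value, the four signing private keys under `secrets.keys`, and both `unsecure123` shared secrets are passed through `pkgs.writeText`, so they land in the world-readable Nix store on the host and, via this commit, in repository history; the host already imports `self.inputs.agenix.nixosModules.default` and the matrix module reads `config.age.secrets.<name>.path`, so the YAML should be an age secret instead, e.g. `extraConfigFiles = [ config.age.secrets."mas-config".path ];` (secret name is a placeholder). Even on a test host, treat the committed keys and the encryption value as burned and regenerate them before this configuration is reused. The tmpfiles rule `f /tmp/dbf 1777 root root 10d password` creates a world-writable file holding the literal database password, which any local user can read or replace before keycloak consumes it; `pub-solar-os.auth.database-password-file` should point at an age secret as well. The `upstream_oauth2` provider entry still has `issuer = "https:///realms/";` and `client_secret = "";`, which looks like a template that has not been filled in, so a `# TODO` comment there would mark it as intentionally incomplete rather than a typo.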
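Review bot: The `disabledModules` entry `"services/matrix/matrix-authentication-service.nix "` has a trailing space inside the string, so it does not match the module path it is meant to disable; while the pinned nixpkgs has no module at that path this is harmless, but as soon as it does, the fork's module and the upstream one would both declare `services.matrix-authentication-service` and evaluation would presumably fail on the conflicting declaration. Drop the space: `"services/matrix/matrix-authentication-service.nix"`. The import path has a doubled slash in `services//matrix/`, which resolves but reads like a typo: `"${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"`. A comment naming the upstream change the `init-matrix-authentication-service-module` branch carries would tell the next maintainer when the `fork` input and this override can be removed.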
@@ -0,0 +1,34 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ boot.initrd.luks.devices."cryptroot" = {
+ device = "/dev/disk/by-label/cryptroot";
+ };
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-label/root";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-label/swap"; }
+ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/underground/networking.nix b/hosts/underground/networking.nix
new file mode 100644
index 0000000..3085c7b
--- /dev/null
+++ b/hosts/underground/networking.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ pkgs,
+ flake,
+ ...
+}:
+{
+
+ networking.hostName = "underground";
+
+ networking = {
+ defaultGateway = {
+ address = "80.244.242.1";
+ interface = "enp1s0";
+ };
+ nameservers = ["95.129.51.51" "80.244.244.244"];
+ interfaces.enp1s0 = {
+ useDHCP = false;
+ ipv4.addresses = [
+ { address = "80.244.242.3"; prefixLength = 29; }
+ ];
+ };
+ };
+}
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
index 3165911..6cffd5e 100644
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@@ -284,7 +284,7 @@ in
environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
};
- services.restic.backups.matrix-synapse-storagebox = {
+ pub-solar-os.backups.restic.keycloak = {
paths = [
"/var/lib/matrix-synapse"
"/var/lib/matrix-appservice-irc"
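Review bot: The module header of networking.nix binds `config`, `pkgs` and `flake`, but nothing in the body uses them, so `{ ... }:` would do and would not suggest a dependency that is not there. `networking.hostName` is set on its own line just before the `networking = { ... }` attribute set; folding it in as `hostName = "underground";` keeps the file to one block. Only IPv4 is configured here while the preceding record in terraform/dns.tf is an AAAA for another host; if this VM has no IPv6, a one-line comment saying so saves the next reader from looking for it.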
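Review bot: The job is renamed to `pub-solar-os.backups.restic.keycloak` although it backs up `/var/lib/matrix-synapse` and the appservice directories, which reads like a copy-paste from the keycloak module; if that module defines the same attribute, Nix merges the two definitions (list options such as `paths` are concatenated, scalar options conflict) instead of keeping two separate jobs. A name that matches the contents avoids that: `pub-solar-os.backups.restic.matrix-synapse = {`. The second hunk of this file drops `passwordFile` and `repository`, presumably because the `pub-solar-os.backups.restic` option set now supplies them; a short comment on the job saying where the repository and password come from would help, since the job body continues outside both hunks.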
@@ -295,8 +295,6 @@ in
OnCalendar = "*-*-* 05:00:00 Etc/UTC";
};
initialize = true;
- passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
- repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
'';
diff --git a/overlays/default.nix b/overlays/default.nix
index 50ede5d..33f0e1d 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -17,6 +17,7 @@
inherit (inputs) element-stickers maunium-stickerpicker;
};
mastodon = unstable.mastodon;
+ matrix-authentication-service = unstable.matrix-authentication-service;
}
)
];
diff --git a/terraform/dns.tf b/terraform/dns.tf
index d4a8d43..b52e366 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -332,10 +332,30 @@ resource "namecheap_domain_records" "pub-solar" {
type = "AAAA"
address = "2a01:4f8:172:1c25::1"
}
+ record {
+ hostname = "underground"
+ type = "A"
+ address = "80.244.242.3"
+ }
record {
hostname = "matrix.test"
type = "CNAME"
- address = "nachtigall.pub.solar."
+ address = "underground.pub.solar."
+ }
+ record {
+ hostname = "chat.test"
+ type = "CNAME"
+ address = "underground.pub.solar."
+ }
+ record {
+ hostname = "stickers.chat.test"
+ type = "CNAME"
+ address = "underground.pub.solar."
+ }
+ record {
+ hostname = "auth.test"
+ type = "CNAME"
+ address = "underground.pub.solar."
}
# SRV records can only be changed via NameCheap Web UI # add comment