wip: init host underground to test mas

related to #242

flake.lock

@@ -234,6 +234,22 @@
         "type": "github"
       }
     },
+    "fork": {
+      "locked": {
+        "lastModified": 1729895651,
+        "narHash": "sha256-jsDi++W3uhb2lxYU257H4zXVgC6lbJ1hbI4vqqag6lE=",
+        "owner": "teutat3s",
+        "repo": "nixpkgs",
+        "rev": "e60ba9494f5783468e1aab1a490cf764a24ca0c0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "teutat3s",
+        "ref": "init-matrix-authentication-service-module",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -354,6 +370,7 @@
         "element-stickers": "element-stickers",
         "element-themes": "element-themes",
         "flake-parts": "flake-parts",
+        "fork": "fork",
         "home-manager": "home-manager",
         "keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
         "maunium-stickerpicker": "maunium-stickerpicker",

flake.nix

@@ -3,6 +3,7 @@
     # Track channels with commits tested and built by hydra
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
     unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";
 
     nix-darwin.url = "github:lnl7/nix-darwin/master";
     nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
@@ -152,6 +153,10 @@
               hostname = "tankstelle.wg.pub.solar";
               sshUser = username;
             };
+            underground = {
+              hostname = "80.244.242.3";
+              sshUser = username;
+            };
             trinkgenossin = {
               hostname = "trinkgenossin.wg.pub.solar";
               sshUser = username;

hosts/default.nix

@@ -178,6 +178,31 @@
           self.nixosModules.nginx
         ];
       };
+
+      underground = self.inputs.nixpkgs.lib.nixosSystem {
+        specialArgs = {
+          flake = {
+            inherit self inputs config;
+          };
+        };
+        modules = [
+          self.inputs.agenix.nixosModules.default
+          self.nixosModules.home-manager
+          ./underground
+          self.nixosModules.overlays
+          self.nixosModules.unlock-luks-on-boot
+          self.nixosModules.core
+
+          self.nixosModules.backups
+          self.nixosModules.keycloak
+          self.nixosModules.postgresql
+          self.nixosModules.matrix
+          self.nixosModules.matrix-irc
+          self.nixosModules.matrix-telegram
+          self.nixosModules.nginx
+          self.nixosModules.nginx-matrix
+        ];
+      };
     };
   };
 }

hosts/underground/configuration.nix

@@ -0,0 +1,155 @@
+{
+  flake,
+  config,
+  pkgs,
+  ...
+}:
+{
+  # Use GRUB2 as the boot loader.
+  boot.loader.grub = {
+    enable = true;
+    devices = [ "/dev/vda" ];
+  };
+
+  pub-solar-os.networking.domain = "test.pub.solar";
+
+  systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];
+
+  pub-solar-os.auth = {
+    enable = true;
+    database-password-file = "/tmp/dbf";
+  };
+  services.keycloak.database.createLocally = true;
+
+  services.matrix-authentication-service = {
+    enable = true;
+    createDatabase = true;
+    extraConfigFiles = [(pkgs.writeText "mas-extra-config.yml" ''
+secrets:
+  encryption: 85c39ce195bd01d17b583687edf20ae09eede66f4ce043f15afc2afa719249c9
+  keys:
+  - kid: LYeYXYzVil
+    key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      MIIEpAIBAAKCAQEA1l1iXIE9yFksgKmJ58hk9oj7UQ4iX5HX9Ll/EUDCRu+fuPuB
+      kYnski19RNoVIWQt3f8HYTeQLF1vhvj9AKFw+F0jklkC8/YrHzNPiB7LS08X4+K8
+      1DW+YI7EY0u0iB+uaChHvK8zYrk+qRmH0OGR7LdXRNqM75xMglkcnMagFbc/3ipO
+      47SgHFaUGkM62epeQPIsJq6BicxCyH/LhoccUtnj5+EOAF+eo8QPRj+ISfDdCebS
+      L7iYnpECFggVlexgbVRfeFtxDfHu5hpxjKwbTKYjDLMrZwlI0js4ZN9qchREAJ21
+      km4Xq4bqP+Pf0QiaEjeoqF/ZMmCFYY2gT3DSUQIDAQABAoIBAHLwd4EqOzplthr2
+      zN7e8GPQZxC7B2s/BBBQNfXGR2VJrta85GhpD9QBWB3G4XWaBY325LoX1NI090vj
+      zaS865oANsaNu6ub3ttH4+kUueSTcDfcp2sRthaH9n1XZmFmu1lV38EoH+FbemGp
+      Ms2pZVkLpVth5BfGMq/hoBnf1o5NTACSHd2InQnUQAbY16NvYZiY37hI3LllyIPI
+      z7hBvFcRf2JD3Bn7nmV+lTBOtcYA5f6ZrO0V2Ah75AGb6QAUSWgV9edqXkp6OmAV
+      jcVqfVsPwoPRpaarQ4M1lcvhYgwBKuUXFtcNPqqNk9ldYuYy/UW4E+psRrXkwvs2
+      50TB78ECgYEA3nx7XBZhYrvUEqLUYeIRhnRGoY0/snyjAMibl6NoJZLpyrk+b70x
+      Dh1k6LY9RwLfxRHDqnnHy9YY5Iu9QBTBYud8dD0JNOUUC8QWYV1G7AYLS9oe8kM5
+      z4aWhgNR3a9DidPQtv2SyK+1ZmGhB80T7nDlsK17fjjTUnj7lMhgnbUCgYEA9qe4
+      zzHfCZsDwoPPuMuAkZIjRxnwReY9fyAGGMdW4VrOgrOyVj4dDF0/R8p3LlS+TiUw
+      6bVlWqbP+H3Zkx9VaH7EUmiTFulshi/MxSBizdj4SHDhYHK+4H5PkeDusMTGAvOk
+      QaXB8ZbulHT3mdUc8lHucRHw2TIs8O8zaFBMo60CgYEAyCsxBYnxNlaNF/M9p48w
+      e0qT3XdqjphKQ0M5kXVoFx4Vj9mYTgnmX6+cgS6s9P2l+/TemLsWQdMu9DixHT1P
+      PD/OnfnoFZngrjFOfWzhiSpq8WSeIRLQqWCKfqnv9sZfulpC1tBPRpWnXCSML6uX
+      uhgC3zFGASr5HaNRneul2V0CgYBbkYSQlwkgPcY1jk2tYw9F+6TRHpYOvR0TdsYM
+      qOReISINb7zDO6f5ER0O/+Ei+B72T+RKvybzcn4+2CnP7o/8jSNBHMWOefXqExDI
+      Fe/YT7ZM3mstLSwjl4DevUyfn02LhvvxyyGnGMtVnd7V40Ity7DjlS9+0pvQjlzd
+      WwI4uQKBgQDQA3JSEl95T2nYmmlvX8a5rSNSSK/d6GRDvaNFAk659Jf3X2aYpHFM
+      TRO5t2EDIrBCpgBG2Tj9yOnm9Zht/T+783ziQ/6p2q1QX7Lfr6MiwnND4Cw0ZvYL
+      9xDiujZMtAEaEiz0a6pfHn/EfTA6Qvw/KYFmtXFGa+KuOwX4KgFlwQ==
+      -----END RSA PRIVATE KEY-----
+  - kid: cdMTgbM9rx
+    key: |
+      -----BEGIN EC PRIVATE KEY-----
+      MHcCAQEEIOlSK0D4WKNjPrfxojWNJSoFzYJ7TUNC4qVv0C3b+LSioAoGCCqGSM49
+      AwEHoUQDQgAE0lqYrp1gpDmCZASZ1L7Y5r0Kk9kbv6Qjn8FXzP4ujnFN8tFkHsun
+      MqmeW3j5Qmtw24gcEU1IPW6QwMz/ozosWQ==
+      -----END EC PRIVATE KEY-----
+  - kid: Hb1P9OK0rc
+    key: |
+      -----BEGIN EC PRIVATE KEY-----
+      MIGkAgEBBDAuDEN6zp1bBf2R3bBEKn8yGKlkV8jfNe1lZ1yvfsVWBPbVBoxJcEWG
+      krR1vBYdtjSgBwYFK4EEACKhZANiAAThozHhNOUZcybKe7W9K5zVZIXgmM3Fze/e
+      s6bHLpwPR1EEYNARPW7aLPPjf4d+iPXW5y6J0KCKvaXWvFAM9eL6a8X/W93VZmgO
+      8A9QN/PWOUz2ZOsp1xLWvgmZl4zHYNw=
+      -----END EC PRIVATE KEY-----
+  - kid: NpIOF10t5M
+    key: |
+      -----BEGIN EC PRIVATE KEY-----
+      MHQCAQEEIP3Vit8kpPw+JxnPLviS7+bM1EAJquG+0HFN6MT4Q1eDoAcGBSuBBAAK
+      oUQDQgAE2rnrYryxmN3RAgwh9JqrS7/cft592o9dG6C7sUloIpYcZVmZsVGpOUzB
+      UMyVVDVWwkAdxfASbDGu4yiSwy9uEw==
+      -----END EC PRIVATE KEY-----
+
+        '')];
+    settings = {
+      http.listeners = [
+        {
+          name = "web";
+          resources = [
+            { name = "discovery"; }
+            { name = "human"; }
+            { name = "oauth"; }
+            { name = "compat"; }
+            { name = "graphql"; }
+            { name = "assets"; path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; }
+          ];
+          binds = [
+            { host = "0.0.0.0"; port = 8090; }
+          ];
+          proxy_protocol = false;
+        }
+        {
+          name = "internal";
+          resources = [
+            { name = "health"; }
+          ];
+          binds = [
+            { host = "0.0.0.0"; port = 8081; }
+          ];
+          proxy_protocol = false;
+        }
+      ];
+      clients = [ {
+        client_id = "0000000000000000000SYNAPSE";
+        client_auth_method = "client_secret_basic";
+        client_secret = "unsecure123";
+      } ];
+      matrix = {
+        homeserver = config.services.matrix-synapse.settings.server_name;
+        secret = "unsecure123";
+        endpoint = "https://localhost:8448";
+      };
+      upstream_oauth2 = {
+        providers = [
+          {
+            id = "01H8PKNWKKRPCBW4YGH1RWV279";
+            issuer = "https://<keycloak>/realms/<realm>";
+            token_endpoint_auth_method = "client_secret_basic";
+            client_id = "matrix-authentication-service";
+            client_secret = "<client-secret>";
+            scope = "openid profile email";
+            claims_imports = {
+              localpart = {
+                action = "require";
+                template = "{{ user.preferred_username }}";
+              };
+              displayname = {
+                action = "suggest";
+                template = "{{ user.name }}";
+              };
+              email = {
+                action = "suggest";
+                template = "{{ user.email }}";
+                set_email_verification = "always";
+              };
+            };
+          }
+        ];
+      };
+    };
+  };
+
+  services.openssh.openFirewall = true;
+
+  system.stateVersion = "24.05";
+}

hosts/underground/default.nix

@@ -0,0 +1,16 @@
+{ flake, ... }:
+
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./configuration.nix
+
+    ./networking.nix
+    "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
+  ];
+
+  disabledModules = [
+    "services/matrix/matrix-authentication-service.nix "
+  ];
+}

hosts/underground/hardware-configuration.nix

@@ -0,0 +1,34 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-label/cryptroot";
+  };
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-label/root";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-label/boot";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-label/swap"; }
+    ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/underground/networking.nix

@@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+
+  networking.hostName = "underground";
+
+  networking = {
+    defaultGateway = {
+      address = "80.244.242.1";
+      interface = "enp1s0";
+    };
+    nameservers = ["95.129.51.51" "80.244.244.244"];
+    interfaces.enp1s0 = {
+      useDHCP = false;
+      ipv4.addresses = [
+        { address = "80.244.242.3"; prefixLength = 29; }
+      ];
+    };
+  };
+}

modules/matrix/default.nix

@@ -284,7 +284,7 @@ in
     environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
   };
 
-  services.restic.backups.matrix-synapse-storagebox = {
+  pub-solar-os.backups.restic.keycloak = {
     paths = [
       "/var/lib/matrix-synapse"
       "/var/lib/matrix-appservice-irc"
@@ -295,8 +295,6 @@ in
       OnCalendar = "*-*-* 05:00:00 Etc/UTC";
     };
     initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
-    repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
     backupPrepareCommand = ''
       ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
     '';

overlays/default.nix

@@ -17,6 +17,7 @@
                   inherit (inputs) element-stickers maunium-stickerpicker;
                 };
                 mastodon = unstable.mastodon;
+                matrix-authentication-service = unstable.matrix-authentication-service;
               }
             )
           ];

terraform/dns.tf

@@ -332,10 +332,30 @@ resource "namecheap_domain_records" "pub-solar" {
     type     = "AAAA"
     address  = "2a01:4f8:172:1c25::1"
   }
+  record {
+    hostname = "underground"
+    type     = "A"
+    address  = "80.244.242.3"
+  }
   record {
     hostname = "matrix.test"
     type     = "CNAME"
-    address  = "nachtigall.pub.solar."
+    address  = "underground.pub.solar."
+  }
+  record {
+    hostname = "chat.test"
+    type     = "CNAME"
+    address  = "underground.pub.solar."
+  }
+  record {
+    hostname = "stickers.chat.test"
+    type     = "CNAME"
+    address  = "underground.pub.solar."
+  }
+  record {
+    hostname = "auth.test"
+    type     = "CNAME"
+    address  = "underground.pub.solar."
   }
   # SRV records can only be changed via NameCheap Web UI
   # add comment