From 8dfd30b3330abc9b9da57b058b3b5e198f843a56 Mon Sep 17 00:00:00 2001 From: Nathan McCarty Date: Thu, 27 Mar 2025 02:13:19 -0400 Subject: [PATCH 1/7] Initial conduit container setup --- nixos/machines/driftwood/configuration.nix | 29 +++++++++++-- .../machines/driftwood/containers/conduit.nix | 41 +++++++++++++++++++ nixos/machines/driftwood/machine.nix | 1 + 3 files changed, 67 insertions(+), 4 deletions(-) create mode 100644 nixos/machines/driftwood/containers/conduit.nix diff --git a/nixos/machines/driftwood/configuration.nix b/nixos/machines/driftwood/configuration.nix index f04a9a0..79740d7 100644 --- a/nixos/machines/driftwood/configuration.nix +++ b/nixos/machines/driftwood/configuration.nix @@ -1,10 +1,12 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page, on # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ config, lib, pkgs, ... }: - { + config, + lib, + pkgs, + ... +}: { # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; @@ -15,6 +17,25 @@ i18n.defaultLocale = "en_US.UTF-8"; system.stateVersion = "24.11"; # Did you read the comment? + networking.nat = { + enable = true; + internalInterfaces = ["ve-+"]; + externalInterface = "enp5s0f0"; + # Lazy IPv6 connectivity for the container + enableIPv6 = true; + }; + # Nginx configuration + # Configure automated TLS acquisition/renewal + security.acme = { + acceptTerms = true; + defaults = { + email = "admin@stranger.systems"; + }; + }; + + # ACME data must be readable by the NGINX user + # users.users.nginx.extraGroups = [ + # "acme" + # ]; } - diff --git a/nixos/machines/driftwood/containers/conduit.nix b/nixos/machines/driftwood/containers/conduit.nix new file mode 100644 index 0000000..a519334 --- /dev/null +++ b/nixos/machines/driftwood/containers/conduit.nix 
@@ -0,0 +1,41 @@ +{ + config, + lib, + pkgs, + ... +}: { + containers.conduit = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + hostAddress6 = "fc00::1"; + localAddress6 = "fc00::2"; + bindMounts = { + "/var/lib/" = { + hostPath = "/var/containers/conduit"; + isReadOnly = false; + }; + }; + config = { + config, + lib, + pkgs, + ... + }: { + # Conduit proper + services.matrix-conduit = { + enable = true; + settings.global = { + server_name = "stranger.systems"; + allow_registration = false; + port = 6167; + }; + }; + # Open the port + networking.firewall.allowedTCPPorts = [6167]; + + system.stateVersion = "24.11"; + }; + }; +} diff --git a/nixos/machines/driftwood/machine.nix b/nixos/machines/driftwood/machine.nix index 6530412..759513b 100644 --- a/nixos/machines/driftwood/machine.nix +++ b/nixos/machines/driftwood/machine.nix @@ -38,6 +38,7 @@ mutableUsers = false; }) (import ../../modules/ssh.nix) + (import ./containers/conduit.nix) ]; nix.settings.experimental-features = [ From 974de549bccef2bdd98fc1c693577964c82ca895 Mon Sep 17 00:00:00 2001 From: Nathan McCarty Date: Thu, 27 Mar 2025 02:39:35 -0400 Subject: [PATCH 2/7] ssh-agent setup --- home-manager/modules/programs/ssh.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/home-manager/modules/programs/ssh.nix b/home-manager/modules/programs/ssh.nix index 386c110..4896613 100644 --- a/home-manager/modules/programs/ssh.nix +++ b/home-manager/modules/programs/ssh.nix @@ -4,6 +4,9 @@ pkgs, ... }: { + services.ssh-agent = { + enable = true; + }; programs.ssh = { # SSH configuration enable = true; 
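Review bot: The `bindMounts` entry maps the host's `/var/containers/conduit` over the container's entire `/var/lib/`, not just the homeserver's state directory, so any other unit in the container that keeps state under /var/lib writes into the same host tree next to the Matrix database. Narrow it to the directory the service actually uses, presumably `"/var/lib/matrix-conduit" = { hostPath = "/var/containers/conduit"; isReadOnly = false; };` (the module's default StateDirectory — confirm), so the shared surface is one directory. Separately, `hostAddress6 = "fc00::1"` / `localAddress6 = "fc00::2"` sit in the fc00::/8 half of the ULA block, which RFC 4193 reserves; locally assigned ULAs are fd00::/8 with a random global ID, e.g. `fdxx:xxxx:xxxx::1`. A one-line comment that `allow_registration = false` is what keeps this homeserver closed would also help, since a later patch in this series flips it.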
@@ -16,10 +19,17 @@ # enable session reuse controlMaster = "auto"; controlPersist = "10m"; + # setup agent + addKeysToAgent = "yes"; # Configure known hosts matchBlocks = { "tides" = { hostname = "150.136.87.190"; + forwardAgent = true; + }; + "driftwood" = { + hostname = "driftwood.stranger.systems"; + forwardAgent = true; }; "static.stranger.systems" = { hostname = "129.153.226.221"; From 1baa1ce67114fce9f2662a27bfff7ab821cdd535 Mon Sep 17 00:00:00 2001 From: Nathan McCarty Date: Thu, 27 Mar 2025 02:55:22 -0400 Subject: [PATCH 3/7] ngnix for conduit --- nixos/machines/driftwood/configuration.nix | 14 ++++- .../machines/driftwood/containers/conduit.nix | 63 +++++++++++++++++++ 2 files changed, 74 insertions(+), 3 deletions(-) diff --git a/nixos/machines/driftwood/configuration.nix b/nixos/machines/driftwood/configuration.nix index 79740d7..a39e323 100644 --- a/nixos/machines/driftwood/configuration.nix +++ b/nixos/machines/driftwood/configuration.nix @@ -35,7 +35,15 @@ }; # ACME data must be readable by the NGINX user - # users.users.nginx.extraGroups = [ - # "acme" - # ]; + users.users.nginx.extraGroups = [ + "acme" + ]; + + # Enable nginx + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; +recommendedOptimisation = true; + }; } diff --git a/nixos/machines/driftwood/containers/conduit.nix b/nixos/machines/driftwood/containers/conduit.nix index a519334..b752ead 100644 --- a/nixos/machines/driftwood/containers/conduit.nix +++ b/nixos/machines/driftwood/containers/conduit.nix 
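Review bot: `forwardAgent = true` on the `tides` and `driftwood` match blocks hands the local agent socket to those hosts, so anyone with root there can sign with every key loaded in the agent for as long as the session is open. If forwarding is only needed to hop between these machines, `proxyJump` avoids exposing the agent at all; if it is genuinely needed, load keys with confirmation, `addKeysToAgent = "confirm";` in place of `"yes"`, so each remote use of a key prompts locally. Note that `tides` is addressed by bare IP, so its known_hosts entry is the only thing binding that agent forward to the intended machine.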
@@ -38,4 +38,67 @@ system.stateVersion = "24.11"; }; }; + + services.nginx = { + virtualHosts = { + "matrix.stranger.systems" = { + forceSSL = true; + enableACME = true; + + listen = [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + { + addr = "0.0.0.0"; + port = 80; + ssl = false; + } + { + addr = "[::]"; + port = 80; + ssl = false; + } + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + { + addr = "[::]"; + port = 8448; + ssl = true; + } + ]; + + locations."/_matrix/" = { + proxyPass = "http://backend_conduit$request_uri"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + proxy_buffering off; + ''; + }; + + extraConfig = '' + merge_slashes off; + ''; + }; + }; + + upstreams = { + "backend_conduit" = { + servers = { + "192.168.100.11:6167" = {}; + }; + }; + }; + }; } From 95feab33ad453f1b9cebf33cd32577d9c562bbae Mon Sep 17 00:00:00 2001 From: Nathan McCarty Date: Thu, 27 Mar 2025 03:16:41 -0400 Subject: [PATCH 4/7] Get conduit properly setup --- nixos/machines/driftwood/configuration.nix | 6 +++++- nixos/machines/driftwood/containers/conduit.nix | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/nixos/machines/driftwood/configuration.nix b/nixos/machines/driftwood/configuration.nix index a39e323..9263ba9 100644 --- a/nixos/machines/driftwood/configuration.nix +++ b/nixos/machines/driftwood/configuration.nix @@ -44,6 +44,10 @@ enable = true; recommendedProxySettings = true; recommendedTlsSettings = true; -recommendedOptimisation = true; + recommendedOptimisation = true; }; + + # Open firewall ports for HTTP, HTTPS, and Matrix federation + networking.firewall.allowedTCPPorts = [80 443 8448]; + networking.firewall.allowedUDPPorts = [80 443 8448]; } diff --git a/nixos/machines/driftwood/containers/conduit.nix b/nixos/machines/driftwood/containers/conduit.nix index b752ead..df8b731 100644 --- a/nixos/machines/driftwood/containers/conduit.nix 
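Review bot: The container's `server_name` is `stranger.systems` while this vhost only answers for `matrix.stranger.systems`, so federation peers will look up `stranger.systems:8448` or `https://stranger.systems/.well-known/matrix/server` and the 8448 listeners added here are only reached if delegation is served elsewhere; if that is the plan it deserves a comment, e.g. `# federation is delegated to this host via .well-known on stranger.systems`. `proxy_set_header Host $host;` inside `locations."/_matrix/"` repeats what `recommendedProxySettings` already emits (confirm against the nginx module) and can be dropped. Restricting the proxy to `/_matrix/` is the right call because it keeps every non-Matrix path on the upstream off the public listeners; a short comment saying so would stop a later edit from widening it to `/`.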
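Review bot: `networking.firewall.allowedUDPPorts = [80 443 8448];` opens three UDP ports that nothing in this configuration listens on — the nginx block enables no HTTP/3/QUIC and Matrix federation is TCP-only — so the line only widens the host's exposed surface. Drop it and keep `networking.firewall.allowedTCPPorts = [80 443 8448];` alone; if QUIC is added later, open 443/udp at that point with a comment naming the listener that needs it.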
+++ b/nixos/machines/driftwood/containers/conduit.nix @@ -30,6 +30,7 @@ server_name = "stranger.systems"; allow_registration = false; port = 6167; + address = "0.0.0.0"; }; }; # Open the port From 582602fe82492cfdda7c8d7390e5ec783a9f5492 Mon Sep 17 00:00:00 2001 From: Nathan McCarty Date: Thu, 27 Mar 2025 14:58:38 -0400 Subject: [PATCH 5/7] ssh agent proper setup --- home-manager/machines/crash/home.nix | 1 + home-manager/modules/programs/ssh-agent.nix | 17 +++++++++++++++++ home-manager/modules/programs/ssh.nix | 12 +++++++----- 3 files changed, 25 insertions(+), 5 deletions(-) create mode 100644 home-manager/modules/programs/ssh-agent.nix diff --git a/home-manager/machines/crash/home.nix b/home-manager/machines/crash/home.nix index b57d562..f16278b 100644 --- a/home-manager/machines/crash/home.nix +++ b/home-manager/machines/crash/home.nix @@ -32,6 +32,7 @@ ../../modules/programs/core.nix ../../modules/programs/devel.nix ../../modules/programs/ssh.nix + ../../modules/programs/ssh-agent.nix (import ../../modules/programs/emacs.nix {}) ../../modules/programs/fonts.nix ../../modules/programs/desktop.nix diff --git a/home-manager/modules/programs/ssh-agent.nix b/home-manager/modules/programs/ssh-agent.nix new file mode 100644 index 0000000..73d9324 --- /dev/null +++ b/home-manager/modules/programs/ssh-agent.nix @@ -0,0 +1,17 @@ +{ + config, + lib, + pkgs, + ... +}: { + # Enable the agent + services.ssh-agent = { + enable = true; + }; + # Setup fish init + programs.fish.shellInit = + '' + set -x SSH_AUTH_SOCK $XDG_RUNTIME_DIR/ssh-agent + ssh-add +''; +} diff --git a/home-manager/modules/programs/ssh.nix b/home-manager/modules/programs/ssh.nix index 4896613..65a00bc 100644 --- a/home-manager/modules/programs/ssh.nix +++ b/home-manager/modules/programs/ssh.nix @@ -4,9 +4,6 @@ pkgs, ... }: { - services.ssh-agent = { - enable = true; - }; programs.ssh = { # SSH configuration enable = true; 
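Review bot: `address = "0.0.0.0";` binds Conduit on every interface in the container; with `privateNetwork = true` that is the veth plus loopback, so today it amounts to the container address, but the line does not say that. `address = "192.168.100.11";` (the `localAddress` declared above) makes the single intended listener explicit and keeps the service from picking up any interface added to the container later, and it is the same value the host-side nginx upstream already targets.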
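Review bot: The fish `shellInit` runs `ssh-add` with no arguments on every shell start, which loads the default keys without confirmation and prompts for passphrases in non-interactive shells as well. Because the ssh config in this series forwards this agent to remote hosts, `ssh-add -c` is the safer form — each remote use of a key then asks for local confirmation — and placing the call in `programs.fish.interactiveShellInit` keeps it out of scripts and scp sessions. home-manager's `services.ssh-agent` is expected to export `SSH_AUTH_SOCK` through the session variables already, so the manual `set -x SSH_AUTH_SOCK` may be redundant; confirm before keeping both.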
@@ -19,10 +16,14 @@ # enable session reuse controlMaster = "auto"; controlPersist = "10m"; - # setup agent - addKeysToAgent = "yes"; # Configure known hosts matchBlocks = { + # rsync.net + "de1955" = { + hostname = "de1955.rsync.net"; + user = "de1955"; + }; + # my nixos machines "tides" = { hostname = "150.136.87.190"; forwardAgent = true; @@ -31,6 +32,7 @@ hostname = "driftwood.stranger.systems"; forwardAgent = true; }; + # Other Machines "static.stranger.systems" = { hostname = "129.153.226.221"; user = "ubuntu"; From 32e433123c0e68a7db452d68b456f8d0cceb6ad8 Mon Sep 17 00:00:00 2001 From: Nathan McCarty Date: Thu, 27 Mar 2025 15:15:06 -0400 Subject: [PATCH 6/7] Switch to conduwuit --- nixos/machines/driftwood/containers/conduit.nix | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/nixos/machines/driftwood/containers/conduit.nix b/nixos/machines/driftwood/containers/conduit.nix index df8b731..7d66cce 100644 --- a/nixos/machines/driftwood/containers/conduit.nix +++ b/nixos/machines/driftwood/containers/conduit.nix @@ -2,9 +2,10 @@ config, lib, pkgs, + inputs, ... }: { - containers.conduit = { + containers.conduit-stranger-systems = { autoStart = true; privateNetwork = true; hostAddress = "192.168.100.10"; @@ -17,6 +18,7 @@ isReadOnly = false; }; }; + nixpkgs = inputs.nixpkgs-unstable.outPath; config = { config, lib, @@ -24,13 +26,16 @@ ... }: { # Conduit proper - services.matrix-conduit = { + services.conduwuit = { enable = true; settings.global = { server_name = "stranger.systems"; - allow_registration = false; - port = 6167; - address = "0.0.0.0"; + rocksdb_optimize_for_spinning_disks = true; +new_user_displayname_suffix = ""; + allow_registration = true; + registration_token_file = "/var/lib/conduwuit/reg_token"; + port = [6167]; + address = ["0.0.0.0"]; }; }; # Open the port From ff0b40544aa183d4456cf8267a8c45415b245886 Mon Sep 17 00:00:00 2001 
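Review bot: `allow_registration = true;` is only safe because `registration_token_file = "/var/lib/conduwuit/reg_token";` gates it, and nothing in this configuration creates that file: it resolves to the host-side bind mount (`/var/containers/conduit/conduwuit/reg_token`) and has to be provisioned by hand. Document that in the module, e.g. `# reg_token is created out of band on the host (mode 0400, owned by the container's conduwuit user); confirm conduwuit refuses registration when the file is missing or empty rather than opening it`. Also `nixpkgs = inputs.nixpkgs-unstable.outPath;` makes the container track a different pin than the host, so homeserver security updates now arrive only through flake.lock bumps of nixpkgs-unstable — worth a comment next to that line. The stray column-0 `new_user_displayname_suffix = "";` should be indented with its siblings.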
From: Nathan McCarty Date: Thu, 27 Mar 2025 15:53:48 -0400 Subject: [PATCH 7/7] flake update --- flake.lock | 63 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 33 insertions(+), 30 deletions(-) diff --git a/flake.lock b/flake.lock index 646bb5e..6723954 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1735644329, - "narHash": "sha256-tO3HrHriyLvipc4xr+Ewtdlo7wM1OjXNjlWRgmM7peY=", + "lastModified": 1741473158, + "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", "owner": "numtide", "repo": "devshell", - "rev": "f7795ede5b02664b57035b3b757876703e2c3eac", + "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0", "type": "github" }, "original": { @@ -39,11 +39,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1740872218, - "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=", + "lastModified": 1741352980, + "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3876f6b87db82f33775b1ef5ea343986105db764", + "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9", "type": "github" }, "original": { @@ -92,11 +92,11 @@ ] }, "locked": { - "lastModified": 1739757849, - "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=", + "lastModified": 1742655702, + "narHash": "sha256-jbqlw4sPArFtNtA1s3kLg7/A4fzP4GLk9bGbtUJg0JQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe", + "rev": "0948aeedc296f964140d9429223c7e4a0702a1ff", "type": "github" }, "original": { 
@@ -143,11 +143,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1740646007, - "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=", + "lastModified": 1742806253, + "narHash": "sha256-zvQ4GsCJT6MTOzPKLmlFyM+lxo0JGQ0cSFaZSACmWfY=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49", + "rev": "ecaa2d911e77c265c2a5bac8b583c40b0f151726", "type": "github" }, "original": { @@ -163,11 +163,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1740567864, - "narHash": "sha256-eTS2wrC1jKR6PKXC9jZqQy5PwqbIOBLSLF3dwLiFJ8M=", + "lastModified": 1742999260, + "narHash": "sha256-wgeb7kSod9MAGm39MsVLsy2zxSbtCtckCkgfbjg6TLM=", "owner": "nix-community", "repo": "NixOS-WSL", - "rev": "1f40b43d01626ce994eb47150afa0d7215f396ca", + "rev": "64d679540fa4d7e2afdbbb53ea63e3e5019c1f52", "type": "github" }, "original": { @@ -195,23 +195,26 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1740872140, - "narHash": "sha256-3wHafybyRfpUCLoE8M+uPVZinImg3xX+Nm6gEfN3G8I=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz" + "lastModified": 1740877520, + "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz" + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1741010256, - "narHash": "sha256-WZNlK/KX7Sni0RyqLSqLPbK8k08Kq7H7RijPJbq9KHM=", + "lastModified": 1742889210, + "narHash": "sha256-hw63HnwnqU3ZQfsMclLhMvOezpM7RSB0dMAtD5/sOiw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ba487dbc9d04e0634c64e3b1f0d25839a0a68246", + "rev": "698214a32beb4f4c8e3942372c694f40848b360d", "type": "github" }, "original": { 
@@ -223,11 +226,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1740463929, - "narHash": "sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc=", + "lastModified": 1740865531, + "narHash": "sha256-h00vGIh/jxcGl8aWdfnVRD74KuLpyY3mZgMFMy7iKIc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b", + "rev": "5ef6c425980847c78a80d759abc476e941a9bf42", "type": "github" }, "original": { @@ -239,11 +242,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1740932899, - "narHash": "sha256-F0qDu2egq18M3edJwEOAE+D+VQ+yESK6YWPRQBfOqq8=", + "lastModified": 1742937945, + "narHash": "sha256-lWc+79eZRyvHp/SqMhHTMzZVhpxkRvthsP1Qx6UCq0E=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1546c45c538633ae40b93e2d14e0bb6fd8f13347", + "rev": "d02d88f8de5b882ccdde0465d8fa2db3aa1169f7", "type": "github" }, "original": {