flake update

Switch to conduwuit
ssh agent proper setup
2025-03-27 15:53:48 -04:00 · 2025-03-27 15:52:42 -04:00 · 2025-03-27 14:58:38 -04:00 · 2025-03-27 03:16:41 -04:00 · 2025-03-27 02:55:22 -04:00 · 2025-03-27 02:39:35 -04:00
7 changed files with 211 additions and 34 deletions
--- a/flake.lock
+++ b/flake.lock
@ -5,11 +5,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1735644329,
-        "narHash": "sha256-tO3HrHriyLvipc4xr+Ewtdlo7wM1OjXNjlWRgmM7peY=",
+        "lastModified": 1741473158,
+        "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "f7795ede5b02664b57035b3b757876703e2c3eac",
+        "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
        "type": "github"
      },
      "original": {
@ -39,11 +39,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1740872218,
-        "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
+        "lastModified": 1741352980,
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
        "type": "github"
      },
      "original": {
@ -92,11 +92,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1739757849,
-        "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
+        "lastModified": 1742655702,
+        "narHash": "sha256-jbqlw4sPArFtNtA1s3kLg7/A4fzP4GLk9bGbtUJg0JQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
+        "rev": "0948aeedc296f964140d9429223c7e4a0702a1ff",
        "type": "github"
      },
      "original": {
@ -143,11 +143,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1740646007,
-        "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
+        "lastModified": 1742806253,
+        "narHash": "sha256-zvQ4GsCJT6MTOzPKLmlFyM+lxo0JGQ0cSFaZSACmWfY=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
+        "rev": "ecaa2d911e77c265c2a5bac8b583c40b0f151726",
        "type": "github"
      },
      "original": {
@ -163,11 +163,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1740567864,
-        "narHash": "sha256-eTS2wrC1jKR6PKXC9jZqQy5PwqbIOBLSLF3dwLiFJ8M=",
+        "lastModified": 1742999260,
+        "narHash": "sha256-wgeb7kSod9MAGm39MsVLsy2zxSbtCtckCkgfbjg6TLM=",
        "owner": "nix-community",
        "repo": "NixOS-WSL",
-        "rev": "1f40b43d01626ce994eb47150afa0d7215f396ca",
+        "rev": "64d679540fa4d7e2afdbbb53ea63e3e5019c1f52",
        "type": "github"
      },
      "original": {
@ -195,23 +195,26 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1740872140,
-        "narHash": "sha256-3wHafybyRfpUCLoE8M+uPVZinImg3xX+Nm6gEfN3G8I=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
+        "lastModified": 1740877520,
+        "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
+        "type": "github"
      },
      "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1741010256,
-        "narHash": "sha256-WZNlK/KX7Sni0RyqLSqLPbK8k08Kq7H7RijPJbq9KHM=",
+        "lastModified": 1742889210,
+        "narHash": "sha256-hw63HnwnqU3ZQfsMclLhMvOezpM7RSB0dMAtD5/sOiw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ba487dbc9d04e0634c64e3b1f0d25839a0a68246",
+        "rev": "698214a32beb4f4c8e3942372c694f40848b360d",
        "type": "github"
      },
      "original": {
@ -223,11 +226,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1740463929,
-        "narHash": "sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc=",
+        "lastModified": 1740865531,
+        "narHash": "sha256-h00vGIh/jxcGl8aWdfnVRD74KuLpyY3mZgMFMy7iKIc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b",
+        "rev": "5ef6c425980847c78a80d759abc476e941a9bf42",
        "type": "github"
      },
      "original": {
@ -239,11 +242,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1740932899,
-        "narHash": "sha256-F0qDu2egq18M3edJwEOAE+D+VQ+yESK6YWPRQBfOqq8=",
+        "lastModified": 1742937945,
+        "narHash": "sha256-lWc+79eZRyvHp/SqMhHTMzZVhpxkRvthsP1Qx6UCq0E=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1546c45c538633ae40b93e2d14e0bb6fd8f13347",
+        "rev": "d02d88f8de5b882ccdde0465d8fa2db3aa1169f7",
        "type": "github"
      },
      "original": {
--- a/home-manager/machines/crash/home.nix
+++ b/home-manager/machines/crash/home.nix
@ -32,6 +32,7 @@
                ../../modules/programs/core.nix
                ../../modules/programs/devel.nix
                ../../modules/programs/ssh.nix
+                ../../modules/programs/ssh-agent.nix
                (import ../../modules/programs/emacs.nix {})
                ../../modules/programs/fonts.nix
                ../../modules/programs/desktop.nix
--- a/home-manager/modules/programs/ssh-agent.nix
+++ b/home-manager/modules/programs/ssh-agent.nix
@ -0,0 +1,17 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  # Enable the agent
+  services.ssh-agent = {
+    enable = true;
+  };
+  # Setup fish init
+  programs.fish.shellInit =
+    ''
+    set -x SSH_AUTH_SOCK $XDG_RUNTIME_DIR/ssh-agent
+    ssh-add
+'';
+}
--- a/home-manager/modules/programs/ssh.nix
+++ b/home-manager/modules/programs/ssh.nix
@ -18,9 +18,21 @@
    controlPersist = "10m";
    # Configure known hosts
    matchBlocks = {
+      # rsync.net
+      "de1955" = {
+        hostname = "de1955.rsync.net";
+        user = "de1955";
+      };
+      # my nixos machines
      "tides" = {
        hostname = "150.136.87.190";
+        forwardAgent = true;
      };
+      "driftwood" = {
+        hostname = "driftwood.stranger.systems";
+        forwardAgent = true;
+      };
+      # Other Machines
      "static.stranger.systems" = {
        hostname = "129.153.226.221";
        user = "ubuntu";
--- a/nixos/machines/driftwood/configuration.nix
+++ b/nixos/machines/driftwood/configuration.nix
@ -1,10 +1,12 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{ config, lib, pkgs, ... }:
-
 {
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
@ -15,6 +17,37 @@
  i18n.defaultLocale = "en_US.UTF-8";

  system.stateVersion = "24.11"; # Did you read the comment?
+  networking.nat = {
+    enable = true;
+    internalInterfaces = ["ve-+"];
+    externalInterface = "enp5s0f0";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };

+  # Nginx configuration
+  # Configure automated TLS acquisition/renewal
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "admin@stranger.systems";
+    };
+  };
+
+  # ACME data must be readable by the NGINX user
+  users.users.nginx.extraGroups = [
+    "acme"
+  ];
+
+  # Enable nginx
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  # Open firewall ports for HTTP, HTTPS, and Matrix federation
+  networking.firewall.allowedTCPPorts = [80 443 8448];
+  networking.firewall.allowedUDPPorts = [80 443 8448];
 }
-
--- a/nixos/machines/driftwood/containers/conduit.nix
+++ b/nixos/machines/driftwood/containers/conduit.nix
@ -0,0 +1,110 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: {
+  containers.conduit-stranger-systems = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.100.10";
+    localAddress = "192.168.100.11";
+    hostAddress6 = "fc00::1";
+    localAddress6 = "fc00::2";
+    bindMounts = {
+      "/var/lib/" = {
+        hostPath = "/var/containers/conduit";
+        isReadOnly = false;
+      };
+    };
+    nixpkgs = inputs.nixpkgs-unstable.outPath;
+    config = {
+      config,
+      lib,
+      pkgs,
+      ...
+    }: {
+      # Conduit proper
+      services.conduwuit = {
+        enable = true;
+        settings.global = {
+          server_name = "stranger.systems";
+          rocksdb_optimize_for_spinning_disks = true;
+new_user_displayname_suffix = "";
+          allow_registration = true;
+          registration_token_file = "/var/lib/conduwuit/reg_token";
+          port = [6167];
+          address = ["0.0.0.0"];
+        };
+      };
+      # Open the port
+      networking.firewall.allowedTCPPorts = [6167];
+
+      system.stateVersion = "24.11";
+    };
+  };
+
+  services.nginx = {
+    virtualHosts = {
+      "matrix.stranger.systems" = {
+        forceSSL = true;
+        enableACME = true;
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 80;
+            ssl = false;
+          }
+          {
+            addr = "[::]";
+            port = 80;
+            ssl = false;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+
+        locations."/_matrix/" = {
+          proxyPass = "http://backend_conduit$request_uri";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_buffering off;
+          '';
+        };
+
+        extraConfig = ''
+          merge_slashes off;
+        '';
+      };
+    };
+
+    upstreams = {
+      "backend_conduit" = {
+        servers = {
+          "192.168.100.11:6167" = {};
+        };
+      };
+    };
+  };
+}
--- a/nixos/machines/driftwood/machine.nix
+++ b/nixos/machines/driftwood/machine.nix
@ -38,6 +38,7 @@
                  mutableUsers = false;
                })
                (import ../../modules/ssh.nix)
+                (import ./containers/conduit.nix)
              ];

              nix.settings.experimental-features = [
Author	SHA1	Message	Date
Nathan McCarty	ff0b40544a	flake update	2025-03-27 15:53:48 -04:00
Nathan McCarty	32e433123c	Switch to conduwuit	2025-03-27 15:52:42 -04:00
Nathan McCarty	582602fe82	ssh agent proper setup	2025-03-27 14:58:38 -04:00
Nathan McCarty	95feab33ad	Get conduit properly setup	2025-03-27 03:16:41 -04:00
Nathan McCarty	1baa1ce671	ngnix for conduit	2025-03-27 02:55:22 -04:00
Nathan McCarty	974de549bc	ssh-agent setup	2025-03-27 02:39:35 -04:00
Nathan McCarty	8dfd30b333	Initial conduit container setup	2025-03-27 02:36:18 -04:00