diff --git a/flake.nix b/flake.nix index b13e49c..8fceebd 100644 --- a/flake.nix +++ b/flake.nix @@ -69,18 +69,15 @@ }; }) ]; - coreModules = baseModules ++ [ - ./modules/common.nix - ./modules/ssh.nix + sopsModules = [ sops-nix.nixosModules.sops - home-manager.nixosModules.home-manager ## Setup sops ({ pkgs, config, ... }: { # Add default secrets sops.defaultSopsFile = ./secrets/nathan.yaml; # Use system ssh key as an age key sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - # Load up lastfm scrobbling secret + # Load up lastfm scrobbling secret sops.secrets.lastfm-conf = { owner = "nathan"; format = "binary"; @@ -88,6 +85,11 @@ }; }) ]; + coreModules = baseModules ++ sopsModules ++ [ + ./modules/common.nix + ./modules/ssh.nix + home-manager.nixosModules.home-manager + ]; setHomeManagerVersions = ({ pkgs, config, unstable, ... }: { home-manager.users.nathan.programs = { starship.package = unstable.starship; diff --git a/modules/audio.nix b/modules/audio.nix index 675a796..054e1f2 100644 --- a/modules/audio.nix +++ b/modules/audio.nix @@ -57,8 +57,8 @@ ]; # Add noisetorch for microphone noise canceling #programs.noisetorch = { - # enable = true; TODO: https://github.com/noisetorch/NoiseTorch/releases/tag/0.11.6 - # Use latest noisetorch, its a fast moving target - #package = unstable.noisetorch; + # enable = true; TODO: https://github.com/noisetorch/NoiseTorch/releases/tag/0.11.6 + # Use latest noisetorch, its a fast moving target + #package = unstable.noisetorch; #}; } diff --git a/secrets/matrix-community-recaptcha b/secrets/matrix-community-recaptcha new file mode 100644 index 0000000..6faf1de --- /dev/null +++ b/secrets/matrix-community-recaptcha 
@@ -0,0 +1,40 @@ +{ + "data": "ENC[AES256_GCM,data:UB2N8XWfhEE1zB8f6YPGD+cOFl2jUUMTQrByBiQG3xyWcMxe8EIl8SUasQVWhkfPbmCj/GoBJxqhuLX5obpNtEUjwfa7ZEw7C8QhqXKyxQJgXqEvLDZLU5ruPJMhvOOX7SkQ3VJi9S8xCjzE8XEE2iUna6R6AGSAaXMn2xz5z1wIT1wrZ9Xt4TGaBYZBz9lJRWAbAvmnCmcLpnlLPezrBKkHuZ2OxcHa,iv:0Ztry4JaGMWdSKvmaeFAn/ljGyC8MMnE0qbGKpCVOVE=,tag:KcgEsJ1tHsetGPRsXRxY/g==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXQnZCRDhHUjg5eG0yWnZx\nYXJFcU8rVE4vMXlyUDZReEVncGxDR0Z2d0RFCjBOcmYvSkUxdVdSZTc5VGhRMEtt\nSnRtNGFqNlI0Z1pIekZ5aTFQb3o2ZU0KLS0tIHVkekxoVFM1b0FLUXJoN3Q5VGlv\ndWova0NweTBpQ01uZzRwbzJ2ak0weGMKAuR63tTq2Fkmxm/9K+yPRlZ9GGbfb0q3\nZCp8tbuy2vqxYP4Ndp+VwS75I0k+sIqH8N+O6O3iDH2PLaruDTs7OQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTzBlZDNxVGlYTnZpdGh1\nQlpDalJQb25HWVl4NlBVQWowaml6eEN1SEJNCnJwQmh4cm10N0NFUVpzcnZFb3d6\nb1UxRHlvNVFCZDZjTktKM0pySjdkZW8KLS0tIHl0SHVtamFoTjBaeFlrNDQwSk1U\nZFhCeU12Z2FqZ0lmY25aSnNFOHlYaDQKvzdGDlKy2aGD23qGSw8qJc54S4DSfY8J\n+Op31cW3poALYglQ8C0LuExCE4GS6iJIroRVbL+x0OssiN6cFgfUqQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSkpjanI4bkRVSlcycVp6\ndDd2dnQrRVlSMEtSaFlXQ1FTTHliRURGMUZjCi9iUHV5OXVJNU5IYStrVnlpZ0hM\na2pNQytHcktIMi9OaTU4aURXcG5NcEkKLS0tIGxOL0k5a2IrWjNEYStiSHNnWjg4\nU1hmb1ZNa1JKSnJOc05QaTRFQ2RMYmMKmk0Uoz7B2Qh0IuX9RhDq5RSnn8HW5k9F\n1OZHeyf6wfkn+g9AN5d/3CWXBbj34CV1BJnLQ9RFPgR0geLMtM5N9g==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": 
"age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQdm53WWpzQzJTSktoUkVQ\neFY3cEJaTnpTMkJRaU9JY2tNbzhaeXRIUVdnClI4RkdYSzZlM2dPNmpVVzRsNnlI\ncE1PWkMxYnRCajNwdlJGc2NPQkhwdncKLS0tIG41Y3dacHNHYWRjS1BQTnl4Vzh3\nc0dMZEpITFBqK3pYdnBZR09OOGd1eTgKbp6Hjc0XhCaRXO3k+fmuSRfcnHGZ7SSS\nZXAJIrwLx6X1GK0xfDsdbUuvHMN5hxfRaOXODCF3u/EvjWLNJVvEXw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIc2xNVjA5Z0VySUxrMjFs\ncGF5Wlk1cW44Zyt4NktzT0xIa3E1OG0xS1VzClZ1NmFnSzErZjBQTVVDdG5NMTlL\nR0p6a2JCbE9qRG1sQ1dBYU1tOWF1SlkKLS0tIEtCdmxpcWl3aVJTb2ZBMjhEY1px\ndnpUdTVMMGtFRWh1K1ZJV2llUnZBYmcKb0RaR2jMemxbc0hQqdhEydV4NUTbx141\nVkbDsoU3mQERyx2pUWUx4HiOt7LpegdmkZduI/Qi2w/qv/ts4xdiXQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUUVzTzRsdHROVVUzdlAx\ncEFTckNLMzFjTGYrblp5V09OMUs5TVM5L3hNClowVkFjaGFqdStSNjlQN2pSMGdC\nVFF1ZHh0aDB6RnM5QTNjcDBuTU9BaTAKLS0tIFdQZXhGZ2c2UC96NXVaTFlkbVBw\nYkU1cFB5djBGYkROVFdtWWQzVGVkTGcKcbXpTXupE1xmE2GSHvYjxTPb4G2cNmk3\nbTDcGetBChLZFl29pa6fdQEdp+eFQ6ctUOAHMu3o2W6XxlMjnbiRCw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2022-05-23T03:59:56Z", + "mac": "ENC[AES256_GCM,data:NENsER5bRswiwXaPfy0Tlc2wAetvqg9NXBVePX8Zkddv/40L5uhPzMmZUbS66AxtmlGMEZ9PNr7KQnmvFzpzHiGzft55sTOFAboAVcv3xFL+GFsQd3f853daHjGrj51d554eGY4tmrtNoOQI1ctPdoQ8rVGfnmjAnzRwQjHttLs=,iv:Y24nW2eINCeK4UTf7RcP8zhkUNvdNGlLEQqgTTUlTsw=,tag:ccIl1aKJhMVlhheS/sEXwA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file 
diff --git a/secrets/matrix-community.yaml b/secrets/matrix-community.yaml deleted file mode 100644 index 1b24399..0000000 --- a/secrets/matrix-community.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -community_recaptcha_public_key: ENC[AES256_GCM,data:+0EKbzHODlj5y0zFyDpx3YTCnoWAx0c9SeYE5xLG0MvaRDR9hhL+2Q==,iv:pe1qqcGm1ZTDkBIbn/7sz9SwrGD3/d0W53aablJOhps=,tag:yilfX0hlGfAjHTqxjMXc0A==,type:str] -community_recaptcha_secret_key: ENC[AES256_GCM,data:G0AqjIH5HVG/1BMqDvfU0q4Fctm485AfFBIFH87qDFRKvak+Nz18Qg==,iv:X/AGgV2rCHfFEwAbFLrNH3gWenpOb17xDnbzIDN2Ca4=,tag:cU/kN+mOvsUx+yXRMM+lgA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcjl1amRmWnNoMVc0ZHBl - d01SenFsM25lR014SFNRaDVVWDNRSGlyV2hNCm1Ibk9rK0EvUWo3SGFBTHlzZEFL - N3U1R0Rrb25telhjR0NVQmk3TG9FazgKLS0tIEJIZ3M4cmdPUVliSGxuMm1ydGNM - SThSOGVIVjcvR1VUcnUvQTdKQkcxa28KsrE00JbE2w18zSeijAqmhKXuvZdfVqWI - A5RoXDz9yOE2TNaojaRFBIudbNAJWiCy8J6Y2iFKKFvPLo9ChigfGw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaGhab2d1cFFmK1VMUjhQ - c0RTOTkrTis1djh3a3k1RkkwQmpUYk83M2dVCnlNY3pyM2JSakNydjlTSkdUOFVJ - Y2NlV0ZaZ0NWZkR3UmVvQXpnOEE1ekkKLS0tIDhWOTl6Wm8xekZhZUdmcnRFY1ha - ZThRbXh6UnljZFhNVGczUjU1a280R2cKq1pY/Ju1d1mYFuZaTivsvCefhtL3E69R - jBCLqwVPlK64meXI8hP1XDEV3KLGgiWbS5oAlx7VSF1OW+nwrOzSUw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-05-23T02:42:32Z" - mac: ENC[AES256_GCM,data:zKKeZO1IjxSavd9ocvPzX46Tvl5rTDo5UPJ+s0aqOeO3LucV/JICXEWtk7AWbgJY/BWc27jw/k8zpKsbkh1EPwMeMMFniY3YAt/lwov187fVM+rSZ1YtiE0xxgN8oBJQ3QMZJCt4QfAmVOMRokH2YO3kWEipEGjnuY9tFfd/kAo=,iv:jy0ReVsFNbrTHnVJk8Hyd/7l6Px48xlhFNdtTANL6rE=,tag:rMoYC47W+z4I8Eh5DYrEWg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.1 diff --git a/system-specific/matrix/matrix.nix b/system-specific/matrix/matrix.nix index abd06a6..8848d87 100644 --- a/system-specific/matrix/matrix.nix 
+++ b/system-specific/matrix/matrix.nix @@ -395,6 +395,15 @@ in }; }; + # Matrix recaptcha keys + sops.secrets."matrix-secrets.yaml" = { + owner = config.users.users.nobody.name; + group = config.users.users.nobody.name; + mode = "0440"; + format = "binary"; + sopsFile = ../../secrets/matrix-community-recaptcha; + }; + services.matrix-synapse = { enable = true; server_name = config.networking.domain; @@ -413,7 +422,8 @@ in ]; } ]; - enable_registration = false; + enable_registration = true; + enable_registration_captcha = true; allow_guest_access = false; extraConfig = '' allow_public_rooms_over_federation: true @@ -421,7 +431,8 @@ in auto_join_rooms: [ "#space:community.rs" , "#rust:community.rs" , "#rules:community.rs" , "#info:community.rs" ] ''; turn_uris = [ "turn:turn.community.rs:3478?transport=udp" "turn:turn.community.rs:3478?transport=tcp" ]; - turn_shared_secret = "5C1rbLi5pPJhEGTzkVR1"; turn_user_lifetime = "1h"; + # Configure secrets + extraConfigFiles = [ config.sops.secrets."matrix-secrets.yaml".path ]; }; }
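Review bot: The new `sops.secrets."matrix-secrets.yaml"` entry is owned by `nobody` with mode `0440`, so any process running as `nobody` can read the reCAPTCHA keys, while Synapse can read them only if it happens to run as that user or group. On NixOS the Synapse module normally runs as `matrix-synapse`, and the `nobody` user's group is usually `nogroup`, so `group = config.users.users.nobody.name;` may not name an existing group. I would use `owner = config.users.users.matrix-synapse.name;`, `group = config.users.users.matrix-synapse.group;` and `mode = "0400";`. Separately, the `sopsFile` it points at is encrypted to six age recipients where the deleted `secrets/matrix-community.yaml` had two, so confirm each added key really needs to decrypt this secret. The enclosing attribute set begins and ends outside the hunk.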
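Review bot: `enable_registration = true` opens account creation to the public with the CAPTCHA as the only gate visible here, and nothing next to `enable_registration_captcha` says where its keys come from. The deleted YAML named them `community_recaptcha_public_key` and `community_recaptcha_secret_key`, which are not the names Synapse reads. The new file's contents are encrypted, so confirm it defines `recaptcha_public_key` and `recaptcha_private_key`. A comment such as `# recaptcha_public_key / recaptcha_private_key are loaded from the sops file listed in extraConfigFiles` would tie the two settings together. The `services.matrix-synapse` block continues outside the hunk.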
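Review bot: Deleting the literal `turn_shared_secret` line does not retire that value: it stays in git history and, having been a Nix string, probably in store paths built from earlier revisions, so it should be rotated on the TURN server. After this change `turn_uris` is still set but no shared secret is visible in the Nix config. The encrypted file is named for the reCAPTCHA keys, so confirm it also carries the new `turn_shared_secret`; otherwise Synapse has no secret from which to issue TURN credentials. A comment above `extraConfigFiles` listing the keys the file provides, e.g. `# provides: recaptcha_public_key, recaptcha_private_key, turn_shared_secret`, would make that checkable without decrypting.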