nix
/
System
2
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Begin matrix migration

This commit is contained in:
Nathan McCarty 2023-06-04 12:31:53 -04:00
parent 115600af8b
commit 4b43c7aa6e
Signed by: thatonelutenist
SSH Key Fingerprint: SHA256:hwQEcmak9E6sdU9bXc98RHw/Xd1AhpB5HZT7ZSVJkRM
5 changed files with 173 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
machines/matrix/configuration.nix
View File

@ -114,10 +114,10 @@
auto_join_rooms =
[ "#space:community.rs" "#rules:community.rs" "#info:community.rs" ];
turn_uris = [
"turn:turn.community.rs:3478?transport=udp"
"turn:turn.community.rs:3478?transport=tcp"
# "turn:turn.community.rs:3478?transport=udp"
# "turn:turn.community.rs:3478?transport=tcp"
];
turn_user_lifetime = "1h";
# turn_user_lifetime = "1h";
};
extraConfigFiles = [ config.sops.secrets."matrix-secrets.yaml".path ];
};

20
machines/pendulum/configuration.nix
View File

@ -1,6 +1,7 @@
{ config, lib, pkgs, inputs, ... }:
{
imports = [ ./matrix.nix ];
# Sops setup for this machine
sops.secrets = {
"borg-ssh-key" = {
@ -11,10 +12,24 @@
sopsFile = ../../secrets/pendulum/borg.yaml;
format = "yaml";
};
"matrix-secrets.yaml" = {
owner = "matrix-synapse";
format = "binary";
sopsFile = ../../secrets/pendulum/recaptcha;
};
};
# Setup system configuration
nathan = {
services = {
nginx = {
enable = true;
acme = true;
};
matrix = {
enable = true;
baseDomain = "community.rs";
enableRegistration = true;
};
borg = {
enable = true;
extraExcludes = [
@ -28,7 +43,7 @@
passwordFile = config.sops.secrets."borg-password".path;
sshKey = config.sops.secrets."borg-ssh-key".path;
};
# postgresql.backup = true;
postgresql.backup = true;
};
config = {
setupGrub = false;
@ -42,6 +57,8 @@
};
# State version
system.stateVersion = "23.05";
# Postgres version
services.postgresql.package = pkgs.postgresql_15;
# Configure bootloader
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
@ -65,4 +82,5 @@
# Setup home manager
home-manager.users.nathan = import ./home.nix;
}

126
machines/pendulum/matrix.nix Normal file
View File

@ -0,0 +1,126 @@
{ config, lib, pkgs, ... }:
{
## Matrix configuration
# Create www-html group
users.groups.www-html.gid = 6848;
# Add shaurya
users.users.shaurya = {
isNormalUser = true;
home = "/home/shaurya";
description = "Shaurya";
extraGroups = [ "www-html" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDA8BwFgWGrX5is2rQV+T0dy4MUWhfpE5EzYxjgLuH1V shauryashubham1234567890@gmail.com"
];
shell = pkgs.nushell;
};
# Add www-html for my self
users.users.nathan = { extraGroups = [ "www-html" ]; };
# Configure matrix registration
services.matrix-synapse = {
settings = {
enable_registration_captcha = true;
allow_guest_access = false;
allow_public_rooms_over_federation = true;
experimental_features = { spaces_enabled = true; };
auto_join_rooms =
[ "#space:community.rs" "#rules:community.rs" "#info:community.rs" ];
turn_uris = [
# "turn:turn.community.rs:3478?transport=udp"
# "turn:turn.community.rs:3478?transport=tcp"
];
# turn_user_lifetime = "1h";
};
extraConfigFiles = [ config.sops.secrets."matrix-secrets.yaml".path ];
};
# Install our utilties
environment.systemPackages = with pkgs; [ matrix-synapse-tools.synadm ];
# Setup a task to cleanup the database
systemd.services.synapse-db-cleanup = {
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
};
path = with pkgs; [ matrix-synapse-tools.rust-synapse-compress-state ];
script = ''
synapse_auto_compressor -p "user=matrix-synapse password=synapse dbname=synapse host=localhost" -c 500 -n 100
'';
};
systemd.timers.synapse-db-cleanup = {
wantedBy = [ "timers.target" ];
partOf = [ "synapse-db-cleanup.service" ];
timerConfig = {
# Weekly on sunday mornings
OnCalendar = "Sun, 5:00";
Unit = "synapse-db-cleanup.service";
};
};
# Configure the vhost for the domain
services.nginx.virtualHosts = let
fqdn = let
join = hostName: domain:
hostName + lib.optionalString (domain != null) ".${domain}";
in join config.networking.hostName config.networking.domain;
in {
"${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig = let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
locations."/".extraConfig = ''
rewrite ^(.*)$ http://www.community.rs$1 redirect;
'';
};
# Main domain
"www.community.rs" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig = let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
root = "/var/www";
};
};
}

1
modules/linux/swaywm.nix
View File

@ -56,6 +56,7 @@ in with lib; {
enable = true;
# Enable the wrapper for gtk applications
wrapperFeatures.gtk = true;
package = null;
};
environment.sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; };

24
secrets/pendulum/recaptcha Normal file
View File

@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data:xaTwPCDE4nTOsYobxMCGF42BhWDgAAN2DmMbYqFQlc12RY0Azy/S3a62XI4z+uPBUJlGFVHalWFKyS0ThmMjjfL1rZfusvGNYHjNCwiryBEMTXSH4JQip5qzxTSpnsoTLSnJhEZ/LU/40CxCE0WzYSv5hm20Xyq3Gf8jpQn2lIDgZVn6CdBd0c3eFiKu7Z7mcNY07mJ9UIHYXrp8oAwr+qw2GUOfvy4h,iv:q5BMv0eqcqypdXJtbrAMkq6FsHfhbq2a0jnDKMLdNBM=,tag:abScyBGkyigPrs2ZM8zlLQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQnV6enVhVUpKWklQenBq\nT2NrUHc3TGtmeGFDc1JtWFgwaGhiRzl4MFNnClhrTmFFZUh6ODNCNVJ1azhXUWwx\nblJDWENCanpSdnVmSCtubTdZQTVMUFEKLS0tIDk4K2czVFFqbGl1aEJyZXByV01B\nNXRSODFCRDlVVlQycE9ENXNGL2d3b3cK6UXVYoGb4GzuObFCJQelQhC/oT4YuUT/\nJX1hKPJFwdlgY7rhSrt0zmYmrjoAIC59o4B3nqSsNy4bFjCYjeVYOA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1448z8f03hgnem2qeh2020k5tyma4hv365af8fyk4t2vhefedcscsdjs53k",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcFFnTDRCYjJ4Vk5aOEVx\nM3NwNVY1MEFQdEg5K1NJZm5TWGIraUZ1YW5FCk8zN24vK01MZjhQNGdRdUFwYkdp\nUFNEaGJTdWNUNUdxSmVwdW01NHM4c0UKLS0tIEtkeDRCek5sLzBzb2RucFBIaWlV\nb3RNLzd0c0dlbnNDYjZEYTc2ZDNjTTQKUHSIcCVWPRhWLEWlHp+v8eEHOd9+UhpY\nfArxbP+xaJ1b5PATLiiNrgnJ9FiLJ6f8nnNE0d2lwBc4LEgBu+Lv8g==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-06-04T16:29:23Z",
"mac": "ENC[AES256_GCM,data:c+Q7CDXAErHyGBlPoipJa7cknba26DXzjDGIslsX9pvfHmPx3/NUYkqCANQRvBqECBB0sV5S+0gavxYVr1Yvfy+D7FNPzW8OLBom2af6MHQRUHFtDmTT16HPzF+aYP3Y5Deogsxh4JJRmUaM2HsGvgEK2mZ4rtATrFUSi0NTmT8=,iv:sfuq9g+7vGvlSQRhIKNIKAL1Nbl/gNwwxUK3qgoyFSE=,tag:XmmurLyNN4mp1/dPTcZW2Q==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}