From 9fe684627fc1131004aeef3e10c52226db79a557 Mon Sep 17 00:00:00 2001 From: Nathan McCarty Date: Mon, 26 Sep 2022 23:31:01 -0400 Subject: [PATCH] Migrate matrix to new format --- .sops.yaml | 5 + flake.nix | 9 ++ machines/matrix/configuration.nix | 193 ++++++++++++++++++++++++++++++ machines/matrix/home.nix | 3 + modules/linux/services/matrix.nix | 2 +- secrets/matrix/borg.yaml | 31 +++++ secrets/matrix/recaptcha | 24 ++++ 7 files changed, 266 insertions(+), 1 deletion(-) create mode 100644 machines/matrix/configuration.nix create mode 100644 machines/matrix/home.nix create mode 100644 secrets/matrix/borg.yaml create mode 100644 secrets/matrix/recaptcha diff --git a/.sops.yaml b/.sops.yaml index 641d84f..0e5368f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -26,3 +26,8 @@ creation_rules: - age: - *nathan - *oracles + - path_regex: secrets/matrix + key_groups: + - age: + - *nathan + - *matrix diff --git a/flake.nix b/flake.nix index 135aef7..0b5026b 100644 --- a/flake.nix +++ b/flake.nix @@ -144,6 +144,15 @@ ]; }; + matrix = makeNixosSystem { + system = "x86_64-linux"; + hostName = "matrix"; + extraModules = [ + ./hardware/matrix.nix + ./machines/matrix/configuration.nix + ]; + }; + x86vm = makeNixosSystem { system = "x86_64-linux"; hostName = "x86vm"; diff --git a/machines/matrix/configuration.nix b/machines/matrix/configuration.nix new file mode 100644 index 0000000..6bff932 --- /dev/null +++ b/machines/matrix/configuration.nix 
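Review bot: `path_regex: secrets/matrix` in the new creation rule is an unanchored regular expression, so it also matches any path that merely contains that substring (a future `secrets/matrix-old/x.yaml`, or `other/secrets/matrix`); anchor it as `path_regex: ^secrets/matrix/`. sops uses the first creation rule whose regex matches, so if one of the rules above this hunk (their `path_regex` lines are outside the hunk) already matches everything under `secrets/`, the `*matrix` recipient would never be applied to new files or on `sops updatekeys` — worth checking the rule order. The two secret files added in this patch do carry two age recipients, which suggests the rule matched as intended when they were created.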
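Review bot: The new `matrix` host imports `./hardware/matrix.nix`, but that file does not appear in this patch's diffstat; unless it is already tracked in the repository, evaluating `nixosConfigurations.matrix` (and therefore `nix flake check`) will fail on a missing path. A one-line comment naming where the hardware configuration comes from (e.g. `# hardware/matrix.nix is generated on the host with nixos-generate-config`) would make the dependency explicit.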
@@ -0,0 +1,193 @@ +{ config, lib, pkgs, inputs, ... }: + +{ + # Sops setup for this machine + sops.secrets = { + "borg-ssh-key" = { + sopsFile = ../../secrets/matrix/borg.yaml; + format = "yaml"; + }; + "borg-password" = { + sopsFile = ../../secrets/matrix/borg.yaml; + format = "yaml"; + }; + "matrix-secrets.yaml" = { + owner = "matrix-synapse"; + format = "binary"; + sopsFile = ../../secrets/matrix/recaptcha; + }; + }; + # Setup system configuration + nathan = { + services = { + nginx = { + enable = true; + acme = true; + }; + matrix = { + enable = true; + baseDomain = "community.rs"; + enableRegistration = true; + }; + borg = { + enable = true; + extraExcludes = [ + "*/.cache" + "*/.tmp" + "/home/nathan/minecraft/server/backup" + "/var/lib/postgresql" + "/var/lib/redis" + "/var/lib/docker" + "/var/log" + "/var/minecraft" + "/var/sharedstore" + ]; + passwordFile = config.sops.secrets."borg-password".path; + sshKey = config.sops.secrets."borg-ssh-key".path; + }; + }; + config = { + setupGrub = false; + nix = { + autoUpdate = true; + autoGC = true; + }; + harden = false; + virtualization = { + docker = true; + }; + }; + }; + # Configure bootloader + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + boot.loader.grub.forceInstall = true; + boot.loader.timeout = 10; + boot.loader.grub.extraConfig = '' + serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1; + terminal_input serial; + terminal_output serial + ''; + boot.kernelParams = [ + "console=ttyS0" + ]; + # Configure networking + networking = { + domain = "community.rs"; + useDHCP = false; + interfaces.enp0s5.useDHCP = true; + + nameservers = [ "1.1.1.1" ]; + # Open ports in firewall + firewall = { }; + }; + + # Setup home manager + home-manager.users.nathan = import ./home.nix; + + # Create www-html group + users.groups.www-html.gid = 6848; + # Add shaurya + users.users.shaurya = { + isNormalUser = true; + home = 
"/home/shaurya"; + description = "Shaurya"; + extraGroups = [ "www-html" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDA8BwFgWGrX5is2rQV+T0dy4MUWhfpE5EzYxjgLuH1V shauryashubham1234567890@gmail.com" + ]; + shell = pkgs.nushell; + }; + + # Add www-html for my self + users.users.nathan = { + extraGroups = [ "www-html" ]; + }; + + # Configure matrix registration + services.matrix-synapse.settings = { + enable_registration_captcha = true; + allow_guest_access = false; + extraConfig = '' + allow_public_rooms_over_federation: true + experimental_features: { spaces_enabled: true } + auto_join_rooms: [ "#space:community.rs" , #rules:community.rs" , "#info:community.rs" ] + ''; + turn_uris = [ "turn:turn.community.rs:3478?transport=udp" "turn:turn.community.rs:3478?transport=tcp" ]; + turn_user_lifetime = "1h"; + extraConfigFiles = [ config.sops.secrets."matrix-secrets.yaml".path ]; + }; + + # Configure the vhost for the domain + services.nginx.virtualHosts = + let + fqdn = + let + join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}"; + in + join config.networking.hostName config.networking.domain; + in + { + "${config.networking.domain}" = { + enableACME = true; + forceSSL = true; + + locations."= /.well-known/matrix/server".extraConfig = + let + # use 443 instead of the default 8448 port to unite + # the client-server and server-server port for simplicity + server = { "m.server" = "${fqdn}:443"; }; + in + '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = + let + client = { + "m.homeserver" = { "base_url" = "https://${fqdn}"; }; + "m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + # ACAO required to allow element-web on any URL to request this json file + in + '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + 
''; + locations."/".extraConfig = '' + rewrite ^(.*)$ http://www.community.rs$1 redirect; + ''; + }; + # Main domain + "www.community.rs" = { + enableACME = true; + forceSSL = true; + locations."= /.well-known/matrix/server".extraConfig = + let + # use 443 instead of the default 8448 port to unite + # the client-server and server-server port for simplicity + server = { "m.server" = "${fqdn}:443"; }; + in + '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = + let + client = { + "m.homeserver" = { "base_url" = "https://${fqdn}"; }; + "m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + # ACAO required to allow element-web on any URL to request this json file + in + '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; + root = "/var/www"; + }; + }; +} diff --git a/machines/matrix/home.nix b/machines/matrix/home.nix new file mode 100644 index 0000000..88d8a3b --- /dev/null +++ b/machines/matrix/home.nix @@ -0,0 +1,3 @@ +{ config, lib, pkgs, ... }: + +{ } diff --git a/modules/linux/services/matrix.nix b/modules/linux/services/matrix.nix index f743a24..25bf528 100644 --- a/modules/linux/services/matrix.nix +++ b/modules/linux/services/matrix.nix @@ -25,7 +25,7 @@ with lib; matrix-synapse = { enable = true; settings = { - enable_registration = false; + enable_registration = nathan.services.matrix.enableRegistration; server_name = nathan.services.matrix.baseDomain; listeners = [ diff --git a/secrets/matrix/borg.yaml b/secrets/matrix/borg.yaml new file mode 100644 index 0000000..bae7973 --- /dev/null +++ b/secrets/matrix/borg.yaml 
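Review bot: The `extraConfig` attribute placed under `services.matrix-synapse.settings` is not interpreted as extra YAML: with a freeform `settings` it is serialised into homeserver.yaml as a key literally named `extraConfig` whose value is one multi-line string, so `allow_public_rooms_over_federation`, `experimental_features` and `auto_join_rooms` are silently not applied (assuming this repo's matrix module does not define such an option — the `modules/linux/services/matrix.nix` hunk in this patch does not show one). The string is also malformed on its own: `#rules:community.rs"` is missing its opening quote, and an unquoted `#` after whitespace starts a YAML comment, so the flow sequence would not parse even if the text were consumed as YAML. Express them as real settings instead: `allow_public_rooms_over_federation = true;`, `experimental_features.spaces_enabled = true;`, `auto_join_rooms = [ "#space:community.rs" "#rules:community.rs" "#info:community.rs" ];`. Separately, the apex vhost's `rewrite ^(.*)$ http://www.community.rs$1 redirect;` sends a visitor who arrived over TLS back out to plaintext `http://` before the www vhost's `forceSSL` upgrades them again; `return 301 https://www.community.rs$request_uri;` avoids the cleartext hop. `harden = false;` and the `/var/lib/postgresql` borg exclude (Synapse's database, if it lives there) each deserve a one-line comment explaining why — e.g. `# postgres is excluded because it is dumped separately` — or they read as oversights.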
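Review bot: `enable_registration` now follows `nathan.services.matrix.enableRegistration`, but the option declaration is not part of this patch, so either it already exists outside the hunk or the module fails to evaluate on an undefined attribute; its default should be `false` so hosts that do not set it keep the behaviour of the removed `enable_registration = false;` line. Recent Synapse releases refuse to start when registration is enabled without a CAPTCHA, e-mail or registration-token verification method, so consider adding an assertion in this module that `settings.enable_registration_captcha` (or another method) is set whenever `enableRegistration` is true, rather than discovering it at service start. The enclosing `settings` attrset continues past the end of the hunk.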
@@ -0,0 +1,31 @@ +borg-ssh-key: ENC[AES256_GCM,data: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,iv:HR6qT0eO9FI6BKTEPFoDYw1FCaIpYUxlR2Ipshj4MzM=,tag:yixPw+yuV++XHJBRBiPFeA==,type:str] +borg-password: ENC[AES256_GCM,data:Csi14MRZoKlC89/0clz9ogGVd0lJo+8235L/LQWVTbeth8D11SPD+FoXtg==,iv:2+ONcrulPUuW9oA7ZTEVY7l2x72BZtEU1529O5jDE5k=,tag:HFGDJ4QBk9PhMIvgXjh7Kg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdFN4bDVVWVdYMjRmYjl3 + YVdvL1Y5M0h5TTZmUFF6NWp3bk9vS21SOTFvClJOZEhKKzFVV0cyZE1ZMlVwU0tG + ZjN0Y0xQM2NTT29HeEd3azNQeUFaUTQKLS0tIE5yZDhhNkhsYjZwWWIvakpQdmhP + c24yVlJjOWdhSlVkblQ0SlUrNHpEeEkKnOs5sHASEB9S5fqoApj6ryBDprXSm0++ + jTdYdMva20hn9WZjm8e9A34Vhw5LTIgL8PeaTWO/qVCwBnhPAwrVig== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT1ZmM1FwRTNUVEMrYlRF + MlAzYlBnbHdtL1dtTDU3RTB1WHZSMzNML2lJCnNNK1B6dExHQlpaRE1yRFcwVytY + dDJ5bGxYdElHazlpanI0TVdPQnpvdVUKLS0tIFVzc1UraHh3TnNSYjZGbUhZSjlI + MlJ5OS9wMUMyRDNRMStjTkZtUEFrRHcKGDKLR5dOfwZi8cNciUCs6S8+Fza0qZ8f + hTU18SlABzsxpvV1Zpt4qpTkPjr4AN69TokoE9lJ9Re8fbgjZ1EahA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-09-27T03:11:22Z" + mac: ENC[AES256_GCM,data:ex9jF7XAYS6nYVQimuDq4SDOlfb8pJ/IdCml5KaFesb/GML9QS15+RXRcXpmyroudjRdDDmgvTuEOgCw1fhElCNd1GIdmeJW1zr7kKJOir8F4UCdDpXekUD9jYrrGHb6FH096RmWOqfxZAQBDZV+pg83rhMW+ZTKOZtOaujF5/w=,iv:t462VupFqQ6gOw1a+ySWA4tAiB6aYRzVzjBw8svPi1M=,tag:hvmULEFRyWprN6g038GREQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/matrix/recaptcha b/secrets/matrix/recaptcha new file mode 100644 index 0000000..389e6b4 --- /dev/null +++ b/secrets/matrix/recaptcha 
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:n1TVra/4kQ7hSyVIGo7NMCWkIu/9NFCVxLMpYaygsY4MUZ6+7wt2Y46SYL+2f4USkfZzjuo046s9gB8BKEgUJRxA9cI+9H2+F22ebcCri+zMVCyU0CxkdtHcRx2/ctsqokxoRh4O+Motqqil1lbtaEiIP7GIJVqGq8BL2qVCfjjhYtwN41gaVnKfId6O4lialxIE8D7wrFT0vPAWH9maY3B9Ae6uRXy4,iv:/w3jVJzjbGuriqeIZALXVXBchdxRHNZgmEx2kzrpqDs=,tag:kieGBHYljPMyzN3/V5HH+g==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvd2JDVFZyQUdTamZPTHY5\nbVNzTlpyemtUQXdETEpzb3VPM0ZZdmJ6Um1jCmJiNlRkU3M1c1N2QnJ0ZnlzWitF\nMjh1dzU1M3RkL1JVcVVSK2YzMVRhaWsKLS0tIG1zY29NcGw5cnI1RC8rdm5KUlZM\nMU1LR2JFeHJ5WExKVll3UW1RN3RDd3cKhC0SnpobGHl7pMc81liVghcwCKJcXBgu\nlB9m0YBfDUJdCUisLJZEpkuobz3Px4AidBhJq1gdkWK/IKS42hdZYw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2b0FPV2pUY0o3L1FHV01M\nWkVIR21xby9SajZPVC83S2MzcnpyeVN1OFNFCm01bnRsSSs5UzFrVUhqUGR3Y3pL\nYWlNRlRPNnBObysvRi9VNEYzSG9SQncKLS0tIHdPT1hpamN6UlJyZ1VJT2drVWNi\neGR3a1o5ZXF1dXFHNTYzQjJ5QStrbTQKK3FmNpBatc697zTruvYB+zrxLFKbEKj8\nWNKyWztMqRxZuR8UtnlY+1qa/G90NijMaNO9Az3G82uR1TFas9e6kw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2022-09-27T03:29:56Z", + "mac": "ENC[AES256_GCM,data:o8RoMii4CvlCLPmXy0bqcxU66ui/RTmda4/ON2tv9Y/eiU9Cy9+9N7/oa6m079XWxwKiClAq1q+vw2nFYs4LIYzgfqUiNd8E625TF6J/BKRjCPHC+PtPPyHq+znS+EMjKNHfDTYPR8lCIZyvVVghgCqPqZSR83BkvE8c6C5PrmU=,iv:larsQNmaARyMAAF16lNYnGvn/rIE9wRPrbZAjiIvQNc=,tag:AUX9Z7RRrlHQYLU5XGoJ2Q==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file