Migrate matrix to new format

This commit is contained in:
Nathan McCarty 2022-09-26 23:31:01 -04:00
parent c948b9633a
commit 9fe684627f
Signed by: thatonelutenist
GPG Key ID: D70DA3DD4D1E9F96
7 changed files with 266 additions and 1 deletions

View File

@ -26,3 +26,8 @@ creation_rules:
- age: - age:
- *nathan - *nathan
- *oracles - *oracles
- path_regex: secrets/matrix
key_groups:
- age:
- *nathan
- *matrix

View File

@ -144,6 +144,15 @@
]; ];
}; };
matrix = makeNixosSystem {
system = "x86_64-linux";
hostName = "matrix";
extraModules = [
./hardware/matrix.nix
./machines/matrix/configuration.nix
];
};
x86vm = makeNixosSystem { x86vm = makeNixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
hostName = "x86vm"; hostName = "x86vm";

View File

@ -0,0 +1,193 @@
{ config, lib, pkgs, inputs, ... }:
{
# Sops setup for this machine
sops.secrets = {
"borg-ssh-key" = {
sopsFile = ../../secrets/matrix/borg.yaml;
format = "yaml";
};
"borg-password" = {
sopsFile = ../../secrets/matrix/borg.yaml;
format = "yaml";
};
"matrix-secrets.yaml" = {
owner = "matrix-synapse";
format = "binary";
sopsFile = ../../secrets/matrix/recaptcha;
};
};
# Setup system configuration
nathan = {
services = {
nginx = {
enable = true;
acme = true;
};
matrix = {
enable = true;
baseDomain = "community.rs";
enableRegistration = true;
};
borg = {
enable = true;
extraExcludes = [
"*/.cache"
"*/.tmp"
"/home/nathan/minecraft/server/backup"
"/var/lib/postgresql"
"/var/lib/redis"
"/var/lib/docker"
"/var/log"
"/var/minecraft"
"/var/sharedstore"
];
passwordFile = config.sops.secrets."borg-password".path;
sshKey = config.sops.secrets."borg-ssh-key".path;
};
};
config = {
setupGrub = false;
nix = {
autoUpdate = true;
autoGC = true;
};
harden = false;
virtualization = {
docker = true;
};
};
};
# Configure bootloader
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
boot.loader.grub.forceInstall = true;
boot.loader.timeout = 10;
boot.loader.grub.extraConfig = ''
serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
terminal_input serial;
terminal_output serial
'';
boot.kernelParams = [
"console=ttyS0"
];
# Configure networking
networking = {
domain = "community.rs";
useDHCP = false;
interfaces.enp0s5.useDHCP = true;
nameservers = [ "1.1.1.1" ];
# Open ports in firewall
firewall = { };
};
# Setup home manager
home-manager.users.nathan = import ./home.nix;
# Create www-html group
users.groups.www-html.gid = 6848;
# Add shaurya
users.users.shaurya = {
isNormalUser = true;
home = "/home/shaurya";
description = "Shaurya";
extraGroups = [ "www-html" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDA8BwFgWGrX5is2rQV+T0dy4MUWhfpE5EzYxjgLuH1V shauryashubham1234567890@gmail.com"
];
shell = pkgs.nushell;
};
# Add www-html for my self
users.users.nathan = {
extraGroups = [ "www-html" ];
};
# Configure matrix registration
services.matrix-synapse.settings = {
enable_registration_captcha = true;
allow_guest_access = false;
extraConfig = ''
allow_public_rooms_over_federation: true
experimental_features: { spaces_enabled: true }
auto_join_rooms: [ "#space:community.rs" , #rules:community.rs" , "#info:community.rs" ]
'';
turn_uris = [ "turn:turn.community.rs:3478?transport=udp" "turn:turn.community.rs:3478?transport=tcp" ];
turn_user_lifetime = "1h";
extraConfigFiles = [ config.sops.secrets."matrix-secrets.yaml".path ];
};
# Configure the vhost for the domain
services.nginx.virtualHosts =
let
fqdn =
let
join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}";
in
join config.networking.hostName config.networking.domain;
in
{
"${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig =
let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in
''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in
''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
locations."/".extraConfig = ''
rewrite ^(.*)$ http://www.community.rs$1 redirect;
'';
};
# Main domain
"www.community.rs" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig =
let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in
''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in
''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
root = "/var/www";
};
};
}

3
machines/matrix/home.nix Normal file
View File

@ -0,0 +1,3 @@
{ config, lib, pkgs, ... }:
{ }

View File

@ -25,7 +25,7 @@ with lib;
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
settings = { settings = {
enable_registration = false; enable_registration = nathan.services.matrix.enableRegistration;
server_name = nathan.services.matrix.baseDomain; server_name = nathan.services.matrix.baseDomain;
listeners = [ listeners = [

31
secrets/matrix/borg.yaml Normal file
View File

@ -0,0 +1,31 @@
borg-ssh-key: ENC[AES256_GCM,data:XYQmGWK9jDwcyh+AY4IuUKiI3sGer+BkQklOYb+FGfKo8BXckGKkimerVYgQWYrnM7wG9beOqslm54DRx58IXc7vn8jAGQgnti6Y0h1TriZUami/ideuzioC+rlr2UrDs3kVYF4tplSnGNEn79eEAGA+yFa3+CNX0JcSyg5bzABUU1OlHmjzl6HcWFehnBGsp3uRckRHiZtoNkYbDEEqgyZPJeax7QuFtAykleRfCLaa/wYcwkVqjyL9nXIz4l4ixPrit+oWpQqNImGms9QWNF/Xgt18InnZc9uwLl3GwDA52I5OvK089xC+SvmSvROOYOn4Vf05knAi+f/zfQgEgmHnK9BIW4mgpyNkQaahxqlSZAsmCAbMTwzsChC7x4l2WiVyTc+SZtPDc+/fh6IlSYM24IjB2pBOQinBhsWv5JynAohmjwjL6aTRrqOKi6QJmRhw5L3c3PHz1o0gCXangftWIF1ucKo/UOAAKtNa338lTiHrYSc3L2zRPVtcEv7yFMxgWFIILym2vlCpqAPzvBJE3bK7Zkaib8dr,iv:HR6qT0eO9FI6BKTEPFoDYw1FCaIpYUxlR2Ipshj4MzM=,tag:yixPw+yuV++XHJBRBiPFeA==,type:str]
borg-password: ENC[AES256_GCM,data:Csi14MRZoKlC89/0clz9ogGVd0lJo+8235L/LQWVTbeth8D11SPD+FoXtg==,iv:2+ONcrulPUuW9oA7ZTEVY7l2x72BZtEU1529O5jDE5k=,tag:HFGDJ4QBk9PhMIvgXjh7Kg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdFN4bDVVWVdYMjRmYjl3
YVdvL1Y5M0h5TTZmUFF6NWp3bk9vS21SOTFvClJOZEhKKzFVV0cyZE1ZMlVwU0tG
ZjN0Y0xQM2NTT29HeEd3azNQeUFaUTQKLS0tIE5yZDhhNkhsYjZwWWIvakpQdmhP
c24yVlJjOWdhSlVkblQ0SlUrNHpEeEkKnOs5sHASEB9S5fqoApj6ryBDprXSm0++
jTdYdMva20hn9WZjm8e9A34Vhw5LTIgL8PeaTWO/qVCwBnhPAwrVig==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT1ZmM1FwRTNUVEMrYlRF
MlAzYlBnbHdtL1dtTDU3RTB1WHZSMzNML2lJCnNNK1B6dExHQlpaRE1yRFcwVytY
dDJ5bGxYdElHazlpanI0TVdPQnpvdVUKLS0tIFVzc1UraHh3TnNSYjZGbUhZSjlI
MlJ5OS9wMUMyRDNRMStjTkZtUEFrRHcKGDKLR5dOfwZi8cNciUCs6S8+Fza0qZ8f
hTU18SlABzsxpvV1Zpt4qpTkPjr4AN69TokoE9lJ9Re8fbgjZ1EahA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-27T03:11:22Z"
mac: ENC[AES256_GCM,data:ex9jF7XAYS6nYVQimuDq4SDOlfb8pJ/IdCml5KaFesb/GML9QS15+RXRcXpmyroudjRdDDmgvTuEOgCw1fhElCNd1GIdmeJW1zr7kKJOir8F4UCdDpXekUD9jYrrGHb6FH096RmWOqfxZAQBDZV+pg83rhMW+ZTKOZtOaujF5/w=,iv:t462VupFqQ6gOw1a+ySWA4tAiB6aYRzVzjBw8svPi1M=,tag:hvmULEFRyWprN6g038GREQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

24
secrets/matrix/recaptcha Normal file
View File

@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data:n1TVra/4kQ7hSyVIGo7NMCWkIu/9NFCVxLMpYaygsY4MUZ6+7wt2Y46SYL+2f4USkfZzjuo046s9gB8BKEgUJRxA9cI+9H2+F22ebcCri+zMVCyU0CxkdtHcRx2/ctsqokxoRh4O+Motqqil1lbtaEiIP7GIJVqGq8BL2qVCfjjhYtwN41gaVnKfId6O4lialxIE8D7wrFT0vPAWH9maY3B9Ae6uRXy4,iv:/w3jVJzjbGuriqeIZALXVXBchdxRHNZgmEx2kzrpqDs=,tag:kieGBHYljPMyzN3/V5HH+g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvd2JDVFZyQUdTamZPTHY5\nbVNzTlpyemtUQXdETEpzb3VPM0ZZdmJ6Um1jCmJiNlRkU3M1c1N2QnJ0ZnlzWitF\nMjh1dzU1M3RkL1JVcVVSK2YzMVRhaWsKLS0tIG1zY29NcGw5cnI1RC8rdm5KUlZM\nMU1LR2JFeHJ5WExKVll3UW1RN3RDd3cKhC0SnpobGHl7pMc81liVghcwCKJcXBgu\nlB9m0YBfDUJdCUisLJZEpkuobz3Px4AidBhJq1gdkWK/IKS42hdZYw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2b0FPV2pUY0o3L1FHV01M\nWkVIR21xby9SajZPVC83S2MzcnpyeVN1OFNFCm01bnRsSSs5UzFrVUhqUGR3Y3pL\nYWlNRlRPNnBObysvRi9VNEYzSG9SQncKLS0tIHdPT1hpamN6UlJyZ1VJT2drVWNi\neGR3a1o5ZXF1dXFHNTYzQjJ5QStrbTQKK3FmNpBatc697zTruvYB+zrxLFKbEKj8\nWNKyWztMqRxZuR8UtnlY+1qa/G90NijMaNO9Az3G82uR1TFas9e6kw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-09-27T03:29:56Z",
"mac": "ENC[AES256_GCM,data:o8RoMii4CvlCLPmXy0bqcxU66ui/RTmda4/ON2tv9Y/eiU9Cy9+9N7/oa6m079XWxwKiClAq1q+vw2nFYs4LIYzgfqUiNd8E625TF6J/BKRjCPHC+PtPPyHq+znS+EMjKNHfDTYPR8lCIZyvVVghgCqPqZSR83BkvE8c6C5PrmU=,iv:larsQNmaARyMAAF16lNYnGvn/rIE9wRPrbZAjiIvQNc=,tag:AUX9Z7RRrlHQYLU5XGoJ2Q==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}