Migrate matrix to new format

.sops.yaml

@@ -26,3 +26,8 @@ creation_rules:
       - age:
           - *nathan
           - *oracles
+  - path_regex: secrets/matrix
+    key_groups:
+      - age:
+          - *nathan
+          - *matrix

flake.nix

@@ -144,6 +144,15 @@
           ];
         };
 
+        matrix = makeNixosSystem {
+          system = "x86_64-linux";
+          hostName = "matrix";
+          extraModules = [
+            ./hardware/matrix.nix
+            ./machines/matrix/configuration.nix
+          ];
+        };
+
         x86vm = makeNixosSystem {
           system = "x86_64-linux";
           hostName = "x86vm";

machines/matrix/configuration.nix

@@ -0,0 +1,193 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+  # Sops setup for this machine
+  sops.secrets = {
+    "borg-ssh-key" = {
+      sopsFile = ../../secrets/matrix/borg.yaml;
+      format = "yaml";
+    };
+    "borg-password" = {
+      sopsFile = ../../secrets/matrix/borg.yaml;
+      format = "yaml";
+    };
+    "matrix-secrets.yaml" = {
+      owner = "matrix-synapse";
+      format = "binary";
+      sopsFile = ../../secrets/matrix/recaptcha;
+    };
+  };
+  # Setup system configuration
+  nathan = {
+    services = {
+      nginx = {
+        enable = true;
+        acme = true;
+      };
+      matrix = {
+        enable = true;
+        baseDomain = "community.rs";
+        enableRegistration = true;
+      };
+      borg = {
+        enable = true;
+        extraExcludes = [
+          "*/.cache"
+          "*/.tmp"
+          "/home/nathan/minecraft/server/backup"
+          "/var/lib/postgresql"
+          "/var/lib/redis"
+          "/var/lib/docker"
+          "/var/log"
+          "/var/minecraft"
+          "/var/sharedstore"
+        ];
+        passwordFile = config.sops.secrets."borg-password".path;
+        sshKey = config.sops.secrets."borg-ssh-key".path;
+      };
+    };
+    config = {
+      setupGrub = false;
+      nix = {
+        autoUpdate = true;
+        autoGC = true;
+      };
+      harden = false;
+      virtualization = {
+        docker = true;
+      };
+    };
+  };
+  # Configure bootloader
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+  boot.loader.grub.forceInstall = true;
+  boot.loader.timeout = 10;
+  boot.loader.grub.extraConfig = ''
+    serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+    terminal_input serial;
+    terminal_output serial
+  '';
+  boot.kernelParams = [
+    "console=ttyS0"
+  ];
+  # Configure networking
+  networking = {
+    domain = "community.rs";
+    useDHCP = false;
+    interfaces.enp0s5.useDHCP = true;
+
+    nameservers = [ "1.1.1.1" ];
+    # Open ports in firewall
+    firewall = { };
+  };
+
+  # Setup home manager
+  home-manager.users.nathan = import ./home.nix;
+
+  # Create www-html group
+  users.groups.www-html.gid = 6848;
+  # Add shaurya
+  users.users.shaurya = {
+    isNormalUser = true;
+    home = "/home/shaurya";
+    description = "Shaurya";
+    extraGroups = [ "www-html" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDA8BwFgWGrX5is2rQV+T0dy4MUWhfpE5EzYxjgLuH1V shauryashubham1234567890@gmail.com"
+    ];
+    shell = pkgs.nushell;
+  };
+
+  # Add www-html for my self
+  users.users.nathan = {
+    extraGroups = [ "www-html" ];
+  };
+
+  # Configure matrix registration
+  services.matrix-synapse.settings = {
+    enable_registration_captcha = true;
+    allow_guest_access = false;
+    extraConfig = ''
+      allow_public_rooms_over_federation: true
+      experimental_features: { spaces_enabled: true }
+      auto_join_rooms: [ "#space:community.rs" , #rules:community.rs" , "#info:community.rs" ]
+    '';
+    turn_uris = [ "turn:turn.community.rs:3478?transport=udp" "turn:turn.community.rs:3478?transport=tcp" ];
+    turn_user_lifetime = "1h";
+    extraConfigFiles = [ config.sops.secrets."matrix-secrets.yaml".path ];
+  };
+
+  # Configure the vhost for the domain
+  services.nginx.virtualHosts =
+    let
+      fqdn =
+        let
+          join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}";
+        in
+        join config.networking.hostName config.networking.domain;
+    in
+    {
+      "${config.networking.domain}" = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations."= /.well-known/matrix/server".extraConfig =
+          let
+            # use 443 instead of the default 8448 port to unite
+            # the client-server and server-server port for simplicity
+            server = { "m.server" = "${fqdn}:443"; };
+          in
+          ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server}';
+          '';
+        locations."= /.well-known/matrix/client".extraConfig =
+          let
+            client = {
+              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
+              "m.identity_server" = { "base_url" = "https://vector.im"; };
+            };
+            # ACAO required to allow element-web on any URL to request this json file
+          in
+          ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client}';
+          '';
+        locations."/".extraConfig = ''
+          rewrite ^(.*)$ http://www.community.rs$1 redirect;
+        '';
+      };
+      # Main domain
+      "www.community.rs" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."= /.well-known/matrix/server".extraConfig =
+          let
+            # use 443 instead of the default 8448 port to unite
+            # the client-server and server-server port for simplicity
+            server = { "m.server" = "${fqdn}:443"; };
+          in
+          ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server}';
+          '';
+        locations."= /.well-known/matrix/client".extraConfig =
+          let
+            client = {
+              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
+              "m.identity_server" = { "base_url" = "https://vector.im"; };
+            };
+            # ACAO required to allow element-web on any URL to request this json file
+          in
+          ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client}';
+          '';
+        root = "/var/www";
+      };
+    };
+}

machines/matrix/home.nix

@@ -0,0 +1,3 @@
+{ config, lib, pkgs, ... }:
+
+{ }

modules/linux/services/matrix.nix

@@ -25,7 +25,7 @@ with lib;
           matrix-synapse = {
             enable = true;
             settings = {
-              enable_registration = false;
+              enable_registration = nathan.services.matrix.enableRegistration;
               server_name = nathan.services.matrix.baseDomain;
 
               listeners = [

secrets/matrix/borg.yaml

@@ -0,0 +1,31 @@
+borg-ssh-key: ENC[AES256_GCM,data:XYQmGWK9jDwcyh+AY4IuUKiI3sGer+BkQklOYb+FGfKo8BXckGKkimerVYgQWYrnM7wG9beOqslm54DRx58IXc7vn8jAGQgnti6Y0h1TriZUami/ideuzioC+rlr2UrDs3kVYF4tplSnGNEn79eEAGA+yFa3+CNX0JcSyg5bzABUU1OlHmjzl6HcWFehnBGsp3uRckRHiZtoNkYbDEEqgyZPJeax7QuFtAykleRfCLaa/wYcwkVqjyL9nXIz4l4ixPrit+oWpQqNImGms9QWNF/Xgt18InnZc9uwLl3GwDA52I5OvK089xC+SvmSvROOYOn4Vf05knAi+f/zfQgEgmHnK9BIW4mgpyNkQaahxqlSZAsmCAbMTwzsChC7x4l2WiVyTc+SZtPDc+/fh6IlSYM24IjB2pBOQinBhsWv5JynAohmjwjL6aTRrqOKi6QJmRhw5L3c3PHz1o0gCXangftWIF1ucKo/UOAAKtNa338lTiHrYSc3L2zRPVtcEv7yFMxgWFIILym2vlCpqAPzvBJE3bK7Zkaib8dr,iv:HR6qT0eO9FI6BKTEPFoDYw1FCaIpYUxlR2Ipshj4MzM=,tag:yixPw+yuV++XHJBRBiPFeA==,type:str]
+borg-password: ENC[AES256_GCM,data:Csi14MRZoKlC89/0clz9ogGVd0lJo+8235L/LQWVTbeth8D11SPD+FoXtg==,iv:2+ONcrulPUuW9oA7ZTEVY7l2x72BZtEU1529O5jDE5k=,tag:HFGDJ4QBk9PhMIvgXjh7Kg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdFN4bDVVWVdYMjRmYjl3
+            YVdvL1Y5M0h5TTZmUFF6NWp3bk9vS21SOTFvClJOZEhKKzFVV0cyZE1ZMlVwU0tG
+            ZjN0Y0xQM2NTT29HeEd3azNQeUFaUTQKLS0tIE5yZDhhNkhsYjZwWWIvakpQdmhP
+            c24yVlJjOWdhSlVkblQ0SlUrNHpEeEkKnOs5sHASEB9S5fqoApj6ryBDprXSm0++
+            jTdYdMva20hn9WZjm8e9A34Vhw5LTIgL8PeaTWO/qVCwBnhPAwrVig==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT1ZmM1FwRTNUVEMrYlRF
+            MlAzYlBnbHdtL1dtTDU3RTB1WHZSMzNML2lJCnNNK1B6dExHQlpaRE1yRFcwVytY
+            dDJ5bGxYdElHazlpanI0TVdPQnpvdVUKLS0tIFVzc1UraHh3TnNSYjZGbUhZSjlI
+            MlJ5OS9wMUMyRDNRMStjTkZtUEFrRHcKGDKLR5dOfwZi8cNciUCs6S8+Fza0qZ8f
+            hTU18SlABzsxpvV1Zpt4qpTkPjr4AN69TokoE9lJ9Re8fbgjZ1EahA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-27T03:11:22Z"
+    mac: ENC[AES256_GCM,data:ex9jF7XAYS6nYVQimuDq4SDOlfb8pJ/IdCml5KaFesb/GML9QS15+RXRcXpmyroudjRdDDmgvTuEOgCw1fhElCNd1GIdmeJW1zr7kKJOir8F4UCdDpXekUD9jYrrGHb6FH096RmWOqfxZAQBDZV+pg83rhMW+ZTKOZtOaujF5/w=,iv:t462VupFqQ6gOw1a+ySWA4tAiB6aYRzVzjBw8svPi1M=,tag:hvmULEFRyWprN6g038GREQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

secrets/matrix/recaptcha

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:n1TVra/4kQ7hSyVIGo7NMCWkIu/9NFCVxLMpYaygsY4MUZ6+7wt2Y46SYL+2f4USkfZzjuo046s9gB8BKEgUJRxA9cI+9H2+F22ebcCri+zMVCyU0CxkdtHcRx2/ctsqokxoRh4O+Motqqil1lbtaEiIP7GIJVqGq8BL2qVCfjjhYtwN41gaVnKfId6O4lialxIE8D7wrFT0vPAWH9maY3B9Ae6uRXy4,iv:/w3jVJzjbGuriqeIZALXVXBchdxRHNZgmEx2kzrpqDs=,tag:kieGBHYljPMyzN3/V5HH+g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvd2JDVFZyQUdTamZPTHY5\nbVNzTlpyemtUQXdETEpzb3VPM0ZZdmJ6Um1jCmJiNlRkU3M1c1N2QnJ0ZnlzWitF\nMjh1dzU1M3RkL1JVcVVSK2YzMVRhaWsKLS0tIG1zY29NcGw5cnI1RC8rdm5KUlZM\nMU1LR2JFeHJ5WExKVll3UW1RN3RDd3cKhC0SnpobGHl7pMc81liVghcwCKJcXBgu\nlB9m0YBfDUJdCUisLJZEpkuobz3Px4AidBhJq1gdkWK/IKS42hdZYw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2b0FPV2pUY0o3L1FHV01M\nWkVIR21xby9SajZPVC83S2MzcnpyeVN1OFNFCm01bnRsSSs5UzFrVUhqUGR3Y3pL\nYWlNRlRPNnBObysvRi9VNEYzSG9SQncKLS0tIHdPT1hpamN6UlJyZ1VJT2drVWNi\neGR3a1o5ZXF1dXFHNTYzQjJ5QStrbTQKK3FmNpBatc697zTruvYB+zrxLFKbEKj8\nWNKyWztMqRxZuR8UtnlY+1qa/G90NijMaNO9Az3G82uR1TFas9e6kw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2022-09-27T03:29:56Z",
+		"mac": "ENC[AES256_GCM,data:o8RoMii4CvlCLPmXy0bqcxU66ui/RTmda4/ON2tv9Y/eiU9Cy9+9N7/oa6m079XWxwKiClAq1q+vw2nFYs4LIYzgfqUiNd8E625TF6J/BKRjCPHC+PtPPyHq+znS+EMjKNHfDTYPR8lCIZyvVVghgCqPqZSR83BkvE8c6C5PrmU=,iv:larsQNmaARyMAAF16lNYnGvn/rIE9wRPrbZAjiIvQNc=,tag:AUX9Z7RRrlHQYLU5XGoJ2Q==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}