Diffstat (limited to 'host/Rory-nginx')
-rwxr-xr-xhost/Rory-nginx/configuration.nix5
-rwxr-xr-xhost/Rory-nginx/hosts/rory.gay/conduit.nix25
-rwxr-xr-xhost/Rory-nginx/post-rebuild.sh2
-rwxr-xr-xhost/Rory-nginx/services/discordbots.nix15
-rwxr-xr-xhost/Rory-nginx/services/matrix/conduit.nix20
-rwxr-xr-xhost/Rory-nginx/services/matrix/coturn.nix54
-rwxr-xr-xhost/Rory-nginx/services/matrix/draupnir.nix53
-rwxr-xr-xhost/Rory-nginx/services/matrix/matrix-appservice-discord.nix26
-rwxr-xr-xhost/Rory-nginx/services/matrix/root.nix13
-rwxr-xr-xhost/Rory-nginx/services/matrix/synapse.nix207
-rwxr-xr-xhost/Rory-nginx/services/postgres.nix40
11 files changed, 459 insertions, 1 deletions
diff --git a/host/Rory-nginx/configuration.nix b/host/Rory-nginx/configuration.nix
index 2f2f7cc..2c33448 100755
--- a/host/Rory-nginx/configuration.nix
+++ b/host/Rory-nginx/configuration.nix
@@ -6,6 +6,11 @@
       ../../modules/base-server.nix
       ../../modules/users/levi.nix
       ../../modules/users/db2k.nix
+
+      ../../modules/services/nginx.nix
+      ../../modules/services/postgres.nix
+      ../../modules/services/synapse.nix
+
       ./software.nix
     ];
   users.groups.ocp = {};
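Review bot: The three new imports point at `../../modules/services/{nginx,postgres,synapse}.nix`, but the files this commit adds live under `host/Rory-nginx/services/` (`services/postgres.nix`, `services/matrix/synapse.nix`, and so on); nothing in the diff creates a file at the imported path. Either those module files already exist outside this change, or the imports should read `./services/postgres.nix` and `./services/matrix/root.nix` — if it is the latter, evaluation fails at import time. The `imports` list begins before this hunk, so I cannot see whether another entry already covers it.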
diff --git a/host/Rory-nginx/hosts/rory.gay/conduit.nix b/host/Rory-nginx/hosts/rory.gay/conduit.nix
new file mode 100755
index 0000000..8c293d7
--- /dev/null
+++ b/host/Rory-nginx/hosts/rory.gay/conduit.nix
@@ -0,0 +1,25 @@
+{
+  enableACME = true;
+  addSSL = true;
+  locations."/_matrix" = {
+    proxyPass = "http://192.168.1.5:6167"; 
+    extraConfig = ''
+      if ($request_method = 'OPTIONS') {
+        more_set_headers 'Access-Control-Allow-Origin: *';
+        more_set_headers 'Access-Control-Allow-Methods: *';
+        #
+        # Custom headers and headers various browsers *should* be OK with but aren't
+        #
+        more_set_headers 'Access-Control-Allow-Headers: *';
+        #
+        # Tell client that this pre-flight info is valid for 20 days
+        #
+        more_set_headers 'Access-Control-Max-Age: 1728000';
+        more_set_headers 'Content-Type: text/plain; charset=utf-8';
+        more_set_headers 'Content-Length: 0';
+        return 204;
+      }
+    '';
+  };
+  #locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008";   
+}
diff --git a/host/Rory-nginx/post-rebuild.sh b/host/Rory-nginx/post-rebuild.sh
index ea6e013..0ea1293 100755
--- a/host/Rory-nginx/post-rebuild.sh
+++ b/host/Rory-nginx/post-rebuild.sh
@@ -8,7 +8,7 @@ REACHABLE_DOMAIN='http://localhost:8008'
 # -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md
 # Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat>
 # Explicit authorisation to use the code has been granted by the original author
-#  for use by members of the Rory system (https://rory.gay)
+#  for use by members of the Rory& system (https://rory.gay)
 
 
 # the magic function:
diff --git a/host/Rory-nginx/services/discordbots.nix b/host/Rory-nginx/services/discordbots.nix
new file mode 100755
index 0000000..b0b9cf2
--- /dev/null
+++ b/host/Rory-nginx/services/discordbots.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, lib, botcore-v4, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+      # ./services.nix
+      botcore-v4.modules.bots
+      botcore-v4.modules.frontend
+      botcore-v4.modules.dataupdater
+      botcore-v4.modules.users
+    ];
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
\ No newline at end of file
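Review bot: `../../modules/base-server.nix` on line 91 is resolved relative to this file, i.e. from `host/Rory-nginx/services/`, which lands at `host/modules/base-server.nix`; `configuration.nix` one directory up uses the same string to reach the repo-level `modules/base-server.nix`. Unless a second copy exists under `host/`, this import (and the identical one in the new `services/postgres.nix` and `services/matrix/*.nix` files) should be `../../../modules/base-server.nix`, or better, left out entirely since `configuration.nix` already imports the base module for the host. The file also lacks a trailing newline.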
diff --git a/host/Rory-nginx/services/matrix/conduit.nix b/host/Rory-nginx/services/matrix/conduit.nix
new file mode 100755
index 0000000..77ba1fb
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/conduit.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+
+  services.matrix-conduit = {
+    enable = true;
+    settings.global = {
+      server_name = "conduit.rory.gay";
+    };
+    database_backend = "rocksdb";
+    enable_lightning_bolt = true;
+    max_concurrent_requests = 1000;
+  };
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
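Review bot: `database_backend`, `enable_lightning_bolt` and `max_concurrent_requests` on lines 121–123 sit directly under `services.matrix-conduit`, but in the nixpkgs module they are conduit configuration keys that belong under `settings.global` next to `server_name`; as written they are undefined options and evaluation fails (assuming the nixpkgs module is the one in use). Moving them is a small change: `settings.global = { server_name = "conduit.rory.gay"; database_backend = "rocksdb"; enable_lightning_bolt = true; max_concurrent_requests = 1000; };`. Nothing here sets `settings.global.address`, so conduit keeps the module's loopback default, while the nginx vhost in this commit proxies to `192.168.1.5:6167` — either the address needs setting or the proxy has to run on the same host; the diff does not say which.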
diff --git a/host/Rory-nginx/services/matrix/coturn.nix b/host/Rory-nginx/services/matrix/coturn.nix
new file mode 100755
index 0000000..434dd52
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/coturn.nix
@@ -0,0 +1,54 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+  # coturn (WebRTC)
+  services.coturn = rec {
+    enable = false; # Alicia - figure out secret first...
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = 49000;
+    max-port = 50000;
+    use-auth-secret = true;
+    static-auth-secret = "will be world readable for local users :(";
+    realm = "turn.example.com";
+    # Alicia - figure out how to get this to work, since nginx runs on separate machine...
+    #cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    extraConfig = ''
+      # for debugging
+      verbose
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+  };
+  #services.matrix-synapse = with config.services.coturn; {
+  #  turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
+  #  turn_shared_secret = static-auth-secret;
+  #  turn_user_lifetime = "1h";
+  #};
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
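Review bot: `static-auth-secret` on line 146 is a string literal, so whatever value eventually replaces the placeholder ends up in the generated `turnserver.conf` in the world-readable Nix store — the placeholder text itself says so. The nixpkgs module offers `static-auth-secret-file`, which reads the secret at start-up from a root-owned file outside the store; use `static-auth-secret-file = "/etc/keyring/coturn/static-auth-secret";` and drop the literal, and the `enable = false` guard on line 140 no longer has a secret-handling reason to exist. `realm` is still the `turn.example.com` placeholder and `verbose` in `extraConfig` is marked "for debugging" — both should be fixed before enabling. The commented-out Synapse block on lines 180–184 would copy the same secret into the Synapse config; if the Synapse version in use supports `turn_shared_secret_path`, prefer that for the same reason.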
diff --git a/host/Rory-nginx/services/matrix/draupnir.nix b/host/Rory-nginx/services/matrix/draupnir.nix
new file mode 100755
index 0000000..19a2f16
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/draupnir.nix
@@ -0,0 +1,53 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+
+  # Alicia - doesnt work yet... until in nixpkgs...
+  services.draupnir = {
+    enable = true;
+    
+    pantalaimon = {
+      enable = true;
+      username = "draupnir";
+      passwordFile = "/etc/draupnir-password";
+      options = {
+        homeserver = "http://localhost:8008";
+        ssl = false;
+      };
+      
+    };
+    managementRoom = "#draupnir-mgmt:rory.gay";
+    homeserverUrl = "http://localhost:8008";
+    verboseLogging = false;
+    settings = {
+      recordIgnoredInvites = false;
+      automaticallyRedactForReasons = [ "*" ];
+      fasterMembershipChecks = true;
+      backgroundDelayMS = 100;
+      pollReports = true;
+      admin.enableMakeRoomAdminCommand = true;
+      commands.ban.defaultReasons = [
+        "spam"
+        "harassment"
+        "transphobia"
+        "scam"
+      ];
+      protections = {
+        wordlist = {
+          words = [
+            "tranny"
+            "faggot"
+          ];
+          minutesBeforeTrusting = 0;
+        };
+      };
+    };
+  };
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
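Review bot: Line 202 says the `services.draupnir` module is not in nixpkgs yet, but line 204 sets `enable = true` and `root.nix` in this commit imports this file unconditionally, so as soon as `root.nix` is used the whole system fails to evaluate on an undefined option. Either set `enable = false` until the module lands, or keep the file out of `root.nix`, and say which in the comment. Separately, `admin.enableMakeRoomAdminCommand = true` on line 225 only works if the bot account is a Synapse server admin (the admin API behind it requires one), which turns `/etc/draupnir-password` into a server-admin credential; a comment to that effect, plus a check that the file is `root:draupnir 0640` rather than world-readable, would be appropriate.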
diff --git a/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix b/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix
new file mode 100755
index 0000000..3f2225f
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # Discord bridge
+   services.matrix-appservice-discord = {
+    enable = false; # Alicia - figure out secret first...
+    environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
+    # The appservice is pre-configured to use SQLite by default.
+    # It's also possible to use PostgreSQL.
+    settings = {
+      bridge = {
+        domain = "rory.gay";
+        homeserverUrl = "https://matrix.rory.gay";
+      };
+
+      # The service uses SQLite by default, but it's also possible to use
+      # PostgreSQL instead:
+      database = {
+        #  filename = ""; # empty value to disable sqlite
+        connString = "postgres://postgres@127.0.0.1/matrix-appservice-discord";
+      };
+    };
+   };
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
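Review bot: `connString` on line 272 connects as the `postgres` superuser, and `postgres.nix` in this same commit trusts every role from 127.0.0.1 without a password, so the bridge gets full superuser access to every database on the host instead of its own. Create a dedicated role and database (`services.postgresql.ensureUsers`/`ensureDatabases` for `matrix-appservice-discord`) and point the string at it: `connString = "postgres://matrix-appservice-discord@127.0.0.1/matrix-appservice-discord";`. `environmentFile` on line 259 is a Nix path literal rather than a string; if it is ever interpolated it would be copied into the Nix store, and flake pure evaluation refuses absolute paths outside the flake, so `environmentFile = "/etc/keyring/matrix-appservice-discord/tokens.env";` is the safer form. The bridge also talks to the homeserver via the public `https://matrix.rory.gay` while the other services use the local 8008 listener — possibly intended, but worth a comment.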
diff --git a/host/Rory-nginx/services/matrix/root.nix b/host/Rory-nginx/services/matrix/root.nix
new file mode 100755
index 0000000..f9a9d49
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/root.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, botcore-v4, ... }:
+
+{
+  imports =
+    [
+      ./synapse.nix
+      ./coturn.nix
+      ./matrix-appservice-discord.nix
+      ./draupnir.nix
+    ];
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
\ No newline at end of file
diff --git a/host/Rory-nginx/services/matrix/synapse.nix b/host/Rory-nginx/services/matrix/synapse.nix
new file mode 100755
index 0000000..b69af7a
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/synapse.nix
@@ -0,0 +1,207 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+
+  services.matrix-synapse = {
+    enable = true;
+    withJemalloc = true;
+
+    # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
+    settings = {
+      server_name = "rory.gay";
+
+      enable_registration = true;
+      registration_requires_token = true;
+
+      require_membership_for_aliases = false;
+      redaction_retention_period = null;
+      user_ips_max_age = null;
+      allow_device_name_lookup_over_federation = true;
+
+      federation = {
+        client_timeout = "60s";
+        max_short_retries = 6;
+        max_short_retry_delay = "10s";
+        max_long_retries = 5;
+        max_long_retry_delay = "30s";
+      };
+
+      event_cache_size = "30K"; #defaults to 10K
+      caches = {
+        global_factor = 1.0;
+        sync_response_cache_duration = "30m";
+        cache_autotuning = {
+          max_cache_memory_usage = "2048M";
+          target_cache_memory_usage = "1024M";
+          min_cache_ttl = "30m";
+        };
+      };
+
+
+      # Alicia - figure this out later...
+      #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"];
+      registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
+      
+      listeners = [
+        { 
+          port = 8008;
+          bind_addresses = [ "192.168.1.2" "127.0.0.1" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [ {
+            names = [ "client" "federation" ];
+            compress = true;
+          } ];
+        }
+      ];
+      dynamic_thumbnails = true;
+      presence = {
+        enable = true;
+        update_interval = 60;
+      };
+      url_preview_enabled = true;
+      database = {
+        name = "psycopg2";
+        args = {
+          user = "matrix-synapse-rory-gay";
+          #passwordFile = "/run/secrets/matrix-synapse-password";
+          password = "somepassword";
+          database = "matrix-synapse-rory-gay";
+          host = "127.0.0.1";
+          application_name = "matrix-synapse (rory.gay)";
+          cp_min = 5;
+          cp_max = 50;
+          #cp_reconnect_interval = "True";
+        };
+      };
+      app_service_config_files = [
+        #"/etc/matrix-synapse/appservice-registration.yaml"
+      ];
+
+      rc_message = {
+        per_second = 1000;
+        burst_count = 1000;
+      };
+      rc_login = {
+        address = {
+          per_second = 1000;
+          burst_count = 1000;
+        };
+        account = {
+          per_second = 1000;
+          burst_count = 1000;
+        };
+        failed_attempts = {
+          per_second = 0.1;
+          burst_count = 3;
+        };
+      };
+      rc_joins = {
+        local = {
+          per_second = 1000;
+          burst_count = 1000;
+        };
+        remote = {
+          per_second = 1000;
+          burst_count = 1000;
+        };
+      };
+      rc_joins_per_room = {
+        per_second = 1000;
+        burst_count = 1000;
+      };
+      rc_invites = {
+        per_room = {
+          per_second = 1000;
+          burst_count = 1000;
+        };
+        per_user = {
+          per_second = 1000;
+          burst_count = 1000;
+        };
+        per_issuer = {
+          per_second = 1000;
+          burst_count = 1000;
+        };
+      };
+      rc_federation = {
+        window_size = 10;
+        sleep_limit = 1000;
+        sleep_delay = 100;
+        reject_limit = 1000;
+        concurrent = 100;
+      };
+      federation_rr_transactions_per_room_per_second = 1;
+
+      max_image_pixels = "100M";
+
+      ui_auth = {
+        session_timeout = "1m";
+      };
+
+      login_via_existing_session = {
+        enabled = true;
+        require_ui_auth = true;
+        token_timeout = "1y";
+      };
+
+      #sentry = {
+      #  dsn = "https://77c8de07855d4e0c90dbcf0945a04f01@sentry.thearcanebrony.net/14";
+      #};
+
+      report_stats = false;
+
+      user_directory = {
+        enabled = true;
+        search_all_users = true;
+        prefer_local_users = true;
+      };
+    };
+
+    plugins = with pkgs.matrix-synapse-plugins; [
+      # Alicia - need to port draupnir...
+      #matrix-synapse-mjolnir-antispam
+#      matrix-synapse-pam
+    ];
+#    extraConfigFiles = [
+#        (pkgs.writeTextFile {
+#          name = "matrix-synapse-extra-config.yml";
+#          text = ''
+#            modules:
+#              - module: "pam_auth_provider.PAMAuthProvider"
+#                config:
+#                  create_users: true
+#                  skip_user_check: false
+#          '';
+#        })
+#      ];
+  };
+
+    systemd.services.matrix-synapse-reg-token = {
+      description = "Random registration token for Synapse.";
+      before = ["matrix-synapse.service"]; # So the registration can be used by Synapse
+      wantedBy = ["multi-user.target"];
+      after = ["network.target"];
+
+      script = ''
+
+        if [ ! -f "registration_shared_secret.txt" ]
+        then
+          cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt
+        else
+          echo Not generating key, key exists;
+        fi'';
+      serviceConfig = {
+        User = "matrix-synapse";
+        Group = "matrix-synapse";
+        WorkingDirectory = "/var/lib/matrix-synapse";
+      };
+    };
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
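Review bot: The `matrix-synapse-reg-token` unit (lines 489–508) writes `registration_shared_secret.txt` under the service's default umask, so the file is typically created 0644; inside `/var/lib/matrix-synapse` that is readable by any local user unless the directory itself is 0700, and the registration shared secret lets anyone holding it create accounts (including admins) through the admin API regardless of `registration_requires_token`. Put `umask 077` as the first line of the script and replace the pipeline with `tr -dc a-zA-Z0-9 < /dev/urandom | head -c 256 > registration_shared_secret.txt`, which also avoids a SIGPIPE-induced failure if the unit ever runs with `pipefail`. `database.args.password = "somepassword"` on line 377 ends up in the generated `homeserver.yaml` in the world-readable Nix store; the module's `extraConfigFiles` with a root-owned YAML fragment (the mechanism already sketched in the commented block on lines 475–486) keeps it out of the store. The `rc_*` blocks on lines 390–435 raise message, login, join and invite limits to 1000/s for every user, which effectively disables Synapse's abuse rate limiting server-wide; if the goal is to exempt bots, use the admin API's per-user ratelimit override and keep the defaults.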
diff --git a/host/Rory-nginx/services/postgres.nix b/host/Rory-nginx/services/postgres.nix
new file mode 100755
index 0000000..7b75435
--- /dev/null
+++ b/host/Rory-nginx/services/postgres.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+  
+  systemd.tmpfiles.rules = [  "d /mnt/postgres/data 0750 postgres postgres" ];
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_14;
+    enableTCPIP = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      # TYPE, DATABASE, USER, ADDRESS, METHOD
+      local all all trust
+      host all all 127.0.0.1/32 trust
+      host all all ::1/128 trust
+      host discordbots discordbots 192.168.1.2/32 trust
+      host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust
+      host all all 0.0.0.0/0 md5
+    '';
+    # initialScript = pkgs.writeText "backend-initScript" ''
+    #   CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
+    #   CREATE DATABASE nixcloud;
+    #   GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
+    # '';
+    dataDir = "/mnt/postgres/data";
+    settings = {
+      "max_connections" = "100";
+      "shared_buffers" = "128MB";
+      "max_wal_size" = "1GB";
+      "min_wal_size" = "80MB";
+    };
+  };
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
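Review bot: `host all all 0.0.0.0/0 md5` on line 539, combined with `enableTCPIP = true` (which sets `listen_addresses` to every interface), accepts password logins for every role and database from any address that can reach the host, and nothing in the diff narrows the firewall; drop that line, or limit it to the LAN with `host all all 192.168.1.0/24 scram-sha-256`, and prefer `scram-sha-256` over the legacy `md5` method on PostgreSQL 14. `local all all trust` and the two loopback `trust` lines let any local Unix user connect as the `postgres` superuser with no credentials, so every other service on this host is one `psql -U postgres` away from full database access; `peer` on the local line and per-role loopback entries keep the blast radius per service. The per-service LAN `trust` lines on 537–538 are only as strong as the network, which is acceptable on a private segment but deserves a comment saying so.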