From 546f932f1700931cd659964105129fd9f2ea5d3e Mon Sep 17 00:00:00 2001 From: TheArcaneBrony Date: Sun, 7 May 2023 16:28:02 +0200 Subject: Split software configuration from hardware configuration to prepare for merging --- host/Rory-devenv/configuration.nix | 68 +---------- host/Rory-devenv/software.nix | 78 ++++++++++++ host/Rory-discordbots/configuration.nix | 6 +- host/Rory-discordbots/software.nix | 15 +++ host/Rory-fosscord/configuration.nix | 4 +- host/Rory-fosscord/software.nix | 14 +++ host/Rory-nginx/configuration.nix | 74 +---------- host/Rory-nginx/software.nix | 83 +++++++++++++ host/Rory-postgres/configuration.nix | 30 +---- host/Rory-postgres/software.nix | 40 ++++++ host/Rory-synapse/configuration.nix | 200 +----------------------------- host/Rory-synapse/software.nix | 210 ++++++++++++++++++++++++++++++++ 12 files changed, 446 insertions(+), 376 deletions(-) create mode 100755 host/Rory-devenv/software.nix create mode 100755 host/Rory-discordbots/software.nix create mode 100755 host/Rory-fosscord/software.nix create mode 100755 host/Rory-nginx/software.nix create mode 100755 host/Rory-postgres/software.nix create mode 100755 host/Rory-synapse/software.nix diff --git a/host/Rory-devenv/configuration.nix b/host/Rory-devenv/configuration.nix index ae1fe1a..108ff82 100755 --- a/host/Rory-devenv/configuration.nix +++ b/host/Rory-devenv/configuration.nix @@ -4,6 +4,7 @@ imports = [ ../../modules/base-server.nix + ./software.nix ]; networking = { 
@@ -18,73 +19,6 @@ } ]; }; - systemd.tmpfiles.rules = [ "d /data/pg 0750 postgres postgres" ]; - - services = { - postgresql = { - enable = true; - package = pkgs.postgresql_14; - enableTCPIP = true; - authentication = pkgs.lib.mkOverride 10 '' - # TYPE, DATABASE, USER, ADDRESS, METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - host all all 0.0.0.0/0 md5 - ''; - # initialScript = pkgs.writeText "backend-initScript" '' - # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB; - # CREATE DATABASE nixcloud; - # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud; - # ''; - - # we dont care about data here - this is a dev env - #dataDir = "/data/pg"; - settings = { - "max_connections" = "100"; - "shared_buffers" = "128MB"; - "max_wal_size" = "1GB"; - "min_wal_size" = "80MB"; - }; - }; - xserver = { - enable = true; - desktopManager.plasma5 = { - enable = true; - #phonon-backend = "gstreamer"; - excludePackages = with pkgs.libsForQt5; [ konsole print-manager khelpcenter oxygen okular gwenview elisa ]; - }; - displayManager.sddm.enable = true; - displayManager.sddm.autoLogin = { - enable = true; - user = "Rory"; - }; - libinput.enable = true; - videoDrivers = [ "qxl" ]; - }; - qemuGuest.enable = true; - spice-vdagentd.enable = true; - }; - - environment.systemPackages = with pkgs; [ - zsh - gnome-console - kitty - feh - lsd - sshfs - cinnamon.nemo - firefox-bin - udisks - gparted - glxinfo - vscode-with-extensions - nodejs - ]; - fonts.fonts = with pkgs; [ - (nerdfonts.override { fonts = [ "JetBrainsMono" ]; }) - ]; - system.stateVersion = "22.11"; # DO NOT EDIT! } diff --git a/host/Rory-devenv/software.nix b/host/Rory-devenv/software.nix new file mode 100755 index 0000000..2d26885 --- /dev/null +++ b/host/Rory-devenv/software.nix 
@@ -0,0 +1,78 @@ +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + ]; + + systemd.tmpfiles.rules = [ "d /data/pg 0750 postgres postgres" ]; + + services = { + postgresql = { + enable = true; + package = pkgs.postgresql_14; + enableTCPIP = true; + authentication = pkgs.lib.mkOverride 10 '' + # TYPE, DATABASE, USER, ADDRESS, METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + host all all 0.0.0.0/0 md5 + ''; + # initialScript = pkgs.writeText "backend-initScript" '' + # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB; + # CREATE DATABASE nixcloud; + # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud; + # ''; + + # we dont care about data here - this is a dev env + #dataDir = "/data/pg"; + settings = { + "max_connections" = "100"; + "shared_buffers" = "128MB"; + "max_wal_size" = "1GB"; + "min_wal_size" = "80MB"; + }; + }; + xserver = { + enable = true; + desktopManager.plasma5 = { + enable = true; + #phonon-backend = "gstreamer"; + excludePackages = with pkgs.libsForQt5; [ konsole print-manager khelpcenter oxygen okular gwenview elisa ]; + }; + displayManager.sddm.enable = true; + displayManager.sddm.autoLogin = { + enable = true; + user = "Rory"; + }; + libinput.enable = true; + videoDrivers = [ "qxl" ]; + }; + qemuGuest.enable = true; + spice-vdagentd.enable = true; + }; + + environment.systemPackages = with pkgs; [ + zsh + gnome-console + kitty + feh + lsd + sshfs + cinnamon.nemo + firefox-bin + udisks + gparted + glxinfo + vscode-with-extensions + nodejs + ]; + fonts.fonts = with pkgs; [ + (nerdfonts.override { fonts = [ "JetBrainsMono" ]; }) + ]; + + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-discordbots/configuration.nix b/host/Rory-discordbots/configuration.nix index 958ae5c..dbc509c 100755 --- a/host/Rory-discordbots/configuration.nix +++ b/host/Rory-discordbots/configuration.nix 
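Review bot: The new software.nix both imports `../../modules/base-server.nix` and sets `system.stateVersion = "22.11"`, while host/Rory-devenv/configuration.nix still keeps its own copy of each (the retained `system.stateVersion` line is visible as context in the hunk above); the same duplication is present in the software.nix files for Rory-discordbots, Rory-fosscord, Rory-nginx, Rory-postgres and Rory-synapse. Equal string values merge without error, so evaluation works today, but a value marked "DO NOT EDIT!" now has two owners and will fail evaluation the moment one copy is changed. If software.nix is meant to stand alone for the planned merge, keeping the base-server import there is reasonable, but stateVersion should live in exactly one of the two files, most naturally configuration.nix next to the hardware-specific settings. It would also help to put a one-line header comment in each software.nix stating that it is intended to be importable independently of the host's configuration.nix.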
@@ -4,11 +4,7 @@ imports = [ ../../modules/base-server.nix - # ./services.nix - botcore-v4.modules.bots - botcore-v4.modules.frontend - botcore-v4.modules.dataupdater - botcore-v4.modules.users + ./software.nix ]; networking = { diff --git a/host/Rory-discordbots/software.nix b/host/Rory-discordbots/software.nix new file mode 100755 index 0000000..b0b9cf2 --- /dev/null +++ b/host/Rory-discordbots/software.nix @@ -0,0 +1,15 @@ +{ config, pkgs, lib, botcore-v4, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + # ./services.nix + botcore-v4.modules.bots + botcore-v4.modules.frontend + botcore-v4.modules.dataupdater + botcore-v4.modules.users + ]; + + system.stateVersion = "22.11"; # DO NOT EDIT! +} \ No newline at end of file diff --git a/host/Rory-fosscord/configuration.nix b/host/Rory-fosscord/configuration.nix index a58ba05..84c997e 100755 --- a/host/Rory-fosscord/configuration.nix +++ b/host/Rory-fosscord/configuration.nix @@ -4,9 +4,7 @@ imports = [ ../../modules/base-server.nix - # ./services.nix - discord-client-proxy.modules.proxy - discord-client-proxy.modules.users + ./software.nix ]; networking = { diff --git a/host/Rory-fosscord/software.nix b/host/Rory-fosscord/software.nix new file mode 100755 index 0000000..78f4412 --- /dev/null +++ b/host/Rory-fosscord/software.nix @@ -0,0 +1,14 @@ +{ config, pkgs, lib, discord-client-proxy, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + # ./services.nix + discord-client-proxy.modules.proxy + discord-client-proxy.modules.users + ]; + + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-nginx/configuration.nix b/host/Rory-nginx/configuration.nix index 8400a75..c38a1bf 100755 --- a/host/Rory-nginx/configuration.nix +++ b/host/Rory-nginx/configuration.nix @@ -4,7 +4,7 @@ imports = [ ../../modules/base-server.nix - ../../modules/packages/gitfs.nix + ./software.nix ]; networking = { 
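Review bot: The new host/Rory-discordbots/software.nix takes `botcore-v4` as a module function argument (`{ config, pkgs, lib, botcore-v4, ... }:`), and host/Rory-fosscord/software.nix likewise takes `discord-client-proxy`; a module imported by path only receives such names when the flake supplies them through `specialArgs` or `_module.args`, which this diff does not show. Since configuration.nix referenced the same names before the split, presumably that plumbing already exists, but it is worth a quick `nixos-rebuild dry-build` for both hosts to confirm the split evaluates. Separately, the discordbots file ends with `\ No newline at end of file` while every other new software.nix ends with a newline; adding one keeps the files consistent and avoids a noisy diff on the next edit.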
@@ -19,77 +19,5 @@ } ]; }; - services = { - nginx = { - enable = true; - package = pkgs.nginxQuic; - recommendedProxySettings = true; - recommendedTlsSettings = true; - appendConfig = '' - worker_processes 16; - ''; - eventsConfig = '' - #use kqueue; - worker_connections 512; - ''; - upstreams = import ./matrix/upstreams.nix; - virtualHosts = { - "siliconheaven.thearcanebrony.net" = import ./hosts/thearcanebrony.net/siliconheaven.nix; - "lfs.thearcanebrony.net" = import ./hosts/thearcanebrony.net/lfs.nix; - "http.thearcanebrony.net" = import ./hosts/thearcanebrony.net/http.nix; - "thearcanebrony.net" = import ./hosts/thearcanebrony.net/root.nix; - "sentry.thearcanebrony.net" = import ./hosts/thearcanebrony.net/sentry.nix; - "awooradio.thearcanebrony.net" = import ./hosts/thearcanebrony.net/awooradio.nix; - "search.thearcanebrony.net" = import ./hosts/thearcanebrony.net/search.nix; - "git.thearcanebrony.net" = import ./hosts/thearcanebrony.net/git.nix; - "files.thearcanebrony.net" = import ./hosts/thearcanebrony.net/files.nix; - "spigotav.thearcanebrony.net" = import ./hosts/thearcanebrony.net/spigotav.nix; - "terra.thearcanebrony.net" = import ./hosts/thearcanebrony.net/terra.nix; - "vives.thearcanebrony.net" = import ./hosts/thearcanebrony.net/vives.nix; - "rory.gay" = import ./hosts/rory.gay/root.nix; - "rory.boo" = import ./hosts/rory.gay/root.nix; - "lfs.rory.gay" = import ./hosts/rory.gay/lfs.nix; - "git.rory.gay" = import ./hosts/rory.gay/git.nix; - "matrix.rory.gay" = import ./hosts/rory.gay/matrix.nix; - "mru.rory.gay" = import ./hosts/rory.gay/mru.nix; - "tunnel.rory.boo" = import ./hosts/rory.boo/tunnel.nix; - "boorunav.com" = import ./hosts/boorunav.com/root.nix; - "catgirlsaresexy.com" = import ./hosts/catgirlsaresexy.com/root.nix; - "sugarcanemc.org" = import ./hosts/sugarcanemc.org/root.nix; - - #bots... 
- "0bottests.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "catnipbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "impulsyeeter.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "omnibot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "yatopiawatchdog.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "playground.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "kinobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "siliconbotpublic.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "thearcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "anonbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "hericanbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "siliconbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "impulsbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "studiobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "carsnbots.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "binsh.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "fosscordbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "sugarcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - "gradbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; - }; - }; - }; - systemd.services.nginx.serviceConfig = { - LimitNOFILE=5000000; - }; - systemd.services.nginx.requires = [ "data.mount" ]; - security.acme.acceptTerms = true; - security.acme.defaults.email = "root@thearcanebrony.net"; - - environment.systemPackages = with pkgs; [ - #gitfs - ]; - system.stateVersion = "22.11"; # DO NOT EDIT! } diff --git a/host/Rory-nginx/software.nix b/host/Rory-nginx/software.nix new file mode 100755 index 0000000..a551c6b --- /dev/null +++ b/host/Rory-nginx/software.nix 
@@ -0,0 +1,83 @@ +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + #../../modules/packages/gitfs.nix + ]; + + services = { + nginx = { + enable = true; + package = pkgs.nginxQuic; + recommendedProxySettings = true; + recommendedTlsSettings = true; + appendConfig = '' + worker_processes 16; + ''; + eventsConfig = '' + #use kqueue; + worker_connections 512; + ''; + upstreams = import ./matrix/upstreams.nix; + virtualHosts = { + "siliconheaven.thearcanebrony.net" = import ./hosts/thearcanebrony.net/siliconheaven.nix; + "lfs.thearcanebrony.net" = import ./hosts/thearcanebrony.net/lfs.nix; + "http.thearcanebrony.net" = import ./hosts/thearcanebrony.net/http.nix; + "thearcanebrony.net" = import ./hosts/thearcanebrony.net/root.nix; + "sentry.thearcanebrony.net" = import ./hosts/thearcanebrony.net/sentry.nix; + "awooradio.thearcanebrony.net" = import ./hosts/thearcanebrony.net/awooradio.nix; + "search.thearcanebrony.net" = import ./hosts/thearcanebrony.net/search.nix; + "git.thearcanebrony.net" = import ./hosts/thearcanebrony.net/git.nix; + "files.thearcanebrony.net" = import ./hosts/thearcanebrony.net/files.nix; + "spigotav.thearcanebrony.net" = import ./hosts/thearcanebrony.net/spigotav.nix; + "terra.thearcanebrony.net" = import ./hosts/thearcanebrony.net/terra.nix; + "vives.thearcanebrony.net" = import ./hosts/thearcanebrony.net/vives.nix; + "rory.gay" = import ./hosts/rory.gay/root.nix; + "rory.boo" = import ./hosts/rory.gay/root.nix; + "lfs.rory.gay" = import ./hosts/rory.gay/lfs.nix; + "git.rory.gay" = import ./hosts/rory.gay/git.nix; + "matrix.rory.gay" = import ./hosts/rory.gay/matrix.nix; + "mru.rory.gay" = import ./hosts/rory.gay/mru.nix; + "tunnel.rory.boo" = import ./hosts/rory.boo/tunnel.nix; + "boorunav.com" = import ./hosts/boorunav.com/root.nix; + "catgirlsaresexy.com" = import ./hosts/catgirlsaresexy.com/root.nix; + "sugarcanemc.org" = import ./hosts/sugarcanemc.org/root.nix; + + #bots... 
+ "0bottests.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "catnipbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "impulsyeeter.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "omnibot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "yatopiawatchdog.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "playground.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "kinobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "siliconbotpublic.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "thearcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "anonbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "hericanbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "siliconbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "impulsbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "studiobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "carsnbots.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "binsh.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "fosscordbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "sugarcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + "gradbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix; + }; + }; + }; + systemd.services.nginx.serviceConfig = { + LimitNOFILE=5000000; + }; + systemd.services.nginx.requires = [ "data.mount" ]; + security.acme.acceptTerms = true; + security.acme.defaults.email = "root@thearcanebrony.net"; + + environment.systemPackages = with pkgs; [ + #gitfs + ]; + + system.stateVersion = "22.11"; # DO NOT EDIT! +} diff --git a/host/Rory-postgres/configuration.nix b/host/Rory-postgres/configuration.nix index fef0296..f399f78 100755 --- a/host/Rory-postgres/configuration.nix +++ b/host/Rory-postgres/configuration.nix @@ -4,6 +4,7 @@ imports = [ ../../modules/base-server.nix + ./software.nix ]; networking = { 
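Review bot: The gitfs module is silently dropped in this split: the configuration.nix hunk for Rory-nginx removes `../../modules/packages/gitfs.nix` from `imports`, and software.nix only carries it commented out as `#../../modules/packages/gitfs.nix`, alongside the already-commented `#gitfs` in `environment.systemPackages`. The commit message describes a pure move of software configuration, so a reader will not expect a module to disappear. Either restore the import line in software.nix (`../../modules/packages/gitfs.nix`) so the split is behaviour-preserving, or leave it disabled and say so in the commit message with a short comment on the line explaining why it is off.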
@@ -17,35 +18,6 @@ prefixLength = 16; } ]; }; - - systemd.tmpfiles.rules = [ "d /data/pg 0750 postgres postgres" ]; - - services.postgresql = { - enable = true; - package = pkgs.postgresql_14; - enableTCPIP = true; - authentication = pkgs.lib.mkOverride 10 '' - # TYPE, DATABASE, USER, ADDRESS, METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - host discordbots discordbots 192.168.1.50/32 trust - host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust - host all all 0.0.0.0/0 md5 - ''; - # initialScript = pkgs.writeText "backend-initScript" '' - # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB; - # CREATE DATABASE nixcloud; - # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud; - # ''; - dataDir = "/data/pg"; - settings = { - "max_connections" = "100"; - "shared_buffers" = "128MB"; - "max_wal_size" = "1GB"; - "min_wal_size" = "80MB"; - }; - }; system.stateVersion = "22.11"; # DO NOT EDIT! } diff --git a/host/Rory-postgres/software.nix b/host/Rory-postgres/software.nix new file mode 100755 index 0000000..99cdd64 --- /dev/null +++ b/host/Rory-postgres/software.nix 
@@ -0,0 +1,40 @@ +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + ]; + + systemd.tmpfiles.rules = [ "d /data/pg 0750 postgres postgres" ]; + + services.postgresql = { + enable = true; + package = pkgs.postgresql_14; + enableTCPIP = true; + authentication = pkgs.lib.mkOverride 10 '' + # TYPE, DATABASE, USER, ADDRESS, METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + host discordbots discordbots 192.168.1.50/32 trust + host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust + host all all 0.0.0.0/0 md5 + ''; + # initialScript = pkgs.writeText "backend-initScript" '' + # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB; + # CREATE DATABASE nixcloud; + # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud; + # ''; + dataDir = "/data/pg"; + settings = { + "max_connections" = "100"; + "shared_buffers" = "128MB"; + "max_wal_size" = "1GB"; + "min_wal_size" = "80MB"; + }; + }; + + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-synapse/configuration.nix b/host/Rory-synapse/configuration.nix index 46da7b6..020a804 100755 --- a/host/Rory-synapse/configuration.nix +++ b/host/Rory-synapse/configuration.nix @@ -4,6 +4,7 @@ imports = [ ../../modules/base-server.nix + ./software.nix ]; networking = { 
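Review bot: The catch-all rule `host all all 0.0.0.0/0 md5` in the `authentication` block, combined with `enableTCPIP = true`, allows password authentication to every role and database from any source address the host can be reached from, and `local all all trust` lets any local OS account connect as any role, including the postgres superuser, without a password. The clients listed explicitly are all within the 192.168.0.0/16 range that configuration.nix assigns to this host, so narrowing the catch-all to that range and switching the method from `md5` to `scram-sha-256` (supported by `pkgs.postgresql_14`; set `"password_encryption" = "scram-sha-256"` in `settings` to match) would shrink the exposure with no change for the intended clients. For the Unix socket line, `peer` is the usual safer default if only the postgres account needs passwordless access. The same `local … trust` and `0.0.0.0/0 md5` rules are in host/Rory-devenv/software.nix, where the "dev env" comment arguably excuses them, but they deserve a comment stating that deliberately.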
@@ -18,205 +19,6 @@ } ]; }; - # coturn (WebRTC) - services.coturn = rec { - enable = false; # Alicia - figure out secret first... - no-cli = true; - no-tcp-relay = true; - min-port = 49000; - max-port = 50000; - use-auth-secret = true; - static-auth-secret = "will be world readable for local users :("; - realm = "turn.example.com"; - # Alicia - figure out how to get this to work, since nginx runs on separate machine... - #cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; - #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; - extraConfig = '' - # for debugging - verbose - # ban private IP ranges - no-multicast-peers - denied-peer-ip=0.0.0.0-0.255.255.255 - denied-peer-ip=10.0.0.0-10.255.255.255 - denied-peer-ip=100.64.0.0-100.127.255.255 - denied-peer-ip=127.0.0.0-127.255.255.255 - denied-peer-ip=169.254.0.0-169.254.255.255 - denied-peer-ip=172.16.0.0-172.31.255.255 - denied-peer-ip=192.0.0.0-192.0.0.255 - denied-peer-ip=192.0.2.0-192.0.2.255 - denied-peer-ip=192.88.99.0-192.88.99.255 - denied-peer-ip=192.168.0.0-192.168.255.255 - denied-peer-ip=198.18.0.0-198.19.255.255 - denied-peer-ip=198.51.100.0-198.51.100.255 - denied-peer-ip=203.0.113.0-203.0.113.255 - denied-peer-ip=240.0.0.0-255.255.255.255 - denied-peer-ip=::1 - denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff - denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 - denied-peer-ip=100::-100::ffff:ffff:ffff:ffff - denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff - ''; - }; - - #services.matrix-synapse = with config.services.coturn; { - # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"]; - # turn_shared_secret = static-auth-secret; - # turn_user_lifetime = "1h"; - #}; - - # Discord bridge - services.matrix-appservice-discord = { - enable = 
false; # Alicia - figure out secret first... - environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env; - # The appservice is pre-configured to use SQLite by default. - # It's also possible to use PostgreSQL. - settings = { - bridge = { - domain = "rory.gay"; - homeserverUrl = "https://matrix.rory.gay"; - }; - - # The service uses SQLite by default, but it's also possible to use - # PostgreSQL instead: - database = { - # filename = ""; # empty value to disable sqlite - connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord"; - }; - }; - }; - - services.matrix-synapse = { - enable = true; - - settings = { - server_name = "rory.gay"; - - enable_registration = false; - # Alicia - figure this out later... - #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"]; - registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt"; - - # Alicia - types: https://github.com/NixOS/nixpkgs/blob/release-22.11/nixos/modules/services/matrix/synapse.nix#L410 - listeners = [ - { - port = 8008; - bind_addresses = [ "192.168.1.5" "127.0.0.1" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ { - names = [ "client" "federation" ]; - compress = true; - } ]; - } - ]; - dynamic_thumbnails = true; - - presence = { - enable = true; - update_interval = 60; - }; - url_preview_enabled = true; - - database = { - name = "psycopg2"; - args = { - user = "matrix-synapse-rory-gay"; - #passwordFile = "/run/secrets/matrix-synapse-password"; - password = "somepassword"; - database = "matrix-synapse-rory-gay"; - host = "192.168.1.3"; - }; - }; - app_service_config_files = [ - #"/etc/matrix-synapse/appservice-registration.yaml" - ]; - }; - - plugins = with pkgs.matrix-synapse-plugins; [ - # Alicia - need to port draupnir... 
- #matrix-synapse-mjolnir-antispam -# matrix-synapse-pam - ]; -# extraConfigFiles = [ -# (pkgs.writeTextFile { -# name = "matrix-synapse-extra-config.yml"; -# text = '' -# modules: -# - module: "pam_auth_provider.PAMAuthProvider" -# config: -# create_users: true -# skip_user_check: false -# ''; -# }) -# ]; - }; - - # Alicia - doesnt work yet... until in nixpkgs... - services.draupnir = { - enable = true; - - pantalaimon = { - enable = true; - username = "draupnir"; - passwordFile = "/etc/draupnir-password"; - options = { - homeserver = "http://localhost:8008"; - ssl = false; - }; - - }; - managementRoom = "#draupnir-mgmt:rory.gay"; - homeserverUrl = "http://localhost:8008"; - verboseLogging = false; - settings = { - recordIgnoredInvites = false; - automaticallyRedactForReasons = [ "*" ]; - fasterMembershipChecks = true; - backgroundDelayMS = 100; - pollReports = true; - admin.enableMakeRoomAdminCommand = true; - commands.ban.defaultReasons = [ - "spam" - "harassment" - "transphobia" - "scam" - ]; - protections = { - wordlist = { - words = [ - "tranny" - "faggot" - ]; - minutesBeforeTrusting = 0; - }; - }; - }; - }; - - systemd.services.matrix-synapse-reg-token = { - description = "Random registration token for Synapse."; - before = ["matrix-synapse.service"]; # So the registration can be used by Synapse - wantedBy = ["multi-user.target"]; - after = ["network.target"]; - - script = '' - - if [ ! -f "registration_shared_secret.txt" ] - then - cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt - else - echo Not generating key, key exists; - fi''; - serviceConfig = { - User = "matrix-synapse"; - Group = "matrix-synapse"; - WorkingDirectory = "/var/lib/matrix-synapse"; - }; - }; system.stateVersion = "22.11"; # DO NOT EDIT! } diff --git a/host/Rory-synapse/software.nix b/host/Rory-synapse/software.nix new file mode 100755 index 0000000..87e2788 --- /dev/null +++ b/host/Rory-synapse/software.nix 
@@ -0,0 +1,210 @@ +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + ]; + + # coturn (WebRTC) + services.coturn = rec { + enable = false; # Alicia - figure out secret first... + no-cli = true; + no-tcp-relay = true; + min-port = 49000; + max-port = 50000; + use-auth-secret = true; + static-auth-secret = "will be world readable for local users :("; + realm = "turn.example.com"; + # Alicia - figure out how to get this to work, since nginx runs on separate machine... + #cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + extraConfig = '' + # for debugging + verbose + # ban private IP ranges + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + ''; + }; + + #services.matrix-synapse = with config.services.coturn; { + # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"]; + # turn_shared_secret = static-auth-secret; + # turn_user_lifetime = "1h"; + 
#}; + + # Discord bridge + services.matrix-appservice-discord = { + enable = false; # Alicia - figure out secret first... + environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env; + # The appservice is pre-configured to use SQLite by default. + # It's also possible to use PostgreSQL. + settings = { + bridge = { + domain = "rory.gay"; + homeserverUrl = "https://matrix.rory.gay"; + }; + + # The service uses SQLite by default, but it's also possible to use + # PostgreSQL instead: + database = { + # filename = ""; # empty value to disable sqlite + connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord"; + }; + }; + }; + + services.matrix-synapse = { + enable = true; + + settings = { + server_name = "rory.gay"; + + enable_registration = false; + # Alicia - figure this out later... + #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"]; + registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt"; + + # Alicia - types: https://github.com/NixOS/nixpkgs/blob/release-22.11/nixos/modules/services/matrix/synapse.nix#L410 + listeners = [ + { + port = 8008; + bind_addresses = [ "192.168.1.5" "127.0.0.1" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ { + names = [ "client" "federation" ]; + compress = true; + } ]; + } + ]; + dynamic_thumbnails = true; + + presence = { + enable = true; + update_interval = 60; + }; + url_preview_enabled = true; + + database = { + name = "psycopg2"; + args = { + user = "matrix-synapse-rory-gay"; + #passwordFile = "/run/secrets/matrix-synapse-password"; + password = "somepassword"; + database = "matrix-synapse-rory-gay"; + host = "192.168.1.3"; + }; + }; + app_service_config_files = [ + #"/etc/matrix-synapse/appservice-registration.yaml" + ]; + }; + + plugins = with pkgs.matrix-synapse-plugins; [ + # Alicia - need to port draupnir... 
+ #matrix-synapse-mjolnir-antispam +# matrix-synapse-pam + ]; +# extraConfigFiles = [ +# (pkgs.writeTextFile { +# name = "matrix-synapse-extra-config.yml"; +# text = '' +# modules: +# - module: "pam_auth_provider.PAMAuthProvider" +# config: +# create_users: true +# skip_user_check: false +# ''; +# }) +# ]; + }; + + # Alicia - doesnt work yet... until in nixpkgs... + services.draupnir = { + enable = true; + + pantalaimon = { + enable = true; + username = "draupnir"; + passwordFile = "/etc/draupnir-password"; + options = { + homeserver = "http://localhost:8008"; + ssl = false; + }; + + }; + managementRoom = "#draupnir-mgmt:rory.gay"; + homeserverUrl = "http://localhost:8008"; + verboseLogging = false; + settings = { + recordIgnoredInvites = false; + automaticallyRedactForReasons = [ "*" ]; + fasterMembershipChecks = true; + backgroundDelayMS = 100; + pollReports = true; + admin.enableMakeRoomAdminCommand = true; + commands.ban.defaultReasons = [ + "spam" + "harassment" + "transphobia" + "scam" + ]; + protections = { + wordlist = { + words = [ + "tranny" + "faggot" + ]; + minutesBeforeTrusting = 0; + }; + }; + }; + }; + + systemd.services.matrix-synapse-reg-token = { + description = "Random registration token for Synapse."; + before = ["matrix-synapse.service"]; # So the registration can be used by Synapse + wantedBy = ["multi-user.target"]; + after = ["network.target"]; + + script = '' + + if [ ! -f "registration_shared_secret.txt" ] + then + cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt + else + echo Not generating key, key exists; + fi''; + serviceConfig = { + User = "matrix-synapse"; + Group = "matrix-synapse"; + WorkingDirectory = "/var/lib/matrix-synapse"; + }; + }; + system.stateVersion = "22.11"; # DO NOT EDIT! +} + -- cgit 1.4.1
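Review bot: `password = "somepassword";` under `services.matrix-synapse.settings.database.args` commits the database credential to the repository and, because `settings` is rendered into the generated homeserver config, places it in the world-readable Nix store on the host; the commented `#passwordFile` line shows this was already recognised. The `extraConfigFiles` option, visible commented out a few lines below, is the existing mechanism for keeping that fragment in a root-owned file outside the store; at minimum the literal password should not live in this file. In `systemd.services.matrix-synapse-reg-token`, the shell redirect `> registration_shared_secret.txt` creates the secret with the unit's default umask, so unless `serviceConfig.UMask` is set elsewhere the file is likely to be group- and world-readable; prefixing the script with `umask 077` before the `if` would keep it readable only by `matrix-synapse`. Both points are pre-existing content moved by this commit, but the new file is the place to fix them.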