From 95ceb640e4de44994c265155464f81e1893dd394 Mon Sep 17 00:00:00 2001 
From: TheArcaneBrony Date: Fri, 18 Aug 2023 02:53:26 +0200 Subject: Refactor --- flake.nix | 48 +--- host/Rory-discordbots/configuration.nix | 23 -- host/Rory-discordbots/software.nix | 15 - host/Rory-nginx/configuration.nix | 5 + host/Rory-nginx/hosts/rory.gay/conduit.nix | 25 ++ host/Rory-nginx/post-rebuild.sh | 2 +- host/Rory-nginx/services/discordbots.nix | 15 + host/Rory-nginx/services/matrix/conduit.nix | 20 ++ host/Rory-nginx/services/matrix/coturn.nix | 54 ++++ host/Rory-nginx/services/matrix/draupnir.nix | 53 ++++ .../services/matrix/matrix-appservice-discord.nix | 26 ++ host/Rory-nginx/services/matrix/root.nix | 13 + host/Rory-nginx/services/matrix/synapse.nix | 207 +++++++++++++ host/Rory-nginx/services/postgres.nix | 40 +++ host/Rory-postgres/configuration.nix | 24 -- host/Rory-postgres/software.nix | 40 --- host/Rory-synapse/configuration.nix | 24 -- host/Rory-synapse/post-rebuild.sh | 31 -- host/Rory-synapse/pre-rebuild.sh | 2 - host/Rory-synapse/software.nix | 319 --------------------- update.sh | 9 + 21 files changed, 478 insertions(+), 517 deletions(-) delete mode 100755 host/Rory-discordbots/configuration.nix delete mode 100755 host/Rory-discordbots/software.nix create mode 100755 host/Rory-nginx/hosts/rory.gay/conduit.nix create mode 100755 host/Rory-nginx/services/discordbots.nix create mode 100755 host/Rory-nginx/services/matrix/conduit.nix create mode 100755 host/Rory-nginx/services/matrix/coturn.nix create mode 100755 host/Rory-nginx/services/matrix/draupnir.nix create mode 100755 host/Rory-nginx/services/matrix/matrix-appservice-discord.nix create mode 100755 host/Rory-nginx/services/matrix/root.nix create mode 100755 host/Rory-nginx/services/matrix/synapse.nix create mode 100755 host/Rory-nginx/services/postgres.nix delete mode 100755 host/Rory-postgres/configuration.nix delete mode 100755 host/Rory-postgres/software.nix delete mode 100755 host/Rory-synapse/configuration.nix delete mode 100755 host/Rory-synapse/post-rebuild.sh delete mode 
100755 host/Rory-synapse/pre-rebuild.sh delete mode 100755 host/Rory-synapse/software.nix diff --git a/flake.nix b/flake.nix index 17fc916..1273d08 100755 --- a/flake.nix +++ b/flake.nix @@ -12,6 +12,15 @@ home-manager = { url = "github:nix-community/home-manager/master"; }; + conduit = { + url = "gitlab:famedly/conduit"; + + # Assuming you have an input for nixpkgs called `nixpkgs`. If you experience + # build failures while using this, try commenting/deleting this line. This + # will probably also require you to always build from source. + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; outputs = { self, nixpkgs, home-manager, botcore-v4 }: { @@ -21,48 +30,12 @@ modules = [ ./host/Rory-nginx/configuration.nix ./hardware-configuration.nix - ./host/Rory-discordbots/software.nix - ./host/Rory-synapse/software.nix - ./host/Rory-postgres/software.nix - home-manager.nixosModules.home-manager - ]; - specialArgs = { - inherit botcore-v4; - inherit home-manager; - }; - }; - Rory-postgres = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ./host/Rory-postgres/configuration.nix - ./hardware-configuration.nix - home-manager.nixosModules.home-manager - ]; - specialArgs = { - inherit home-manager; - }; - }; - Rory-synapse = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ./host/Rory-synapse/configuration.nix - ./hardware-configuration.nix - home-manager.nixosModules.home-manager - ]; - specialArgs = { - inherit home-manager; - }; - }; - Rory-discordbots = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ./host/Rory-discordbots/configuration.nix - ./hardware-configuration.nix home-manager.nixosModules.home-manager ]; specialArgs = { inherit botcore-v4; inherit home-manager; + inherit conduit; }; }; Rory-devenv = nixpkgs.lib.nixosSystem { @@ -76,7 +49,6 @@ inherit home-manager; }; }; - }; }; } 
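Review bot: `inherit conduit;` in the Rory-nginx specialArgs names a variable the outputs function never binds — the unchanged context line `outputs = { self, nixpkgs, home-manager, botcore-v4 }: {` lists neither `conduit` nor `...`, so evaluation fails on the undefined variable, and the strict attribute pattern would reject the new flake input even before that. The argument set needs the input added: `outputs = { self, nixpkgs, home-manager, botcore-v4, conduit }: {`. The three-line comment inside the `conduit` input is the upstream README's boilerplate about build failures; a one-line `# build conduit against our pinned nixpkgs instead of its own` states the reason for `inputs.nixpkgs.follows`.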
diff --git a/host/Rory-discordbots/configuration.nix b/host/Rory-discordbots/configuration.nix deleted file mode 100755 index dbc509c..0000000 --- a/host/Rory-discordbots/configuration.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ config, pkgs, lib, botcore-v4, ... }: - -{ - imports = - [ - ../../modules/base-server.nix - ./software.nix - ]; - - networking = { - hostName = "Rory-discordbots"; - interfaces.ens18.ipv4.addresses = [ { - address = "192.168.1.50"; - prefixLength = 24; - } ]; - interfaces.ens19.ipv4.addresses = [ { - address = "10.10.10.50"; - prefixLength = 16; - } ]; - }; - - system.stateVersion = "22.11"; # DO NOT EDIT! -} \ No newline at end of file diff --git a/host/Rory-discordbots/software.nix b/host/Rory-discordbots/software.nix deleted file mode 100755 index b0b9cf2..0000000 --- a/host/Rory-discordbots/software.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, pkgs, lib, botcore-v4, ... }: - -{ - imports = - [ - ../../modules/base-server.nix - # ./services.nix - botcore-v4.modules.bots - botcore-v4.modules.frontend - botcore-v4.modules.dataupdater - botcore-v4.modules.users - ]; - - system.stateVersion = "22.11"; # DO NOT EDIT! -} \ No newline at end of file diff --git a/host/Rory-nginx/configuration.nix b/host/Rory-nginx/configuration.nix index 2f2f7cc..2c33448 100755 --- a/host/Rory-nginx/configuration.nix +++ b/host/Rory-nginx/configuration.nix @@ -6,6 +6,11 @@ ../../modules/base-server.nix ../../modules/users/levi.nix ../../modules/users/db2k.nix + + ../../modules/services/nginx.nix + ../../modules/services/postgres.nix + ../../modules/services/synapse.nix + ./software.nix ]; users.groups.ocp = {}; diff --git a/host/Rory-nginx/hosts/rory.gay/conduit.nix b/host/Rory-nginx/hosts/rory.gay/conduit.nix new file mode 100755 index 0000000..8c293d7 --- /dev/null +++ b/host/Rory-nginx/hosts/rory.gay/conduit.nix 
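Review bot: The four new imports point at `../../modules/services/{nginx,postgres,synapse}.nix` and `./software.nix`, but this commit creates none of those paths; the modules it does add live under `host/Rory-nginx/services/` (`postgres.nix`, `discordbots.nix`, `matrix/root.nix`, `matrix/conduit.nix`). Unless `modules/services/*.nix` and `software.nix` already exist outside this diff, the import list should name the files actually added, e.g. `./services/postgres.nix`, `./services/discordbots.nix`, `./services/matrix/root.nix`. `services/matrix/root.nix` in turn imports synapse, coturn, the Discord bridge and draupnir but not the new `services/matrix/conduit.nix`, so that module is unreachable as well. The enclosing `imports` list starts before the hunk.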
@@ -0,0 +1,25 @@ +{ + enableACME = true; + addSSL = true; + locations."/_matrix" = { + proxyPass = "http://192.168.1.5:6167"; + extraConfig = '' + if ($request_method = 'OPTIONS') { + more_set_headers 'Access-Control-Allow-Origin: *'; + more_set_headers 'Access-Control-Allow-Methods: *'; + # + # Custom headers and headers various browsers *should* be OK with but aren't + # + more_set_headers 'Access-Control-Allow-Headers: *'; + # + # Tell client that this pre-flight info is valid for 20 days + # + more_set_headers 'Access-Control-Max-Age: 1728000'; + more_set_headers 'Content-Type: text/plain; charset=utf-8'; + more_set_headers 'Content-Length: 0'; + return 204; + } + ''; + }; + #locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008"; +} diff --git a/host/Rory-nginx/post-rebuild.sh b/host/Rory-nginx/post-rebuild.sh index ea6e013..0ea1293 100755 --- a/host/Rory-nginx/post-rebuild.sh +++ b/host/Rory-nginx/post-rebuild.sh @@ -8,7 +8,7 @@ REACHABLE_DOMAIN='http://localhost:8008' # -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md # Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat> # Explicit authorisation to use the code has been granted by the original author -# for use by members of the Rory system (https://rory.gay) +# for use by members of the Rory& system (https://rory.gay) # the magic function: diff --git a/host/Rory-nginx/services/discordbots.nix b/host/Rory-nginx/services/discordbots.nix new file mode 100755 index 0000000..b0b9cf2 --- /dev/null +++ b/host/Rory-nginx/services/discordbots.nix @@ -0,0 +1,15 @@ +{ config, pkgs, lib, botcore-v4, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + # ./services.nix + botcore-v4.modules.bots + botcore-v4.modules.frontend + botcore-v4.modules.dataupdater + botcore-v4.modules.users + ]; + + system.stateVersion = "22.11"; # DO NOT EDIT! +} \ No newline at end of file 
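Review bot: `addSSL = true;` keeps a plain-HTTP listener alongside HTTPS, so a client pointed at `http://` sends its Matrix access token in clear text through this proxy; `forceSSL = true;` redirects HTTP to HTTPS and is the usual choice for a vhost fronting `/_matrix`. The upstream `http://192.168.1.5:6167` is the address the deleted `host/Rory-synapse/configuration.nix` gave the Rory-synapse host this commit removes, while `services/matrix/conduit.nix` sets no bind address, so it is worth confirming the proxy target still matches where Conduit will listen. `more_set_headers` also requires nginx built with the headers-more module; if that is not already configured elsewhere, `add_header ... always;` inside the same `if` block avoids the dependency.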
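Review bot: `../../modules/base-server.nix` was copied unchanged from `host/Rory-discordbots/software.nix`, but this file sits one directory deeper, so the same relative path now resolves to `host/modules/base-server.nix` rather than the repo-level `modules/` directory the original reached; unless such a file exists outside this diff, the path would need to become `../../../modules/base-server.nix`. The same copied path appears in `services/postgres.nix`, and with one more level of depth in `services/matrix/conduit.nix`, `services/matrix/draupnir.nix` and `services/matrix/synapse.nix`, where it resolves to `host/Rory-nginx/modules/`. Since the host's own `configuration.nix` already imports `../../modules/base-server.nix`, the simplest fix is to drop the import from these service modules entirely.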
diff --git a/host/Rory-nginx/services/matrix/conduit.nix b/host/Rory-nginx/services/matrix/conduit.nix new file mode 100755 index 0000000..77ba1fb --- /dev/null +++ b/host/Rory-nginx/services/matrix/conduit.nix @@ -0,0 +1,20 @@ +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + ]; + + services.matrix-conduit = { + enable = true; + settings.global = { + server_name = "conduit.rory.gay"; + }; + database_backend = "rocksdb"; + enable_lightning_bolt = true; + max_concurrent_requests = 1000; + }; + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-nginx/services/matrix/coturn.nix b/host/Rory-nginx/services/matrix/coturn.nix new file mode 100755 index 0000000..434dd52 --- /dev/null +++ b/host/Rory-nginx/services/matrix/coturn.nix 
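Review bot: `database_backend`, `enable_lightning_bolt` and `max_concurrent_requests` are set directly under `services.matrix-conduit`, but as far as I know the NixOS module declares only `enable`, `package`, `extraEnvironment` and `settings` at that level; Conduit's own keys belong under `settings.global`, next to `server_name`, otherwise evaluation stops with an undefined-option error. Moving the three lines inside the `settings.global = { ... };` block fixes it. A short header comment naming the listening address and port Conduit ends up on would also help, since the `hosts/rory.gay/conduit.nix` vhost hard-codes `192.168.1.5:6167` as its upstream.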
@@ -0,0 +1,54 @@ +{ config, pkgs, lib, ... }: + +{ + + # coturn (WebRTC) + services.coturn = rec { + enable = false; # Alicia - figure out secret first... + no-cli = true; + no-tcp-relay = true; + min-port = 49000; + max-port = 50000; + use-auth-secret = true; + static-auth-secret = "will be world readable for local users :("; + realm = "turn.example.com"; + # Alicia - figure out how to get this to work, since nginx runs on separate machine... + #cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + extraConfig = '' + # for debugging + verbose + # ban private IP ranges + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + ''; + }; + #services.matrix-synapse = with config.services.coturn; { + # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"]; + # turn_shared_secret = static-auth-secret; + # turn_user_lifetime = "1h"; + #}; + system.stateVersion = "22.11"; # DO NOT EDIT! +} + 
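Review bot: `static-auth-secret = "..."` is rendered into the generated turnserver.conf in the Nix store, which is exactly the world-readable exposure the placeholder value complains about and the reason the block stays at `enable = false`. The NixOS coturn module provides `static-auth-secret-file`, so the secret can live in a root-owned file outside the store: `static-auth-secret-file = "/path/to/coturn-secret";` (placeholder path) in place of the literal. `realm = "turn.example.com"` is still the example value, and the `verbose` line in `extraConfig` is a debug setting worth removing before this is ever enabled.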
diff --git a/host/Rory-nginx/services/matrix/draupnir.nix b/host/Rory-nginx/services/matrix/draupnir.nix new file mode 100755 index 0000000..19a2f16 --- /dev/null +++ b/host/Rory-nginx/services/matrix/draupnir.nix @@ -0,0 +1,53 @@ +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + ]; + + # Alicia - doesnt work yet... until in nixpkgs... + services.draupnir = { + enable = true; + + pantalaimon = { + enable = true; + username = "draupnir"; + passwordFile = "/etc/draupnir-password"; + options = { + homeserver = "http://localhost:8008"; + ssl = false; + }; + + }; + managementRoom = "#draupnir-mgmt:rory.gay"; + homeserverUrl = "http://localhost:8008"; + verboseLogging = false; + settings = { + recordIgnoredInvites = false; + automaticallyRedactForReasons = [ "*" ]; + fasterMembershipChecks = true; + backgroundDelayMS = 100; + pollReports = true; + admin.enableMakeRoomAdminCommand = true; + commands.ban.defaultReasons = [ + "spam" + "harassment" + "transphobia" + "scam" + ]; + protections = { + wordlist = { + words = [ + "tranny" + "faggot" + ]; + minutesBeforeTrusting = 0; + }; + }; + }; + }; + + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix b/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix new file mode 100755 index 0000000..3f2225f --- /dev/null +++ b/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix 
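Review bot: `services.draupnir` is, as the comment above it says, not a module nixpkgs provides yet, so any host that imports this file fails evaluation with an unknown-option error rather than just skipping the service — `enable = true` cannot be flipped to work around that. Until the module exists the file should stay out of every import list, and the `# Alicia - doesnt work yet...` comment should say so plainly: `# NOT IMPORTED: services.draupnir does not exist in nixpkgs yet; importing this file breaks evaluation`. `passwordFile = "/etc/draupnir-password"` is the right shape for the Pantalaimon credential; a comment stating which user must be able to read it and that it must not be world-readable would save the next person a guess.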
@@ -0,0 +1,26 @@ +{ config, pkgs, lib, ... }: + +{ + # Discord bridge + services.matrix-appservice-discord = { + enable = false; # Alicia - figure out secret first... + environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env; + # The appservice is pre-configured to use SQLite by default. + # It's also possible to use PostgreSQL. + settings = { + bridge = { + domain = "rory.gay"; + homeserverUrl = "https://matrix.rory.gay"; + }; + + # The service uses SQLite by default, but it's also possible to use + # PostgreSQL instead: + database = { + # filename = ""; # empty value to disable sqlite + connString = "postgres://postgres@127.0.0.1/matrix-appservice-discord"; + }; + }; + }; + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-nginx/services/matrix/root.nix b/host/Rory-nginx/services/matrix/root.nix new file mode 100755 index 0000000..f9a9d49 --- /dev/null +++ b/host/Rory-nginx/services/matrix/root.nix @@ -0,0 +1,13 @@ +{ config, pkgs, lib, botcore-v4, ... }: + +{ + imports = + [ + ./synapse.nix + ./coturn.nix + ./matrix-appservice-discord.nix + ./draupnir.nix + ]; + + system.stateVersion = "22.11"; # DO NOT EDIT! +} \ No newline at end of file diff --git a/host/Rory-nginx/services/matrix/synapse.nix b/host/Rory-nginx/services/matrix/synapse.nix new file mode 100755 index 0000000..b69af7a --- /dev/null +++ b/host/Rory-nginx/services/matrix/synapse.nix 
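Review bot: `environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;` is a Nix path literal, not a string; if the module interpolates it into a string anywhere, the token file is copied into the world-readable Nix store at evaluation time, defeating the point of keeping it outside the configuration. Writing it as a string, `environmentFile = "/etc/keyring/matrix-appservice-discord/tokens.env";`, makes it a plain runtime path read only by the service. `connString = "postgres://postgres@127.0.0.1/matrix-appservice-discord"` connects as the `postgres` superuser, which only works because `services/postgres.nix` grants `trust` to every user on 127.0.0.1; a dedicated role owning just this database limits what a compromised bridge can reach.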
@@ -0,0 +1,207 @@ +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + ]; + + services.matrix-synapse = { + enable = true; + withJemalloc = true; + + # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html + settings = { + server_name = "rory.gay"; + + enable_registration = true; + registration_requires_token = true; + + require_membership_for_aliases = false; + redaction_retention_period = null; + user_ips_max_age = null; + allow_device_name_lookup_over_federation = true; + + federation = { + client_timeout = "60s"; + max_short_retries = 6; + max_short_retry_delay = "10s"; + max_long_retries = 5; + max_long_retry_delay = "30s"; + }; + + event_cache_size = "30K"; #defaults to 10K + caches = { + global_factor = 1.0; + sync_response_cache_duration = "30m"; + cache_autotuning = { + max_cache_memory_usage = "2048M"; + target_cache_memory_usage = "1024M"; + min_cache_ttl = "30m"; + }; + }; + + + # Alicia - figure this out later... 
+ #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"]; + registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt"; + + listeners = [ + { + port = 8008; + bind_addresses = [ "192.168.1.2" "127.0.0.1" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ { + names = [ "client" "federation" ]; + compress = true; + } ]; + } + ]; + dynamic_thumbnails = true; + presence = { + enable = true; + update_interval = 60; + }; + url_preview_enabled = true; + database = { + name = "psycopg2"; + args = { + user = "matrix-synapse-rory-gay"; + #passwordFile = "/run/secrets/matrix-synapse-password"; + password = "somepassword"; + database = "matrix-synapse-rory-gay"; + host = "127.0.0.1"; + application_name = "matrix-synapse (rory.gay)"; + cp_min = 5; + cp_max = 50; + #cp_reconnect_interval = "True"; + }; + }; + app_service_config_files = [ + #"/etc/matrix-synapse/appservice-registration.yaml" + ]; + + rc_message = { + per_second = 1000; + burst_count = 1000; + }; + rc_login = { + address = { + per_second = 1000; + burst_count = 1000; + }; + account = { + per_second = 1000; + burst_count = 1000; + }; + failed_attempts = { + per_second = 0.1; + burst_count = 3; + }; + }; + rc_joins = { + local = { + per_second = 1000; + burst_count = 1000; + }; + remote = { + per_second = 1000; + burst_count = 1000; + }; + }; + rc_joins_per_room = { + per_second = 1000; + burst_count = 1000; + }; + rc_invites = { + per_room = { + per_second = 1000; + burst_count = 1000; + }; + per_user = { + per_second = 1000; + burst_count = 1000; + }; + per_issuer = { + per_second = 1000; + burst_count = 1000; + }; + }; + rc_federation = { + window_size = 10; + sleep_limit = 1000; + sleep_delay = 100; + reject_limit = 1000; + concurrent = 100; + }; + federation_rr_transactions_per_room_per_second = 1; + + max_image_pixels = "100M"; + + ui_auth = { + session_timeout = "1m"; + }; + + 
login_via_existing_session = { + enabled = true; + require_ui_auth = true; + token_timeout = "1y"; + }; + + #sentry = { + # dsn = "https://77c8de07855d4e0c90dbcf0945a04f01@sentry.thearcanebrony.net/14"; + #}; + + report_stats = false; + + user_directory = { + enabled = true; + search_all_users = true; + prefer_local_users = true; + }; + }; + + plugins = with pkgs.matrix-synapse-plugins; [ + # Alicia - need to port draupnir... + #matrix-synapse-mjolnir-antispam +# matrix-synapse-pam + ]; +# extraConfigFiles = [ +# (pkgs.writeTextFile { +# name = "matrix-synapse-extra-config.yml"; +# text = '' +# modules: +# - module: "pam_auth_provider.PAMAuthProvider" +# config: +# create_users: true +# skip_user_check: false +# ''; +# }) +# ]; + }; + + systemd.services.matrix-synapse-reg-token = { + description = "Random registration token for Synapse."; + before = ["matrix-synapse.service"]; # So the registration can be used by Synapse + wantedBy = ["multi-user.target"]; + after = ["network.target"]; + + script = '' + + if [ ! -f "registration_shared_secret.txt" ] + then + cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt + else + echo Not generating key, key exists; + fi''; + serviceConfig = { + User = "matrix-synapse"; + Group = "matrix-synapse"; + WorkingDirectory = "/var/lib/matrix-synapse"; + }; + }; + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-nginx/services/postgres.nix b/host/Rory-nginx/services/postgres.nix new file mode 100755 index 0000000..7b75435 --- /dev/null +++ b/host/Rory-nginx/services/postgres.nix 
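Review bot: `password = "somepassword"` under `database.args` lands in the homeserver config the NixOS module writes to the Nix store, readable by every local user, and the commented-out `passwordFile` line shows the intent was otherwise. The module's `extraConfigFiles` option (already referenced in the commented block below) exists for this: leave `password` out of `settings.database.args` and supply it from a root-owned YAML file, placeholder `/path/to/synapse-db-secret.yaml`, containing only `database: {args: {password: ...}}`; with `services/postgres.nix` granting `trust` on 127.0.0.1 the password is currently not even checked. The `matrix-synapse-reg-token` script writes `registration_shared_secret.txt` with the default umask, so adding `umask 077` as its first line keeps the shared secret readable only by the `matrix-synapse` user. The `rc_login.address` and `rc_login.account` limits of 1000 per second effectively disable login rate limiting; `failed_attempts` still applies, but a comment saying the relaxation is intentional would stop it being read as a mistake.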
@@ -0,0 +1,40 @@ +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + ]; + + systemd.tmpfiles.rules = [ "d /mnt/postgres/data 0750 postgres postgres" ]; + + services.postgresql = { + enable = true; + package = pkgs.postgresql_14; + enableTCPIP = true; + authentication = pkgs.lib.mkOverride 10 '' + # TYPE, DATABASE, USER, ADDRESS, METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + host discordbots discordbots 192.168.1.2/32 trust + host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust + host all all 0.0.0.0/0 md5 + ''; + # initialScript = pkgs.writeText "backend-initScript" '' + # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB; + # CREATE DATABASE nixcloud; + # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud; + # ''; + dataDir = "/mnt/postgres/data"; + settings = { + "max_connections" = "100"; + "shared_buffers" = "128MB"; + "max_wal_size" = "1GB"; + "min_wal_size" = "80MB"; + }; + }; + + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-postgres/configuration.nix b/host/Rory-postgres/configuration.nix deleted file mode 100755 index f399f78..0000000 --- a/host/Rory-postgres/configuration.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - imports = - [ - ../../modules/base-server.nix - ./software.nix - ]; - - networking = { - hostName = "Rory-postgres"; - interfaces.ens18.ipv4.addresses = [ { - address = "192.168.1.3"; - prefixLength = 24; - } ]; - interfaces.ens19.ipv4.addresses = [ { - address = "10.10.10.3"; - prefixLength = 16; - } ]; - }; - - system.stateVersion = "22.11"; # DO NOT EDIT! -} - diff --git a/host/Rory-postgres/software.nix b/host/Rory-postgres/software.nix deleted file mode 100755 index 7b75435..0000000 --- a/host/Rory-postgres/software.nix +++ /dev/null 
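Review bot: `local all all trust` and `host all all 127.0.0.1/32 trust` let any local account — now including the nginx, synapse, bot and bridge service users this commit moves onto the same host — connect as the `postgres` superuser with no password, and `host all all 0.0.0.0/0 md5` accepts password logins from any address once `enableTCPIP` opens the port. A safer minimum is `local all all peer` plus one `host <db> <user> 127.0.0.1/32 scram-sha-256` line per service, and no `0.0.0.0/0` rule unless a firewall limits the port. The `192.168.1.5/32` entry is the address of the Rory-synapse host deleted in this commit, so it looks stale once Synapse runs locally. The file is byte-identical to the removed `host/Rory-postgres/software.nix` (same blob `7b75435`), so the pg_hba rules were not revisited for the consolidated host.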
@@ -1,40 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - imports = - [ - ../../modules/base-server.nix - ]; - - systemd.tmpfiles.rules = [ "d /mnt/postgres/data 0750 postgres postgres" ]; - - services.postgresql = { - enable = true; - package = pkgs.postgresql_14; - enableTCPIP = true; - authentication = pkgs.lib.mkOverride 10 '' - # TYPE, DATABASE, USER, ADDRESS, METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - host discordbots discordbots 192.168.1.2/32 trust - host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust - host all all 0.0.0.0/0 md5 - ''; - # initialScript = pkgs.writeText "backend-initScript" '' - # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB; - # CREATE DATABASE nixcloud; - # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud; - # ''; - dataDir = "/mnt/postgres/data"; - settings = { - "max_connections" = "100"; - "shared_buffers" = "128MB"; - "max_wal_size" = "1GB"; - "min_wal_size" = "80MB"; - }; - }; - - system.stateVersion = "22.11"; # DO NOT EDIT! -} - diff --git a/host/Rory-synapse/configuration.nix b/host/Rory-synapse/configuration.nix deleted file mode 100755 index 020a804..0000000 --- a/host/Rory-synapse/configuration.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - imports = - [ - ../../modules/base-server.nix - ./software.nix - ]; - - networking = { - hostName = "Rory-synapse"; - interfaces.ens18.ipv4.addresses = [ { - address = "192.168.1.5"; - prefixLength = 24; - } ]; - interfaces.ens19.ipv4.addresses = [ { - address = "10.10.10.5"; - prefixLength = 16; - } ]; - }; - - system.stateVersion = "22.11"; # DO NOT EDIT! -} - diff --git a/host/Rory-synapse/post-rebuild.sh b/host/Rory-synapse/post-rebuild.sh deleted file mode 100755 index 27028d9..0000000 --- a/host/Rory-synapse/post-rebuild.sh +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/usr/bin/env nix-shell -#!nix-shell -i bash -p curl gnused nix coreutils jq openssl -#set -x -REG_KEY=`cat /var/lib/matrix-synapse/registration_shared_secret.txt` -LOCALPART='rory.gay' -REACHABLE_DOMAIN='http://localhost:8008' - -# -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md -# Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat> -# Explicit authorisation to use the code has been granted by the original author -# for use by members of the Rory system (https://rory.gay) - - -# the magic function: -register(){ - echo "Registering $1 with password $2" - _nonce=`curl http://localhost:8008/_synapse/admin/v1/register | jq -r .nonce` - #data: nonce, domain, username, password - _hmac=`printf '%s\0%s\0%s\0%s' "$_nonce" "$1" "$2" "admin" | openssl dgst -sha1 -hmac "$REG_KEY" | awk '{print $2}'` - curl -XPOST -d '{"nonce": "'"$_nonce"'", "username": "'"$1"'", "displayname": "'"$1"'", "password": "'"$2"'", "admin": true, "mac": "'"$_hmac"'"}' $REACHABLE_DOMAIN/_synapse/admin/v1/register | tee -a matrix-user-tokens.txt -} - -# -- END OF LICENSED CODE - - - -PASSWD=`cat /etc/matrix-user-pass` -for u in {draupnir,Alicia,Emma,Rory,root} -do - register $u $PASSWD -done diff --git a/host/Rory-synapse/pre-rebuild.sh b/host/Rory-synapse/pre-rebuild.sh deleted file mode 100755 index 9d92682..0000000 --- a/host/Rory-synapse/pre-rebuild.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/env sh -echo "PRE REBUILD TEST" diff --git a/host/Rory-synapse/software.nix b/host/Rory-synapse/software.nix deleted file mode 100755 index 5db557b..0000000 --- a/host/Rory-synapse/software.nix +++ /dev/null 
@@ -1,319 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - imports = - [ - ../../modules/base-server.nix - ]; - - # coturn (WebRTC) - services.coturn = rec { - enable = false; # Alicia - figure out secret first... - no-cli = true; - no-tcp-relay = true; - min-port = 49000; - max-port = 50000; - use-auth-secret = true; - static-auth-secret = "will be world readable for local users :("; - realm = "turn.example.com"; - # Alicia - figure out how to get this to work, since nginx runs on separate machine... - #cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; - #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; - extraConfig = '' - # for debugging - verbose - # ban private IP ranges - no-multicast-peers - denied-peer-ip=0.0.0.0-0.255.255.255 - denied-peer-ip=10.0.0.0-10.255.255.255 - denied-peer-ip=100.64.0.0-100.127.255.255 - denied-peer-ip=127.0.0.0-127.255.255.255 - denied-peer-ip=169.254.0.0-169.254.255.255 - denied-peer-ip=172.16.0.0-172.31.255.255 - denied-peer-ip=192.0.0.0-192.0.0.255 - denied-peer-ip=192.0.2.0-192.0.2.255 - denied-peer-ip=192.88.99.0-192.88.99.255 - denied-peer-ip=192.168.0.0-192.168.255.255 - denied-peer-ip=198.18.0.0-198.19.255.255 - denied-peer-ip=198.51.100.0-198.51.100.255 - denied-peer-ip=203.0.113.0-203.0.113.255 - denied-peer-ip=240.0.0.0-255.255.255.255 - denied-peer-ip=::1 - denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff - denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 - denied-peer-ip=100::-100::ffff:ffff:ffff:ffff - denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff - ''; - }; - - #services.matrix-synapse = with config.services.coturn; { - # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"]; - # turn_shared_secret = static-auth-secret; - # turn_user_lifetime = "1h"; - 
#}; - - # Discord bridge - services.matrix-appservice-discord = { - enable = false; # Alicia - figure out secret first... - environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env; - # The appservice is pre-configured to use SQLite by default. - # It's also possible to use PostgreSQL. - settings = { - bridge = { - domain = "rory.gay"; - homeserverUrl = "https://matrix.rory.gay"; - }; - - # The service uses SQLite by default, but it's also possible to use - # PostgreSQL instead: - database = { - # filename = ""; # empty value to disable sqlite - connString = "postgres://postgres@127.0.0.1/matrix-appservice-discord"; - }; - }; - }; - - services.matrix-synapse = { - enable = true; - withJemalloc = true; - - # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html - settings = { - server_name = "rory.gay"; - - enable_registration = true; - registration_requires_token = true; - - require_membership_for_aliases = false; - redaction_retention_period = null; - user_ips_max_age = null; - allow_device_name_lookup_over_federation = true; - - federation = { - client_timeout = "60s"; - max_short_retries = 6; - max_short_retry_delay = "10s"; - max_long_retries = 5; - max_long_retry_delay = "30s"; - }; - - event_cache_size = "30K"; #defaults to 10K - caches = { - global_factor = 1.0; - sync_response_cache_duration = "30m"; - cache_autotuning = { - max_cache_memory_usage = "2048M"; - target_cache_memory_usage = "1024M"; - min_cache_ttl = "30m"; - }; - }; - - - # Alicia - figure this out later... 
- #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"]; - registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt"; - - listeners = [ - { - port = 8008; - bind_addresses = [ "192.168.1.2" "127.0.0.1" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ { - names = [ "client" "federation" ]; - compress = true; - } ]; - } - ]; - dynamic_thumbnails = true; - presence = { - enable = true; - update_interval = 60; - }; - url_preview_enabled = true; - database = { - name = "psycopg2"; - args = { - user = "matrix-synapse-rory-gay"; - #passwordFile = "/run/secrets/matrix-synapse-password"; - password = "somepassword"; - database = "matrix-synapse-rory-gay"; - host = "127.0.0.1"; - application_name = "matrix-synapse (rory.gay)"; - cp_min = 5; - cp_max = 50; - #cp_reconnect_interval = "True"; - }; - }; - app_service_config_files = [ - #"/etc/matrix-synapse/appservice-registration.yaml" - ]; - - rc_message = { - per_second = 1000; - burst_count = 1000; - }; - rc_login = { - address = { - per_second = 1000; - burst_count = 1000; - }; - account = { - per_second = 1000; - burst_count = 1000; - }; - failed_attempts = { - per_second = 0.1; - burst_count = 3; - }; - }; - rc_joins = { - local = { - per_second = 1000; - burst_count = 1000; - }; - remote = { - per_second = 1000; - burst_count = 1000; - }; - }; - rc_joins_per_room = { - per_second = 1000; - burst_count = 1000; - }; - rc_invites = { - per_room = { - per_second = 1000; - burst_count = 1000; - }; - per_user = { - per_second = 1000; - burst_count = 1000; - }; - per_issuer = { - per_second = 1000; - burst_count = 1000; - }; - }; - rc_federation = { - window_size = 10; - sleep_limit = 1000; - sleep_delay = 100; - reject_limit = 1000; - concurrent = 100; - }; - federation_rr_transactions_per_room_per_second = 1; - - max_image_pixels = "100M"; - - ui_auth = { - session_timeout = "1m"; - }; - - 
login_via_existing_session = { - enabled = true; - require_ui_auth = true; - token_timeout = "1y"; - }; - - #sentry = { - # dsn = "https://77c8de07855d4e0c90dbcf0945a04f01@sentry.thearcanebrony.net/14"; - #}; - - report_stats = false; - - user_directory = { - enabled = true; - search_all_users = true; - prefer_local_users = true; - }; - }; - - plugins = with pkgs.matrix-synapse-plugins; [ - # Alicia - need to port draupnir... - #matrix-synapse-mjolnir-antispam -# matrix-synapse-pam - ]; -# extraConfigFiles = [ -# (pkgs.writeTextFile { -# name = "matrix-synapse-extra-config.yml"; -# text = '' -# modules: -# - module: "pam_auth_provider.PAMAuthProvider" -# config: -# create_users: true -# skip_user_check: false -# ''; -# }) -# ]; - }; - - # Alicia - doesnt work yet... until in nixpkgs... - services.draupnir = { - enable = true; - - pantalaimon = { - enable = true; - username = "draupnir"; - passwordFile = "/etc/draupnir-password"; - options = { - homeserver = "http://localhost:8008"; - ssl = false; - }; - - }; - managementRoom = "#draupnir-mgmt:rory.gay"; - homeserverUrl = "http://localhost:8008"; - verboseLogging = false; - settings = { - recordIgnoredInvites = false; - automaticallyRedactForReasons = [ "*" ]; - fasterMembershipChecks = true; - backgroundDelayMS = 100; - pollReports = true; - admin.enableMakeRoomAdminCommand = true; - commands.ban.defaultReasons = [ - "spam" - "harassment" - "transphobia" - "scam" - ]; - protections = { - wordlist = { - words = [ - "tranny" - "faggot" - ]; - minutesBeforeTrusting = 0; - }; - }; - }; - }; - - systemd.services.matrix-synapse-reg-token = { - description = "Random registration token for Synapse."; - before = ["matrix-synapse.service"]; # So the registration can be used by Synapse - wantedBy = ["multi-user.target"]; - after = ["network.target"]; - - script = '' - - if [ ! 
-f "registration_shared_secret.txt" ]
- then
- cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt
- else
- echo Not generating key, key exists;
- fi'';
- serviceConfig = {
- User = "matrix-synapse";
- Group = "matrix-synapse";
- WorkingDirectory = "/var/lib/matrix-synapse";
- };
- };
- system.stateVersion = "22.11"; # DO NOT EDIT!
-}
-
diff --git a/update.sh b/update.sh
index cbec982..6ce5622 100755
--- a/update.sh
+++ b/update.sh
@@ -1,3 +1,12 @@
 #!/usr/bin/env sh
+
+if [ -d "nixpkgs" ]; then
+ cd nixpkgs
+ git remote add upstream https://github.com/NixOS/nixpkgs || git remote set-url upstream https://github.com/NixOS/nixpkgs
+ git fetch --all -v
+ git rebase upstream/nixos-unstable -v
+ cd ..
+fi
+
 nix flake update
 ./build.sh / $HOSTNAME
\ No newline at end of file
-- 
cgit 1.4.1
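Review bot: The new block has no error handling, so a failed `git fetch` or a `git rebase` that stops on conflicts still falls through to `cd ..` and `nix flake update`, leaving `nixpkgs` mid-rebase while the flake is updated and built from whatever state it is in. Running the git steps in a subshell under `set -e` stops at the first failure and makes the trailing `cd ..` unnecessary; `git fetch upstream` is also sufficient here, since `--all` pulls every configured remote. The unquoted `$HOSTNAME` on the context line `./build.sh / $HOSTNAME` predates this change but passes nothing at all when the variable is empty.
```shell
#!/usr/bin/env sh
set -e

if [ -d "nixpkgs" ]; then
  (
    cd nixpkgs
    git remote add upstream https://github.com/NixOS/nixpkgs 2>/dev/null \
      || git remote set-url upstream https://github.com/NixOS/nixpkgs
    git fetch upstream -v
    git rebase upstream/nixos-unstable -v
  )
fi
# … unchanged: nix flake update / build.sh …
```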