diff --git a/host/Rory-devenv/configuration.nix b/host/Rory-devenv/configuration.nix
index ae1fe1a..108ff82 100755
--- a/host/Rory-devenv/configuration.nix
+++ b/host/Rory-devenv/configuration.nix
@@ -4,6 +4,7 @@
imports =
[
../../modules/base-server.nix
+ ./software.nix
];
networking = {
@@ -18,73 +19,6 @@
} ];
};
- systemd.tmpfiles.rules = [ "d /data/pg 0750 postgres postgres" ];
-
- services = {
- postgresql = {
- enable = true;
- package = pkgs.postgresql_14;
- enableTCPIP = true;
- authentication = pkgs.lib.mkOverride 10 ''
- # TYPE, DATABASE, USER, ADDRESS, METHOD
- local all all trust
- host all all 127.0.0.1/32 trust
- host all all ::1/128 trust
- host all all 0.0.0.0/0 md5
- '';
- # initialScript = pkgs.writeText "backend-initScript" ''
- # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
- # CREATE DATABASE nixcloud;
- # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
- # '';
-
- # we dont care about data here - this is a dev env
- #dataDir = "/data/pg";
- settings = {
- "max_connections" = "100";
- "shared_buffers" = "128MB";
- "max_wal_size" = "1GB";
- "min_wal_size" = "80MB";
- };
- };
- xserver = {
- enable = true;
- desktopManager.plasma5 = {
- enable = true;
- #phonon-backend = "gstreamer";
- excludePackages = with pkgs.libsForQt5; [ konsole print-manager khelpcenter oxygen okular gwenview elisa ];
- };
- displayManager.sddm.enable = true;
- displayManager.sddm.autoLogin = {
- enable = true;
- user = "Rory";
- };
- libinput.enable = true;
- videoDrivers = [ "qxl" ];
- };
- qemuGuest.enable = true;
- spice-vdagentd.enable = true;
- };
-
- environment.systemPackages = with pkgs; [
- zsh
- gnome-console
- kitty
- feh
- lsd
- sshfs
- cinnamon.nemo
- firefox-bin
- udisks
- gparted
- glxinfo
- vscode-with-extensions
- nodejs
- ];
- fonts.fonts = with pkgs; [
- (nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
- ];
-
system.stateVersion = "22.11"; # DO NOT EDIT!
}
diff --git a/host/Rory-devenv/software.nix b/host/Rory-devenv/software.nix
new file mode 100755
index 0000000..2d26885
--- /dev/null
+++ b/host/Rory-devenv/software.nix
@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../../modules/base-server.nix
+ ];
+
+ systemd.tmpfiles.rules = [ "d /data/pg 0750 postgres postgres" ];
+
+ services = {
+ postgresql = {
+ enable = true;
+ package = pkgs.postgresql_14;
+ enableTCPIP = true;
+ authentication = pkgs.lib.mkOverride 10 ''
+ # TYPE, DATABASE, USER, ADDRESS, METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host all all 0.0.0.0/0 md5
+ '';
+ # initialScript = pkgs.writeText "backend-initScript" ''
+ # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
+ # CREATE DATABASE nixcloud;
+ # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
+ # '';
+
+ # we dont care about data here - this is a dev env
+ #dataDir = "/data/pg";
+ settings = {
+ "max_connections" = "100";
+ "shared_buffers" = "128MB";
+ "max_wal_size" = "1GB";
+ "min_wal_size" = "80MB";
+ };
+ };
+ xserver = {
+ enable = true;
+ desktopManager.plasma5 = {
+ enable = true;
+ #phonon-backend = "gstreamer";
+ excludePackages = with pkgs.libsForQt5; [ konsole print-manager khelpcenter oxygen okular gwenview elisa ];
+ };
+ displayManager.sddm.enable = true;
+ displayManager.sddm.autoLogin = {
+ enable = true;
+ user = "Rory";
+ };
+ libinput.enable = true;
+ videoDrivers = [ "qxl" ];
+ };
+ qemuGuest.enable = true;
+ spice-vdagentd.enable = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ zsh
+ gnome-console
+ kitty
+ feh
+ lsd
+ sshfs
+ cinnamon.nemo
+ firefox-bin
+ udisks
+ gparted
+ glxinfo
+ vscode-with-extensions
+ nodejs
+ ];
+ fonts.fonts = with pkgs; [
+ (nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
+ ];
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
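Review bot: The closing `host all all 0.0.0.0/0 md5` rule in the `authentication` block, together with `enableTCPIP = true` (listen on every address), lets any IPv4 source attempt password logins for every role and database, and `md5` is the legacy method whose stored verifiers can be cracked offline; prefer `host all all 0.0.0.0/0 scram-sha-256` plus `"password_encryption" = "scram-sha-256";` in `settings`, and narrow the address range to the VM's network if base-server.nix does not already firewall the port (not visible here). The `# we dont care about data here - this is a dev env` comment justifies `trust` on the socket and loopback, but it is the catch-all remote rule that matters once the port is reachable. The `systemd.tmpfiles.rules` entry for `/data/pg` is orphaned while `dataDir` stays commented out, so either re-enable `dataDir = "/data/pg";` or drop the rule. `../../modules/base-server.nix` and `system.stateVersion` are now declared both here and in configuration.nix; the module system accepts identical duplicates, but a later change to one copy will fail evaluation with a conflicting-definition error, so the software module should not own them.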
diff --git a/host/Rory-discordbots/configuration.nix b/host/Rory-discordbots/configuration.nix
index 958ae5c..dbc509c 100755
--- a/host/Rory-discordbots/configuration.nix
+++ b/host/Rory-discordbots/configuration.nix
@@ -4,11 +4,7 @@
imports =
[
../../modules/base-server.nix
- # ./services.nix
- botcore-v4.modules.bots
- botcore-v4.modules.frontend
- botcore-v4.modules.dataupdater
- botcore-v4.modules.users
+ ./software.nix
];
networking = {
diff --git a/host/Rory-discordbots/software.nix b/host/Rory-discordbots/software.nix
new file mode 100755
index 0000000..b0b9cf2
--- /dev/null
+++ b/host/Rory-discordbots/software.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, lib, botcore-v4, ... }:
+
+{
+ imports =
+ [
+ ../../modules/base-server.nix
+ # ./services.nix
+ botcore-v4.modules.bots
+ botcore-v4.modules.frontend
+ botcore-v4.modules.dataupdater
+ botcore-v4.modules.users
+ ];
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
\ No newline at end of file
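Review bot: `system.stateVersion = "22.11";` is declared here as well as in configuration.nix, which this module does not need; the option only evaluates because both values happen to be equal, and the `# DO NOT EDIT!` marker now guards two copies that must stay in lockstep. Suggest removing `system.stateVersion` from software.nix so the host's configuration.nix remains its single owner (the same applies to the other software.nix files introduced in this commit). The repeated `../../modules/base-server.nix` import is deduplicated by the module system but is redundant with the parent, and the `# ./services.nix` comment was carried over from the old import list without a referent; both can go. The file also lacks a trailing newline.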
diff --git a/host/Rory-fosscord/configuration.nix b/host/Rory-fosscord/configuration.nix
index a58ba05..84c997e 100755
--- a/host/Rory-fosscord/configuration.nix
+++ b/host/Rory-fosscord/configuration.nix
@@ -4,9 +4,7 @@
imports =
[
../../modules/base-server.nix
- # ./services.nix
- discord-client-proxy.modules.proxy
- discord-client-proxy.modules.users
+ ./software.nix
];
networking = {
diff --git a/host/Rory-fosscord/software.nix b/host/Rory-fosscord/software.nix
new file mode 100755
index 0000000..78f4412
--- /dev/null
+++ b/host/Rory-fosscord/software.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, lib, discord-client-proxy, ... }:
+
+{
+ imports =
+ [
+ ../../modules/base-server.nix
+ # ./services.nix
+ discord-client-proxy.modules.proxy
+ discord-client-proxy.modules.users
+ ];
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
diff --git a/host/Rory-nginx/configuration.nix b/host/Rory-nginx/configuration.nix
index 8400a75..c38a1bf 100755
--- a/host/Rory-nginx/configuration.nix
+++ b/host/Rory-nginx/configuration.nix
@@ -4,7 +4,7 @@
imports =
[
../../modules/base-server.nix
- ../../modules/packages/gitfs.nix
+ ./software.nix
];
networking = {
@@ -19,77 +19,5 @@
} ];
};
- services = {
- nginx = {
- enable = true;
- package = pkgs.nginxQuic;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- appendConfig = ''
- worker_processes 16;
- '';
- eventsConfig = ''
- #use kqueue;
- worker_connections 512;
- '';
- upstreams = import ./matrix/upstreams.nix;
- virtualHosts = {
- "siliconheaven.thearcanebrony.net" = import ./hosts/thearcanebrony.net/siliconheaven.nix;
- "lfs.thearcanebrony.net" = import ./hosts/thearcanebrony.net/lfs.nix;
- "http.thearcanebrony.net" = import ./hosts/thearcanebrony.net/http.nix;
- "thearcanebrony.net" = import ./hosts/thearcanebrony.net/root.nix;
- "sentry.thearcanebrony.net" = import ./hosts/thearcanebrony.net/sentry.nix;
- "awooradio.thearcanebrony.net" = import ./hosts/thearcanebrony.net/awooradio.nix;
- "search.thearcanebrony.net" = import ./hosts/thearcanebrony.net/search.nix;
- "git.thearcanebrony.net" = import ./hosts/thearcanebrony.net/git.nix;
- "files.thearcanebrony.net" = import ./hosts/thearcanebrony.net/files.nix;
- "spigotav.thearcanebrony.net" = import ./hosts/thearcanebrony.net/spigotav.nix;
- "terra.thearcanebrony.net" = import ./hosts/thearcanebrony.net/terra.nix;
- "vives.thearcanebrony.net" = import ./hosts/thearcanebrony.net/vives.nix;
- "rory.gay" = import ./hosts/rory.gay/root.nix;
- "rory.boo" = import ./hosts/rory.gay/root.nix;
- "lfs.rory.gay" = import ./hosts/rory.gay/lfs.nix;
- "git.rory.gay" = import ./hosts/rory.gay/git.nix;
- "matrix.rory.gay" = import ./hosts/rory.gay/matrix.nix;
- "mru.rory.gay" = import ./hosts/rory.gay/mru.nix;
- "tunnel.rory.boo" = import ./hosts/rory.boo/tunnel.nix;
- "boorunav.com" = import ./hosts/boorunav.com/root.nix;
- "catgirlsaresexy.com" = import ./hosts/catgirlsaresexy.com/root.nix;
- "sugarcanemc.org" = import ./hosts/sugarcanemc.org/root.nix;
-
- #bots...
- "0bottests.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "catnipbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "impulsyeeter.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "omnibot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "yatopiawatchdog.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "playground.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "kinobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "siliconbotpublic.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "thearcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "anonbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "hericanbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "siliconbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "impulsbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "studiobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "carsnbots.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "binsh.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "fosscordbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "sugarcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- "gradbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
- };
- };
- };
- systemd.services.nginx.serviceConfig = {
- LimitNOFILE=5000000;
- };
- systemd.services.nginx.requires = [ "data.mount" ];
- security.acme.acceptTerms = true;
- security.acme.defaults.email = "root@thearcanebrony.net";
-
- environment.systemPackages = with pkgs; [
- #gitfs
- ];
-
system.stateVersion = "22.11"; # DO NOT EDIT!
}
diff --git a/host/Rory-nginx/software.nix b/host/Rory-nginx/software.nix
new file mode 100755
index 0000000..a551c6b
--- /dev/null
+++ b/host/Rory-nginx/software.nix
@@ -0,0 +1,83 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../../modules/base-server.nix
+ #../../modules/packages/gitfs.nix
+ ];
+
+ services = {
+ nginx = {
+ enable = true;
+ package = pkgs.nginxQuic;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ appendConfig = ''
+ worker_processes 16;
+ '';
+ eventsConfig = ''
+ #use kqueue;
+ worker_connections 512;
+ '';
+ upstreams = import ./matrix/upstreams.nix;
+ virtualHosts = {
+ "siliconheaven.thearcanebrony.net" = import ./hosts/thearcanebrony.net/siliconheaven.nix;
+ "lfs.thearcanebrony.net" = import ./hosts/thearcanebrony.net/lfs.nix;
+ "http.thearcanebrony.net" = import ./hosts/thearcanebrony.net/http.nix;
+ "thearcanebrony.net" = import ./hosts/thearcanebrony.net/root.nix;
+ "sentry.thearcanebrony.net" = import ./hosts/thearcanebrony.net/sentry.nix;
+ "awooradio.thearcanebrony.net" = import ./hosts/thearcanebrony.net/awooradio.nix;
+ "search.thearcanebrony.net" = import ./hosts/thearcanebrony.net/search.nix;
+ "git.thearcanebrony.net" = import ./hosts/thearcanebrony.net/git.nix;
+ "files.thearcanebrony.net" = import ./hosts/thearcanebrony.net/files.nix;
+ "spigotav.thearcanebrony.net" = import ./hosts/thearcanebrony.net/spigotav.nix;
+ "terra.thearcanebrony.net" = import ./hosts/thearcanebrony.net/terra.nix;
+ "vives.thearcanebrony.net" = import ./hosts/thearcanebrony.net/vives.nix;
+ "rory.gay" = import ./hosts/rory.gay/root.nix;
+ "rory.boo" = import ./hosts/rory.gay/root.nix;
+ "lfs.rory.gay" = import ./hosts/rory.gay/lfs.nix;
+ "git.rory.gay" = import ./hosts/rory.gay/git.nix;
+ "matrix.rory.gay" = import ./hosts/rory.gay/matrix.nix;
+ "mru.rory.gay" = import ./hosts/rory.gay/mru.nix;
+ "tunnel.rory.boo" = import ./hosts/rory.boo/tunnel.nix;
+ "boorunav.com" = import ./hosts/boorunav.com/root.nix;
+ "catgirlsaresexy.com" = import ./hosts/catgirlsaresexy.com/root.nix;
+ "sugarcanemc.org" = import ./hosts/sugarcanemc.org/root.nix;
+
+ #bots...
+ "0bottests.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "catnipbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "impulsyeeter.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "omnibot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "yatopiawatchdog.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "playground.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "kinobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "siliconbotpublic.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "thearcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "anonbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "hericanbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "siliconbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "impulsbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "studiobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "carsnbots.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "binsh.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "fosscordbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "sugarcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ "gradbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+ };
+ };
+ };
+ systemd.services.nginx.serviceConfig = {
+ LimitNOFILE=5000000;
+ };
+ systemd.services.nginx.requires = [ "data.mount" ];
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "root@thearcanebrony.net";
+
+ environment.systemPackages = with pkgs; [
+ #gitfs
+ ];
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
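Review bot: `../../modules/packages/gitfs.nix` is commented out in this file's imports while configuration.nix drops it from its own list, so the commit silently removes gitfs from the nginx host although it otherwise only moves configuration into a separate module. If the removal is intended, delete the commented import and the now-empty `environment.systemPackages = with pkgs; [ #gitfs ];` rather than leaving dead entries; if not, restore `../../modules/packages/gitfs.nix` in `imports`. As in the other new software.nix files, `../../modules/base-server.nix` and `system.stateVersion` duplicate declarations already made by configuration.nix and should live in one place only.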
diff --git a/host/Rory-postgres/configuration.nix b/host/Rory-postgres/configuration.nix
index fef0296..f399f78 100755
--- a/host/Rory-postgres/configuration.nix
+++ b/host/Rory-postgres/configuration.nix
@@ -4,6 +4,7 @@
imports =
[
../../modules/base-server.nix
+ ./software.nix
];
networking = {
@@ -17,35 +18,6 @@
prefixLength = 16;
} ];
};
-
- systemd.tmpfiles.rules = [ "d /data/pg 0750 postgres postgres" ];
-
- services.postgresql = {
- enable = true;
- package = pkgs.postgresql_14;
- enableTCPIP = true;
- authentication = pkgs.lib.mkOverride 10 ''
- # TYPE, DATABASE, USER, ADDRESS, METHOD
- local all all trust
- host all all 127.0.0.1/32 trust
- host all all ::1/128 trust
- host discordbots discordbots 192.168.1.50/32 trust
- host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust
- host all all 0.0.0.0/0 md5
- '';
- # initialScript = pkgs.writeText "backend-initScript" ''
- # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
- # CREATE DATABASE nixcloud;
- # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
- # '';
- dataDir = "/data/pg";
- settings = {
- "max_connections" = "100";
- "shared_buffers" = "128MB";
- "max_wal_size" = "1GB";
- "min_wal_size" = "80MB";
- };
- };
system.stateVersion = "22.11"; # DO NOT EDIT!
}
diff --git a/host/Rory-postgres/software.nix b/host/Rory-postgres/software.nix
new file mode 100755
index 0000000..99cdd64
--- /dev/null
+++ b/host/Rory-postgres/software.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../../modules/base-server.nix
+ ];
+
+ systemd.tmpfiles.rules = [ "d /data/pg 0750 postgres postgres" ];
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_14;
+ enableTCPIP = true;
+ authentication = pkgs.lib.mkOverride 10 ''
+ # TYPE, DATABASE, USER, ADDRESS, METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host discordbots discordbots 192.168.1.50/32 trust
+ host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust
+ host all all 0.0.0.0/0 md5
+ '';
+ # initialScript = pkgs.writeText "backend-initScript" ''
+ # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
+ # CREATE DATABASE nixcloud;
+ # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
+ # '';
+ dataDir = "/data/pg";
+ settings = {
+ "max_connections" = "100";
+ "shared_buffers" = "128MB";
+ "max_wal_size" = "1GB";
+ "min_wal_size" = "80MB";
+ };
+ };
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
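Review bot: The final `host all all 0.0.0.0/0 md5` rule, with `enableTCPIP = true` making the server listen on all addresses, permits password authentication for every role including `postgres` from any IPv4 source, and `md5` verifiers are crackable offline once the role table leaks; suggest `host all all 192.168.0.0/16 scram-sha-256` (the host's interface is a /16 per configuration.nix) together with `"password_encryption" = "scram-sha-256";` in `settings`, re-setting existing passwords afterwards since md5 hashes cannot be upgraded in place. The `trust` entries for 192.168.1.50 and 192.168.1.5 make access to the `discordbots` and `matrix-synapse-rory-gay` databases depend solely on source IP, so anything that can use those addresses on the LAN connects without credentials; if that is an accepted trade-off for a private segment, a comment should say so. `local all all trust` additionally grants every local Unix account superuser access over the socket, where the module's default `peer` mapping would bind roles to matching system users. The commented `initialScript` containing the `nixcloud` password is dead text carried over from the old file and can be removed.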
diff --git a/host/Rory-synapse/configuration.nix b/host/Rory-synapse/configuration.nix
index 46da7b6..020a804 100755
--- a/host/Rory-synapse/configuration.nix
+++ b/host/Rory-synapse/configuration.nix
@@ -4,6 +4,7 @@
imports =
[
../../modules/base-server.nix
+ ./software.nix
];
networking = {
@@ -18,205 +19,6 @@
} ];
};
- # coturn (WebRTC)
- services.coturn = rec {
- enable = false; # Alicia - figure out secret first...
- no-cli = true;
- no-tcp-relay = true;
- min-port = 49000;
- max-port = 50000;
- use-auth-secret = true;
- static-auth-secret = "will be world readable for local users :(";
- realm = "turn.example.com";
- # Alicia - figure out how to get this to work, since nginx runs on separate machine...
- #cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
- #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
- extraConfig = ''
- # for debugging
- verbose
- # ban private IP ranges
- no-multicast-peers
- denied-peer-ip=0.0.0.0-0.255.255.255
- denied-peer-ip=10.0.0.0-10.255.255.255
- denied-peer-ip=100.64.0.0-100.127.255.255
- denied-peer-ip=127.0.0.0-127.255.255.255
- denied-peer-ip=169.254.0.0-169.254.255.255
- denied-peer-ip=172.16.0.0-172.31.255.255
- denied-peer-ip=192.0.0.0-192.0.0.255
- denied-peer-ip=192.0.2.0-192.0.2.255
- denied-peer-ip=192.88.99.0-192.88.99.255
- denied-peer-ip=192.168.0.0-192.168.255.255
- denied-peer-ip=198.18.0.0-198.19.255.255
- denied-peer-ip=198.51.100.0-198.51.100.255
- denied-peer-ip=203.0.113.0-203.0.113.255
- denied-peer-ip=240.0.0.0-255.255.255.255
- denied-peer-ip=::1
- denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
- denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
- denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
- denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
- denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- '';
- };
-
- #services.matrix-synapse = with config.services.coturn; {
- # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
- # turn_shared_secret = static-auth-secret;
- # turn_user_lifetime = "1h";
- #};
-
- # Discord bridge
- services.matrix-appservice-discord = {
- enable = false; # Alicia - figure out secret first...
- environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
- # The appservice is pre-configured to use SQLite by default.
- # It's also possible to use PostgreSQL.
- settings = {
- bridge = {
- domain = "rory.gay";
- homeserverUrl = "https://matrix.rory.gay";
- };
-
- # The service uses SQLite by default, but it's also possible to use
- # PostgreSQL instead:
- database = {
- # filename = ""; # empty value to disable sqlite
- connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord";
- };
- };
- };
-
- services.matrix-synapse = {
- enable = true;
-
- settings = {
- server_name = "rory.gay";
-
- enable_registration = false;
- # Alicia - figure this out later...
- #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"];
- registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
-
- # Alicia - types: https://github.com/NixOS/nixpkgs/blob/release-22.11/nixos/modules/services/matrix/synapse.nix#L410
- listeners = [
- {
- port = 8008;
- bind_addresses = [ "192.168.1.5" "127.0.0.1" ];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [ {
- names = [ "client" "federation" ];
- compress = true;
- } ];
- }
- ];
- dynamic_thumbnails = true;
-
- presence = {
- enable = true;
- update_interval = 60;
- };
- url_preview_enabled = true;
-
- database = {
- name = "psycopg2";
- args = {
- user = "matrix-synapse-rory-gay";
- #passwordFile = "/run/secrets/matrix-synapse-password";
- password = "somepassword";
- database = "matrix-synapse-rory-gay";
- host = "192.168.1.3";
- };
- };
- app_service_config_files = [
- #"/etc/matrix-synapse/appservice-registration.yaml"
- ];
- };
-
- plugins = with pkgs.matrix-synapse-plugins; [
- # Alicia - need to port draupnir...
- #matrix-synapse-mjolnir-antispam
-# matrix-synapse-pam
- ];
-# extraConfigFiles = [
-# (pkgs.writeTextFile {
-# name = "matrix-synapse-extra-config.yml";
-# text = ''
-# modules:
-# - module: "pam_auth_provider.PAMAuthProvider"
-# config:
-# create_users: true
-# skip_user_check: false
-# '';
-# })
-# ];
- };
-
- # Alicia - doesnt work yet... until in nixpkgs...
- services.draupnir = {
- enable = true;
-
- pantalaimon = {
- enable = true;
- username = "draupnir";
- passwordFile = "/etc/draupnir-password";
- options = {
- homeserver = "http://localhost:8008";
- ssl = false;
- };
-
- };
- managementRoom = "#draupnir-mgmt:rory.gay";
- homeserverUrl = "http://localhost:8008";
- verboseLogging = false;
- settings = {
- recordIgnoredInvites = false;
- automaticallyRedactForReasons = [ "*" ];
- fasterMembershipChecks = true;
- backgroundDelayMS = 100;
- pollReports = true;
- admin.enableMakeRoomAdminCommand = true;
- commands.ban.defaultReasons = [
- "spam"
- "harassment"
- "transphobia"
- "scam"
- ];
- protections = {
- wordlist = {
- words = [
- "tranny"
- "faggot"
- ];
- minutesBeforeTrusting = 0;
- };
- };
- };
- };
-
- systemd.services.matrix-synapse-reg-token = {
- description = "Random registration token for Synapse.";
- before = ["matrix-synapse.service"]; # So the registration can be used by Synapse
- wantedBy = ["multi-user.target"];
- after = ["network.target"];
-
- script = ''
-
- if [ ! -f "registration_shared_secret.txt" ]
- then
- cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt
- else
- echo Not generating key, key exists;
- fi'';
- serviceConfig = {
- User = "matrix-synapse";
- Group = "matrix-synapse";
- WorkingDirectory = "/var/lib/matrix-synapse";
- };
- };
system.stateVersion = "22.11"; # DO NOT EDIT!
}
diff --git a/host/Rory-synapse/software.nix b/host/Rory-synapse/software.nix
new file mode 100755
index 0000000..87e2788
--- /dev/null
+++ b/host/Rory-synapse/software.nix
@@ -0,0 +1,210 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../../modules/base-server.nix
+ ];
+
+ # coturn (WebRTC)
+ services.coturn = rec {
+ enable = false; # Alicia - figure out secret first...
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret = "will be world readable for local users :(";
+ realm = "turn.example.com";
+ # Alicia - figure out how to get this to work, since nginx runs on separate machine...
+ #cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+ #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+ extraConfig = ''
+ # for debugging
+ verbose
+ # ban private IP ranges
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ '';
+ };
+
+ #services.matrix-synapse = with config.services.coturn; {
+ # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
+ # turn_shared_secret = static-auth-secret;
+ # turn_user_lifetime = "1h";
+ #};
+
+ # Discord bridge
+ services.matrix-appservice-discord = {
+ enable = false; # Alicia - figure out secret first...
+ environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
+ # The appservice is pre-configured to use SQLite by default.
+ # It's also possible to use PostgreSQL.
+ settings = {
+ bridge = {
+ domain = "rory.gay";
+ homeserverUrl = "https://matrix.rory.gay";
+ };
+
+ # The service uses SQLite by default, but it's also possible to use
+ # PostgreSQL instead:
+ database = {
+ # filename = ""; # empty value to disable sqlite
+ connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord";
+ };
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+
+ settings = {
+ server_name = "rory.gay";
+
+ enable_registration = false;
+ # Alicia - figure this out later...
+ #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"];
+ registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
+
+ # Alicia - types: https://github.com/NixOS/nixpkgs/blob/release-22.11/nixos/modules/services/matrix/synapse.nix#L410
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "192.168.1.5" "127.0.0.1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [ {
+ names = [ "client" "federation" ];
+ compress = true;
+ } ];
+ }
+ ];
+ dynamic_thumbnails = true;
+
+ presence = {
+ enable = true;
+ update_interval = 60;
+ };
+ url_preview_enabled = true;
+
+ database = {
+ name = "psycopg2";
+ args = {
+ user = "matrix-synapse-rory-gay";
+ #passwordFile = "/run/secrets/matrix-synapse-password";
+ password = "somepassword";
+ database = "matrix-synapse-rory-gay";
+ host = "192.168.1.3";
+ };
+ };
+ app_service_config_files = [
+ #"/etc/matrix-synapse/appservice-registration.yaml"
+ ];
+ };
+
+ plugins = with pkgs.matrix-synapse-plugins; [
+ # Alicia - need to port draupnir...
+ #matrix-synapse-mjolnir-antispam
+# matrix-synapse-pam
+ ];
+# extraConfigFiles = [
+# (pkgs.writeTextFile {
+# name = "matrix-synapse-extra-config.yml";
+# text = ''
+# modules:
+# - module: "pam_auth_provider.PAMAuthProvider"
+# config:
+# create_users: true
+# skip_user_check: false
+# '';
+# })
+# ];
+ };
+
+ # Alicia - doesnt work yet... until in nixpkgs...
+ services.draupnir = {
+ enable = true;
+
+ pantalaimon = {
+ enable = true;
+ username = "draupnir";
+ passwordFile = "/etc/draupnir-password";
+ options = {
+ homeserver = "http://localhost:8008";
+ ssl = false;
+ };
+
+ };
+ managementRoom = "#draupnir-mgmt:rory.gay";
+ homeserverUrl = "http://localhost:8008";
+ verboseLogging = false;
+ settings = {
+ recordIgnoredInvites = false;
+ automaticallyRedactForReasons = [ "*" ];
+ fasterMembershipChecks = true;
+ backgroundDelayMS = 100;
+ pollReports = true;
+ admin.enableMakeRoomAdminCommand = true;
+ commands.ban.defaultReasons = [
+ "spam"
+ "harassment"
+ "transphobia"
+ "scam"
+ ];
+ protections = {
+ wordlist = {
+ words = [
+ "tranny"
+ "faggot"
+ ];
+ minutesBeforeTrusting = 0;
+ };
+ };
+ };
+ };
+
+ systemd.services.matrix-synapse-reg-token = {
+ description = "Random registration token for Synapse.";
+ before = ["matrix-synapse.service"]; # So the registration can be used by Synapse
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+
+ script = ''
+
+ if [ ! -f "registration_shared_secret.txt" ]
+ then
+ cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt
+ else
+ echo Not generating key, key exists;
+ fi'';
+ serviceConfig = {
+ User = "matrix-synapse";
+ Group = "matrix-synapse";
+ WorkingDirectory = "/var/lib/matrix-synapse";
+ };
+ };
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
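Review bot: `password = "somepassword"` in `settings.database.args` is rendered by the NixOS module into a homeserver.yaml that lives in the world-readable Nix store, so it is a plaintext credential exposed to every local user; move the `database.args.password` entry into a root-owned file listed in `services.matrix-synapse.extraConfigFiles` (the commented `#passwordFile` is not a Synapse option), and note that the Postgres host in this commit trusts 192.168.1.5 for this role, so the literal is never actually checked. The `matrix-synapse-reg-token` unit has no `Type`, so with the default `simple` its `before = ["matrix-synapse.service"]` only orders the fork, not completion, and Synapse can start before `registration_shared_secret.txt` exists; the file is also written with the service's default umask, readable by other users unless the state directory itself is 0700. Add `Type = "oneshot";` and `UMask = "0077";` to that unit's `serviceConfig`. The coturn `static-auth-secret` literal lands in the store the same way, as its own comment admits; the module's `static-auth-secret-file` option, if available in this nixpkgs, avoids that once coturn is enabled.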