diff options
Diffstat (limited to 'host')
-rwxr-xr-x | host/Rory-discordbots/configuration.nix | 23 | ||||
-rwxr-xr-x | host/Rory-nginx/configuration.nix | 5 | ||||
-rwxr-xr-x | host/Rory-nginx/hosts/rory.gay/conduit.nix | 25 | ||||
-rwxr-xr-x | host/Rory-nginx/post-rebuild.sh | 2 | ||||
-rwxr-xr-x | host/Rory-nginx/services/discordbots.nix (renamed from host/Rory-discordbots/software.nix) | 0 | ||||
-rwxr-xr-x | host/Rory-nginx/services/matrix/conduit.nix | 20 | ||||
-rwxr-xr-x | host/Rory-nginx/services/matrix/coturn.nix | 54 | ||||
-rwxr-xr-x | host/Rory-nginx/services/matrix/draupnir.nix | 53 | ||||
-rwxr-xr-x | host/Rory-nginx/services/matrix/matrix-appservice-discord.nix | 26 | ||||
-rwxr-xr-x | host/Rory-nginx/services/matrix/root.nix | 13 | ||||
-rwxr-xr-x | host/Rory-nginx/services/matrix/synapse.nix (renamed from host/Rory-synapse/software.nix) | 112 | ||||
-rwxr-xr-x | host/Rory-nginx/services/postgres.nix (renamed from host/Rory-postgres/software.nix) | 0 | ||||
-rwxr-xr-x | host/Rory-postgres/configuration.nix | 24 | ||||
-rwxr-xr-x | host/Rory-synapse/configuration.nix | 24 | ||||
-rwxr-xr-x | host/Rory-synapse/post-rebuild.sh | 31 | ||||
-rwxr-xr-x | host/Rory-synapse/pre-rebuild.sh | 2 |
16 files changed, 197 insertions, 217 deletions
diff --git a/host/Rory-discordbots/configuration.nix b/host/Rory-discordbots/configuration.nix deleted file mode 100755 index dbc509c..0000000 --- a/host/Rory-discordbots/configuration.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ config, pkgs, lib, botcore-v4, ... }: - -{ - imports = - [ - ../../modules/base-server.nix - ./software.nix - ]; - - networking = { - hostName = "Rory-discordbots"; - interfaces.ens18.ipv4.addresses = [ { - address = "192.168.1.50"; - prefixLength = 24; - } ]; - interfaces.ens19.ipv4.addresses = [ { - address = "10.10.10.50"; - prefixLength = 16; - } ]; - }; - - system.stateVersion = "22.11"; # DO NOT EDIT! -} \ No newline at end of file diff --git a/host/Rory-nginx/configuration.nix b/host/Rory-nginx/configuration.nix index 2f2f7cc..2c33448 100755 --- a/host/Rory-nginx/configuration.nix +++ b/host/Rory-nginx/configuration.nix @@ -6,6 +6,11 @@ ../../modules/base-server.nix ../../modules/users/levi.nix ../../modules/users/db2k.nix + + ../../modules/services/nginx.nix + ../../modules/services/postgres.nix + ../../modules/services/synapse.nix + ./software.nix ]; users.groups.ocp = {}; diff --git a/host/Rory-nginx/hosts/rory.gay/conduit.nix b/host/Rory-nginx/hosts/rory.gay/conduit.nix new file mode 100755 index 0000000..8c293d7 --- /dev/null +++ b/host/Rory-nginx/hosts/rory.gay/conduit.nix @@ -0,0 +1,25 @@ +{ + enableACME = true; + addSSL = true; + locations."/_matrix" = { + proxyPass = "http://192.168.1.5:6167"; + extraConfig = '' + if ($request_method = 'OPTIONS') { + more_set_headers 'Access-Control-Allow-Origin: *'; + more_set_headers 'Access-Control-Allow-Methods: *'; + # + # Custom headers and headers various browsers *should* be OK with but aren't + # + more_set_headers 'Access-Control-Allow-Headers: *'; + # + # Tell client that this pre-flight info is valid for 20 days + # + more_set_headers 'Access-Control-Max-Age: 1728000'; + more_set_headers 'Content-Type: text/plain; charset=utf-8'; + more_set_headers 'Content-Length: 0'; + return 204; + } + ''; + }; + #locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008"; +} diff --git a/host/Rory-nginx/post-rebuild.sh b/host/Rory-nginx/post-rebuild.sh index ea6e013..0ea1293 100755 --- a/host/Rory-nginx/post-rebuild.sh +++ b/host/Rory-nginx/post-rebuild.sh @@ -8,7 +8,7 @@ REACHABLE_DOMAIN='http://localhost:8008' # -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md # Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat> # Explicit authorisation to use the code has been granted by the original author -# for use by members of the Rory system (https://rory.gay) +# for use by members of the Rory& system (https://rory.gay) # the magic function: diff --git a/host/Rory-discordbots/software.nix b/host/Rory-nginx/services/discordbots.nix index b0b9cf2..b0b9cf2 100755 --- a/host/Rory-discordbots/software.nix +++ b/host/Rory-nginx/services/discordbots.nix diff --git a/host/Rory-nginx/services/matrix/conduit.nix b/host/Rory-nginx/services/matrix/conduit.nix new file mode 100755 index 0000000..77ba1fb --- /dev/null +++ b/host/Rory-nginx/services/matrix/conduit.nix @@ -0,0 +1,20 @@ +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + ]; + + services.matrix-conduit = { + enable = true; + settings.global = { + server_name = "conduit.rory.gay"; + }; + database_backend = "rocksdb"; + enable_lightning_bolt = true; + max_concurrent_requests = 1000; + }; + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-nginx/services/matrix/coturn.nix b/host/Rory-nginx/services/matrix/coturn.nix new file mode 100755 index 0000000..434dd52 --- /dev/null +++ b/host/Rory-nginx/services/matrix/coturn.nix @@ -0,0 +1,54 @@ +{ config, pkgs, lib, ... }: + +{ + + # coturn (WebRTC) + services.coturn = rec { + enable = false; # Alicia - figure out secret first... + no-cli = true; + no-tcp-relay = true; + min-port = 49000; + max-port = 50000; + use-auth-secret = true; + static-auth-secret = "will be world readable for local users :("; + realm = "turn.example.com"; + # Alicia - figure out how to get this to work, since nginx runs on separate machine... + #cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + extraConfig = '' + # for debugging + verbose + # ban private IP ranges + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + ''; + }; + #services.matrix-synapse = with config.services.coturn; { + # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"]; + # turn_shared_secret = static-auth-secret; + # turn_user_lifetime = "1h"; + #}; + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-nginx/services/matrix/draupnir.nix b/host/Rory-nginx/services/matrix/draupnir.nix new file mode 100755 index 0000000..19a2f16 --- /dev/null +++ b/host/Rory-nginx/services/matrix/draupnir.nix @@ -0,0 +1,53 @@ +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ../../modules/base-server.nix + ]; + + # Alicia - doesnt work yet... until in nixpkgs... + services.draupnir = { + enable = true; + + pantalaimon = { + enable = true; + username = "draupnir"; + passwordFile = "/etc/draupnir-password"; + options = { + homeserver = "http://localhost:8008"; + ssl = false; + }; + + }; + managementRoom = "#draupnir-mgmt:rory.gay"; + homeserverUrl = "http://localhost:8008"; + verboseLogging = false; + settings = { + recordIgnoredInvites = false; + automaticallyRedactForReasons = [ "*" ]; + fasterMembershipChecks = true; + backgroundDelayMS = 100; + pollReports = true; + admin.enableMakeRoomAdminCommand = true; + commands.ban.defaultReasons = [ + "spam" + "harassment" + "transphobia" + "scam" + ]; + protections = { + wordlist = { + words = [ + "tranny" + "faggot" + ]; + minutesBeforeTrusting = 0; + }; + }; + }; + }; + + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix b/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix new file mode 100755 index 0000000..3f2225f --- /dev/null +++ b/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix @@ -0,0 +1,26 @@ +{ config, pkgs, lib, ... }: + +{ + # Discord bridge + services.matrix-appservice-discord = { + enable = false; # Alicia - figure out secret first... + environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env; + # The appservice is pre-configured to use SQLite by default. + # It's also possible to use PostgreSQL. + settings = { + bridge = { + domain = "rory.gay"; + homeserverUrl = "https://matrix.rory.gay"; + }; + + # The service uses SQLite by default, but it's also possible to use + # PostgreSQL instead: + database = { + # filename = ""; # empty value to disable sqlite + connString = "postgres://postgres@127.0.0.1/matrix-appservice-discord"; + }; + }; + }; + system.stateVersion = "22.11"; # DO NOT EDIT! +} + diff --git a/host/Rory-nginx/services/matrix/root.nix b/host/Rory-nginx/services/matrix/root.nix new file mode 100755 index 0000000..f9a9d49 --- /dev/null +++ b/host/Rory-nginx/services/matrix/root.nix @@ -0,0 +1,13 @@ +{ config, pkgs, lib, botcore-v4, ... }: + +{ + imports = + [ + ./synapse.nix + ./coturn.nix + ./matrix-appservice-discord.nix + ./draupnir.nix + ]; + + system.stateVersion = "22.11"; # DO NOT EDIT! +} \ No newline at end of file diff --git a/host/Rory-synapse/software.nix b/host/Rory-nginx/services/matrix/synapse.nix index 5db557b..b69af7a 100755 --- a/host/Rory-synapse/software.nix +++ b/host/Rory-nginx/services/matrix/synapse.nix @@ -6,76 +6,6 @@ ../../modules/base-server.nix ]; - # coturn (WebRTC) - services.coturn = rec { - enable = false; # Alicia - figure out secret first... - no-cli = true; - no-tcp-relay = true; - min-port = 49000; - max-port = 50000; - use-auth-secret = true; - static-auth-secret = "will be world readable for local users :("; - realm = "turn.example.com"; - # Alicia - figure out how to get this to work, since nginx runs on separate machine... - #cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; - #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; - extraConfig = '' - # for debugging - verbose - # ban private IP ranges - no-multicast-peers - denied-peer-ip=0.0.0.0-0.255.255.255 - denied-peer-ip=10.0.0.0-10.255.255.255 - denied-peer-ip=100.64.0.0-100.127.255.255 - denied-peer-ip=127.0.0.0-127.255.255.255 - denied-peer-ip=169.254.0.0-169.254.255.255 - denied-peer-ip=172.16.0.0-172.31.255.255 - denied-peer-ip=192.0.0.0-192.0.0.255 - denied-peer-ip=192.0.2.0-192.0.2.255 - denied-peer-ip=192.88.99.0-192.88.99.255 - denied-peer-ip=192.168.0.0-192.168.255.255 - denied-peer-ip=198.18.0.0-198.19.255.255 - denied-peer-ip=198.51.100.0-198.51.100.255 - denied-peer-ip=203.0.113.0-203.0.113.255 - denied-peer-ip=240.0.0.0-255.255.255.255 - denied-peer-ip=::1 - denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff - denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 - denied-peer-ip=100::-100::ffff:ffff:ffff:ffff - denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff - ''; - }; - - #services.matrix-synapse = with config.services.coturn; { - # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"]; - # turn_shared_secret = static-auth-secret; - # turn_user_lifetime = "1h"; - #}; - - # Discord bridge - services.matrix-appservice-discord = { - enable = false; # Alicia - figure out secret first... - environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env; - # The appservice is pre-configured to use SQLite by default. - # It's also possible to use PostgreSQL. - settings = { - bridge = { - domain = "rory.gay"; - homeserverUrl = "https://matrix.rory.gay"; - }; - - # The service uses SQLite by default, but it's also possible to use - # PostgreSQL instead: - database = { - # filename = ""; # empty value to disable sqlite - connString = "postgres://postgres@127.0.0.1/matrix-appservice-discord"; - }; - }; - }; - services.matrix-synapse = { enable = true; withJemalloc = true; @@ -252,48 +182,6 @@ # ]; }; - # Alicia - doesnt work yet... until in nixpkgs... - services.draupnir = { - enable = true; - - pantalaimon = { - enable = true; - username = "draupnir"; - passwordFile = "/etc/draupnir-password"; - options = { - homeserver = "http://localhost:8008"; - ssl = false; - }; - - }; - managementRoom = "#draupnir-mgmt:rory.gay"; - homeserverUrl = "http://localhost:8008"; - verboseLogging = false; - settings = { - recordIgnoredInvites = false; - automaticallyRedactForReasons = [ "*" ]; - fasterMembershipChecks = true; - backgroundDelayMS = 100; - pollReports = true; - admin.enableMakeRoomAdminCommand = true; - commands.ban.defaultReasons = [ - "spam" - "harassment" - "transphobia" - "scam" - ]; - protections = { - wordlist = { - words = [ - "tranny" - "faggot" - ]; - minutesBeforeTrusting = 0; - }; - }; - }; - }; - systemd.services.matrix-synapse-reg-token = { description = "Random registration token for Synapse."; before = ["matrix-synapse.service"]; # So the registration can be used by Synapse diff --git a/host/Rory-postgres/software.nix b/host/Rory-nginx/services/postgres.nix index 7b75435..7b75435 100755 --- a/host/Rory-postgres/software.nix +++ b/host/Rory-nginx/services/postgres.nix diff --git a/host/Rory-postgres/configuration.nix b/host/Rory-postgres/configuration.nix deleted file mode 100755 index f399f78..0000000 --- a/host/Rory-postgres/configuration.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - imports = - [ - ../../modules/base-server.nix - ./software.nix - ]; - - networking = { - hostName = "Rory-postgres"; - interfaces.ens18.ipv4.addresses = [ { - address = "192.168.1.3"; - prefixLength = 24; - } ]; - interfaces.ens19.ipv4.addresses = [ { - address = "10.10.10.3"; - prefixLength = 16; - } ]; - }; - - system.stateVersion = "22.11"; # DO NOT EDIT! -} - diff --git a/host/Rory-synapse/configuration.nix b/host/Rory-synapse/configuration.nix deleted file mode 100755 index 020a804..0000000 --- a/host/Rory-synapse/configuration.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - imports = - [ - ../../modules/base-server.nix - ./software.nix - ]; - - networking = { - hostName = "Rory-synapse"; - interfaces.ens18.ipv4.addresses = [ { - address = "192.168.1.5"; - prefixLength = 24; - } ]; - interfaces.ens19.ipv4.addresses = [ { - address = "10.10.10.5"; - prefixLength = 16; - } ]; - }; - - system.stateVersion = "22.11"; # DO NOT EDIT! -} - diff --git a/host/Rory-synapse/post-rebuild.sh b/host/Rory-synapse/post-rebuild.sh deleted file mode 100755 index 27028d9..0000000 --- a/host/Rory-synapse/post-rebuild.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/env nix-shell -#!nix-shell -i bash -p curl gnused nix coreutils jq openssl -#set -x -REG_KEY=`cat /var/lib/matrix-synapse/registration_shared_secret.txt` -LOCALPART='rory.gay' -REACHABLE_DOMAIN='http://localhost:8008' - -# -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md -# Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat> -# Explicit authorisation to use the code has been granted by the original author -# for use by members of the Rory system (https://rory.gay) - - -# the magic function: -register(){ - echo "Registering $1 with password $2" - _nonce=`curl http://localhost:8008/_synapse/admin/v1/register | jq -r .nonce` - #data: nonce, domain, username, password - _hmac=`printf '%s\0%s\0%s\0%s' "$_nonce" "$1" "$2" "admin" | openssl dgst -sha1 -hmac "$REG_KEY" | awk '{print $2}'` - curl -XPOST -d '{"nonce": "'"$_nonce"'", "username": "'"$1"'", "displayname": "'"$1"'", "password": "'"$2"'", "admin": true, "mac": "'"$_hmac"'"}' $REACHABLE_DOMAIN/_synapse/admin/v1/register | tee -a matrix-user-tokens.txt -} - -# -- END OF LICENSED CODE - - - -PASSWD=`cat /etc/matrix-user-pass` -for u in {draupnir,Alicia,Emma,Rory,root} -do - register $u $PASSWD -done diff --git a/host/Rory-synapse/pre-rebuild.sh b/host/Rory-synapse/pre-rebuild.sh deleted file mode 100755 index 9d92682..0000000 --- a/host/Rory-synapse/pre-rebuild.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/env sh -echo "PRE REBUILD TEST" |