Diffstat (limited to 'host')
-rwxr-xr-xhost/Rory-discordbots/configuration.nix23
-rwxr-xr-xhost/Rory-nginx/configuration.nix5
-rwxr-xr-xhost/Rory-nginx/hosts/rory.gay/conduit.nix25
-rwxr-xr-xhost/Rory-nginx/post-rebuild.sh2
-rwxr-xr-xhost/Rory-nginx/services/discordbots.nix (renamed from host/Rory-discordbots/software.nix)0
-rwxr-xr-xhost/Rory-nginx/services/matrix/conduit.nix20
-rwxr-xr-xhost/Rory-nginx/services/matrix/coturn.nix54
-rwxr-xr-xhost/Rory-nginx/services/matrix/draupnir.nix53
-rwxr-xr-xhost/Rory-nginx/services/matrix/matrix-appservice-discord.nix26
-rwxr-xr-xhost/Rory-nginx/services/matrix/root.nix13
-rwxr-xr-xhost/Rory-nginx/services/matrix/synapse.nix (renamed from host/Rory-synapse/software.nix)112
-rwxr-xr-xhost/Rory-nginx/services/postgres.nix (renamed from host/Rory-postgres/software.nix)0
-rwxr-xr-xhost/Rory-postgres/configuration.nix24
-rwxr-xr-xhost/Rory-synapse/configuration.nix24
-rwxr-xr-xhost/Rory-synapse/post-rebuild.sh31
-rwxr-xr-xhost/Rory-synapse/pre-rebuild.sh2
16 files changed, 197 insertions, 217 deletions
diff --git a/host/Rory-discordbots/configuration.nix b/host/Rory-discordbots/configuration.nix
deleted file mode 100755
index dbc509c..0000000
--- a/host/Rory-discordbots/configuration.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ config, pkgs, lib, botcore-v4, ... }:
-
-{
-  imports =
-    [
-      ../../modules/base-server.nix
-      ./software.nix
-    ];
-
-  networking = {
-    hostName = "Rory-discordbots";
-    interfaces.ens18.ipv4.addresses = [ { 
-      address = "192.168.1.50";
-      prefixLength = 24;
-    } ];
-    interfaces.ens19.ipv4.addresses = [ {
-      address = "10.10.10.50";
-      prefixLength = 16;
-    } ];
-  };
-
-  system.stateVersion = "22.11"; # DO NOT EDIT!
-}
\ No newline at end of file
diff --git a/host/Rory-nginx/configuration.nix b/host/Rory-nginx/configuration.nix
index 2f2f7cc..2c33448 100755
--- a/host/Rory-nginx/configuration.nix
+++ b/host/Rory-nginx/configuration.nix
@@ -6,6 +6,11 @@
       ../../modules/base-server.nix
       ../../modules/users/levi.nix
       ../../modules/users/db2k.nix
+
+      ../../modules/services/nginx.nix
+      ../../modules/services/postgres.nix
+      ../../modules/services/synapse.nix
+
       ./software.nix
     ];
   users.groups.ocp = {};
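Review bot: The three added imports `../../modules/services/nginx.nix`, `../../modules/services/postgres.nix` and `../../modules/services/synapse.nix` do not correspond to any file in this commit — the diffstat moves the services to `host/Rory-nginx/services/postgres.nix` and `host/Rory-nginx/services/matrix/synapse.nix`, and nothing under `modules/services/` is touched here. Unless those modules already exist outside this diff, the host will fail to evaluate on the missing files; the intended lines are presumably `./services/postgres.nix` and `./services/matrix/root.nix` (which in turn imports synapse.nix at L307). As written, nothing in the commit imports `services/matrix/root.nix`, `services/matrix/conduit.nix` or the renamed `services/discordbots.nix`, so the moved services would not be activated. The enclosing `imports` list starts before the hunk.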
diff --git a/host/Rory-nginx/hosts/rory.gay/conduit.nix b/host/Rory-nginx/hosts/rory.gay/conduit.nix
new file mode 100755
index 0000000..8c293d7
--- /dev/null
+++ b/host/Rory-nginx/hosts/rory.gay/conduit.nix
@@ -0,0 +1,25 @@
+{
+  enableACME = true;
+  addSSL = true;
+  locations."/_matrix" = {
+    proxyPass = "http://192.168.1.5:6167"; 
+    extraConfig = ''
+      if ($request_method = 'OPTIONS') {
+        more_set_headers 'Access-Control-Allow-Origin: *';
+        more_set_headers 'Access-Control-Allow-Methods: *';
+        #
+        # Custom headers and headers various browsers *should* be OK with but aren't
+        #
+        more_set_headers 'Access-Control-Allow-Headers: *';
+        #
+        # Tell client that this pre-flight info is valid for 20 days
+        #
+        more_set_headers 'Access-Control-Max-Age: 1728000';
+        more_set_headers 'Content-Type: text/plain; charset=utf-8';
+        more_set_headers 'Content-Length: 0';
+        return 204;
+      }
+    '';
+  };
+  #locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008";   
+}
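Review bot: `proxyPass = "http://192.168.1.5:6167"` on L81 targets the address of the Rory-synapse host whose configuration this same commit deletes (L498), while the conduit service added in `services/matrix/conduit.nix` leaves the listener unset and would run on the nginx host itself; if the services are consolidated as the rest of the diff suggests, the upstream should be the local listener, e.g. `proxyPass = "http://127.0.0.1:6167";`. The `more_set_headers` directives need nginx's headers-more module to be compiled in (`services.nginx.additionalModules`), which is not visible in this diff — confirm it is enabled or replace them with `add_header ... always`. The commented-out line L100 carries the same stale 192.168.1.5 address.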
diff --git a/host/Rory-nginx/post-rebuild.sh b/host/Rory-nginx/post-rebuild.sh
index ea6e013..0ea1293 100755
--- a/host/Rory-nginx/post-rebuild.sh
+++ b/host/Rory-nginx/post-rebuild.sh
@@ -8,7 +8,7 @@ REACHABLE_DOMAIN='http://localhost:8008'
 # -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md
 # Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat>
 # Explicit authorisation to use the code has been granted by the original author
-#  for use by members of the Rory system (https://rory.gay)
+#  for use by members of the Rory& system (https://rory.gay)
 
 
 # the magic function:
diff --git a/host/Rory-discordbots/software.nix b/host/Rory-nginx/services/discordbots.nix
index b0b9cf2..b0b9cf2 100755
--- a/host/Rory-discordbots/software.nix
+++ b/host/Rory-nginx/services/discordbots.nix
diff --git a/host/Rory-nginx/services/matrix/conduit.nix b/host/Rory-nginx/services/matrix/conduit.nix
new file mode 100755
index 0000000..77ba1fb
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/conduit.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+
+  services.matrix-conduit = {
+    enable = true;
+    settings.global = {
+      server_name = "conduit.rory.gay";
+    };
+    database_backend = "rocksdb";
+    enable_lightning_bolt = true;
+    max_concurrent_requests = 1000;
+  };
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
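Review bot: `../../modules/base-server.nix` on L130 resolves relative to the file's new location `host/Rory-nginx/services/matrix/`, i.e. to `host/Rory-nginx/modules/base-server.nix`, which is not a path in this tree; the line was written for a file directly under `host/<name>/`. Since `host/Rory-nginx/configuration.nix` already imports base-server.nix (L60), the simplest fix is to drop the `imports` block here rather than rewrite it as `../../../../modules/base-server.nix`. The same relocated path appears in draupnir.nix (L216) and survives as unchanged context in the renamed synapse.nix (L321). `system.stateVersion` is also repeated in every service file (L142, L202, L261, L293, L313); equal values merge without error, but it belongs only in the host's configuration.nix.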
diff --git a/host/Rory-nginx/services/matrix/coturn.nix b/host/Rory-nginx/services/matrix/coturn.nix
new file mode 100755
index 0000000..434dd52
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/coturn.nix
@@ -0,0 +1,54 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+  # coturn (WebRTC)
+  services.coturn = rec {
+    enable = false; # Alicia - figure out secret first...
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = 49000;
+    max-port = 50000;
+    use-auth-secret = true;
+    static-auth-secret = "will be world readable for local users :(";
+    realm = "turn.example.com";
+    # Alicia - figure out how to get this to work, since nginx runs on separate machine...
+    #cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    extraConfig = ''
+      # for debugging
+      verbose
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+  };
+  #services.matrix-synapse = with config.services.coturn; {
+  #  turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
+  #  turn_shared_secret = static-auth-secret;
+  #  turn_user_lifetime = "1h";
+  #};
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
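Review bot: `static-auth-secret = "will be world readable for local users :("` on L163 would place the TURN shared secret in the world-readable Nix store, exactly as the placeholder value says; the coturn module's `static-auth-secret-file` option reads the secret at runtime instead, so `static-auth-secret-file = "/run/keys/<turn-secret-file>";` (placeholder path, root-only file) removes the blocker behind `enable = false` on L157. The commented synapse block on L197–L201 would then need to read the same file rather than `static-auth-secret`, since the option value is no longer the secret. `realm = "turn.example.com"` on L164 is still the example placeholder and `verbose` on L170 is debug-level logging; both look like leftovers to resolve before the service is enabled.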
diff --git a/host/Rory-nginx/services/matrix/draupnir.nix b/host/Rory-nginx/services/matrix/draupnir.nix
new file mode 100755
index 0000000..19a2f16
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/draupnir.nix
@@ -0,0 +1,53 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+
+  # Alicia - doesnt work yet... until in nixpkgs...
+  services.draupnir = {
+    enable = true;
+    
+    pantalaimon = {
+      enable = true;
+      username = "draupnir";
+      passwordFile = "/etc/draupnir-password";
+      options = {
+        homeserver = "http://localhost:8008";
+        ssl = false;
+      };
+      
+    };
+    managementRoom = "#draupnir-mgmt:rory.gay";
+    homeserverUrl = "http://localhost:8008";
+    verboseLogging = false;
+    settings = {
+      recordIgnoredInvites = false;
+      automaticallyRedactForReasons = [ "*" ];
+      fasterMembershipChecks = true;
+      backgroundDelayMS = 100;
+      pollReports = true;
+      admin.enableMakeRoomAdminCommand = true;
+      commands.ban.defaultReasons = [
+        "spam"
+        "harassment"
+        "transphobia"
+        "scam"
+      ];
+      protections = {
+        wordlist = {
+          words = [
+            "tranny"
+            "faggot"
+          ];
+          minutesBeforeTrusting = 0;
+        };
+      };
+    };
+  };
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
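Review bot: `enable = true` on L221 under `services.draupnir` contradicts the comment on L219 that the module is not in nixpkgs yet; with no module declaring the option, importing this file from `root.nix` (L310) makes the whole host fail to evaluate with an undefined-option error, so either set `enable = false;` until the module lands or leave `./draupnir.nix` out of `root.nix`'s imports. `passwordFile = "/etc/draupnir-password"` on L226 and the two `http://localhost:8008` URLs on L228 and L234 assume the bot shares a host with Synapse, which holds after this consolidation but differs from the old Rory-synapse layout — a one-line comment stating that assumption would help. The `../../modules/base-server.nix` import on L216 has the same relocated-path problem as conduit.nix.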
diff --git a/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix b/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix
new file mode 100755
index 0000000..3f2225f
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # Discord bridge
+   services.matrix-appservice-discord = {
+    enable = false; # Alicia - figure out secret first...
+    environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
+    # The appservice is pre-configured to use SQLite by default.
+    # It's also possible to use PostgreSQL.
+    settings = {
+      bridge = {
+        domain = "rory.gay";
+        homeserverUrl = "https://matrix.rory.gay";
+      };
+
+      # The service uses SQLite by default, but it's also possible to use
+      # PostgreSQL instead:
+      database = {
+        #  filename = ""; # empty value to disable sqlite
+        connString = "postgres://postgres@127.0.0.1/matrix-appservice-discord";
+      };
+    };
+   };
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
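Review bot: `environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;` on L276 is a Nix path literal rather than a string; if the module interpolates it into a string (`"${cfg.environmentFile}"`), the file is copied into the world-readable Nix store at evaluation time, exposing the bridge tokens. Quoting it, `environmentFile = "/etc/keyring/matrix-appservice-discord/tokens.env";`, keeps it a runtime path that systemd reads on start. `connString` on L289 connects as the `postgres` superuser with no password; a dedicated role with rights only on that database is the least-privilege choice, and the three-space indentation of the attrset on L274 and L292 is off by one relative to the rest of the file.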
diff --git a/host/Rory-nginx/services/matrix/root.nix b/host/Rory-nginx/services/matrix/root.nix
new file mode 100755
index 0000000..f9a9d49
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/root.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, botcore-v4, ... }:
+
+{
+  imports =
+    [
+      ./synapse.nix
+      ./coturn.nix
+      ./matrix-appservice-discord.nix
+      ./draupnir.nix
+    ];
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
\ No newline at end of file
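Review bot: `botcore-v4` in the module arguments on L302 is never used in this file; it was carried over from the deleted discordbots configuration (L31), and listing it here only ties the aggregator to a `specialArgs` entry it does not need, so `{ config, pkgs, lib, ... }:` is enough. `./conduit.nix` from the same directory is missing from the imports on L306–L311, so the new conduit service is not activated by this aggregator — confirm whether that is intended, since the nginx vhost for it is added in the same commit.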
diff --git a/host/Rory-synapse/software.nix b/host/Rory-nginx/services/matrix/synapse.nix
index 5db557b..b69af7a 100755
--- a/host/Rory-synapse/software.nix
+++ b/host/Rory-nginx/services/matrix/synapse.nix
@@ -6,76 +6,6 @@
       ../../modules/base-server.nix
     ];
 
-  # coturn (WebRTC)
-  services.coturn = rec {
-    enable = false; # Alicia - figure out secret first...
-    no-cli = true;
-    no-tcp-relay = true;
-    min-port = 49000;
-    max-port = 50000;
-    use-auth-secret = true;
-    static-auth-secret = "will be world readable for local users :(";
-    realm = "turn.example.com";
-    # Alicia - figure out how to get this to work, since nginx runs on separate machine...
-    #cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
-    #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
-    extraConfig = ''
-      # for debugging
-      verbose
-      # ban private IP ranges
-      no-multicast-peers
-      denied-peer-ip=0.0.0.0-0.255.255.255
-      denied-peer-ip=10.0.0.0-10.255.255.255
-      denied-peer-ip=100.64.0.0-100.127.255.255
-      denied-peer-ip=127.0.0.0-127.255.255.255
-      denied-peer-ip=169.254.0.0-169.254.255.255
-      denied-peer-ip=172.16.0.0-172.31.255.255
-      denied-peer-ip=192.0.0.0-192.0.0.255
-      denied-peer-ip=192.0.2.0-192.0.2.255
-      denied-peer-ip=192.88.99.0-192.88.99.255
-      denied-peer-ip=192.168.0.0-192.168.255.255
-      denied-peer-ip=198.18.0.0-198.19.255.255
-      denied-peer-ip=198.51.100.0-198.51.100.255
-      denied-peer-ip=203.0.113.0-203.0.113.255
-      denied-peer-ip=240.0.0.0-255.255.255.255
-      denied-peer-ip=::1
-      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
-      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
-      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
-      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
-      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-    '';
-  };
-
-  #services.matrix-synapse = with config.services.coturn; {
-  #  turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
-  #  turn_shared_secret = static-auth-secret;
-  #  turn_user_lifetime = "1h";
-  #};
-
-  # Discord bridge
-   services.matrix-appservice-discord = {
-    enable = false; # Alicia - figure out secret first...
-    environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
-    # The appservice is pre-configured to use SQLite by default.
-    # It's also possible to use PostgreSQL.
-    settings = {
-      bridge = {
-        domain = "rory.gay";
-        homeserverUrl = "https://matrix.rory.gay";
-      };
-
-      # The service uses SQLite by default, but it's also possible to use
-      # PostgreSQL instead:
-      database = {
-        #  filename = ""; # empty value to disable sqlite
-        connString = "postgres://postgres@127.0.0.1/matrix-appservice-discord";
-      };
-    };
-   };
-
   services.matrix-synapse = {
     enable = true;
     withJemalloc = true;
@@ -252,48 +182,6 @@
 #      ];
   };
 
-  # Alicia - doesnt work yet... until in nixpkgs...
-  services.draupnir = {
-    enable = true;
-    
-    pantalaimon = {
-      enable = true;
-      username = "draupnir";
-      passwordFile = "/etc/draupnir-password";
-      options = {
-        homeserver = "http://localhost:8008";
-        ssl = false;
-      };
-      
-    };
-    managementRoom = "#draupnir-mgmt:rory.gay";
-    homeserverUrl = "http://localhost:8008";
-    verboseLogging = false;
-    settings = {
-      recordIgnoredInvites = false;
-      automaticallyRedactForReasons = [ "*" ];
-      fasterMembershipChecks = true;
-      backgroundDelayMS = 100;
-      pollReports = true;
-      admin.enableMakeRoomAdminCommand = true;
-      commands.ban.defaultReasons = [
-        "spam"
-        "harassment"
-        "transphobia"
-        "scam"
-      ];
-      protections = {
-        wordlist = {
-          words = [
-            "tranny"
-            "faggot"
-          ];
-          minutesBeforeTrusting = 0;
-        };
-      };
-    };
-  };
-
     systemd.services.matrix-synapse-reg-token = {
       description = "Random registration token for Synapse.";
       before = ["matrix-synapse.service"]; # So the registration can be used by Synapse
diff --git a/host/Rory-postgres/software.nix b/host/Rory-nginx/services/postgres.nix
index 7b75435..7b75435 100755
--- a/host/Rory-postgres/software.nix
+++ b/host/Rory-nginx/services/postgres.nix
diff --git a/host/Rory-postgres/configuration.nix b/host/Rory-postgres/configuration.nix
deleted file mode 100755
index f399f78..0000000
--- a/host/Rory-postgres/configuration.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-  imports =
-    [
-      ../../modules/base-server.nix
-      ./software.nix
-    ];
-
-  networking = {
-    hostName = "Rory-postgres";
-    interfaces.ens18.ipv4.addresses = [ { 
-      address = "192.168.1.3";
-      prefixLength = 24;
-    } ];
-    interfaces.ens19.ipv4.addresses = [ {
-      address = "10.10.10.3";
-      prefixLength = 16;
-    } ];
-  };
-
-  system.stateVersion = "22.11"; # DO NOT EDIT!
-}
-
diff --git a/host/Rory-synapse/configuration.nix b/host/Rory-synapse/configuration.nix
deleted file mode 100755
index 020a804..0000000
--- a/host/Rory-synapse/configuration.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-  imports =
-    [
-      ../../modules/base-server.nix
-      ./software.nix
-    ];
-
-  networking = {
-    hostName = "Rory-synapse";
-    interfaces.ens18.ipv4.addresses = [ { 
-      address = "192.168.1.5";
-      prefixLength = 24;
-    } ];
-    interfaces.ens19.ipv4.addresses = [ {
-      address = "10.10.10.5";
-      prefixLength = 16;
-    } ];
-  };
-
-  system.stateVersion = "22.11"; # DO NOT EDIT!
-}
-
diff --git a/host/Rory-synapse/post-rebuild.sh b/host/Rory-synapse/post-rebuild.sh
deleted file mode 100755
index 27028d9..0000000
--- a/host/Rory-synapse/post-rebuild.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p curl gnused nix coreutils jq openssl
-#set -x
-REG_KEY=`cat /var/lib/matrix-synapse/registration_shared_secret.txt`
-LOCALPART='rory.gay'
-REACHABLE_DOMAIN='http://localhost:8008'
-
-# -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md
-# Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat>
-# Explicit authorisation to use the code has been granted by the original author
-#  for use by members of the Rory system (https://rory.gay)
-
-
-# the magic function:
-register(){
-	echo "Registering $1 with password $2"
-	_nonce=`curl http://localhost:8008/_synapse/admin/v1/register | jq -r .nonce`
-	#data: nonce, domain, username, password
-	_hmac=`printf '%s\0%s\0%s\0%s' "$_nonce" "$1" "$2" "admin" |  openssl dgst -sha1 -hmac "$REG_KEY" |  awk '{print $2}'`
-	curl -XPOST -d '{"nonce": "'"$_nonce"'", "username": "'"$1"'", "displayname": "'"$1"'", "password": "'"$2"'", "admin": true, "mac": "'"$_hmac"'"}' $REACHABLE_DOMAIN/_synapse/admin/v1/register | tee -a matrix-user-tokens.txt
-}
-
-# -- END OF LICENSED CODE
-
-
-
-PASSWD=`cat /etc/matrix-user-pass`
-for u in {draupnir,Alicia,Emma,Rory,root}
-do 
-	register $u $PASSWD
-done
diff --git a/host/Rory-synapse/pre-rebuild.sh b/host/Rory-synapse/pre-rebuild.sh
deleted file mode 100755
index 9d92682..0000000
--- a/host/Rory-synapse/pre-rebuild.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/usr/bin/env sh
-echo "PRE REBUILD TEST"