diff --git a/.sops.yaml b/.sops.yaml index 3470b895..b8252cd0 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,14 +1,19 @@ keys: - &kat CD8CE78CB0B3BDD4 # https://inskip.me/pubkey.asc - &mew 65BD3044771CB6FB +- &yukari age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav creation_rules: -- path_regex: systems/[^/]+/secrets\.yaml$ +- path_regex: roles/[^/]+/secrets\.yaml$ shamir_threshold: 1 key_groups: - pgp: - *kat - - *mew age: - - *tewi_gen - - *tewi_osh - - path \ No newline at end of file + - *yukari +- path_regex: systems/.*\.yaml$ + shamir_threshold: 1 + key_groups: + - pgp: + - *kat + age: + - *yukari \ No newline at end of file diff --git a/modules/nixos/scalpels.nix b/modules/nixos/scalpels.nix new file mode 100644 index 00000000..7c1ca13d --- /dev/null +++ b/modules/nixos/scalpels.nix @@ -0,0 +1,13 @@ +{ + config, + lib, + ... +}: let + inherit (lib.types) listOf path; + inherit (lib.options) mkOption; +in { + options.scalpels = mkOption { + type = listOf path; + default = []; + }; +} diff --git a/nixos/roles/matrix-server/role.nix b/nixos/roles/matrix-server/role.nix new file mode 100644 index 00000000..ecd6bf5a --- /dev/null +++ b/nixos/roles/matrix-server/role.nix 
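Review bot: The `mew` key (`65BD3044771CB6FB`) stays defined under `keys:` but after this change no creation rule references it any more, so it is a dead anchor; either drop it from `keys:` or add it back to one of the `pgp:` lists. Both new rules also name the single `yukari` age recipient with `shamir_threshold: 1`, so that one host key can decrypt every `roles/*/secrets.yaml` and every `systems/*.yaml`, not only the secrets that are actually deployed to that host; as further hosts are added, one rule per role or per host keeps a compromised host key from exposing secrets it never needed. The rewritten file also still ends without a trailing newline (`\ No newline at end of file` on the new side).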
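Review bot: `config` is bound in the module argument set of scalpels.nix but never used, and `deadnix` (which shells/repo.nix in this same commit keeps in the dev shell) will flag it, so the binding should go. The `scalpels` option also carries no `description`, so it appears undocumented in any generated option listing; something like `description = "Extra modules applied in a second evaluation pass: systems/default.nix passes config.scalpels to nixos.extendModules.";` states the contract the rest of the commit relies on.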
@@ -0,0 +1,92 @@ +{ + lib, + config, + ... +}: let + inherit (lib.modules) mkDefault; + fqdn = "${config.networking.hostName}.${config.networking.domain}"; + clientConfig = { + "m.homeserver".base_url = "https://${fqdn}"; + "m.identity_server".base_url = "https://vector.im"; + }; + serverConfig."m.server" = "${fqdn}:443"; + mkWellKnown = data: '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON data}'; + ''; +in { + sops.secrets.matrix_shared_registration_secret = { + format = "yaml"; + sopsFile = ./secrets.yaml; + }; + + scalpels = [ + ./scalpel.nix + ]; + + services.postgresql.enable = true; + + services.nginx = { + virtualHosts = { + "kittywit.ch" = { + enableACME = true; + forceSSL = true; + locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; + locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; + }; + "${fqdn}" = { + enableACME = true; + forceSSL = true; + locations."/".extraConfig = '' + return 404; + ''; + locations."/_matrix".proxyPass = "http://[::1]:8008"; + locations."/_synapse/client".proxyPass = "http://[::1]:8008"; + extraConfig = '' + http2_max_requests 100000; + keepalive_requests 100000; + ''; + }; + }; + }; + + services.matrix-synapse = { + enable = true; + settings = { + server_name = "kittywit.ch"; + max_upload_size = "512M"; + rc_messages_per_second = mkDefault 0.1; + rc_message_burst_count = mkDefault 25; + public_baseurl = "https://${fqdn}"; + url_preview_enabled = mkDefault true; + enable_registration = mkDefault false; + enable_metrics = mkDefault false; + report_stats = mkDefault false; + dynamic_thumbnails = mkDefault true; + registration_shared_secret = "!!MATRIX_SHARED_REGISTRATION_SECRET!!"; + allow_guest_access = mkDefault true; + suppress_key_server_warning = mkDefault true; + listeners = [ + { + port = 8008; + bind_addresses = ["::1"]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + 
{ + names = ["client" "federation"]; + compress = true; + } + ]; + } + ]; + }; + }; + + security.acme = { + email = "acme@inskip.me"; + acceptTerms = true; + }; +} diff --git a/nixos/roles/matrix-server/scalpel.nix b/nixos/roles/matrix-server/scalpel.nix new file mode 100644 index 00000000..931b0ef5 --- /dev/null +++ b/nixos/roles/matrix-server/scalpel.nix @@ -0,0 +1,21 @@ +{ + lib, + config, + pkgs, + prev, + ... +}: let + start = prev.config.systemd.services.matrix-synapse.serviceConfig.ExecStart; + synapse_cfgfile = builtins.head (builtins.match "^.*--config-path ([^\ ]*).*$" "${start}"); +in { + systemd.services.matrix-synapse.serviceConfig.ExecStart = lib.mkForce ( + builtins.replaceStrings ["${synapse_cfgfile}"] ["${config.scalpel.trafos."homeserver.yaml".destination} "] "${start}" + ); + scalpel.trafos."homeserver.yaml" = { + source = synapse_cfgfile; + matchers."MATRIX_SHARED_REGISTRATION_SECRET".secret = config.sops.secrets.matrix_shared_registration_secret.path; + owner = "matrix-synapse"; + group = "matrix-synapse"; + mode = "0440"; + }; +} diff --git a/nixos/roles/matrix-server/secrets.yaml b/nixos/roles/matrix-server/secrets.yaml new file mode 100644 index 00000000..9f17e79f --- /dev/null +++ b/nixos/roles/matrix-server/secrets.yaml 
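Review bot: `max_upload_size = "512M"` in the synapse settings is not mirrored on the nginx side: the `${fqdn}` vhost's `/_matrix` location sets no `client_max_body_size`, so the NixOS nginx request-body limit (`services.nginx.clientMaxBodySize`, 10m unless overridden — verify against the module in use) rejects larger media uploads with a 413 before synapse ever sees them; `locations."/_matrix".extraConfig = "client_max_body_size 512M;";` keeps the two limits in step. Separately, `"kittywit.ch"` is spelled out twice, once as the nginx vhost name and once as `server_name`; binding it once in the `let` next to `fqdn` (e.g. `serverName = "kittywit.ch";`) stops the two from drifting apart. The `registration_shared_secret` placeholder depends on scalpel.nix in this commit rewriting it at activation; if that substitution ever silently fails, synapse starts with the literal `!!MATRIX_SHARED_REGISTRATION_SECRET!!` as its shared secret, so a deployment check that the rendered homeserver.yaml no longer contains that string is worth adding.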
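Review bot: `builtins.head (builtins.match ...)` on the `synapse_cfgfile` line fails with an error about a null value rather than a list if `--config-path` is ever absent from the upstream `ExecStart` (for instance after a NixOS module change); testing the match first gives a readable failure: `matched = builtins.match "^.*--config-path ([^ ]*).*$" "${start}";` followed by `synapse_cfgfile = if matched == null then throw "scalpel.nix: no --config-path in matrix-synapse ExecStart" else builtins.head matched;`. The `\ ` inside the character class is just a plain space once the Nix string is parsed, so `[^ ]` says the same thing more clearly. `pkgs` is bound but unused and `deadnix` from shells/repo.nix will flag it. The replacement string `"${...destination} "` carries a trailing space even though the captured path already excludes the space that follows it, which looks like it produces a doubled space in the rewritten command line — harmless for systemd, but worth confirming it is intentional.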
@@ -0,0 +1,42 @@ +matrix_shared_registration_secret: ENC[AES256_GCM,data:DsCqfbS2yxN7nVRevcjpfO63jBUsyQHfEfbpZpD3cBtPf+JuZ8TFPBNNQwx2NYdyty60INdr4w==,iv:pSf6VDS9bqZIq8ZqOW0v4siRbDp9EEdw7TtSSjjrC6A=,tag:V61OqmdsNzczOzf+2Y6LSA==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaTgyQVhRZHRPTzRSNW9Y + SmRFVXl2TTV3RWF3QUlneDl4ZFFvS0ZHREVBCnNxUEdwRS9ObEZKNTM2dHAxRlhS + M0R5TithU0ViZUc0NHFHM3JrdE13V0kKLS0tIFhFZ2dZc21hL2RtNzZ0djVqUjlD + eWdDbGxobFlkZG1SL3UrTEJXajU3RXMK9ULFsUDHxBtzCy5tbwSFeKm18TRjX1mO + B1SbGXUNG1XreeRpb5n7r01njVrPpbJI3DPtjvoKquNTc2BhZHi0Xg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-25T21:32:10Z" + mac: ENC[AES256_GCM,data:a8M6/7jh2kZpLS582ZUlnZbMCcHRvMI5x0mK/+tFiM1uUFgHPS4wg5tywkccUtX9iBK4cFRxFRWH+nnclYiljiYUCKeNGrnuy6+2YVjqtSEvSSooV0ku3za34+OVzd2VUhH7wcKG2Q9VAmZwok1z6YyP++lQarGcntQR/1iXHrg=,iv:bYgwNrr2RAtIB1FhtTDM2+1H4Ju+kvAfyY96VRRgSis=,tag:JmRjS6pnrzjWKdPAfBeUfQ==,type:str] + pgp: + - created_at: "2023-04-25T21:47:23Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UARAAvW2vHtvnKwV0K6b01vK/6T5SnJERlDfTKLpv3sLYlii8 + FysxBaODgYvnR37/hf2CoWRlYFYZt7wqj811vUMkayBey9FY8nj1k0t5wyM0T1AU + qFz5fBCjP6tyhk2RBkWCLVfnLUvhnN7h/XIc3W/05VnIMQF39SbXIQ2gfqnI7R6V + keLoHXT0DBwboFVTdA9HjSFc5riEY+fadQf0PZT/xVCTCJH4yeZ/ba6pa/9yX2PU + UbHqnoR+M7RkQBrFn0r4nH9r3jFR0VkGri20v9IIby59wkCPVdhX7VPBRtQm0xXN + /EqtLMsR+U5bOPvKPM0s2BXXrTTACmsJ9AN2n70l1Sm6/5E3QoTQ7lbH5qSv/wXT + ZUkZmqxv3OHJIez2VHqjW6vlraPDL++H/4rsX3DBvK0BSAtr53r9KFoMwgMnMj2N + ucX+Sa7ZiI8vXGn3rjfj68Kc0BqzrFgpY8ZrH1RM3weGrsyAugAP4iunnqjYhxrc + y2Hh2NZFyRBGTCrbxAr6vJ3MJXLlyNbofPi9Bnx0clI83ksju11rZjb9yFRCLJ+/ + oRxws+jq7t/lbMVhKaVQjY0LVLn6MCFbb5j5ulQXq9qiv1x+XuRTiPyPJksIiJDE + vjf7dMshIooWVNoECWfilEdVCldnYEmxEgr7gZHcTpgDjgeY3fCVvAS7SfD/BDfS + 
XgFw8C3nv2I9zHZZCI0XKFlmNU/MCBOfyK7mHv6UZtUx1YC2lw783R1uGHXZbVu4 + iPKkytzxgOZms45CfxL3xEPTwO2lZL9GTCZ8pMbwB1jjP1bsH8nyro8vRZRuVoo= + =4YT5 + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nixos/roles/web-server.nix b/nixos/roles/web-server.nix new file mode 100644 index 00000000..d610d784 --- /dev/null +++ b/nixos/roles/web-server.nix @@ -0,0 +1,11 @@ +_: { + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + }; + + networking.firewall.allowedTCPPorts = [80 443]; +} diff --git a/shells/repo.nix b/shells/repo.nix index 6adc429f..2c767be1 100644 --- a/shells/repo.nix +++ b/shells/repo.nix @@ -14,6 +14,7 @@ with pkgs; let ripgrep # rg, better grep! go # Required for pulumi gopls + sops pulumi-bin # Infrastructure as code deadnix # dead-code scanner alejandra # code formatter diff --git a/systems/default.nix b/systems/default.nix index fef260db..184cfcaa 100644 --- a/systems/default.nix +++ b/systems/default.nix @@ -95,13 +95,12 @@ nixos = sys args; in nixos.extendModules { - modules = [ - ({lib, ...}: { - scalpel.trafos = lib.mkForce {}; - }) - inputs.scalpel.nixosModules.scalpel - ]; - specialArgs = {prev = sys;}; + modules = + nixos.config.scalpels + ++ [ + inputs.scalpel.nixosModules.scalpel + ]; + specialArgs = {prev = nixos;}; }; darwin = inputs.darwin.lib.darwinSystem; macos = inputs.darwin.lib.darwinSystem; diff --git a/systems/yukari.nix b/systems/yukari.nix index bacb56a7..a60fb5fc 100644 --- a/systems/yukari.nix +++ b/systems/yukari.nix @@ -5,10 +5,15 @@ _: let modulesPath, ... }: { - imports = with tree.nixos; [ - roles.server - (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ] + ++ (with tree.nixos.roles; [ + server + web-server + matrix-server + ]); boot = { loader.grub = { 
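Review bot: The two-pass evaluation set up here deserves a comment, because nothing in the hunk says why `extendModules` is fed the first pass's own `config.scalpels` or why `prev` is now the evaluated `nixos` rather than the `sys` function; a line such as `# second pass: re-evaluate with the scalpel modules that roles registered via the scalpels option; prev exposes the first-pass config (scalpel.nix reads prev.config.systemd.services…)` above `modules =` would record it. Evaluating `nixos.config.scalpels` also requires modules/nixos/scalpels.nix to be part of the first-pass module set; if modules/nixos is not imported into every system, this fails with an undefined-option error — presumably the tree auto-import covers it, but worth confirming. The enclosing `let … in` starts before this hunk.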
@@ -31,9 +36,27 @@ _: let swapDevices = []; - networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + networking = { + hostName = "yukari"; + domain = "gensokyo.zone"; + interfaces = { + enp1s0 = { + useDHCP = lib.mkDefault true; + ipv6.addresses = [ + { + address = "2a01:4ff:1f0:e7bb::1"; + prefixLength = 64; + } + ]; + }; + }; + defaultGateway6 = { + address = "fe80::1"; + interface = "enp1s0"; + }; + }; - networking.hostName = "yukari"; + sops.defaultSopsFile = ./yukari.yaml; system.stateVersion = "23.05"; }; diff --git a/systems/yukari.yaml b/systems/yukari.yaml new file mode 100644 index 00000000..479063e6 --- /dev/null +++ b/systems/yukari.yaml 
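Review bot: The static IPv6 address and the `fe80::1` gateway on `enp1s0` are bare host facts with no comment on their origin, while IPv4 stays on `useDHCP`; a one-liner such as `# provider-assigned /64: IPv6 is static with the link-local gateway, IPv4 stays on DHCP` next to `ipv6.addresses` saves the next reader a trip to the hosting panel. `networking.domain = "gensokyo.zone"` is also load-bearing: role.nix in this commit builds `fqdn` from `hostName` and `domain` and requests an ACME certificate for it, so this host needs a public record for `yukari.gensokyo.zone` pointing at the address above before the nginx vhost can validate — worth a comment beside `domain`. The enclosing attribute set starts before this hunk.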
@@ -0,0 +1,42 @@ +empty: ENC[AES256_GCM,data:fOxiDBM=,iv:W1Vjl8v7HJcoiP61x+HJh/ES1Mrk5RqWUvdg8h5xZU8=,tag:WLIBKXm7L62/SwyzitEwMQ==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRd2trdFFYdWV6VDFUWHcx + a01PLzJVZkc1Z0I2TDhXQTExWFhWZXRodTA4ClEvWUEyZlZPSStneDNkM1g2ZmZZ + UlJGMlFGOW9iMTBxT2ZLcnVvZjZvNk0KLS0tIENsVWxBMFpFUzhyT0MwRnM0LzYv + ZjFvaGp1dmtNNzFpSVVEVDZYM29rdDgKZRPrP2Jl8I5eYae1iKiVRZN+leUEHWyO + TXXpwcoovbMnWKxYaYnx1EvT436WXVhro5Ba99XENz0tXAabDLFKJg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-25T21:41:19Z" + mac: ENC[AES256_GCM,data:psGeLVDyVzpH92Xb0L1E0YdM3b2H3LyiYnIacpIySote6pzwsiYJ8Kdq2AKmG2Dh+mS9b83K2zANebQt7ueyHKcdL0V28/8Lhu1GCZPeHneRD9LhijX3sDv2c3RMwZ1rwpLoZZPRH+TNgoylkfAfToj7EZrxv9/dOoJwivttt2M=,iv:duU1ohNy4PYWgak5S66Z/H205VxuLAfpCHoL5onPyD0=,tag:BWfuv4SHneB3meZM5QWT6A==,type:str] + pgp: + - created_at: "2023-04-25T21:49:07Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ/+Kw+yddtYxBDCQmTFbP9rfpJoZQ9xzBowOai0yIwDG2Wn + xEYNPstkxCfjOQpjR40GP13P70KFn9TjHxPmhe7Qus8XDdIbmDVWcaOjHlq6H2Sx + x9u5Sv3aS70rSTMctxZm9sU83yuESP4fQg7O1DLGoodFK8Kk6dKEtZHRmCrWWJOD + Ydvjshz6VtYhqCPzi7xvdoA0PmSZSCMgqzgNdwPmhe2hgZtN9ZauC/v7h7Ts4Aw3 + 2OPp1hFSQbA3Bf9omz7+SXQRPqz5kT1nHN+Rb+37StqI/BJwvG1yWPZ6z16XpNW8 + 1UY9CBbFZ620hc/eBLlsnftjL/vfks4PTpqHdQWHyj2W++YtQ4kHkmpCDamok8Gl + WSiNt0BxESs7cRqRvnStKBbnSiHxQ6csEhWmeb6IpPWYw+NeVZRXADzXkIH6Bprz + yZ6oPt61Cfou4miIDmtgyIvXFYd0PjIOoNHqGQOFoYjZlpCP5NQyHladw5omQ9O0 + lA9aDw3PKi4zXsjGI8aoiS9o//zKDggeOMIdwjDgdVc1EUMtkIPonm/pyOfAJ1OD + nwR8tzqTbUX5TVznpOVA80R4zl07JRRh5IWd6MsBWKXZNtjZzuO1Mxt2wCHQArsJ + OKHW282VxSIf9PbdEOHIdqAA+earRU52BRTVLs15jTks8cXITVOmr++9eVgRaGPS + XAG0iFu8QfghynfeFcaUwJ9mbrSHTZMvIgx9cHZ67CmKeHJXmjpo/2ojVlYj7LRL + jYiXRp3Po8Y2Mwy4LnraKj/LODYp92flrkm45neI8y8X6hIQCNAT6vX2MPrp + 
=ZUXh + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/tree.nix b/tree.nix index 66a91374..8d12c754 100644 --- a/tree.nix +++ b/tree.nix @@ -37,7 +37,13 @@ "kat/user/data".evaluate = true; # Allow profile importing "nixos/*".functor.enable = true; - "nixos/roles/*".functor.enable = true; + "nixos/roles/*".functor = { + enable = true; + excludes = [ + "scalpel" + ]; + }; + "systems/*".aliasDefault = true; "nixos/hardware".evaluateDefault = true; "nixos/hardware/*".functor.enable = true; "darwin/*".functor.enable = true;
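Review bot: The new `excludes = ["scalpel"]` under `"nixos/roles/*".functor` has no comment explaining it, and its purpose is only discoverable by reading three other files: `nixos/roles/matrix-server/scalpel.nix` must not be imported as part of the role itself because role.nix hands it to the `scalpels` option and systems/default.nix applies it in a second `extendModules` pass with `prev` set. A line such as `# scalpel.nix is applied in the second evaluation pass via config.scalpels, not imported with the role` above `excludes` records that. Whether the exclude also needs to cover the role's `secrets.yaml` depends on what the functor imports — presumably non-Nix files are skipped, but worth confirming. The enclosing attribute set starts before this hunk.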