kat/nixfiles
1
0
Fork 0
mirror of https://github.com/kittywitch/nixfiles.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity

[SECRETS] Now functional!

Browse source
This commit is contained in:
Kat Inskip 2023-04-25 15:32:24 -07:00
parent aa266cc383
commit a1f1dee6a1
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
11 changed files with 274 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

92
nixos/roles/matrix-server/role.nix Normal file
View file

@ -0,0 +1,92 @@
{
lib,
config,
...
}: let
inherit (lib.modules) mkDefault;
fqdn = "${config.networking.hostName}.${config.networking.domain}";
clientConfig = {
"m.homeserver".base_url = "https://${fqdn}";
"m.identity_server".base_url = "https://vector.im";
};
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
sops.secrets.matrix_shared_registration_secret = {
format = "yaml";
sopsFile = ./secrets.yaml;
};
scalpels = [
./scalpel.nix
];
services.postgresql.enable = true;
services.nginx = {
virtualHosts = {
"kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
"${fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
return 404;
'';
locations."/_matrix".proxyPass = "http://[::1]:8008";
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
extraConfig = ''
http2_max_requests 100000;
keepalive_requests 100000;
'';
};
};
};
services.matrix-synapse = {
enable = true;
settings = {
server_name = "kittywit.ch";
max_upload_size = "512M";
rc_messages_per_second = mkDefault 0.1;
rc_message_burst_count = mkDefault 25;
public_baseurl = "https://${fqdn}";
url_preview_enabled = mkDefault true;
enable_registration = mkDefault false;
enable_metrics = mkDefault false;
report_stats = mkDefault false;
dynamic_thumbnails = mkDefault true;
registration_shared_secret = "!!MATRIX_SHARED_REGISTRATION_SECRET!!";
allow_guest_access = mkDefault true;
suppress_key_server_warning = mkDefault true;
listeners = [
{
port = 8008;
bind_addresses = ["::1"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = ["client" "federation"];
compress = true;
}
];
}
];
};
};
security.acme = {
email = "acme@inskip.me";
acceptTerms = true;
};
}

21
nixos/roles/matrix-server/scalpel.nix Normal file
View file

@ -0,0 +1,21 @@
{
lib,
config,
pkgs,
prev,
...
}: let
start = prev.config.systemd.services.matrix-synapse.serviceConfig.ExecStart;
synapse_cfgfile = builtins.head (builtins.match "^.*--config-path ([^\ ]*).*$" "${start}");
in {
systemd.services.matrix-synapse.serviceConfig.ExecStart = lib.mkForce (
builtins.replaceStrings ["${synapse_cfgfile}"] ["${config.scalpel.trafos."homeserver.yaml".destination} "] "${start}"
);
scalpel.trafos."homeserver.yaml" = {
source = synapse_cfgfile;
matchers."MATRIX_SHARED_REGISTRATION_SECRET".secret = config.sops.secrets.matrix_shared_registration_secret.path;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0440";
};
}

42
nixos/roles/matrix-server/secrets.yaml Normal file
View file

@ -0,0 +1,42 @@
matrix_shared_registration_secret: ENC[AES256_GCM,data:DsCqfbS2yxN7nVRevcjpfO63jBUsyQHfEfbpZpD3cBtPf+JuZ8TFPBNNQwx2NYdyty60INdr4w==,iv:pSf6VDS9bqZIq8ZqOW0v4siRbDp9EEdw7TtSSjjrC6A=,tag:V61OqmdsNzczOzf+2Y6LSA==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaTgyQVhRZHRPTzRSNW9Y
SmRFVXl2TTV3RWF3QUlneDl4ZFFvS0ZHREVBCnNxUEdwRS9ObEZKNTM2dHAxRlhS
M0R5TithU0ViZUc0NHFHM3JrdE13V0kKLS0tIFhFZ2dZc21hL2RtNzZ0djVqUjlD
eWdDbGxobFlkZG1SL3UrTEJXajU3RXMK9ULFsUDHxBtzCy5tbwSFeKm18TRjX1mO
B1SbGXUNG1XreeRpb5n7r01njVrPpbJI3DPtjvoKquNTc2BhZHi0Xg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-25T21:32:10Z"
mac: ENC[AES256_GCM,data:a8M6/7jh2kZpLS582ZUlnZbMCcHRvMI5x0mK/+tFiM1uUFgHPS4wg5tywkccUtX9iBK4cFRxFRWH+nnclYiljiYUCKeNGrnuy6+2YVjqtSEvSSooV0ku3za34+OVzd2VUhH7wcKG2Q9VAmZwok1z6YyP++lQarGcntQR/1iXHrg=,iv:bYgwNrr2RAtIB1FhtTDM2+1H4Ju+kvAfyY96VRRgSis=,tag:JmRjS6pnrzjWKdPAfBeUfQ==,type:str]
pgp:
- created_at: "2023-04-25T21:47:23Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UARAAvW2vHtvnKwV0K6b01vK/6T5SnJERlDfTKLpv3sLYlii8
FysxBaODgYvnR37/hf2CoWRlYFYZt7wqj811vUMkayBey9FY8nj1k0t5wyM0T1AU
qFz5fBCjP6tyhk2RBkWCLVfnLUvhnN7h/XIc3W/05VnIMQF39SbXIQ2gfqnI7R6V
keLoHXT0DBwboFVTdA9HjSFc5riEY+fadQf0PZT/xVCTCJH4yeZ/ba6pa/9yX2PU
UbHqnoR+M7RkQBrFn0r4nH9r3jFR0VkGri20v9IIby59wkCPVdhX7VPBRtQm0xXN
/EqtLMsR+U5bOPvKPM0s2BXXrTTACmsJ9AN2n70l1Sm6/5E3QoTQ7lbH5qSv/wXT
ZUkZmqxv3OHJIez2VHqjW6vlraPDL++H/4rsX3DBvK0BSAtr53r9KFoMwgMnMj2N
ucX+Sa7ZiI8vXGn3rjfj68Kc0BqzrFgpY8ZrH1RM3weGrsyAugAP4iunnqjYhxrc
y2Hh2NZFyRBGTCrbxAr6vJ3MJXLlyNbofPi9Bnx0clI83ksju11rZjb9yFRCLJ+/
oRxws+jq7t/lbMVhKaVQjY0LVLn6MCFbb5j5ulQXq9qiv1x+XuRTiPyPJksIiJDE
vjf7dMshIooWVNoECWfilEdVCldnYEmxEgr7gZHcTpgDjgeY3fCVvAS7SfD/BDfS
XgFw8C3nv2I9zHZZCI0XKFlmNU/MCBOfyK7mHv6UZtUx1YC2lw783R1uGHXZbVu4
iPKkytzxgOZms45CfxL3xEPTwO2lZL9GTCZ8pMbwB1jjP1bsH8nyro8vRZRuVoo=
=4YT5
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
unencrypted_suffix: _unencrypted
version: 3.7.3

11
nixos/roles/web-server.nix Normal file
View file

@ -0,0 +1,11 @@
_: {
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
networking.firewall.allowedTCPPorts = [80 443];
}