[SECRETS] Now functional!

Kat Inskip 2023-04-25 15:32:24 -07:00
parent aa266cc383
commit a1f1dee6a1
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
11 changed files with 274 additions and 19 deletions


@ -1,14 +1,19 @@
keys: keys:
- &kat CD8CE78CB0B3BDD4 # https://inskip.me/pubkey.asc - &kat CD8CE78CB0B3BDD4 # https://inskip.me/pubkey.asc
- &mew 65BD3044771CB6FB - &mew 65BD3044771CB6FB
- &yukari age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
creation_rules: creation_rules:
- path_regex: systems/[^/]+/secrets\.yaml$ - path_regex: roles/[^/]+/secrets\.yaml$
shamir_threshold: 1 shamir_threshold: 1
key_groups: key_groups:
- pgp: - pgp:
- *kat - *kat
- *mew
age: age:
- *tewi_gen - *yukari
- *tewi_osh - path_regex: systems/.*\.yaml$
- path shamir_threshold: 1
key_groups:
- pgp:
- *kat
age:
- *yukari
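Review bot: Both creation rules on the new side list `*kat` as the only PGP recipient, while the `&mew` anchor stays defined but is no longer referenced (as far as the rendered columns show, `- *mew` is on the removed side only). That leaves one offline key plus the `yukari` host key able to decrypt. If `mew` is meant to remain a recovery key, `- *mew` belongs in both `pgp` lists; otherwise drop the unused anchor so the intent is explicit. Files encrypted under the old rule keep their old recipients until `sops updatekeys` is run on them, and removing a recipient does not revoke access to values already committed, so those would need rotating. The second rule, `systems/.*\.yaml$`, also matches any YAML file at any depth under `systems/`, which is wider than the single per-host file this commit adds.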


@ -0,0 +1,13 @@
{
config,
lib,
...
}: let
inherit (lib.types) listOf path;
inherit (lib.options) mkOption;
in {
options.scalpels = mkOption {
type = listOf path;
default = [];
};
}
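Review bot: The `scalpels` option is declared without a `description`, and nothing in this module says what the listed paths are for. Judging by the flake change in this commit, they appear to be modules that are added only in the second `extendModules` evaluation. A line such as `description = "Modules added in the scalpel pass; they receive the first evaluation as prev.";` would record that. `config` is bound in the argument set but not used in this file.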


@ -0,0 +1,92 @@
{
lib,
config,
...
}: let
inherit (lib.modules) mkDefault;
fqdn = "${config.networking.hostName}.${config.networking.domain}";
clientConfig = {
"m.homeserver".base_url = "https://${fqdn}";
"m.identity_server".base_url = "https://vector.im";
};
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
sops.secrets.matrix_shared_registration_secret = {
format = "yaml";
sopsFile = ./secrets.yaml;
};
scalpels = [
./scalpel.nix
];
services.postgresql.enable = true;
services.nginx = {
virtualHosts = {
"kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
"${fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
return 404;
'';
locations."/_matrix".proxyPass = "http://[::1]:8008";
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
extraConfig = ''
http2_max_requests 100000;
keepalive_requests 100000;
'';
};
};
};
services.matrix-synapse = {
enable = true;
settings = {
server_name = "kittywit.ch";
max_upload_size = "512M";
rc_messages_per_second = mkDefault 0.1;
rc_message_burst_count = mkDefault 25;
public_baseurl = "https://${fqdn}";
url_preview_enabled = mkDefault true;
enable_registration = mkDefault false;
enable_metrics = mkDefault false;
report_stats = mkDefault false;
dynamic_thumbnails = mkDefault true;
registration_shared_secret = "!!MATRIX_SHARED_REGISTRATION_SECRET!!";
allow_guest_access = mkDefault true;
suppress_key_server_warning = mkDefault true;
listeners = [
{
port = 8008;
bind_addresses = ["::1"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = ["client" "federation"];
compress = true;
}
];
}
];
};
};
security.acme = {
email = "acme@inskip.me";
acceptTerms = true;
};
}
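Review bot: `registration_shared_secret` is set to the literal `!!MATRIX_SHARED_REGISTRATION_SECRET!!`, so the homeserver.yaml rendered into the Nix store carries a value that anyone reading the repository knows. The service is only safe while the scalpel substitution and the ExecStart rewrite in the companion scalpel module both take effect. A build of the base system that does not go through `extendModules` would presumably start Synapse with the placeholder as its real shared secret. Synapse can read the secret from a file instead: assuming the packaged version supports it, `registration_shared_secret_path = config.sops.secrets.matrix_shared_registration_secret.path;` plus `owner = "matrix-synapse";` on the sops secret removes both the placeholder and the string rewriting. Separately, `max_upload_size = "512M"` has no matching `client_max_body_size` on the nginx vhost in this file, so unless it is raised elsewhere, large uploads will likely be rejected at the proxy.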


@ -0,0 +1,21 @@
{
lib,
config,
pkgs,
prev,
...
}: let
start = prev.config.systemd.services.matrix-synapse.serviceConfig.ExecStart;
synapse_cfgfile = builtins.head (builtins.match "^.*--config-path ([^\ ]*).*$" "${start}");
in {
systemd.services.matrix-synapse.serviceConfig.ExecStart = lib.mkForce (
builtins.replaceStrings ["${synapse_cfgfile}"] ["${config.scalpel.trafos."homeserver.yaml".destination} "] "${start}"
);
scalpel.trafos."homeserver.yaml" = {
source = synapse_cfgfile;
matchers."MATRIX_SHARED_REGISTRATION_SECRET".secret = config.sops.secrets.matrix_shared_registration_secret.path;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0440";
};
}
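Review bot: `builtins.match` returns null when ExecStart contains no `--config-path` argument, and `builtins.head` on null then aborts evaluation with an error that never mentions Synapse. Because the leading `.*` is greedy, the capture is also the last `--config-path` on the command line, which would be the wrong file if a second config file is ever passed. Binding the match first and failing with a clear message makes an upstream change to the unit visible: `m = builtins.match "^.*--config-path ([^\ ]*).*$" "${start}";` followed by `synapse_cfgfile = if m == null then throw "matrix-synapse ExecStart has no --config-path" else builtins.head m;`. The replacement string also appends a trailing space after the destination path; it looks harmless, but a short comment saying whether it is intentional would help.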


@ -0,0 +1,42 @@
matrix_shared_registration_secret: ENC[AES256_GCM,data:DsCqfbS2yxN7nVRevcjpfO63jBUsyQHfEfbpZpD3cBtPf+JuZ8TFPBNNQwx2NYdyty60INdr4w==,iv:pSf6VDS9bqZIq8ZqOW0v4siRbDp9EEdw7TtSSjjrC6A=,tag:V61OqmdsNzczOzf+2Y6LSA==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaTgyQVhRZHRPTzRSNW9Y
SmRFVXl2TTV3RWF3QUlneDl4ZFFvS0ZHREVBCnNxUEdwRS9ObEZKNTM2dHAxRlhS
M0R5TithU0ViZUc0NHFHM3JrdE13V0kKLS0tIFhFZ2dZc21hL2RtNzZ0djVqUjlD
eWdDbGxobFlkZG1SL3UrTEJXajU3RXMK9ULFsUDHxBtzCy5tbwSFeKm18TRjX1mO
B1SbGXUNG1XreeRpb5n7r01njVrPpbJI3DPtjvoKquNTc2BhZHi0Xg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-25T21:32:10Z"
mac: ENC[AES256_GCM,data:a8M6/7jh2kZpLS582ZUlnZbMCcHRvMI5x0mK/+tFiM1uUFgHPS4wg5tywkccUtX9iBK4cFRxFRWH+nnclYiljiYUCKeNGrnuy6+2YVjqtSEvSSooV0ku3za34+OVzd2VUhH7wcKG2Q9VAmZwok1z6YyP++lQarGcntQR/1iXHrg=,iv:bYgwNrr2RAtIB1FhtTDM2+1H4Ju+kvAfyY96VRRgSis=,tag:JmRjS6pnrzjWKdPAfBeUfQ==,type:str]
pgp:
- created_at: "2023-04-25T21:47:23Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UARAAvW2vHtvnKwV0K6b01vK/6T5SnJERlDfTKLpv3sLYlii8
FysxBaODgYvnR37/hf2CoWRlYFYZt7wqj811vUMkayBey9FY8nj1k0t5wyM0T1AU
qFz5fBCjP6tyhk2RBkWCLVfnLUvhnN7h/XIc3W/05VnIMQF39SbXIQ2gfqnI7R6V
keLoHXT0DBwboFVTdA9HjSFc5riEY+fadQf0PZT/xVCTCJH4yeZ/ba6pa/9yX2PU
UbHqnoR+M7RkQBrFn0r4nH9r3jFR0VkGri20v9IIby59wkCPVdhX7VPBRtQm0xXN
/EqtLMsR+U5bOPvKPM0s2BXXrTTACmsJ9AN2n70l1Sm6/5E3QoTQ7lbH5qSv/wXT
ZUkZmqxv3OHJIez2VHqjW6vlraPDL++H/4rsX3DBvK0BSAtr53r9KFoMwgMnMj2N
ucX+Sa7ZiI8vXGn3rjfj68Kc0BqzrFgpY8ZrH1RM3weGrsyAugAP4iunnqjYhxrc
y2Hh2NZFyRBGTCrbxAr6vJ3MJXLlyNbofPi9Bnx0clI83ksju11rZjb9yFRCLJ+/
oRxws+jq7t/lbMVhKaVQjY0LVLn6MCFbb5j5ulQXq9qiv1x+XuRTiPyPJksIiJDE
vjf7dMshIooWVNoECWfilEdVCldnYEmxEgr7gZHcTpgDjgeY3fCVvAS7SfD/BDfS
XgFw8C3nv2I9zHZZCI0XKFlmNU/MCBOfyK7mHv6UZtUx1YC2lw783R1uGHXZbVu4
iPKkytzxgOZms45CfxL3xEPTwO2lZL9GTCZ8pMbwB1jjP1bsH8nyro8vRZRuVoo=
=4YT5
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -0,0 +1,11 @@
_: {
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
networking.firewall.allowedTCPPorts = [80 443];
}


@ -14,6 +14,7 @@ with pkgs; let
ripgrep # rg, better grep! ripgrep # rg, better grep!
go # Required for pulumi go # Required for pulumi
gopls gopls
sops
pulumi-bin # Infrastructure as code pulumi-bin # Infrastructure as code
deadnix # dead-code scanner deadnix # dead-code scanner
alejandra # code formatter alejandra # code formatter


@ -95,13 +95,12 @@
nixos = sys args; nixos = sys args;
in in
nixos.extendModules { nixos.extendModules {
modules = [ modules =
({lib, ...}: { nixos.config.scalpels
scalpel.trafos = lib.mkForce {}; ++ [
}) inputs.scalpel.nixosModules.scalpel
inputs.scalpel.nixosModules.scalpel ];
]; specialArgs = {prev = nixos;};
specialArgs = {prev = sys;};
}; };
darwin = inputs.darwin.lib.darwinSystem; darwin = inputs.darwin.lib.darwinSystem;
macos = inputs.darwin.lib.darwinSystem; macos = inputs.darwin.lib.darwinSystem;
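Review bot: The two-pass evaluation around `nixos.extendModules` has no comment, and the reason for it is not obvious from this hunk. The base system is evaluated once, its `config.scalpels` list is read back, and those modules are added only in the extended system, with the first evaluation passed in as `prev`. A comment above `modules =` would help, for example `# Second pass: role-provided scalpel modules read the first evaluation via prev and point services at secret-filled config copies.` It is also worth stating there that only the extended result should be deployed, since the base `nixos` value still references the store-rendered configs with placeholders. The enclosing function starts outside this hunk.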


@ -5,10 +5,15 @@ _: let
modulesPath, modulesPath,
... ...
}: { }: {
imports = with tree.nixos; [ imports =
roles.server [
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ]
++ (with tree.nixos.roles; [
server
web-server
matrix-server
]);
boot = { boot = {
loader.grub = { loader.grub = {
@ -31,9 +36,27 @@ _: let
swapDevices = []; swapDevices = [];
networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; networking = {
hostName = "yukari";
domain = "gensokyo.zone";
interfaces = {
enp1s0 = {
useDHCP = lib.mkDefault true;
ipv6.addresses = [
{
address = "2a01:4ff:1f0:e7bb::1";
prefixLength = 64;
}
];
};
};
defaultGateway6 = {
address = "fe80::1";
interface = "enp1s0";
};
};
networking.hostName = "yukari"; sops.defaultSopsFile = ./yukari.yaml;
system.stateVersion = "23.05"; system.stateVersion = "23.05";
}; };

42
systems/yukari.yaml Normal file

@ -0,0 +1,42 @@
empty: ENC[AES256_GCM,data:fOxiDBM=,iv:W1Vjl8v7HJcoiP61x+HJh/ES1Mrk5RqWUvdg8h5xZU8=,tag:WLIBKXm7L62/SwyzitEwMQ==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRd2trdFFYdWV6VDFUWHcx
a01PLzJVZkc1Z0I2TDhXQTExWFhWZXRodTA4ClEvWUEyZlZPSStneDNkM1g2ZmZZ
UlJGMlFGOW9iMTBxT2ZLcnVvZjZvNk0KLS0tIENsVWxBMFpFUzhyT0MwRnM0LzYv
ZjFvaGp1dmtNNzFpSVVEVDZYM29rdDgKZRPrP2Jl8I5eYae1iKiVRZN+leUEHWyO
TXXpwcoovbMnWKxYaYnx1EvT436WXVhro5Ba99XENz0tXAabDLFKJg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-25T21:41:19Z"
mac: ENC[AES256_GCM,data:psGeLVDyVzpH92Xb0L1E0YdM3b2H3LyiYnIacpIySote6pzwsiYJ8Kdq2AKmG2Dh+mS9b83K2zANebQt7ueyHKcdL0V28/8Lhu1GCZPeHneRD9LhijX3sDv2c3RMwZ1rwpLoZZPRH+TNgoylkfAfToj7EZrxv9/dOoJwivttt2M=,iv:duU1ohNy4PYWgak5S66Z/H205VxuLAfpCHoL5onPyD0=,tag:BWfuv4SHneB3meZM5QWT6A==,type:str]
pgp:
- created_at: "2023-04-25T21:49:07Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ/+Kw+yddtYxBDCQmTFbP9rfpJoZQ9xzBowOai0yIwDG2Wn
xEYNPstkxCfjOQpjR40GP13P70KFn9TjHxPmhe7Qus8XDdIbmDVWcaOjHlq6H2Sx
x9u5Sv3aS70rSTMctxZm9sU83yuESP4fQg7O1DLGoodFK8Kk6dKEtZHRmCrWWJOD
Ydvjshz6VtYhqCPzi7xvdoA0PmSZSCMgqzgNdwPmhe2hgZtN9ZauC/v7h7Ts4Aw3
2OPp1hFSQbA3Bf9omz7+SXQRPqz5kT1nHN+Rb+37StqI/BJwvG1yWPZ6z16XpNW8
1UY9CBbFZ620hc/eBLlsnftjL/vfks4PTpqHdQWHyj2W++YtQ4kHkmpCDamok8Gl
WSiNt0BxESs7cRqRvnStKBbnSiHxQ6csEhWmeb6IpPWYw+NeVZRXADzXkIH6Bprz
yZ6oPt61Cfou4miIDmtgyIvXFYd0PjIOoNHqGQOFoYjZlpCP5NQyHladw5omQ9O0
lA9aDw3PKi4zXsjGI8aoiS9o//zKDggeOMIdwjDgdVc1EUMtkIPonm/pyOfAJ1OD
nwR8tzqTbUX5TVznpOVA80R4zl07JRRh5IWd6MsBWKXZNtjZzuO1Mxt2wCHQArsJ
OKHW282VxSIf9PbdEOHIdqAA+earRU52BRTVLs15jTks8cXITVOmr++9eVgRaGPS
XAG0iFu8QfghynfeFcaUwJ9mbrSHTZMvIgx9cHZ67CmKeHJXmjpo/2ojVlYj7LRL
jYiXRp3Po8Y2Mwy4LnraKj/LODYp92flrkm45neI8y8X6hIQCNAT6vX2MPrp
=ZUXh
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -37,7 +37,13 @@
"kat/user/data".evaluate = true; "kat/user/data".evaluate = true;
# Allow profile importing # Allow profile importing
"nixos/*".functor.enable = true; "nixos/*".functor.enable = true;
"nixos/roles/*".functor.enable = true; "nixos/roles/*".functor = {
enable = true;
excludes = [
"scalpel"
];
};
"systems/*".aliasDefault = true;
"nixos/hardware".evaluateDefault = true; "nixos/hardware".evaluateDefault = true;
"nixos/hardware/*".functor.enable = true; "nixos/hardware/*".functor.enable = true;
"darwin/*".functor.enable = true; "darwin/*".functor.enable = true;