kat/nixfiles
1
0
Fork 0
mirror of https://github.com/kittywitch/nixfiles.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity

[MATRIX, WEB SERVERS] Improvements, DNS-01

Browse source
This commit is contained in:
Kat Inskip 2023-04-25 16:33:32 -07:00
parent a1f1dee6a1
commit e642b3879c
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
13 changed files with 191 additions and 94 deletions
Download patch file Download diff file Expand all files Collapse all files

37
nixos/roles/matrix-server/nginx.nix Normal file
View file

@ -0,0 +1,37 @@
{config, ...}: let
fqdn = "${config.networking.hostName}.${config.networking.domain}";
clientConfig = {
"m.homeserver".base_url = "https://${fqdn}";
"m.identity_server".base_url = "https://vector.im";
};
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
services.nginx = {
virtualHosts = {
"kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
"${fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
return 404;
'';
locations."/_matrix".proxyPass = "http://[::1]:8008";
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
extraConfig = ''
http2_max_requests 100000;
keepalive_requests 100000;
'';
};
};
};
}

92
nixos/roles/matrix-server/role.nix
View file

@ -1,92 +0,0 @@
{
lib,
config,
...
}: let
inherit (lib.modules) mkDefault;
fqdn = "${config.networking.hostName}.${config.networking.domain}";
clientConfig = {
"m.homeserver".base_url = "https://${fqdn}";
"m.identity_server".base_url = "https://vector.im";
};
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
sops.secrets.matrix_shared_registration_secret = {
format = "yaml";
sopsFile = ./secrets.yaml;
};
scalpels = [
./scalpel.nix
];
services.postgresql.enable = true;
services.nginx = {
virtualHosts = {
"kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
"${fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
return 404;
'';
locations."/_matrix".proxyPass = "http://[::1]:8008";
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
extraConfig = ''
http2_max_requests 100000;
keepalive_requests 100000;
'';
};
};
};
services.matrix-synapse = {
enable = true;
settings = {
server_name = "kittywit.ch";
max_upload_size = "512M";
rc_messages_per_second = mkDefault 0.1;
rc_message_burst_count = mkDefault 25;
public_baseurl = "https://${fqdn}";
url_preview_enabled = mkDefault true;
enable_registration = mkDefault false;
enable_metrics = mkDefault false;
report_stats = mkDefault false;
dynamic_thumbnails = mkDefault true;
registration_shared_secret = "!!MATRIX_SHARED_REGISTRATION_SECRET!!";
allow_guest_access = mkDefault true;
suppress_key_server_warning = mkDefault true;
listeners = [
{
port = 8008;
bind_addresses = ["::1"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = ["client" "federation"];
compress = true;
}
];
}
];
};
};
security.acme = {
email = "acme@inskip.me";
acceptTerms = true;
};
}

10
nixos/roles/matrix-server/secrets.nix Normal file
View file

@ -0,0 +1,10 @@
_: {
sops.secrets.matrix_shared_registration_secret = {
format = "yaml";
sopsFile = ./secrets.yaml;
};
scalpels = [
./scalpel.nix
];
}

43
nixos/roles/matrix-server/synapse.nix Normal file
View file

@ -0,0 +1,43 @@
{
lib,
config,
...
}: let
inherit (lib.modules) mkDefault;
fqdn = "${config.networking.hostName}.${config.networking.domain}";
in {
services.matrix-synapse = {
enable = true;
settings = {
server_name = "kittywit.ch";
max_upload_size = "512M";
rc_messages_per_second = mkDefault 0.1;
rc_message_burst_count = mkDefault 25;
rc_invites.per_user.per_second = 0.5;
public_baseurl = "https://${fqdn}";
url_preview_enabled = mkDefault true;
enable_registration = mkDefault false;
enable_metrics = mkDefault false;
report_stats = mkDefault false;
dynamic_thumbnails = mkDefault true;
registration_shared_secret = "!!MATRIX_SHARED_REGISTRATION_SECRET!!";
allow_guest_access = mkDefault true;
suppress_key_server_warning = mkDefault true;
listeners = [
{
port = 8008;
bind_addresses = ["::1"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = ["client" "federation"];
compress = true;
}
];
}
];
};
};
}

3
nixos/roles/postgres-server.nix Normal file
View file

@ -0,0 +1,3 @@
_: {
services.postgresql.enable = true;
}

2
nixos/roles/server.nix
View file

@ -16,4 +16,6 @@ in {
services.tailscale = { services.tailscale = {
enable = true; enable = true;
}; };
programs.mosh.enable = true;
} }

15
nixos/roles/web-server/acme.nix Normal file
View file

@ -0,0 +1,15 @@
_: {
environment.etc."ssl/credentials_template".text = ''
CF_API_EMAIL=!!CLOUDFLARE_EMAIL!!
CF_DNS_API_TOKEN=!!CLOUDFLARE_TOKEN!!
CF_ZONE_API_TOKEN=!!CLOUDFLARE_TOKEN!!
'';
security.acme = {
defaults = {
dnsProvider = "cloudflare";
email = "acme@inskip.me";
};
acceptTerms = true;
};
}

6
nixos/roles/web-server/firewall.nix Normal file
View file

@ -0,0 +1,6 @@
_: {
networking.firewall.allowedTCPPorts = [
80
443
];
}

2
nixos/roles/web-server.nix → nixos/roles/web-server/nginx.nix
View file

@ -6,6 +6,4 @@ _: {
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
}; };
networking.firewall.allowedTCPPorts = [80 443];
} }

18
nixos/roles/web-server/scalpel.nix Normal file
View file

@ -0,0 +1,18 @@
{
lib,
config,
pkgs,
prev,
...
}: {
scalpel.trafos."credentials_file" = {
source = "/etc/ssl/credentials_template";
matchers."CLOUDFLARE_EMAIL".secret = config.sops.secrets.cloudflare_email.path;
matchers."CLOUDFLARE_TOKEN".secret = config.sops.secrets.cloudflare_token.path;
owner = "acme";
group = "acme";
mode = "0440";
};
security.acme.defaults.credentialsFile = config.scalpel.trafos."credentials_file".destination;
}

13
nixos/roles/web-server/secrets.nix Normal file
View file

@ -0,0 +1,13 @@
_: let
secretConfig = {
format = "yaml";
sopsFile = ./secrets.yaml;
};
in {
sops.secrets.cloudflare_email = secretConfig;
sops.secrets.cloudflare_token = secretConfig;
scalpels = [
./scalpel.nix
];
}

43
nixos/roles/web-server/secrets.yaml Normal file
View file

@ -0,0 +1,43 @@
cloudflare_email: ENC[AES256_GCM,data:fwcHkWRqH3hEPDbFmA==,iv:He6yJHpD9oXrZSHPJKL7mnkRWm621HRj2cS6qLSn6aI=,tag:lON1D+55zSiJQljTox2JKQ==,type:str]
cloudflare_token: ENC[AES256_GCM,data:gEiJNdzrQhHMRFLHZ5ZMe2T6VyZgMnXfufbu6LbtiVyQST53TBo7pQ==,iv:a/J6bUZbHQIQBRy8DV7MJe4TffElFBlDRAm3/j5E9hQ=,tag:n/07dZNyBWNpFKQCctkuBw==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVG5kTUFmcHdZNmtUZlFO
Mm9wWVV5NkdRb1hCZmNyZDU5Y3UxZ2NRSGxnCjl0QktuWHgzTk1lQW9hQUxzVzdU
QllDZXcvYVJVVnliQ3BCcFhIeWRGdjQKLS0tIFplZzdnMmx2RS9TbEZESHVnSHlP
VDM0QUcyeVBmRzdyUHNrTUVablcyY2cK4WD0mB/EvZNmagFMq1kZz8y5M9mdHxwB
o44D7JYE31czIpM/CJTfjsxG4NlQn//H48W60edSZPFHwIDNzjnbLA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-25T23:06:23Z"
mac: ENC[AES256_GCM,data:w+3/oRHEdhUG7jUlRfMDtjY1W1ybyIlINopzuxLxvLWj6yTVA8/D8mp99V3kg7MvKBWW43hA0mQ+MkH8EtPfEDIXZKaMvmY89mKygc2FMGrFcgHVV9zg3qqxk84Zp1lg8+G4gwsgRuNAumFHrlvgCsZUVqEZGjy+cf+R4Dpmw2s=,iv:ax1E/PcwQ0ZcXlsdwY0hQvRp6b38o4qfEhNQASuxQoM=,tag:zEthuo4DoG/1DX28aogntw==,type:str]
pgp:
- created_at: "2023-04-25T23:00:27Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ//fd8bxMcv1cIrBPEc1w0LKWaQtpeRhHmVOaU+DdHvzo5L
++aw+pe8Tz/+D5lfz67Aw0U3R4eBrBnjetZ5C+sjVHqrzaKEReddlk22dG0NF9JM
Ejepxo/G85PwWsC3cXgoBeJs2IqcWdAhtS6dH9GoiM4Wwhx0Am4JvLrvo9OJO7dR
ZpSGpBeC9OJGw+nkPLrwMK7dVtfx9JO5A1jdAvapGa+XwP8XxC31IhRHOH0hSwjQ
JQuQFOPz/MqjHb8eHuZa6GPUxjQTX5RN9RbvtRNI5h/fvQxNycQR4GETI/Y+P5Pb
r55+jgR8acJ8p/Z6R7uQLF5tbcHdtM2SY6ANDVgcoBoHe29hAXe6gpLzme54Wo3j
Cm/pt5+TS14uKGKiQjeHJ84EGUsOr+GL2Hpm1qu8VKSkznI19f3zyqcDNWQTYKJA
P5EGO4c4vMp2ihqnDqZC8FurKmzkFpFLgua+snNOd5rVy5kC8f8BA6lQyIdA5dOf
KHf1OjpfbwASr4RrHdNLKj8Z7bkJ+yQ7fmkP2z3uQjk7WveMVa+1r5GNaMk/wYUV
YUOl3TSZNuNaIOnqIqjTCYntbkuwliyenREB8GN1iZA8pCp/mEwa1zyvU6xP8x17
zPhwveevs96GgZBK4QMLJfYoUD5wCaMuXKIvUGHvM653+eL+Fk6Z1v3lo9+pPC3S
XAEQAzvt47ZhTvQVzWHEnBh9KlsxC6hS0vqbdIddSGXYZ7vsQMszG2r8CNGAGjJ2
OIq2LsKlrW1KVgrBCWrYnH6HxPi+t+TBVjgehAWZ6qiVoTkI09yNC9MarC64
=4AdG
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
unencrypted_suffix: _unencrypted
version: 3.7.3

1
systems/yukari.nix
View file

@ -12,6 +12,7 @@ _: let
++ (with tree.nixos.roles; [ ++ (with tree.nixos.roles; [
server server
web-server web-server
postgres-server
matrix-server matrix-server
]); ]);