From b69e3f7352e7035a6759c758453cc860399c6806 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Sat, 14 Oct 2023 01:22:32 +0200
Subject: [PATCH] add host: janeway
---
 .sops.yaml | 6 ++
 flake.lock | 18 ++---
 flake.nix | 14 ++++
 hosts/janeway/configuration.nix | 39 ++++++++++
 hosts/janeway/services/matrix-synapse.nix | 86 +++++++++++++++++++++++
 hosts/janeway/services/nginx.nix | 19 +++++
 hosts/janeway/services/postgresql.nix | 22 ++++++
 secrets/janeway/janeway.yaml | 32 +++++++++
 8 files changed, 227 insertions(+), 9 deletions(-)
 create mode 100644 hosts/janeway/configuration.nix
 create mode 100644 hosts/janeway/services/matrix-synapse.nix
 create mode 100644 hosts/janeway/services/nginx.nix
 create mode 100644 hosts/janeway/services/postgresql.nix
 create mode 100644 secrets/janeway/janeway.yaml
diff --git a/.sops.yaml b/.sops.yaml
index db9b5b3..48d7b1b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -26,3 +26,9 @@ creation_rules:
 - *host_sarek
 - *user_felixalb_old
 - *user_felixalb
+
+ - path_regex: secrets/janeway/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *user_felixalb_old
+ - *user_felixalb
diff --git a/flake.lock b/flake.lock
index 843f513..24875f2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -62,11 +62,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1696697597,
- "narHash": "sha256-q26Qv4DQ+h6IeozF2o1secyQG0jt2VUT3V0K58jr3pg=",
+ "lastModified": 1696983906,
+ "narHash": "sha256-L7GyeErguS7Pg4h8nK0wGlcUTbfUMDu+HMf1UcyP72k=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5a237aecb57296f67276ac9ab296a41c23981f56",
+ "rev": "bd1cde45c77891214131cbbea5b1203e485a9d51",
 "type": "github"
 },
 "original": {
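Review bot: The new creation_rule for `secrets/janeway/[^/]+\.yaml$` carries only the two user keys, whereas the rule just above it also lists a host anchor (`*host_sarek`). sops-nix decrypts on the target machine with janeway's own age key, so unless one of `*user_felixalb_old`/`*user_felixalb` is actually that host key, `matrix/synapse/registrationsecret` will not decrypt at activation; the two recipients in the secrets/janeway/janeway.yaml hunk at the end of this patch follow the same rule, so that file would need re-encrypting as well. I would add a host anchor for janeway to the age group, e.g. `- *host_janeway` (illustrative name; the anchor definition belongs with the other key definitions earlier in the file, outside this hunk), and then run `sops updatekeys` on the secret file.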
@@ -125,11 +125,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1696734395,
- "narHash": "sha256-O/g/wwBqqSS7RQ53bE6Ssf0pXVTCYfN7NnJDhKfggQY=",
+ "lastModified": 1697064251,
+ "narHash": "sha256-xxp2sB+4vqB6S6zC/L5J8LlRKgVbgIZOcYl9/TDrEzI=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "d7380c38d407eaf06d111832f4368ba3486b800e",
+ "rev": "f995ea159252a53b25fa99824f2891e3b479d511",
 "type": "github"
 },
 "original": {
@@ -140,11 +140,11 @@
 },
 "unstable": {
 "locked": {
- "lastModified": 1696604326,
- "narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
+ "lastModified": 1697059129,
+ "narHash": "sha256-9NJcFF9CEYPvHJ5ckE8kvINvI84SZZ87PvqMbH6pro0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
+ "rev": "5e4c2ada4fcd54b99d56d7bd62f384511a7e2593",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index bcadbeb..1159265 100644
--- a/flake.nix
+++ b/flake.nix
@@ -83,6 +83,20 @@
 }
 ];
 };
+ janeway = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = {
+ inherit inputs;
+ };
+ modules = [
+ # Overlays-module makes "pkgs.unstable" available in configuration.nix
+ ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+
+ ./hosts/janeway/configuration.nix
+ sops-nix.nixosModules.sops
+ matrix-synapse-next.nixosModules.default
+ ];
+ };
 redshirt = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = {
diff --git a/hosts/janeway/configuration.nix b/hosts/janeway/configuration.nix
new file mode 100644
index 0000000..33e95e0
--- /dev/null
+++ b/hosts/janeway/configuration.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ../../base.nix
+ ../../common/metrics-exporters.nix
+
+ ./services/nginx.nix
+ ./services/postgresql.nix
+ ./services/matrix-synapse.nix
+ ];
+
+ # Boot and console is handled by proxmoxLXC.
+ boot.loader.systemd-boot.enable = lib.mkForce false; # Enabled in base.nix, forced off here.
+
+ # Override proxmox networking
+ proxmoxLXC.manageNetwork = true;
+ networking = {
+ hostName = "janeway";
+ defaultGateway = "192.168.10.1";
+ interfaces."eth0".ipv4 = {
+ addresses = [
+ { address = "192.168.10.183"; prefixLength = 24; }
+ ];
+ };
+ hostId = "bed956ff";
+ };
+
+ environment.systemPackages = with pkgs; [
+ bottom
+ ];
+
+ sops.defaultSopsFile = ../../secrets/janeway/janeway.yaml;
+
+ system.stateVersion = "23.05";
+}
+
diff --git a/hosts/janeway/services/matrix-synapse.nix b/hosts/janeway/services/matrix-synapse.nix
new file mode 100644
index 0000000..c355f31
--- /dev/null
+++ b/hosts/janeway/services/matrix-synapse.nix
@@ -0,0 +1,86 @@
+{ config, pkgs, lib, ... }:
+let
+ main_ip = "127.0.1.2";
+in
+{
+ sops.secrets."matrix/synapse/registrationsecret" = {
+ restartUnits = [ "matrix-synapse.service" ];
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ };
+
+ services.matrix-synapse-next = {
+ enable = true;
+ enableNginx = true;
+
+ workers = {
+ federationSenders = 1;
+ federationReceivers = 2;
+ initialSyncers = 1;
+ normalSyncers = 1;
+ eventPersisters = 1;
+ useUserDirectoryWorker = true;
+ };
+
+ extraConfigFiles = [
+ config.sops.secrets."matrix/synapse/registrationsecret".path
+ ];
+
+ settings = {
+ server_name = "feal.no";
+ public_baseurl = "https://matrix.feal.no";
+ database.name = "psycopg2";
+ autocreate_auto_join_rooms = false;
+ max_upload_size = "50M";
+
+ #registration_shared_secret = "do_not_put_secret_here_use_extraConfigFiles";
+
+ trusted_key_servers = [
+ {
+ server_name = "matrix.org";
+ verify_keys = {};
+ }
+ ];
+
+ enable_registration = false;
+ use_presence = true;
+
+ url_preview_enabled = true;
+ url_preview_ip_range_blacklist = [
+ # synapse example config
+ "127.0.0.0/8"
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ "100.64.0.0/10"
+ "192.0.0.0/24"
+ "169.254.0.0/16"
+ "192.88.99.0/24"
+ "198.18.0.0/15"
+ "192.0.2.0/24"
+ "198.51.100.0/24"
+ "203.0.113.0/24"
+ "224.0.0.0/4"
+ "::1/128"
+ "fe80::/10"
+ "fc00::/7"
+ "2001:db8::/32"
+ "ff00::/8"
+ "fec0::/10"
+ ];
+
+ tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
+ tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";
+
+ };
+ };
+
+ services.redis.servers."".enable = true;
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx.virtualHosts."matrix.feal.no" = {
+ enableACME = lib.mkForce false;
+ forceSSL = lib.mkForce false;
+ };
+
+}
diff --git a/hosts/janeway/services/nginx.nix b/hosts/janeway/services/nginx.nix
new file mode 100644
index 0000000..4c376d7
--- /dev/null
+++ b/hosts/janeway/services/nginx.nix
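Review bot: `enableACME = lib.mkForce false` and `forceSSL = lib.mkForce false` on the `matrix.feal.no` vhost, combined with the snakeoil `tls_certificate_path`/`tls_private_key_path`, leave this host serving the client and federation endpoints over plain HTTP on port 80 while `public_baseurl` advertises `https://matrix.feal.no`. That is presumably because TLS is terminated by a proxy in front of this container, but nothing in the file says so, and `networking.firewall.allowedTCPPorts = [ 80 443 ]` opens the port to any peer rather than just that proxy. I would record the intent on the vhost, e.g. `# TLS is terminated by the upstream reverse proxy; this vhost is plain HTTP on purpose`, and consider limiting which sources may reach port 80. Separately, the `let` binding `main_ip = "127.0.1.2"` is never referenced anywhere in the file and can be removed.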
@@ -0,0 +1,19 @@
+{ config, values, ... }:
+{
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ /* security.acme = { */
+ /* acceptTerms = true; */
+ /* email = "felix@albrigtsen.it"; */
+ /* }; */
+}
diff --git a/hosts/janeway/services/postgresql.nix b/hosts/janeway/services/postgresql.nix
new file mode 100644
index 0000000..c7c804b
--- /dev/null
+++ b/hosts/janeway/services/postgresql.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+{
+ services.postgresql = {
+ enable = true;
+ enableTCPIP = true; # Expose on the network
+ authentication = pkgs.lib.mkOverride 10 ''
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ '';
+ };
+
+ services.postgresqlBackup = {
+ enable = true;
+ location = "/backup/postgresql/";
+ startAt = "*-*-* 03:15:00";
+ backupAll = true;
+ };
+
+
+ environment.systemPackages = [ config.services.postgresql.package ];
+}
diff --git a/secrets/janeway/janeway.yaml b/secrets/janeway/janeway.yaml
new file mode 100644
index 0000000..96c781e
--- /dev/null
+++ b/secrets/janeway/janeway.yaml
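Review bot: The module header `{ config, values, ... }:` declares `values`, which nothing in this file uses; the `janeway` entry in flake.nix passes only `inherit inputs;` through specialArgs. If `_module.args.values` is not defined by base.nix or another imported module (outside this diff), evaluating the host fails on the missing argument, and even if it is defined the unused parameter should go: `{ config, ... }:`. The commented-out `security.acme` block would also read better with a one-line reason, e.g. `# ACME intentionally disabled on this host: <reason>`, so the next reader does not take it for a leftover and re-enable it.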
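Review bot: The `authentication` override grants `trust` to every role on every database over the Unix socket and both loopback addresses, so any local process (the nginx and synapse workers, any shell on the box) can connect as the `postgres` superuser with no credential. `enableTCPIP = true` additionally makes the server listen on all interfaces; the only thing keeping it off the network is that the firewall in this commit opens just 80 and 443 and no `host` line matches a non-loopback address. I would use `local all all peer` for the socket, `host all all 127.0.0.1/32 scram-sha-256` and `host all all ::1/128 scram-sha-256` for loopback, and drop `enableTCPIP` unless something off-host genuinely needs it; note that `mkOverride 10` replaces rather than extends the module-provided rules, so these three lines are the entire `pg_hba.conf`. Whether synapse can then authenticate depends on how its database user is provisioned, which is not part of this diff.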
@@ -0,0 +1,32 @@
+matrix:
+ synapse:
+ registrationsecret: ENC[AES256_GCM,data:hXLNFkvMe21RlT1wgQvsBeyxtn+0yLK5bYUeMQbV/1bVtl6nvoInZ1qP7wz8MoWhFiAq1ZwxE2bjDfxXdkL8YSvNHlhdbFD1nJBP51mci9SQE/xLaMh7Aqtos0swdKw=,iv:uIxuhhaTpCRQQ/fP16J50cKCSbAD+KYO3a2kb70BX2M=,tag:EqD5jeZvCcJJCrBcG0YjsA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VllZUGR6d3dpSlczS1cx
+ ejZCMEhDaDJ3ZEIxR1NWV3NXQXhDVERNUlIwCjU4TWNBbmNpc2x4MHNibVBJWk5s
+ Sk5aamZVcnZGSThLTXI1Vkh0UFVBNkUKLS0tIDdHYWhjK3pBM3VydldzdTBTcEVz
+ YUhoWTJ4SnBRb1ZzVUhxdnBCTEFnTUEK72ofuMzrLBzFmA0fO9hX5vhtzcbJse+q
+ qK1YKKv12iF1TZ9+Ty73W5Dlum51YWfUD0/BX+/QwQob9AmszlQ7vg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWEFrN0xJY2ltcENKbzgv
+ V1BiVm9URll0QlUzVVlpV2RNNDdlcGJ5eFRrCnJabTVEVFFMK0xUalJtWjJuSnNF
+ TW5iVkl4WXp0VU5BVkZWSTdINWRBMmsKLS0tIC9aaUZWWXNKRUpnNGR4TDM1Rmpx
+ d3VYdmJjQys3NWN6KzJNSTFqQ0hOR0kKKLYpphnephuK9Pbp7yzwtGeXadYciogn
+ nQs4qiNooRGpC7wjcuwH6OUBbFsnLWrt3lQjP00Xs8uEFFtcx7wotw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-10-13T22:50:20Z"
+ mac: ENC[AES256_GCM,data:ktGFV+oNBMIKNCVLXZtrxn8HbvgjmXTRmAWuDQaNyMIIWvnTvd5IQBivG1kCimVr96RFl6RWTMWH4nqHVFlo0jxQfx8KUVXmaO7dfp4Ri+ZKMLu33HmLfwHiStnYRwPCAtwG/AXx9SXl0SAL5S+xHSl4mnShbyYfLAHibccYros=,iv:JeMtQ5uxYzpqr1eHZrLTNqhizjOCaixNg8VFcwjY2Y8=,tag:gHfRDBezAwzCqmEhayVYEg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3