move services to be host specific

hosts/jokum/services/matrix/coturn.nix

@@ -0,0 +1,131 @@
+{ config, lib, pkgs, secrets, ... }:
+
+{
+  sops.secrets."matrix/synapse/turnconfig" = {
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+  };
+  sops.secrets."matrix/coturn/static-auth-secret" = {
+    owner = config.users.users.turnserver.name;
+    group = config.users.users.turnserver.group;
+  };
+
+  services.matrix-synapse-next = {
+    extraConfigFiles = [
+      config.sops.secrets."matrix/synapse/turnconfig".path
+    ];
+
+    settings = {
+      turn_uris = [
+        "turns:turn.pvv.ntnu.no:443?transport=tcp"
+        "turns:turn.pvv.ntnu.no:443?transport=udp"
+
+        "turns:turn.pvv.ntnu.no:5349?transport=tcp"
+        "turns:turn.pvv.ntnu.no:5349?transport=udp"
+        
+        "turns:turn.pvv.ntnu.no:3478?transport=udp"
+        "turns:turn.pvv.ntnu.no:3478?transport=tcp"
+        "turn:turn.pvv.ntnu.no:3478?transport=udp"
+        "turn:turn.pvv.ntnu.no:3478?transport=tcp"
+
+        "turns:turn.pvv.ntnu.no:3479?transport=tcp"
+        "turns:turn.pvv.ntnu.no:3479?transport=udp"
+        "turn:turn.pvv.ntnu.no:3479?transport=tcp"
+        "turn:turn.pvv.ntnu.no:3479?transport=udp"
+      ];
+    };
+  };
+
+  security.acme.certs.${config.services.coturn.realm} = {
+    email = "drift@pvv.ntnu.no";
+    listenHTTP = "129.241.210.213:80";
+    reloadServices = [ "coturn.service" ];
+  };
+
+  users.users.turnserver.extraGroups = [ "acme" ];
+
+  systemd.services."acme-${config.services.coturn.realm}".serviceConfig = {
+    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+  };
+
+  services.coturn = rec {
+    enable = true;
+    realm = "turn.pvv.ntnu.no";
+
+    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+
+    use-auth-secret = true;
+    # World readable but I  dont think it's that bad
+    static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path;
+
+    secure-stun = true;
+
+    listening-ips = [ "129.241.210.213" "2001:700:300:1900::213" ];
+
+    tls-listening-port = 443;
+    alt-tls-listening-port = 5349;
+ 
+    listening-port = 3478;
+
+    min-port = 49000;
+    max-port = 50000;
+
+    no-tls = false;
+    no-dtls = false;
+
+    no-tcp-relay = false;
+
+    extraConfig = ''
+      verbose
+
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+
+      #user-quota=120
+      #total-quota=1200
+    '';
+  };
+  
+  networking.firewall = {
+    interfaces.ens18 = let
+      range = with config.services.coturn; [ {
+      from = min-port;
+      to = max-port;
+    } ];
+    in
+    {
+      allowedUDPPortRanges = range;
+      allowedUDPPorts = [ 443 3478 3479 5349 ];
+      allowedTCPPortRanges = range;
+      allowedTCPPorts = [ 443 3478 3479 5349 ];
+    };
+  };
+
+}

hosts/jokum/services/matrix/default.nix

@@ -0,0 +1,16 @@
+{ config, ... }:
+
+{
+
+  imports = [
+    ./synapse.nix
+    ./synapse-admin.nix
+    ./element.nix
+    ./coturn.nix
+
+    ./discord.nix
+  ];
+
+  
+
+}

hosts/jokum/services/matrix/discord.nix

@@ -0,0 +1,37 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.services.mx-puppet-discord;
+in
+{
+  users.groups.keys-matrix-registrations = { };
+
+  sops.secrets."matrix/registrations/mx-puppet-discord" = {
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.groups.keys-matrix-registrations.name;
+  };
+
+  systemd.services.mx-puppet-discord = {
+    serviceConfig.SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name ];
+  };
+
+
+  services.mx-puppet-discord.enable = true;
+  services.mx-puppet-discord.settings = {
+    bridge = {
+      bindAddress = "localhost";
+      domain = "pvv.ntnu.no";
+      # systemd-resolved reads hosts and redirects matrix->jokum->127.0.0.2 which nginx doesnt listen to
+      # this line points the bridge at whatever the ip for the main synapse listener is
+      homeserverUrl = "http://${lib.head (lib.attrNames config.services.nginx.upstreams.synapse_master.servers)}";
+    };
+    provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"];
+    relay.whitelist = [ ".*" ];
+    selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
+  };
+  services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
+
+
+  services.matrix-synapse-next.settings.app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
+
+}

hosts/jokum/services/matrix/element.nix

@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
+    enableACME = true;
+    forceSSL = true;
+
+    root = pkgs.element-web.override {
+      conf = {
+        default_server_config."m.homeserver" = {
+          base_url = "https://matrix.pvv.ntnu.no";
+          server_name = "pvv.ntnu.no";
+        };
+        disable_3pid_login = true;
+#        integrations_ui_url = "https://dimension.dodsorf.as/riot";
+#        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
+#        integrations_widgets_urls = [
+#          "https://dimension.dodsorf.as/widgets"
+#        ];
+#        integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
+        defaultCountryCode = "NO";
+        showLabsSettings = true;
+        features = {
+          feature_latex_maths = true;
+          feature_pinning = true;
+          feature_state_counters = true;
+          feature_custom_status = false;
+        };
+        default_theme = "dark";
+        room_directory.servers = [
+          "pvv.ntnu.no"
+          "matrix.omegav.no"
+          "matrix.org"
+          "libera.chat"
+          "gitter.im"
+          "mozilla.org"
+          "kde.org"
+          "t2bot.io"
+          "fosdem.org"
+          "dodsorf.as"
+        ];
+        enable_presence_by_hs_url = {
+          "https://matrix.org" = false;
+          "https://matrix.dodsorf.as" = false;
+        };
+      };
+    };
+  };
+}

hosts/jokum/services/matrix/synapse-admin.nix

@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+
+
+# This service requires you to have access to endpoints not available over the internet
+# Use an ssh proxy or similar to access this dashboard.
+# Then go into your developer console, storage, and change the baseurl to the local ip for synapse
+
+{
+  services.nginx.virtualHosts."localhost" = {
+    rejectSSL = true;
+    root = pkgs.synapse-admin;
+  };
+}

hosts/jokum/services/matrix/synapse.nix

@@ -0,0 +1,209 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.matrix-synapse-next;
+
+  imap0Attrs = with lib; f: set:
+    listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
+in {
+  sops.secrets."matrix/synapse/dbconfig" = {
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+  };
+
+  sops.secrets."matrix/synapse/signing_key" = {
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+  };
+
+  services.matrix-synapse-next = {
+    enable = true;
+
+    dataDir = "/data/synapse";
+
+    workers.federationSenders = 1;
+    workers.federationReceivers = 1;
+    workers.initialSyncers = 1;
+    workers.normalSyncers = 1;
+
+    enableNginx = true;
+
+    extraConfigFiles = [
+      config.sops.secrets."matrix/synapse/dbconfig".path
+    ];
+
+    settings = {
+      server_name = "pvv.ntnu.no";
+      public_baseurl = "https://matrix.pvv.ntnu.no";
+
+      signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path;
+
+      media_store_path =  "${cfg.dataDir}/media";
+
+      autocreate_auto_join_rooms = false;
+      auto_join_rooms = [
+        "#pvv:pvv.ntnu.no" # Main space
+        "#announcements:pvv.ntnu.no"
+        "#general:pvv.ntnu.no"
+      ];
+
+      allow_public_rooms_over_federation = true;
+
+      max_upload_size = "150M";
+
+      enable_metrics = true;
+
+      enable_registration = false;
+
+      password_config.enabled = lib.mkForce false;
+
+      trusted_key_servers = [
+        { server_name = "matrix.org"; }
+        { server_name = "dodsorf.as"; }
+      ];
+
+      url_preview_enabled = true;
+      url_preview_ip_range_blacklist = [
+        # synapse example config
+        "127.0.0.0/8"
+        "10.0.0.0/8"
+        "172.16.0.0/12"
+        "192.168.0.0/16"
+        "100.64.0.0/10"
+        "192.0.0.0/24"
+        "169.254.0.0/16"
+        "192.88.99.0/24"
+        "198.18.0.0/15"
+        "192.0.2.0/24"
+        "198.51.100.0/24"
+        "203.0.113.0/24"
+        "224.0.0.0/4"
+        "::1/128"
+        "fe80::/10"
+        "fc00::/7"
+        "2001:db8::/32"
+        "ff00::/8"
+        "fec0::/10"
+
+        # NTNU
+        "129.241.0.0/16"
+        "2001:700:300::/44"
+      ];
+
+      saml2_config = {
+        sp_config.metadata.remote = [
+          { url = "https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php"; }
+        ];
+
+        description = [ "Matrix Synapse SP" "en" ];
+        name = [ "Matrix Synapse SP" "en" ];
+
+        ui_info = {
+          display_name = [
+            {
+              lang = "en";
+              text = "PVV Matrix login";
+            }
+          ];
+          description = [
+            {
+              lang = "en";
+              text = "Matrix is a modern free and open federated chat protocol";
+            }
+          ];
+          #information_url = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #  };
+          #];
+          #privacy_statement_url = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #  };
+          #];
+          keywords = [
+            {
+              lang = "en";
+              text = [ "Matrix" "Element" ];
+            }
+          ];
+          #logo = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #    width = "";
+          #    height = "";
+          #  }
+          #];
+        };
+
+        organization = {
+          name = "Programvareverkstedet";
+          display_name = [ "Programvareverkstedet" "en" ];
+          url = "https://www.pvv.ntnu.no";
+        };
+        contact_person = [
+          { given_name = "Drift";
+            sur_name = "King";
+            email_adress = [ "drift@pvv.ntnu.no" ];
+            contact_type = "technical";
+          }
+        ];
+
+        user_mapping_provider = {
+          config = {
+            mxid_source_attribute =  "uid"; # What is this supposed to be?
+            mxid_mapping = "hexencode";
+          };
+        };
+
+        #attribute_requirements = [
+        #  {attribute = "userGroup"; value = "medlem";} # Do we have this?
+        #];
+      };
+    };
+  };
+
+  services.redis.servers."".enable = true;
+  
+  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
+    locations = let
+      isListenerType = type: listener: lib.lists.any (r: lib.lists.any (n: n == type) r.names) listener.resources;
+      isMetricsListener = l: isListenerType "metrics" l;
+
+      firstMetricsListener = w: lib.lists.findFirst isMetricsListener (throw "No metrics endpoint on worker") w.settings.worker_listeners;
+
+      wAddress = w: lib.lists.findFirst (_: true) (throw "No address in receiver") (firstMetricsListener w).bind_addresses;
+      wPort = w: (firstMetricsListener w).port;
+
+      socketAddress = w: "${wAddress w}:${toString (wPort w)}";
+
+      metricsPath = w: "/metrics/${w.type}/${toString w.index}";
+      proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
+    in lib.mapAttrs' (n: v: lib.nameValuePair (metricsPath v) ({ proxyPass = proxyPath v; }))
+      cfg.workers.instances;
+  })
+  ({
+    locations."/metrics/master/1" = {
+      proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
+    };
+
+    locations."/metrics/" = let
+      endpoints = builtins.map (x: "matrix.pvv.ntnu.no/metrics/${x}") [
+        "master/1"
+        "fed-sender/1"
+        "fed-receiver/1"
+        "initial-sync/1"
+        "normal-sync/1"
+      ];
+    in {
+      alias = pkgs.writeTextDir "/config.json"
+        (builtins.toJSON [
+          { targets = endpoints;
+            labels = { };
+          }]) + "/";
+    };
+  })];
+}

hosts/jokum/services/nginx/default.nix

@@ -0,0 +1,22 @@
+{config, ... }:
+
+{
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "danio@pvv.ntnu.no";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    defaultListenAddresses = [ "129.241.210.169" "127.0.0.1" "127.0.0.2" "[2001:700:300:1900::169]" "[::1]" ];
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}