Vegard Bieker Matthey
2026-02-20 18:18:09 +01:00
parent 18167dca0a
commit dc8a6c8c71
127 changed files with 3804 additions and 2402 deletions


@@ -1,4 +1,12 @@
{ config, lib, fp, pkgs, secrets, values, ... }:
{
config,
lib,
fp,
pkgs,
secrets,
values,
...
}:
{
sops.secrets."matrix/coturn/static-auth-secret" = {
@@ -127,18 +135,31 @@
};
networking.firewall = {
interfaces.enp6s0f0 = let
range = with config.services.coturn; [ {
from = min-port;
to = max-port;
} ];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ 443 3478 3479 5349 ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 443 3478 3479 5349 ];
};
interfaces.enp6s0f0 =
let
range = with config.services.coturn; [
{
from = min-port;
to = max-port;
}
];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [
443
3478
3479
5349
];
allowedTCPPortRanges = range;
allowedTCPPorts = [
443
3478
3479
5349
];
};
};
}


@@ -1,4 +1,9 @@
{ config, lib, fp, ... }:
{
config,
lib,
fp,
...
}:
let
cfg = config.services.mx-puppet-discord;
@@ -44,7 +49,6 @@ in
];
};
services.mx-puppet-discord.enable = false;
services.mx-puppet-discord.settings = {
bridge = {
@@ -52,16 +56,21 @@ in
domain = "pvv.ntnu.no";
homeserverUrl = "https://matrix.pvv.ntnu.no";
};
provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"];
provisioning.whitelist = [
"@dandellion:dodsorf\\.as"
"@danio:pvv\\.ntnu\\.no"
];
relay.whitelist = [ ".*" ];
selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
selfService.whitelist = [
"@danio:pvv\\.ntnu\\.no"
"@dandellion:dodsorf\\.as"
];
};
services.mx-puppet-discord.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
services.matrix-synapse-next.settings = {
app_service_config_files = [
config.sops.templates."discord-registration.yaml".path
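Review bot: The hunk `@@ -44,7 +49,6 @@` shrinks by exactly one line with nothing added, and the only candidate that a formatter would not touch is `services.mx-puppet-discord.enable = false;`, so this otherwise pure nixfmt commit appears to also re-enable the Discord puppet bridge (the page has lost the +/- markers, so this is inferred from the line counts). If that reading is right, the bridge registration is still wired into Synapse through `app_service_config_files` below, so the change is behavioural and deserves its own commit with a message stating the intent, or, if the bridge is meant to stay off, the line should be kept with a note such as `# bridge kept disabled; see <ticket-or-reason placeholder>`. The enclosing attribute set continues outside this hunk.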


@@ -1,7 +1,13 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
synapse-cfg = config.services.matrix-synapse-next;
in {
in
{
services.pvv-matrix-well-known.client = {
"m.homeserver" = {
base_url = "https://matrix.pvv.ntnu.no";
@@ -21,12 +27,12 @@ in {
default_server_config = config.services.pvv-matrix-well-known.client;
disable_3pid_login = true;
# integrations_ui_url = "https://dimension.dodsorf.as/riot";
# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
# integrations_widgets_urls = [
# "https://dimension.dodsorf.as/widgets"
# ];
# integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
# integrations_ui_url = "https://dimension.dodsorf.as/riot";
# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
# integrations_widgets_urls = [
# "https://dimension.dodsorf.as/widgets"
# ];
# integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
defaultCountryCode = "NO";
showLabsSettings = true;
features = {


@@ -1,4 +1,11 @@
{ config, lib, fp, unstablePkgs, inputs, ... }:
{
config,
lib,
fp,
unstablePkgs,
inputs,
...
}:
let
cfg = config.services.matrix-hookshot;
@@ -100,7 +107,8 @@ in
};
serviceBots = [
{ localpart = "bot_feeds";
{
localpart = "bot_feeds";
displayname = "Aya";
avatar = ./feeds.png;
prefix = "!aya";
@@ -115,20 +123,44 @@ in
permissions = [
# Users of the PVV Server
{ actor = "pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
{
actor = "pvv.ntnu.no";
services = [
{
service = "*";
level = "commands";
}
];
}
# Members of Medlem space (for people with their own hs)
{ actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
{
actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
services = [
{
service = "*";
level = "commands";
}
];
}
# Members of Drift
{ actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
services = [ { service = "*"; level = "admin"; } ];
{
actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
services = [
{
service = "*";
level = "admin";
}
];
}
# Dan bootstrap
{ actor = "@dandellion:dodsorf.as";
services = [ { service = "*"; level = "admin"; } ];
{
actor = "@dandellion:dodsorf.as";
services = [
{
service = "*";
level = "admin";
}
];
}
];
};


@@ -1,4 +1,9 @@
{ config, lib, fp, ... }:
{
config,
lib,
fp,
...
}:
let
synapseConfig = config.services.matrix-synapse-next;
matrixDomain = "matrix.pvv.ntnu.no";
@@ -20,10 +25,12 @@ in
};
services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
"org.matrix.msc4143.rtc_foci" = [{
type = "livekit";
livekit_service_url = "https://${matrixDomain}/livekit/jwt";
}];
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${matrixDomain}/livekit/jwt";
}
];
};
services.livekit = {
@@ -43,7 +50,12 @@ in
keyFile = config.sops.templates."matrix-livekit-keyfile".path;
};
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (
builtins.concatStringsSep "," [
"pvv.ntnu.no"
"dodsorf.as"
]
);
services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
locations."^~ /livekit/jwt/" = {


@@ -1,4 +1,9 @@
{ config, lib, fp, ... }:
{
config,
lib,
fp,
...
}:
{
sops.secrets."matrix/mjolnir/access_token" = {


@@ -1,4 +1,11 @@
{ config, pkgs, lib, values, fp, ... }:
{
config,
pkgs,
lib,
values,
fp,
...
}:
let
cfg = config.services.matrix-ooye;
in


@@ -1,4 +1,9 @@
{ lib, buildPythonPackage, fetchFromGitHub, setuptools }:
{
lib,
buildPythonPackage,
fetchFromGitHub,
setuptools,
}:
buildPythonPackage rec {
pname = "matrix-synapse-smtp-auth";


@@ -1,5 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
# This service requires you to have access to endpoints not available over the internet
# Use an ssh proxy or similar to access this dashboard.


@@ -1,4 +1,9 @@
{ config, lib, utils, ... }:
{
config,
lib,
utils,
...
}:
let
cfg = config.services.synapse-auto-compressor;
in


@@ -1,13 +1,23 @@
{ config, lib, fp, pkgs, values, inputs, ... }:
{
config,
lib,
fp,
pkgs,
values,
inputs,
...
}:
let
cfg = config.services.matrix-synapse-next;
matrix-lib = inputs.matrix-next.lib;
imap0Attrs = with lib; f: set:
listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
in {
imap0Attrs =
with lib;
f: set: listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
in
{
sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key";
sopsFile = fp /secrets/bicep/matrix.yaml;
@@ -23,7 +33,9 @@ in {
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
content = ''
registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
registration_shared_secret: ${
config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"
}
'';
};
@@ -68,7 +80,7 @@ in {
signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path;
media_store_path = "${cfg.dataDir}/media";
media_store_path = "${cfg.dataDir}/media";
database = {
name = "psycopg2";
@@ -110,7 +122,8 @@ in {
password_config.enabled = true;
modules = [
{ module = "smtp_auth_provider.SMTPAuthProvider";
{
module = "smtp_auth_provider.SMTPAuthProvider";
config = {
smtp_host = "smtp.pvv.ntnu.no";
};
@@ -183,61 +196,79 @@ in {
services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
{
kTLS = true;
}
{
locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
allow 127.0.0.1;
allow ::1;
allow ${values.hosts.bicep.ipv4};
allow ${values.hosts.bicep.ipv6};
deny all;
'';
};
}
{
locations = let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
{
kTLS = true;
}
{
locations."/_synapse/admin" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
allow 127.0.0.1;
allow ::1;
allow ${values.hosts.bicep.ipv4};
allow ${values.hosts.bicep.ipv6};
deny all;
'';
};
}
{
locations =
let
connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
socketAddress =
w:
let
c = connectionInfo w;
in
"${c.host}:${toString c.port}";
metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in lib.mapAttrs' (n: v: lib.nameValuePair
(metricsPath v) {
proxyPass = proxyPath v;
metricsPath = w: "/metrics/${w.type}/${toString w.index}";
proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
in
lib.mapAttrs' (
n: v:
lib.nameValuePair (metricsPath v) {
proxyPass = proxyPath v;
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
}
) cfg.workers.instances;
}
{
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
})
cfg.workers.instances;
}
{
locations."/metrics/master/1" = {
proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
};
};
locations."/metrics/" = let
endpoints = lib.pipe cfg.workers.instances [
(lib.mapAttrsToList (_: v: v))
(map (w: "${w.type}/${toString w.index}"))
(map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
in {
alias = pkgs.writeTextDir "/config.json"
(builtins.toJSON [
{ targets = endpoints;
labels = { };
}]) + "/";
};
}];
locations."/metrics/" =
let
endpoints =
lib.pipe cfg.workers.instances [
(lib.mapAttrsToList (_: v: v))
(map (w: "${w.type}/${toString w.index}"))
(map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
]
++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
in
{
alias =
pkgs.writeTextDir "/config.json" (
builtins.toJSON [
{
targets = endpoints;
labels = { };
}
]
)
+ "/";
};
}
];
}


@@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.pvv-matrix-well-known;
format = pkgs.formats.json { };