diff --git a/flake.lock b/flake.lock index f803298..a2a4e4b 100644 --- a/flake.lock +++ b/flake.lock @@ -18,15 +18,16 @@ ] }, "locked": { - "lastModified": 1712517122, - "narHash": "sha256-ynjRTeXDICFXYbcMdZfl9t7TD0d9RoNzMIq14WmZl0E=", - "ref": "refs/heads/main", - "rev": "d89edef9a1943cbf0150fd70cde25015161410a7", - "revCount": 2433, + "lastModified": 1712910239, + "narHash": "sha256-0Iu86fs3QqmDTEBZ2kJFYeNQc59L0ncW22CnJItDIuE=", + "ref": "synapse", + "rev": "e22501799b2409b9c1db340a25acadc5ff730e4c", + "revCount": 2473, "type": "git", "url": "https://git.clan.lol/clan/clan-core" }, "original": { + "ref": "synapse", "type": "git", "url": "https://git.clan.lol/clan/clan-core" } @@ -39,11 +40,11 @@ ] }, "locked": { - "lastModified": 1711588700, - "narHash": "sha256-vBB5HoQVnA6c/UrDOhLXKAahEwSRccw2YXYHxD7qoi4=", + "lastModified": 1712356478, + "narHash": "sha256-kTcEtrQIRnexu5lAbLsmUcfR2CrmsACF1s3ZFw1NEVA=", "owner": "nix-community", "repo": "disko", - "rev": "502241afa3de2a24865ddcbe4c122f4546e32092", + "rev": "0a17298c0d96190ef3be729d594ba202b9c53beb", "type": "github" }, "original": { @@ -59,11 +60,11 @@ ] }, "locked": { - "lastModified": 1712356478, - "narHash": "sha256-kTcEtrQIRnexu5lAbLsmUcfR2CrmsACF1s3ZFw1NEVA=", + "lastModified": 1712798444, + "narHash": "sha256-aAksVB7zMfBQTz0q2Lw3o78HM3Bg2FRziX2D6qnh+sk=", "owner": "nix-community", "repo": "disko", - "rev": "0a17298c0d96190ef3be729d594ba202b9c53beb", + "rev": "a297cb1cb0337ee10a7a0f9517954501d8f6f74d", "type": "github" }, "original": { @@ -94,11 +95,11 @@ }, "nixlib": { "locked": { - "lastModified": 1711241261, - "narHash": "sha256-knrTvpl81yGFHIpm1SsLDApe0thFkw1cl3ISAMPmP/0=", + "lastModified": 1711846064, + "narHash": "sha256-cqfX0QJNEnge3a77VnytM0Q6QZZ0DziFXt6tSCV8ZSc=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "b2a1eeef8c185f6bd27432b053ff09d773244cbc", + "rev": "90b1a963ff84dc532db92f678296ff2499a60a87", "type": "github" }, "original": { 
@@ -116,11 +117,11 @@ ] }, "locked": { - "lastModified": 1711626141, - "narHash": "sha256-0qV1pHeIyUZ18cp8ijQnMf7uV+Uk4+UqTCC6yGSGWvk=", + "lastModified": 1712191720, + "narHash": "sha256-xXtSSnVHURHsxLQO30dzCKW5NJVGV/umdQPmFjPFMVA=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "63194fceafbfe583a9eb7d16ab499adc0a6c0bc2", + "rev": "0c15e76bed5432d7775a22e8d22059511f59d23a", "type": "github" }, "original": { @@ -131,11 +132,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1712482522, - "narHash": "sha256-Ai/xNgZpbwGcw0TSXwEPwwbPi8Iu906sB9M9z3o6UgA=", + "lastModified": 1712849433, + "narHash": "sha256-flQtf/ZPJgkLY/So3Fd+dGilw2DKIsiwgMEn7BbBHL0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "efe8ce06ca261f370d672def5b1e0be300c726e1", + "rev": "f173d0881eff3b21ebb29a2ef8bedbc106c86ea5", "type": "github" }, "original": { @@ -164,11 +165,11 @@ "nixpkgs-stable": [] }, "locked": { - "lastModified": 1712458908, - "narHash": "sha256-DMgBS+jNHDg8z3g9GkwqL8xTKXCRQ/0FGsAyrniVonc=", + "lastModified": 1712617241, + "narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=", "owner": "Mic92", "repo": "sops-nix", - "rev": "39191e8e6265b106c9a2ba0cfd3a4dafe98a31c6", + "rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c", "type": "github" }, "original": { @@ -184,11 +185,11 @@ ] }, "locked": { - "lastModified": 1712191870, - "narHash": "sha256-+MzSZ4IuZNT4QJS8b+gM48thfWkrJ7vL4NV5zG8Lqx8=", + "lastModified": 1712882618, + "narHash": "sha256-TnVDEMpOrOEKhgVMQmkamKVRkQWz3Q4lYgtTnD8G0CQ=", "owner": "numtide", "repo": "srvos", - "rev": "ddafe2fd3547f63e6bf75b6e1a99ecfa61c59687", + "rev": "4f89af165fde1454cb917a5f23e1f82d32541d38", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 4047d45..bbe4db7 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,10 +1,10 @@ { description = "Dependencies to deploy a clan"; - nixConfig = { - extra-substituters = [ "https://cache.clan.lol" ]; - extra-trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ]; - }; + #nixConfig = { + # extra-substituters = [ "https://cache.clan.lol" ]; + # extra-trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ]; + #}; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; @@ -24,7 +24,7 @@ # Use the version of nixpkgs that has been tested to work with SrvOS srvos.inputs.nixpkgs.follows = "nixpkgs"; - clan-core.url = "git+https://git.clan.lol/clan/clan-core"; + clan-core.url = "git+https://git.clan.lol/clan/clan-core?ref=synapse"; clan-core.inputs.flake-parts.follows = "flake-parts"; clan-core.inputs.nixpkgs.follows = "nixpkgs"; clan-core.inputs.treefmt-nix.follows = "treefmt-nix"; diff --git a/modules/web01/default.nix b/modules/web01/default.nix index fea353a..e2a1022 100644 --- a/modules/web01/default.nix +++ b/modules/web01/default.nix @@ -2,12 +2,12 @@ imports = [ ./borgbackup.nix ./clan-merge.nix - ./dendrite.nix ./gitea ./harmonia.nix ./homepage.nix ./postfix.nix ./jobs.nix + ./matrix-synapse.nix ../dev.nix self.inputs.clan-core.clanModules.zt-tcp-relay ]; diff --git a/modules/web01/dendrite.nix b/modules/web01/dendrite.nix deleted file mode 100644 index b928330..0000000 --- a/modules/web01/dendrite.nix +++ /dev/null 
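Review bot: Commenting out `nixConfig` silently drops the `cache.clan.lol` substituter and its trusted public key from the flake, so anyone building from this flake now falls back to source builds unless their nix daemon already trusts that cache; if the cache is meant to go away this should be a deletion with a one-line reason, not a commented-out block that the next reader may simply re-enable. If it is only a temporary bypass (the reason is not visible in this diff), record that instead, e.g. `# nixConfig disabled temporarily: <reason>; re-enable once the cache is back`. Leaving the public key in dead code is harmless today but becomes misleading the moment the cache key is rotated.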
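Review bot: `clan-core.url` now tracks the mutable feature branch `synapse` instead of the default branch, so a future `nix flake update` will follow whatever that branch points to (or fail outright once it is deleted after merge) rather than reviewed mainline history; the lock pins rev `e2250179…` so today's build is reproducible, but the intent is not recorded anywhere. Add a reminder next to the input, e.g. `# TODO: revert to the default branch once clan-core's synapse branch is merged`, so the temporary pin is not forgotten.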
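Review bot: Replacing `./dendrite.nix` with `./matrix-synapse.nix` removes the `ensureDatabases`/`ensureUsers` declarations for `dendrite` and the references to the `registration-secret` and `matrix-server-key` sops secrets, but nothing in this diff drops the `dendrite` PostgreSQL database and role on web01 or retires those secrets in the repo, so they remain in place unreferenced. Either drop them deliberately once the migration is confirmed, or note in this import list that they are kept on purpose; the dendrite signing key in particular should not be discarded casually, since it is what remote servers use to verify events the old instance signed. The state on web01 is not visible here, so confirm before deleting anything.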
@@ -1,147 +0,0 @@ -{ config -, pkgs -, ... -}: -let - database = { - connection_string = "postgres:///dendrite?host=/run/postgresql"; - max_open_conns = 100; - max_idle_conns = 5; - conn_max_lifetime = -1; - }; - inherit (config.services.dendrite.settings.global) server_name; - domain = "clan.lol"; - nginx-vhost = "matrix.${domain}"; - element-web = - pkgs.runCommand "element-web-with-config" - { - nativeBuildInputs = [ pkgs.buildPackages.jq ]; - } '' - cp -r ${pkgs.element-web} $out - chmod -R u+w $out - jq '."default_server_config"."m.homeserver" = { "base_url": "https://${nginx-vhost}:443", "server_name": "${server_name}" }' \ - > $out/config.json < ${pkgs.element-web}/config.json - ln -s $out/config.json $out/config.${nginx-vhost}.json - ''; -in -{ - services.dendrite = { - enable = true; - httpPort = 8043; - # $ echo "REGISTRATION_SHARED_SECRET=$(openssl rand -base64 32)" - - # To create a user: - # $ password=$(nix run "nixpkgs#xkcdpass" -- -n 3 -d-) - # $ shared_secret=$(sops -d --extract '["registration-secret"]' ./secrets.yaml| sed s/REGISTRATION_SHARED_SECRET=//) - # $ nix shell "nixpkgs#matrix-synapse" -c register_new_matrix_user --password "${password}" --shared-secret "${shared_secret}" "https://matrix.clan.lol:443" - environmentFile = config.sops.secrets.registration-secret.path; - - settings = { - sync_api.search = { - enabled = true; - index_path = "/var/lib/dendrite/searchindex"; - }; - global = { - server_name = domain; - # `private_key` has the type `path` - # prefix a `/` to make `path` happy - private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key"; - trusted_third_party_id_servers = [ - "matrix.org" - "vector.im" - ]; - metrics.enabled = true; - }; - logging = [ - { - type = "std"; - level = "warn"; - } - ]; - app_service_api = { - inherit database; - config_files = [ ]; - }; - client_api = { - registration_disabled = true; - rate_limiting.enabled = false; - registration_shared_secret = ''''${REGISTRATION_SHARED_SECRET}''; - }; - media_api = 
{ - inherit database; - dynamic_thumbnails = true; - }; - room_server = { - inherit database; - }; - push_server = { - inherit database; - }; - relay_api = { - inherit database; - }; - mscs = { - inherit database; - mscs = [ "msc2836" "msc2946" ]; - }; - sync_api = { - inherit database; - real_ip_header = "X-Real-IP"; - }; - key_server = { - inherit database; - }; - federation_api = { - inherit database; - key_perspectives = [ - { - server_name = "matrix.org"; - keys = [ - { - key_id = "ed25519:auto"; - public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - { - key_id = "ed25519:a_RXGa"; - public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; - } - ]; - } - ]; - prefer_direct_fetch = false; - }; - user_api = { - account_database = database; - device_database = database; - }; - }; - }; - - systemd.services.dendrite.serviceConfig.LoadCredential = [ - # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key' - "matrix-server-key:${config.sops.secrets.matrix-server-key.path}" - ]; - - systemd.services.dendrite.after = [ "postgresql.service" ]; - services.postgresql = { - ensureDatabases = [ "dendrite" ]; - ensureUsers = [{ - name = "dendrite"; - ensureDBOwnership = true; - }]; - }; - - services.nginx.virtualHosts.${nginx-vhost} = { - forceSSL = true; - enableACME = true; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_read_timeout 600; - ''; - locations."/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}"; - # for remote admin access - locations."/_synapse".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}"; - locations."/".root = element-web; - }; -} diff --git a/modules/web01/homepage.nix b/modules/web01/homepage.nix index 0072985..6de7afb 100644 --- a/modules/web01/homepage.nix +++ b/modules/web01/homepage.nix 
@@ -26,7 +26,7 @@ forceSSL = true; enableACME = true; # to be deployed via rsync - root = "/var/www"; + root = "/var/www/clan.lol"; extraConfig = '' charset utf-8; source_charset utf-8; diff --git a/modules/web01/matrix-synapse.nix b/modules/web01/matrix-synapse.nix new file mode 100644 index 0000000..a32db76 --- /dev/null +++ b/modules/web01/matrix-synapse.nix @@ -0,0 +1,6 @@ +{ self, ... }: +{ + imports = [ self.inputs.clan-core.clanModules.matrix-synapse ]; + clan.matrix-synapse.enable = true; + clan.matrix-synapse.domain = "clan.lol"; +} diff --git a/sops/secrets/web01-synapse-registration_shared_secret/machines/web01 b/sops/secrets/web01-synapse-registration_shared_secret/machines/web01 new file mode 120000 index 0000000..a3c776b --- /dev/null +++ b/sops/secrets/web01-synapse-registration_shared_secret/machines/web01 @@ -0,0 +1 @@ +../../../machines/web01 \ No newline at end of file diff --git a/sops/secrets/web01-synapse-registration_shared_secret/secret b/sops/secrets/web01-synapse-registration_shared_secret/secret new file mode 100644 index 0000000..944a144 --- /dev/null +++ b/sops/secrets/web01-synapse-registration_shared_secret/secret 
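Review bot: Keeping `server_name` `clan.lol` while switching implementations means Synapse will generate a fresh ed25519 signing key, whereas remote homeservers have cached dendrite's key under the same server name; unless the old key is imported or listed as an old signing key, events the dendrite instance signed will fail verification and federation for rooms joined before the cutover can break. The clan-core `matrix-synapse` module is not visible in this diff, so confirm whether it offers a way to carry over `matrix-server-key`, and document the decision in this file, e.g. `# NOTE: fresh signing key; dendrite history is not migrated, so federation with pre-cutover rooms is expected to break`. Also, the registration shared secret this module consumes permits admin-account creation through the Synapse admin API without any user login; the removed dendrite config proxied `/_synapse` publicly "for remote admin access", so verify the module's nginx vhost does not expose `/_synapse/admin` the same way.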
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:WiZs10+sI+bNAwM4pVvIgpCkLF+2xStvOzKE3U2P4TmVGFu4GN3xf3oh1hbaM1wFBVXs9BCvXsFn23ja6w==,iv:9rvQ7cEelvD+i2n7vFWFmmWgbhCdk9UsUkOMh2wrnXk=,tag:u/DKSOhKyVXHwzA8lLlJow==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6RGdKOTF6RVdqQ2t1allZ\nckxuTUx0T1o0LzhiTUdpeTFVb0RjWnJHaW5RCitwWDNBVlZIT0ZORkt4dHRDTWpM\nd3dENW01T01Pa2F6RUxocGliSXpvOEUKLS0tIHQwMDZuUjJjZHBOd3o4TDNXWDF3\nSmZ3TkhzYXpta2I5MjYrRDNTclBFT00KcqGkVoI8aIAEr/5W2U1KXef4e8fl6nmZ\nzC5ZZcx3lQhvjHIHzEvFIVVSGKO+6qEB/boGxRtslkX9dZMRgoqNlg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VVoySlc2dzBOdEVOUVRK\neC9VbGZpS2VHWWxzV2FPUWVDaE9HV1VZWUIwCkxrZzdoRTNkc1NSOHMvQVRLVjVo\nUllQU1Jia1VRcXZmWXZlZE1IbkRDUjQKLS0tIFkyQ1QwdEt0TndwdjA3VTBqdjhR\nTUxyV3RjUVhRSER0U2NrYy84R2ZBM1kKk4mDrYMD0izfhXx9k0Vqj/2TjjH8YJOT\nKL+AMnUtB843H5EUQH/OLKfaf6N2kl2/UHcFWZQd5Z23kwZ2NNOzDg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-04-04T16:03:10Z", + "mac": "ENC[AES256_GCM,data:naOhP4Q6AhGH0pUWPab1CiIF/6BU2lxa4e7pqfjx46zmu7M31Ia9Xh5GLf0YOuidsHi/QwGPL3+t5EMBaVZN0rVGgGuGEFz4IqJxWskRDWwM9kggxvKfiRJjMxY3gVsXhkKjpMVBTcNNOBgVPf/cbREMkL9QpQjncMIkQYFbQS8=,iv:wGdKkjuRAOZYfJJsDv5F5KzBo5yPeYvx5UHG1i3Chx8=,tag:OYKF5j3znT3SmLSN9imPsg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/sops/secrets/web01-synapse-registration_shared_secret/users/joerg b/sops/secrets/web01-synapse-registration_shared_secret/users/joerg new file mode 120000 index 0000000..4c1fba9 --- /dev/null 
+++ b/sops/secrets/web01-synapse-registration_shared_secret/users/joerg @@ -0,0 +1 @@ +../../../users/joerg \ No newline at end of file