From 077449e85364ac8e8c5887410793c6e150d8c655 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Thu, 28 Dec 2023 14:32:47 +0000
Subject: [PATCH] split config into different modules. Hope i didn't break anything :)
---
.gitignore | 1 +
configuration.nix | 217 +---------------------------------------------
flake.nix | 6 ++
gitea.nix | 34 ++++++++
letsencrypt.nix | 17 ++++
matrix.nix | 156 +++++++++++++++++++++++++++++++++
puffer.nix | 35 ++++++++
result | 1 -
8 files changed, 252 insertions(+), 215 deletions(-)
create mode 100644 .gitignore
create mode 100644 gitea.nix
create mode 100644 letsencrypt.nix
create mode 100644 matrix.nix
create mode 100644 puffer.nix
delete mode 120000 result
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b2be92b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+result
diff --git a/configuration.nix b/configuration.nix
index 10b447f..1e21412 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -5,129 +5,11 @@ let
 # git add --intent-to-add email.txt ; git update-index --assume-unchanged email.txt
 root_email = (builtins.elemAt (lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt)) 0);
- puffer_port = 8080;
- puffer_sftp_port = 5657;
- puffer_host = "puffer.${root_host}";
-
- gitea_host = "git.${root_host}";
- gitea_port = 8081;
-
- matrix_host = "matrix.${root_host}";
 in {
 imports = [ ./hardware-configuration.nix ];
- services.postgresql = {
- enable = true;
- # CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
- ensureDatabases = [ "synapse" ];
- package = pkgs.postgresql_15;
- ensureUsers = [
- {
- name = "synapse";
- ensureDBOwnership = true;
- }
- ];
- authentication = pkgs.lib.mkOverride 10 ''
- #type database DBuser auth-method
-local all postgres peer
-local all all peer
-host all all 127.0.0.1/32 md5
-host synapse matrix-synapse ::1/128 md5
-host all all ::1/128 md5
-local replication all peer
-host replication all 127.0.0.1/32 md5
-host replication all ::1/128 md5
- '';
- identMap = ''
- # ArbitraryMapName systemUser DBUser
- superuser_map root postgres
- superuser_map matrix-synapse synapse
- superuser_map postgres postgres
- # Let other names login as themselves
- superuser_map /^(.*)$ \1
- '';
- };
-
- systemd.services.postgresql.postStart = let
- password_file_path = config.age.secrets.synapse_db_pass.path;
- in ''
- $PSQL -tA <<'EOF'
- DO $$
- DECLARE password TEXT;
- BEGIN
- password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
- EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password);
- END $$;
- EOF
- '';
-
- services.matrix-synapse-next = {
- enable = true;
-
- workers.federationSenders = 1;
- workers.federationReceivers = 1;
- workers.initialSyncers = 1;
- workers.normalSyncers = 1;
- workers.eventPersisters = 2;
- workers.useUserDirectoryWorker = true;
-
- enableNginx = true;
- enableSlidingSync = false;
-
- settings = {
- server_name = root_host;
- public_baseurl = "https://${root_host}";
- enable_registration = false;
- enable_registration_without_verification = true;
-
-# registrations_require_3pid = [ "email" ];
- database = {
- name = "psycopg2";
- args = {
- host = "localhost";
- port = 5432;
- dbname = "synapse";
- user = "synapse";
- cp_min = 5;
- cp_max = 10;
- client_encoding = "auto";
- passfile = config.age.secrets.synapse_db_pass_prepared.path;
- };
- };
- };
- };
- services.redis.servers."".enable = true;
-
- services.gitea = {
- enable = true;
- settings = {
- service.DISABLE_REGISTRATION = true;
- server = {
- HTTP_PORT = gitea_port;
- ROOT_URL = "https://${gitea_host}/";
- DISABLE_SSH = true;
- };
-# log.LEVEL = "Debug";
- };
- lfs.enable = true;
- };
-
- age.secrets = {
- synapse_db_pass = {
- file = ./secrets/synapse_db_pass.age;
- owner = "postgres";
- group = "postgres";
- };
- synapse_db_pass_prepared = {
- file = ./secrets/synapse_db_pass_prepared.age;
- owner = "matrix-synapse";
- group = "matrix-synapse";
- mode = "0600";
- };
- };
-
 users.users.grimmauld = {
 isNormalUser = true;
 description = "grimmauld";
@@ -164,53 +46,25 @@ host replication all ::1/128 md5
 pypy3 ];
- security.acme = {
- acceptTerms = true;
- defaults.email = root_email;
- certs."${root_host}" = {
- webroot = "/var/lib/acme/acme-challenge/";
- extraDomainNames = [ puffer_host gitea_host];
- };
- };
-
 environment.sessionVariables = {
 NIXPKGS_ALLOW_UNFREE="1";
 OMP_NUM_THREADS = "4";
 };
- users.users.nginx.extraGroups = [ "acme" ];
-
 networking.firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 8448 8008 ];
+ allowedTCPPorts = [ 80 443 ];
 allowPing = true;
- allowedUDPPortRanges = [
-# { from = 4000; to = 4007; }
- ];
+ allowedUDPPortRanges = [];
 };
- services.pufferpanel = {
- enable = true;
- environment = {
- PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
- PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
- };
- extraPackages = with pkgs; [ jdk17_headless ];
- extraGroups = [ "podman" "docker" ];
- };
-
- virtualisation.podman.enable = true;
- virtualisation.docker.enable = true;
-
- services.nginx.package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
+# services.nginx.package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
 services.nginx = {
 enable = true;
 recommendedGzipSettings = true;
 recommendedOptimisation = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
-
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
 virtualHosts."${root_host}" = {
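Review bot: Removing `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` with no replacement silently hands cipher selection to the nginx module default under `recommendedTlsSettings = true`; that default is not visible in this diff, so verify the negotiated suites after deploy rather than assuming the old policy still holds. The libressl line is commented out instead of deleted, leaving no record of why nginx now links the stock openssl — drop it or replace it with a reason, e.g. `# default openssl build; the libressl override is no longer needed`. Trimming `allowedTCPPorts` to `[ 80 443 ]` is a net gain (8008 is presumably the unencrypted synapse listener, and federation is delegated to :443 by the `.well-known/matrix/server` response in matrix.nix), but note that puffer.nix re-adds `puffer_sftp_port` and 25565, so the effective open set is wider than this hunk suggests. The `services.nginx = {` block continues past the end of the hunk.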
@@ -220,71 +74,6 @@ host replication all ::1/128 md5
 locations."/" = {
 root = "/var/www/grimmauld.duckdns.org";
 };
- locations."/.well-known/matrix/server" = {
- return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
- extraConfig = ''
-default_type application/json;
-add_header Access-Control-Allow-Origin *;
-add_header Accept-Ranges bytes;'';
- };
- locations."/.well-known/matrix/client" = {
- return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${matrix_host}\"}}'";
- extraConfig = ''
-add_header Access-Control-Allow-Origin *;
-default_type application/json;
-'';
- };
- locations."/_matrix" = {
- proxyPass = "http://$synapse_backend";
- extraConfig = ''
- add_header X-debug-backend $synapse_backend;
- add_header X-debug-group $synapse_uri_group;
- client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
- proxy_read_timeout 10m;
- '';
- };
- locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
- proxyPass = "http://$synapse_backend";
- extraConfig = ''
- proxy_read_timeout 1h;
- '';
- };
- locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
- proxyPass = "http://synapse_worker_initial_sync";
- extraConfig = ''
- proxy_read_timeout 1h;
- '';
- };
- locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
- proxyPass = "http://synapse_worker_initial_sync";
- extraConfig = ''
- proxy_read_timeout 1h;
- '';
- };
- locations."/_synapse/client" = {
- proxyPass = "http://$synapse_backend";
- };
- locations."/.well-known/matrix" = {
- proxyPass = "http://$synapse_backend";
- };
- };
-
- virtualHosts."${puffer_host}" = {
- serverName = puffer_host;
- forceSSL = true;
- useACMEHost = root_host;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
- };
- };
-
- virtualHosts."${gitea_host}" = {
- serverName = gitea_host;
- forceSSL = true;
- useACMEHost = root_host;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${builtins.toString gitea_port}";
- };
 };
 };
diff --git a/flake.nix b/flake.nix
index b09d14e..ba4a83c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,12 +15,18 @@ outputs = { nixos-matrix-modules, self, nixpkgs, agenix }: let
 system = "x86_64-linux";
+ root_host = "grimmauld.de";
+ test_value_1 = "hello world";
 in {
 nixosConfigurations = {
 grimmauld-nixos-server = nixpkgs.lib.nixosSystem {
 inherit system;
 modules = [
 ./configuration.nix
+ ./matrix.nix
+ ./puffer.nix
+ ./gitea.nix
+ ./letsencrypt.nix
 agenix.nixosModules.default
 nixos-matrix-modules.nixosModules.default
 { environment.systemPackages = [ agenix.packages.${system}.default ]; }
diff --git a/gitea.nix b/gitea.nix
new file mode 100644
index 0000000..3f0140c
--- /dev/null
+++ b/gitea.nix
@@ -0,0 +1,34 @@
+{ lib, config, inputs, pkgs, ... }:
+let
+ root_host = "grimmauld.de";
+ gitea_host = "git.${root_host}";
+ gitea_port = 8081;
+in {
+ services.gitea = {
+ enable = true;
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+ server = {
+ HTTP_PORT = gitea_port;
+ ROOT_URL = "https://${gitea_host}/";
+ DISABLE_SSH = true;
+ };
+# log.LEVEL = "Debug";
+ };
+ lfs.enable = true;
+ };
+ security.acme.certs."${root_host}".extraDomainNames = [ gitea_host];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${gitea_host}" = {
+ serverName = gitea_host;
+ forceSSL = true;
+ useACMEHost = root_host;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString gitea_port}";
+ };
+ };
+ };
+}
+
diff --git a/letsencrypt.nix b/letsencrypt.nix
new file mode 100644
index 0000000..1b76da5
--- /dev/null
+++ b/letsencrypt.nix
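Review bot: The `root_host` and `test_value_1` bindings added to the flake's `let` are dead — nothing passes them into the modules, and matrix.nix, puffer.nix, gitea.nix and letsencrypt.nix each hardcode their own `root_host = "grimmauld.de";`, so the domain now lives in five places that must stay identical or the ACME cert name and the `useACMEHost` vhosts drift apart. Delete `test_value_1` and feed the host to the modules once, e.g. `specialArgs = { inherit root_host; };` beside `inherit system;`, with each module taking `root_host` from its argument set instead of redefining it. Those modules also list `inputs` in their argument pattern although the flake never supplies it; harmless while unused, but it will presumably fail evaluation as soon as a module reads it, so either supply it through `specialArgs` or drop the argument.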
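Review bot: `HTTP_PORT = gitea_port` is set without an `HTTP_ADDR`, so gitea listens on the module's default bind address — to my knowledge `0.0.0.0` in nixpkgs — even though its only intended client is the nginx proxy on `127.0.0.1:8081`; add `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` so reachability does not depend solely on the firewall list in configuration.nix. `DISABLE_REGISTRATION = true` and `DISABLE_SSH = true` are the right defaults for a single-user forge. The `# log.LEVEL = "Debug";` line is commented-out code carried over from configuration.nix and `[ gitea_host]` is missing its space — clean both up while the file is new.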
@@ -0,0 +1,17 @@
+{ lib, config, inputs, pkgs, ... }:
+let
+ root_host = "grimmauld.de";
+
+ # git add --intent-to-add email.txt ; git update-index --assume-unchanged email.txt
+ root_email = (builtins.elemAt (lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt)) 0);
+in {
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = root_email;
+ certs."${root_host}" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+}
diff --git a/matrix.nix b/matrix.nix
new file mode 100644
index 0000000..4a8f302
--- /dev/null
+++ b/matrix.nix
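Review bot: `lib.strings.match` returns `null` when email.txt is empty or holds more than one token, and `builtins.elemAt null 0` then aborts evaluation with a generic type error instead of pointing at the file; the `root_email` line should check for that: `root_email = let m = lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt); in if m == null then throw "email.txt must contain exactly one address" else builtins.elemAt m 0;`. The `--assume-unchanged` trick keeps the address out of commits, but under flakes the whole source tree including email.txt is copied into the world-readable store, so this pattern is acceptable for a contact address and must not be reused for secrets — worth stating in the comment above it, since `age.secrets` is what the repo already uses for real secrets. Note also that `extraDomainNames` for this cert is now contributed from gitea.nix and puffer.nix; that merges correctly, but the cert's SAN list now silently depends on those modules being imported.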
@@ -0,0 +1,156 @@
+{ lib, config, inputs, pkgs, ... }:
+let
+ root_host = "grimmauld.de";
+ matrix_host = "matrix.${root_host}";
+in {
+services.postgresql = {
+ enable = true;
+ # CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
+ ensureDatabases = [ "synapse" ];
+ package = pkgs.postgresql_15;
+ ensureUsers = [
+ {
+ name = "synapse";
+ ensureDBOwnership = true;
+ }
+ ];
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+local all postgres peer
+local all all peer
+host all all 127.0.0.1/32 md5
+host synapse matrix-synapse ::1/128 md5
+host all all ::1/128 md5
+local replication all peer
+host replication all 127.0.0.1/32 md5
+host replication all ::1/128 md5
+ '';
+ identMap = ''
+ # ArbitraryMapName systemUser DBUser
+ superuser_map root postgres
+ superuser_map matrix-synapse synapse
+ superuser_map postgres postgres
+ # Let other names login as themselves
+ superuser_map /^(.*)$ \1
+ '';
+ };
+
+ systemd.services.postgresql.postStart = let
+ password_file_path = config.age.secrets.synapse_db_pass.path;
+ in ''
+ $PSQL -tA <<'EOF'
+ DO $$
+ DECLARE password TEXT;
+ BEGIN
+ password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
+ EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password);
+ END $$;
+ EOF
+ '';
+
+ services.matrix-synapse-next = {
+ enable = true;
+
+ workers.federationSenders = 1;
+ workers.federationReceivers = 1;
+ workers.initialSyncers = 1;
+ workers.normalSyncers = 1;
+ workers.eventPersisters = 2;
+ workers.useUserDirectoryWorker = true;
+
+ enableNginx = true;
+ enableSlidingSync = false;
+
+ settings = {
+ server_name = root_host;
+ public_baseurl = "https://${root_host}";
+ enable_registration = false;
+ enable_registration_without_verification = true;
+
+# registrations_require_3pid = [ "email" ];
+ database = {
+ name = "psycopg2";
+ args = {
+ host = "localhost";
+ port = 5432;
+ dbname = "synapse";
+ user = "synapse";
+ cp_min = 5;
+ cp_max = 10;
+ client_encoding = "auto";
+ passfile = config.age.secrets.synapse_db_pass_prepared.path;
+ };
+ };
+ };
+ };
+ services.redis.servers."".enable = true;
+
+ age.secrets.synapse_db_pass = {
+ file = ./secrets/synapse_db_pass.age;
+ owner = "postgres";
+ group = "postgres";
+ };
+ age.secrets.synapse_db_pass_prepared = {
+ file = ./secrets/synapse_db_pass_prepared.age;
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ mode = "0600";
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${root_host}" = {
+ forceSSL = true;
+ enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies
+ useACMEHost = root_host;
+ locations."/.well-known/matrix/server" = {
+ return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
+ extraConfig = ''
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+add_header Accept-Ranges bytes;'';
+ };
+ locations."/.well-known/matrix/client" = {
+ return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${matrix_host}\"}}'";
+ extraConfig = ''
+add_header Access-Control-Allow-Origin *;
+default_type application/json;
+'';
+ };
+ locations."/_matrix" = {
+ proxyPass = "http://$synapse_backend";
+ extraConfig = ''
+ add_header X-debug-backend $synapse_backend;
+ add_header X-debug-group $synapse_uri_group;
+ client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
+ proxy_read_timeout 10m;
+ '';
+ };
+ locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
+ proxyPass = "http://$synapse_backend";
+ extraConfig = ''
+ proxy_read_timeout 1h;
+ '';
+ };
+ locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
+ proxyPass = "http://synapse_worker_initial_sync";
+ extraConfig = ''
+ proxy_read_timeout 1h;
+ '';
+ };
+ locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
+ proxyPass = "http://synapse_worker_initial_sync";
+ extraConfig = ''
+ proxy_read_timeout 1h;
+ '';
+ };
+ locations."/_synapse/client" = {
+ proxyPass = "http://$synapse_backend";
+ };
+ locations."/.well-known/matrix" = {
+ proxyPass = "http://$synapse_backend";
+ };
+ };
+ };
+# networking.firewall.allowedTCPPorts = [ 8448 8008 ];
+}
diff --git a/puffer.nix b/puffer.nix
new file mode 100644
index 0000000..6723127
--- /dev/null
+++ b/puffer.nix
@@ -0,0 +1,35 @@
+{ lib, config, inputs, pkgs, ... }:
+let
+ root_host = "grimmauld.de";
+ puffer_port = 8080;
+ puffer_sftp_port = 5657;
+ puffer_host = "puffer.${root_host}";
+in {
+ services.pufferpanel = {
+ enable = true;
+ environment = {
+ PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
+ PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
+ };
+ extraPackages = with pkgs; [ jdk17_headless ];
+ extraGroups = [ "podman" "docker" ];
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${puffer_host}" = {
+ serverName = puffer_host;
+ forceSSL = true;
+ useACMEHost = root_host;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
+ };
+ };
+ };
+ security.acme.certs."${root_host}".extraDomainNames = [ puffer_host ];
+ networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 ];
+
+ virtualisation.podman.enable = true;
+ virtualisation.docker.enable = true;
+
+}
diff --git a/result b/result
deleted file mode 120000
index de4f83a..0000000
--- a/result
+++ /dev/null
@@ -1 +0,0 @@
-/nix/store/wf6nyixk6236i1h6ws7yn3lnq7plhyd8-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc
\ No newline at end of file
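Review bot: `enable_registration_without_verification = true;` sitting next to `enable_registration = false;` is a trap: it is inert now, but the first time registration is switched on the server accepts unverified open sign-ups — remove the line so the safe setting is the one that has to be consciously changed. The `add_header X-debug-backend $synapse_backend;` and `X-debug-group` headers in `locations."/_matrix"` reveal internal upstream routing to every client and should not ship in the production vhost. In `postStart`, `format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password)` splices the password in with `%s`, so a value containing a single quote breaks or alters the statement; use the literal-quoting placeholder: `EXECUTE format('ALTER ROLE synapse WITH PASSWORD %L;', password);`. The `identMap` entries are also inert as written, because none of the `peer` lines in `authentication` carry `map=superuser_map` — harmless given synapse authenticates over TCP with `passfile`, but it reads as if the mapping were active.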
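Review bot: `PUFFER_WEB_HOST = ":8080"` binds the panel on every interface although its only legitimate client is the nginx vhost proxying to `127.0.0.1:8080`; bind it to loopback, `PUFFER_WEB_HOST = "127.0.0.1:${builtins.toString puffer_port}";`, so exposure does not depend on the firewall list alone. `extraGroups = [ "podman" "docker" ]` puts the pufferpanel service in the `docker` group, which is root-equivalent on the host (docker-socket access can mount `/` into a privileged container), so a compromise of this internet-facing panel is a root compromise — pick one runtime, preferably podman, and leave a comment recording the trade-off if docker really is required. Opening `puffer_sftp_port` (5657) and 25565 to the world carries over from the old config, but nothing here shows how the SFTP daemon authenticates; confirm that before relying on it.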