begin testing
parent
5cd83c813e
commit
f846ca8dd0
9 changed files with 178 additions and 31 deletions
0
.gitmodules
vendored
Normal file
0
.gitmodules
vendored
Normal file
|
@ -16,12 +16,91 @@ in {
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
services.gitea = {
|
services.postgresql = {
|
||||||
|
enable = true;
|
||||||
|
ensureDatabases = [ "matrix-synapse" ];
|
||||||
|
package = pkgs.postgresql_15;
|
||||||
|
ensureUsers = [
|
||||||
|
{
|
||||||
|
# name = "synapse";
|
||||||
|
name = "matrix-synapse";
|
||||||
|
ensureDBOwnership = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
authentication = pkgs.lib.mkOverride 10 ''
|
||||||
|
#type database DBuser auth-method
|
||||||
|
local all postgres peer
|
||||||
|
local all all peer
|
||||||
|
host all all 127.0.0.1/32 md5
|
||||||
|
host synapse matrix-synapse ::1/128 md5
|
||||||
|
host all all ::1/128 md5
|
||||||
|
local replication all peer
|
||||||
|
host replication all 127.0.0.1/32 md5
|
||||||
|
host replication all ::1/128 md5
|
||||||
|
'';
|
||||||
|
identMap = ''
|
||||||
|
# ArbitraryMapName systemUser DBUser
|
||||||
|
superuser_map root postgres
|
||||||
|
superuser_map matrix-synapse synapse
|
||||||
|
superuser_map postgres postgres
|
||||||
|
# Let other names login as themselves
|
||||||
|
superuser_map /^(.*)$ \1
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.postgresql.postStart = let
|
||||||
|
password_file_path = config.age.secrets.synapse_db_pass.path;
|
||||||
|
in ''
|
||||||
|
$PSQL -tA <<'EOF'
|
||||||
|
DO $$
|
||||||
|
DECLARE password TEXT;
|
||||||
|
BEGIN
|
||||||
|
password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
|
||||||
|
EXECUTE format('ALTER ROLE matrix-synapse WITH PASSWORD '''%s''';', password);
|
||||||
|
END $$;
|
||||||
|
EOF
|
||||||
|
'';
|
||||||
|
|
||||||
|
services.matrix-synapse-next = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
workers.federationSenders = 1;
|
||||||
|
workers.federationReceivers = 1;
|
||||||
|
workers.initialSyncers = 1;
|
||||||
|
workers.normalSyncers = 1;
|
||||||
|
workers.eventPersisters = 2;
|
||||||
|
workers.useUserDirectoryWorker = true;
|
||||||
|
|
||||||
|
enableNginx = true;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
server_name = root_host;
|
||||||
|
enable_registration = true;
|
||||||
|
|
||||||
|
|
||||||
|
macaroon_secret_key = "supersecretsecretkey";
|
||||||
|
registrations_require_3pid = [ "email" ];
|
||||||
|
database = {
|
||||||
|
name = "psycopg2";
|
||||||
|
args = {
|
||||||
|
# host = "localhost";
|
||||||
|
# user = "synapse";
|
||||||
|
passfile = config.age.secrets.synapse_db_pass_prepared.path;
|
||||||
|
# password = "synapse";
|
||||||
|
# dbname = "synapse";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.redis.servers."".enable = true;
|
||||||
|
|
||||||
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
service.DISABLE_REGISTRATION = true;
|
service.DISABLE_REGISTRATION = true;
|
||||||
server = {
|
server = {
|
||||||
HTTP_PORT = gitea_port;
|
HTTP_PORT = gitea_port;
|
||||||
|
ROOT_URL = "https://${gitea_host}/";
|
||||||
DISABLE_SSH = true;
|
DISABLE_SSH = true;
|
||||||
};
|
};
|
||||||
# log.LEVEL = "Debug";
|
# log.LEVEL = "Debug";
|
||||||
|
@ -30,7 +109,18 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets = {
|
age.secrets = {
|
||||||
duckdns_token.file = ./secrets/duckdns_token.age;
|
synapse_db_pass = {
|
||||||
|
file = ./secrets/synapse_db_pass.age;
|
||||||
|
owner = "postgres";
|
||||||
|
group = "postgres";
|
||||||
|
};
|
||||||
|
synapse_db_pass_prepared = {
|
||||||
|
file = ./secrets/synapse_db_pass_prepared.age;
|
||||||
|
owner = "matrix-synapse";
|
||||||
|
group = "matrix-synapse";
|
||||||
|
};
|
||||||
|
|
||||||
|
# duckdns_token.file = ./secrets/duckdns_token.age;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.grimmauld = {
|
users.users.grimmauld = {
|
||||||
|
@ -69,15 +159,15 @@ in {
|
||||||
pypy3
|
pypy3
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.services = {
|
# systemd.services = {
|
||||||
dynamic-dns-updater = {
|
# dynamic-dns-updater = {
|
||||||
path = [
|
# path = [
|
||||||
pkgs.curl
|
# pkgs.curl
|
||||||
];
|
# ];
|
||||||
script = ''curl "https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip="'';
|
# script = ''curl "https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip="'';
|
||||||
startAt = "hourly";
|
# startAt = "hourly";
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
|
@ -97,7 +187,7 @@ in {
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 ];
|
allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 8448 ];
|
||||||
allowPing = true;
|
allowPing = true;
|
||||||
allowedUDPPortRanges = [
|
allowedUDPPortRanges = [
|
||||||
# { from = 4000; to = 4007; }
|
# { from = 4000; to = 4007; }
|
||||||
|
|
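Review bot: `macaroon_secret_key = "supersecretsecretkey";` in the `services.matrix-synapse-next.settings` block of the first hunk commits a signing secret to the repository, and once the configuration is built it also lands in the Nix store, which every local user can read. The same commit already declares agenix secrets for the database password, so the key fits that pattern: drop the literal from `settings` and supply it from a runtime-decrypted file owned by `matrix-synapse` (how the module accepts an extra config file is not visible on this page). Because the value is now in history, it should be replaced with a freshly generated one rather than just moved. In the same hunk, the `postStart` SQL leaves the hyphenated role name unquoted and wraps the password in hand-written quotes around `%s`; `EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', 'matrix-synapse', password);` lets PostgreSQL quote both.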
36
flake.lock
36
flake.lock
|
@ -64,6 +64,26 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixos-matrix-modules": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs-lib": "nixpkgs-lib"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1701507532,
|
||||||
|
"narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
|
||||||
|
"ref": "refs/heads/master",
|
||||||
|
"rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
|
||||||
|
"revCount": 56,
|
||||||
|
"submodules": true,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://github.com/dali99/nixos-matrix-modules"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"submodules": true,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://github.com/dali99/nixos-matrix-modules"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703013332,
|
"lastModified": 1703013332,
|
||||||
|
@ -80,6 +100,21 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs-lib": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1673743903,
|
||||||
|
"narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nixpkgs.lib",
|
||||||
|
"rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nixpkgs.lib",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703255338,
|
"lastModified": 1703255338,
|
||||||
|
@ -99,6 +134,7 @@
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"agenix": "agenix",
|
"agenix": "agenix",
|
||||||
|
"nixos-matrix-modules": "nixos-matrix-modules",
|
||||||
"nixpkgs": "nixpkgs_2"
|
"nixpkgs": "nixpkgs_2"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
|
@ -7,9 +7,13 @@
|
||||||
nixpkgs = {
|
nixpkgs = {
|
||||||
url = "github:NixOS/nixpkgs/nixos-unstable";
|
url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||||
};
|
};
|
||||||
|
nixos-matrix-modules = {
|
||||||
|
url = "git+https://github.com/dali99/nixos-matrix-modules?submodules=1";
|
||||||
|
flake = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, agenix }: let
|
outputs = { nixos-matrix-modules, self, nixpkgs, agenix }: let
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
in {
|
in {
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
|
@ -18,6 +22,7 @@
|
||||||
modules = [
|
modules = [
|
||||||
./configuration.nix
|
./configuration.nix
|
||||||
agenix.nixosModules.default
|
agenix.nixosModules.default
|
||||||
|
nixos-matrix-modules.nixosModules.default
|
||||||
{ environment.systemPackages = [ agenix.packages.${system}.default ]; }
|
{ environment.systemPackages = [ agenix.packages.${system}.default ]; }
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
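Review bot: The new `nixos-matrix-modules` input follows the default branch of a third-party repository and is imported as a system-level module through `nixos-matrix-modules.nixosModules.default`, so each `nix flake update` pulls in whatever that branch holds at the time. `flake.lock` pins the current revision, but naming a reviewed commit in the URL keeps updates deliberate, e.g. `url = "git+https://github.com/dali99/nixos-matrix-modules?submodules=1&rev=<reviewed-commit>";` (placeholder). `flake = true;` is the default and can be dropped. The `inputs` attribute set starts outside the hunk.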
2
result
2
result
|
@ -1 +1 @@
|
||||||
/nix/store/xgpf9yaqayh48k3fa25dzck2xlnvcxdd-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc
|
/nix/store/wf6nyixk6236i1h6ws7yn3lnq7plhyd8-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc
|
|
@ -1,16 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-rsa jWbwAg
|
|
||||||
qN28qDzdvyx8S8xv1P9nFb1TK14sDnJhF56LVY0G3h6Q8nB02kw3bSJxYBzBs1qO
|
|
||||||
US2Ci80+IvxKztMAVsI7Hd5u7nKNahxDRCDUZiszETXNZukCLFFWK9ouy7YBRgaI
|
|
||||||
is44FImbdlua7kq1a9Lpuro04DfWhuG7X0/0ZBiPikI5fWRNAMMoP1ZRQqqlBVPj
|
|
||||||
fWWSbKa7C0jdBvfzOXSImtU0uuNjCshxsOF4sF7YLY6qlxc8xZdZnyIFRgm6XO7Z
|
|
||||||
qyeKNkMe1ufssrmquQI9ZgC1LGc+k9VhRtHoSxq1sFNeBBNF1AL4Lh4CReUr0gC1
|
|
||||||
NKSiCMq57hBlhLr8jlEG/p6MQe9vfgyxE9xKvknrdo2ou0N7zPQcWTOuL7EKY8w3
|
|
||||||
ZC+1UolK5qzu0MvN77RBTPY72jIG9h6YSLOfDKduOsvWFG9kBJ/QEzuwhdXjd9jy
|
|
||||||
nyvGcNKQoWl7ASGB3W0jP3Iv5ED4Qxd2O8F3bgwndhU9tBkej+KL9uK6YEXJcsNz
|
|
||||||
5k+J72pdMVtMp4K+XHkdz9fQXedp6M91+gdbEWmvOWUZx67GRq+8aL07nVenJKM6
|
|
||||||
ZyOI3F3fjLLC0DmhEyPVD+nq/W6Ljwx/O7fq1uJjQLPRJPNqYcRaokVmpjXiO23w
|
|
||||||
qT8yVaQxExD26Rn1CIHQQ4piprHVK25oUaJxkO0NYic
|
|
||||||
--- dLuM11zSUY2zLMW30ftenkZdhD//0BW4YSJEDEb0XfA
|
|
||||||
<EFBFBD>Ü•ùa’‡
|
|
||||||
Æÿ&Ú‡äÛ¢^vÝAf°V‰ãÁ;µ ½ìÿÑCαÝêÝ¢D`ÙÛÓ’'‚7ÜîðÖm<C396>Ø泶Á“
|
|
|
@ -3,5 +3,7 @@ let
|
||||||
contabo_nix_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCCsCsjhJleQCBm0gwnUj5R7zewC0SoRvth1qhXtUCeWM3KHkX+CjiHvVaHs+ftYE9uCe5jwVMB+b4UPkNU8EfQeL99iOYtkcn+fEQqjUJe/x/Pn0NxfS1DCvFpI6s3485ysDmagi640XN9S+eIiiMZIqWTsIlUtkEwGF0wuv+xqzbBOlUtIkL2AMpMeFCFovOcpu2JwEAIpDUiW+FanAFImw6rvNmpAtaaFGheYOGJwnpVfdaIeRPqEN3fqtIRBIQVgxt25BGYX83vaIH3Y/OaEKMGUa/4Fe/PRpGJyhCtdae6kcVfx57hs0e7/HezjgfS90HTu2cy6BrJOvGUspCjCbdElddfboE9wtBeNYsgjUOdU926m2M1tTn7Ex6ZMOQRKRlVFac6Yo+CedRTe4u6lkrWcsDdmnajel7uxoW8VMEre/CBCtK+ZlGaDwJjIVNCn7J3KZBKeaB/t/1iSr7/buaXYh5VV1Q0gv0mtvx+D7YLngaTv3sLFpLV8Wk1mgXt9R2hHxcRBKGJYx5RWa8aMHK62RP1GRc5yCzREj2Mc5qUJyd8oirnQYms/BsaDybUJde9IL4REeMzIBYyi/MG/+OAIUSAtdYygABWco+Swv4jP52UODHikcmyejHdFhRngsb4IYzGZXbS5pobkCyqCMJ20v5BG3WNFmujAlXRw==";
|
contabo_nix_pub = "ssh-rsa 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";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
"duckdns_token.age".publicKeys = [ contabo_nix_pub ];
|
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
|
||||||
|
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
|
||||||
|
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
|
||||||
}
|
}
|
||||||
|
|
15
secrets/synapse_db_pass.age
Normal file
15
secrets/synapse_db_pass.age
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-rsa jWbwAg
|
||||||
|
uphSCXWnsU8Ffn8E3G3cQFlU+Op480vwqkDZKcvwGo/7aPeSKvcxpDkkvZbBSpeJ
|
||||||
|
agOsx9umGm2xJd38ss7vUYiTGZFyXVRVR0ECRLUSjmt4U1fbdIXM1JijKPJBNPFf
|
||||||
|
rZWc/+6uXXHFwv0633SyM6swuytmo6jKbdExclY1Q5bwYHfTAUvHaeUW1AFWd24d
|
||||||
|
HWJCLXEY3VK7WvcH3nvpzeNvRMbkaOBrcPnt7rqWmKH0F92tFP3mNiOtbHRZgSe8
|
||||||
|
aJodlNU390gLqED/BOqKjLxCYvfiVSSRu6ziP/h3VKqmC8HDD8e+nSQwS7qMlgXi
|
||||||
|
4i6kgZQr+is1rsU5GMLe+H7jw/ZI+hOxNyutGXi1wd1qgrM1qbCfJmUS8tYUP2kw
|
||||||
|
NsD4+h1xz2Hkop+6MKursOPsD6Vw/TFuNKDXyQstbrz8jU8rP5jvkIn6o7PT4rVm
|
||||||
|
HyJ4sHlabnmqufyVCtjfZz84fyOjHqeoqeS0ST5zH1VcjGh9pEJiMOK0FoiJlDaQ
|
||||||
|
hyzKhREJ/iAlb1EJ9IRu+rVgO9hamj4ZyqE4kFrTfp9/bb5HbH04km+WZByzcenA
|
||||||
|
G8aOVUwk/IvC77jjMBKwn8i09DgBbjz5RHD6hXZwHOnPPQctBO8TDRIreQ9IHBsv
|
||||||
|
xIpQuRIf1GAiGwbVdGxffwsS38Aw6h2EDzX436NFJmc
|
||||||
|
--- AK4cj1yXlOGE07/jrzEfZ1RRwYnabyglA78+X54ON2E
|
||||||
|
þå/ɳò¤bæåîŠðm/Õ¨ï(N¸]Mc©Ãð<>$àïžÚ5²ô&†Ú¬xf¿Áp*Ȥq<C2A4>ôælÂåt¿¾‚–æœ<C3A6>1¤64‘ÎË›oƒ„(±¬,*ü
|
15
secrets/synapse_db_pass_prepared.age
Normal file
15
secrets/synapse_db_pass_prepared.age
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-rsa jWbwAg
|
||||||
|
VOENJIUyiW87jYh6c4gt1ll6OHaLhKnIId5Zr7Yhc2XPsgZa6vIws9cVAYhRd46C
|
||||||
|
jtNWMdIYATKmqrv7qICrsfQlY1aBeQmINwPCfFOxbu/tmuS7l1KvHccslJTQynEc
|
||||||
|
ZNuM7uZCRmrCPORxCZpFQYm5w3/XYNEz0cOwculv9DYTeYKYlL5tmPj6NAmD6Ta/
|
||||||
|
OGaMNpT+HVEvsfR+g+bAYE03dZdmCIk+YEJx7NfCIuqpIV4KAF+gWNTyUSG1hIs+
|
||||||
|
NzCje2QzOt7wSzvu2u3/Eb8G0oQZFLIxb3xbzels2XZmjseRdjEAW7Un6uivG/vH
|
||||||
|
5H7EdBpwWJtr3PyfqkY53YvJc3mdatqiJhs1h7Douo48PYODVO0p6YEqn21gdqhn
|
||||||
|
6EpIMp9u2Fj6aVER0IeY19viNJdrfKFLlymWRYnottNtUeR0MV7UvNj03Gpu+/Xy
|
||||||
|
HSJmb6y9d8oGaCR3YSlii0FPTpwjOE+TwxCq+aoLQqeBff1Ytt1rEFuunohJfTk+
|
||||||
|
krF0dJ0u1+k/vJChcuGBpLtU+XZ+jjAni1CUsV4qjntRuKNlilutgELyzXcbz4PV
|
||||||
|
ZiIUxqqwrvRTUXg+NIMZvh6VYGuGgGaJkNxajz9bcuwkhYBtJuEcpsmkBv+TS3hz
|
||||||
|
UuhRns+YUaY1Pwsoh5MJcmXsE7QthW5PUKJmnAmt+vk
|
||||||
|
--- Ok/G4af2ShLLe1qbQEXjHxISHGOpG2DBojZTvf6tEQQ
|
||||||
|
šR•‚^çÑ^ÅA< Q—_ xXŒ{ßh²²¬jƒd›•O9¢}ž<™¾yFÚ›©}ÇÅhATUø ›—‚tFÍB>?µ÷i?·ê<C2B7>¾Ýÿ,CÆ…däpûÑ››ãðu-4"DQ¦ºÑù8bV
|