begin testing

This commit is contained in:
Grimmauld 2023-12-27 11:20:29 +00:00
parent 5cd83c813e
commit f846ca8dd0
9 changed files with 178 additions and 31 deletions

0
.gitmodules vendored Normal file
View file

View file

@ -16,12 +16,91 @@ in {
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
services.gitea = { services.postgresql = {
enable = true;
ensureDatabases = [ "matrix-synapse" ];
package = pkgs.postgresql_15;
ensureUsers = [
{
# name = "synapse";
name = "matrix-synapse";
ensureDBOwnership = true;
}
];
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host synapse matrix-synapse ::1/128 md5
host all all ::1/128 md5
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map matrix-synapse synapse
superuser_map postgres postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
};
systemd.services.postgresql.postStart = let
password_file_path = config.age.secrets.synapse_db_pass.path;
in ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
EXECUTE format('ALTER ROLE matrix-synapse WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
services.matrix-synapse-next = {
enable = true;
workers.federationSenders = 1;
workers.federationReceivers = 1;
workers.initialSyncers = 1;
workers.normalSyncers = 1;
workers.eventPersisters = 2;
workers.useUserDirectoryWorker = true;
enableNginx = true;
settings = {
server_name = root_host;
enable_registration = true;
macaroon_secret_key = "supersecretsecretkey";
registrations_require_3pid = [ "email" ];
database = {
name = "psycopg2";
args = {
# host = "localhost";
# user = "synapse";
passfile = config.age.secrets.synapse_db_pass_prepared.path;
# password = "synapse";
# dbname = "synapse";
};
};
};
};
services.redis.servers."".enable = true;
services.gitea = {
enable = true; enable = true;
settings = { settings = {
service.DISABLE_REGISTRATION = true; service.DISABLE_REGISTRATION = true;
server = { server = {
HTTP_PORT = gitea_port; HTTP_PORT = gitea_port;
ROOT_URL = "https://${gitea_host}/";
DISABLE_SSH = true; DISABLE_SSH = true;
}; };
# log.LEVEL = "Debug"; # log.LEVEL = "Debug";
@ -30,7 +109,18 @@ in {
}; };
age.secrets = { age.secrets = {
duckdns_token.file = ./secrets/duckdns_token.age; synapse_db_pass = {
file = ./secrets/synapse_db_pass.age;
owner = "postgres";
group = "postgres";
};
synapse_db_pass_prepared = {
file = ./secrets/synapse_db_pass_prepared.age;
owner = "matrix-synapse";
group = "matrix-synapse";
};
# duckdns_token.file = ./secrets/duckdns_token.age;
}; };
users.users.grimmauld = { users.users.grimmauld = {
@ -69,15 +159,15 @@ in {
pypy3 pypy3
]; ];
systemd.services = { # systemd.services = {
dynamic-dns-updater = { # dynamic-dns-updater = {
path = [ # path = [
pkgs.curl # pkgs.curl
]; # ];
script = ''curl "https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip="''; # script = ''curl "https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip="'';
startAt = "hourly"; # startAt = "hourly";
}; # };
}; # };
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
@ -97,7 +187,7 @@ in {
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 ]; allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 8448 ];
allowPing = true; allowPing = true;
allowedUDPPortRanges = [ allowedUDPPortRanges = [
# { from = 4000; to = 4007; } # { from = 4000; to = 4007; }

View file

@ -64,6 +64,26 @@
"type": "github" "type": "github"
} }
}, },
"nixos-matrix-modules": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1701507532,
"narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
"ref": "refs/heads/master",
"rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
"revCount": 56,
"submodules": true,
"type": "git",
"url": "https://github.com/dali99/nixos-matrix-modules"
},
"original": {
"submodules": true,
"type": "git",
"url": "https://github.com/dali99/nixos-matrix-modules"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1703013332, "lastModified": 1703013332,
@ -80,6 +100,21 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": {
"locked": {
"lastModified": 1673743903,
"narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1703255338, "lastModified": 1703255338,
@ -99,6 +134,7 @@
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"nixos-matrix-modules": "nixos-matrix-modules",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
} }
}, },

View file

@ -7,9 +7,13 @@
nixpkgs = { nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable"; url = "github:NixOS/nixpkgs/nixos-unstable";
}; };
nixos-matrix-modules = {
url = "git+https://github.com/dali99/nixos-matrix-modules?submodules=1";
flake = true;
};
}; };
outputs = { self, nixpkgs, agenix }: let outputs = { nixos-matrix-modules, self, nixpkgs, agenix }: let
system = "x86_64-linux"; system = "x86_64-linux";
in { in {
nixosConfigurations = { nixosConfigurations = {
@ -18,6 +22,7 @@
modules = [ modules = [
./configuration.nix ./configuration.nix
agenix.nixosModules.default agenix.nixosModules.default
nixos-matrix-modules.nixosModules.default
{ environment.systemPackages = [ agenix.packages.${system}.default ]; } { environment.systemPackages = [ agenix.packages.${system}.default ]; }
]; ];
}; };

2
result
View file

@ -1 +1 @@
/nix/store/xgpf9yaqayh48k3fa25dzck2xlnvcxdd-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc /nix/store/wf6nyixk6236i1h6ws7yn3lnq7plhyd8-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc

View file

@ -1,16 +0,0 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
qN28qDzdvyx8S8xv1P9nFb1TK14sDnJhF56LVY0G3h6Q8nB02kw3bSJxYBzBs1qO
US2Ci80+IvxKztMAVsI7Hd5u7nKNahxDRCDUZiszETXNZukCLFFWK9ouy7YBRgaI
is44FImbdlua7kq1a9Lpuro04DfWhuG7X0/0ZBiPikI5fWRNAMMoP1ZRQqqlBVPj
fWWSbKa7C0jdBvfzOXSImtU0uuNjCshxsOF4sF7YLY6qlxc8xZdZnyIFRgm6XO7Z
qyeKNkMe1ufssrmquQI9ZgC1LGc+k9VhRtHoSxq1sFNeBBNF1AL4Lh4CReUr0gC1
NKSiCMq57hBlhLr8jlEG/p6MQe9vfgyxE9xKvknrdo2ou0N7zPQcWTOuL7EKY8w3
ZC+1UolK5qzu0MvN77RBTPY72jIG9h6YSLOfDKduOsvWFG9kBJ/QEzuwhdXjd9jy
nyvGcNKQoWl7ASGB3W0jP3Iv5ED4Qxd2O8F3bgwndhU9tBkej+KL9uK6YEXJcsNz
5k+J72pdMVtMp4K+XHkdz9fQXedp6M91+gdbEWmvOWUZx67GRq+8aL07nVenJKM6
ZyOI3F3fjLLC0DmhEyPVD+nq/W6Ljwx/O7fq1uJjQLPRJPNqYcRaokVmpjXiO23w
qT8yVaQxExD26Rn1CIHQQ4piprHVK25oUaJxkO0NYic
--- dLuM11zSUY2zLMW30ftenkZdhD//0BW4YSJEDEb0XfA
<EFBFBD>Ü•ùa
Æÿ&Ú‡äÛ¢^vÝAf°V‰ãÁ;µ ½ìÿÑCαÝêÝ¢D`ÙÛÓ’'7ÜîðÖm<C396>Ø泶Á“

View file

@ -3,5 +3,7 @@ let
contabo_nix_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCCsCsjhJleQCBm0gwnUj5R7zewC0SoRvth1qhXtUCeWM3KHkX+CjiHvVaHs+ftYE9uCe5jwVMB+b4UPkNU8EfQeL99iOYtkcn+fEQqjUJe/x/Pn0NxfS1DCvFpI6s3485ysDmagi640XN9S+eIiiMZIqWTsIlUtkEwGF0wuv+xqzbBOlUtIkL2AMpMeFCFovOcpu2JwEAIpDUiW+FanAFImw6rvNmpAtaaFGheYOGJwnpVfdaIeRPqEN3fqtIRBIQVgxt25BGYX83vaIH3Y/OaEKMGUa/4Fe/PRpGJyhCtdae6kcVfx57hs0e7/HezjgfS90HTu2cy6BrJOvGUspCjCbdElddfboE9wtBeNYsgjUOdU926m2M1tTn7Ex6ZMOQRKRlVFac6Yo+CedRTe4u6lkrWcsDdmnajel7uxoW8VMEre/CBCtK+ZlGaDwJjIVNCn7J3KZBKeaB/t/1iSr7/buaXYh5VV1Q0gv0mtvx+D7YLngaTv3sLFpLV8Wk1mgXt9R2hHxcRBKGJYx5RWa8aMHK62RP1GRc5yCzREj2Mc5qUJyd8oirnQYms/BsaDybUJde9IL4REeMzIBYyi/MG/+OAIUSAtdYygABWco+Swv4jP52UODHikcmyejHdFhRngsb4IYzGZXbS5pobkCyqCMJ20v5BG3WNFmujAlXRw=="; contabo_nix_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCCsCsjhJleQCBm0gwnUj5R7zewC0SoRvth1qhXtUCeWM3KHkX+CjiHvVaHs+ftYE9uCe5jwVMB+b4UPkNU8EfQeL99iOYtkcn+fEQqjUJe/x/Pn0NxfS1DCvFpI6s3485ysDmagi640XN9S+eIiiMZIqWTsIlUtkEwGF0wuv+xqzbBOlUtIkL2AMpMeFCFovOcpu2JwEAIpDUiW+FanAFImw6rvNmpAtaaFGheYOGJwnpVfdaIeRPqEN3fqtIRBIQVgxt25BGYX83vaIH3Y/OaEKMGUa/4Fe/PRpGJyhCtdae6kcVfx57hs0e7/HezjgfS90HTu2cy6BrJOvGUspCjCbdElddfboE9wtBeNYsgjUOdU926m2M1tTn7Ex6ZMOQRKRlVFac6Yo+CedRTe4u6lkrWcsDdmnajel7uxoW8VMEre/CBCtK+ZlGaDwJjIVNCn7J3KZBKeaB/t/1iSr7/buaXYh5VV1Q0gv0mtvx+D7YLngaTv3sLFpLV8Wk1mgXt9R2hHxcRBKGJYx5RWa8aMHK62RP1GRc5yCzREj2Mc5qUJyd8oirnQYms/BsaDybUJde9IL4REeMzIBYyi/MG/+OAIUSAtdYygABWco+Swv4jP52UODHikcmyejHdFhRngsb4IYzGZXbS5pobkCyqCMJ20v5BG3WNFmujAlXRw==";
in in
{ {
"duckdns_token.age".publicKeys = [ contabo_nix_pub ]; # "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
} }

View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
uphSCXWnsU8Ffn8E3G3cQFlU+Op480vwqkDZKcvwGo/7aPeSKvcxpDkkvZbBSpeJ
agOsx9umGm2xJd38ss7vUYiTGZFyXVRVR0ECRLUSjmt4U1fbdIXM1JijKPJBNPFf
rZWc/+6uXXHFwv0633SyM6swuytmo6jKbdExclY1Q5bwYHfTAUvHaeUW1AFWd24d
HWJCLXEY3VK7WvcH3nvpzeNvRMbkaOBrcPnt7rqWmKH0F92tFP3mNiOtbHRZgSe8
aJodlNU390gLqED/BOqKjLxCYvfiVSSRu6ziP/h3VKqmC8HDD8e+nSQwS7qMlgXi
4i6kgZQr+is1rsU5GMLe+H7jw/ZI+hOxNyutGXi1wd1qgrM1qbCfJmUS8tYUP2kw
NsD4+h1xz2Hkop+6MKursOPsD6Vw/TFuNKDXyQstbrz8jU8rP5jvkIn6o7PT4rVm
HyJ4sHlabnmqufyVCtjfZz84fyOjHqeoqeS0ST5zH1VcjGh9pEJiMOK0FoiJlDaQ
hyzKhREJ/iAlb1EJ9IRu+rVgO9hamj4ZyqE4kFrTfp9/bb5HbH04km+WZByzcenA
G8aOVUwk/IvC77jjMBKwn8i09DgBbjz5RHD6hXZwHOnPPQctBO8TDRIreQ9IHBsv
xIpQuRIf1GAiGwbVdGxffwsS38Aw6h2EDzX436NFJmc
--- AK4cj1yXlOGE07/jrzEfZ1RRwYnabyglA78+X54ON2E
þå/ɳò¤bæåîŠðm/Õ¨ï(N¸]Mc©Ãð<>$àïžÚ5²ô&†Ú¬xf¿Áp*Ȥq<C2A4>ôælÂåt¿¾æœ<C3A6>1¤64ÎËoƒ„(±¬,

View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
VOENJIUyiW87jYh6c4gt1ll6OHaLhKnIId5Zr7Yhc2XPsgZa6vIws9cVAYhRd46C
jtNWMdIYATKmqrv7qICrsfQlY1aBeQmINwPCfFOxbu/tmuS7l1KvHccslJTQynEc
ZNuM7uZCRmrCPORxCZpFQYm5w3/XYNEz0cOwculv9DYTeYKYlL5tmPj6NAmD6Ta/
OGaMNpT+HVEvsfR+g+bAYE03dZdmCIk+YEJx7NfCIuqpIV4KAF+gWNTyUSG1hIs+
NzCje2QzOt7wSzvu2u3/Eb8G0oQZFLIxb3xbzels2XZmjseRdjEAW7Un6uivG/vH
5H7EdBpwWJtr3PyfqkY53YvJc3mdatqiJhs1h7Douo48PYODVO0p6YEqn21gdqhn
6EpIMp9u2Fj6aVER0IeY19viNJdrfKFLlymWRYnottNtUeR0MV7UvNj03Gpu+/Xy
HSJmb6y9d8oGaCR3YSlii0FPTpwjOE+TwxCq+aoLQqeBff1Ytt1rEFuunohJfTk+
krF0dJ0u1+k/vJChcuGBpLtU+XZ+jjAni1CUsV4qjntRuKNlilutgELyzXcbz4PV
ZiIUxqqwrvRTUXg+NIMZvh6VYGuGgGaJkNxajz9bcuwkhYBtJuEcpsmkBv+TS3hz
UuhRns+YUaY1Pwsoh5MJcmXsE7QthW5PUKJmnAmt+vk
--- Ok/G4af2ShLLe1qbQEXjHxISHGOpG2DBojZTvf6tEQQ
šR•^çÑ^ÅA< Q—_ xXŒ{ßh²²¬jƒd•O9¢}ž <™¾yFÚ©}ÇÅhATUø tFÍB>?µ÷i?·ê<C2B7>¾Ýÿ,CÆ…däpûÑãðu-4"DQ¦ºÑù8b­V