nixos: Initial Synapse

2022-06-10 23:25:55 +01:00
parent 3edb54fef6
commit 3085df1710
11 changed files with 134 additions and 49 deletions


@@ -15,7 +15,7 @@
};
};
configuration = { lib, pkgs, config, assignments, ... }:
configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
let
inherit (lib) mkMerge mkIf;
inherit (lib.my) networkdAssignment;
@@ -28,8 +28,11 @@
server.enable = true;
secrets = {
#key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkly/tnPmoX05lDjEpQOkllPqYA0PY92pOKqvx8Po02";
files."synapse.yaml" = {};
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1ajgIF5V14bf9Zol567k2ieeg1zEd1vJ6gXkydE5UT";
files."synapse.yaml" = {
owner = "matrix-synapse";
group = "matrix-synapse";
};
};
firewall = {
@@ -42,13 +45,80 @@
};
services = {
#matrix-synapse = {
# enable = true;
# withJemalloc = true;
# settings = {
matrix-synapse = {
enable = true;
withJemalloc = true;
# };
#};
extraConfigFiles = [ config.age.secrets."synapse.yaml".path ];
settings = {
server_name = "nul.ie";
public_baseurl = "https://matrix.nul.ie";
admin_contact = "dev@nul.ie";
prescence.enabled = true;
listeners = [
{
port = 8008;
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
compress = false;
names = [ "client" "federation" ];
}
];
}
{
port = 9000;
bind_addresses = [ "127.0.0.1" "::1" ];
type = "manhole";
# The NixOS module has defaults for these that we need to override since they don't make sense here
tls = false;
resources = [];
}
];
# Even public options must be in the secret file because options are only merged at the top level.
# Let's just override the defaults in the base config to keep Nix happy
database = {
name = "sqlite3";
args.database = "/dev/null";
};
#media_store_path = "/var/lib/synapse-media";
max_upload_size = "1024M";
dynamic_thumbnails = true;
url_preview_enabled = true;
url_preview_ip_range_blacklist = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"192.0.0.0/24"
"169.254.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"192.0.2.0/24"
"198.51.100.0/24"
"203.0.113.0/24"
"224.0.0.0/4"
"::1/128"
"fe80::/10"
"fc00::/7"
"2001:db8::/32"
"ff00::/8"
"fec0::/10"
] ++ (with lib.my.colony.prefixes; [ all.v4 all.v6 ]);
url_preview_ip_range_whitelist =
with allAssignments.middleman.internal;
[ ipv4.address ipv6.address ];
enable_registration = false;
allow_guest_access = false;
};
};
};
}
(mkIf config.my.build.isDevVM {
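Review bot: `prescence.enabled = true;` in the new `settings` block is misspelled; Synapse's option is `presence`, so this key is most likely ignored and presence is on only because that is the upstream default. It should read `presence.enabled = true;`. In the same block the port 8008 listener sets `x_forwarded = true`, which makes Synapse take client addresses from `X-Forwarded-For`; the listener's bind address and the firewall rules are not visible in these hunks, so confirm that only the reverse proxy can reach that port. The manhole listener is limited to loopback, but no `manhole_settings` appear here, so unless the secret file sets them the stock manhole credentials would be usable by any local process. The enclosing `configuration` function starts before and continues past these hunks.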


@@ -6,6 +6,7 @@
assignments = {
internal = {
name = "colony-psql-ctr";
altNames = [ "colony-psql" ];
domain = lib.my.colony.domain;
ipv4.address = "${lib.my.colony.start.ctrs.v4}4";
ipv6 = {
@@ -45,6 +46,11 @@
package = pkgs.postgresql_14;
enable = true;
enableTCPIP = true;
authentication = with lib.my.colony.prefixes; ''
host all all ${all.v4} md5
host all all ${all.v6} md5
'';
ensureUsers = [
{
name = "root";
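Review bot: The new `authentication` lines admit `all` roles to `all` databases from the whole colony prefix using `md5`, which is broader and weaker than a single Synapse client needs. The package is `postgresql_14`, so `scram-sha-256` is available and refuses the MD5 challenge-response for any role whose password is still stored as an MD5 hash. Naming the database, role and client address narrows the rule further, e.g. `host <db> <role> <client-address> scram-sha-256` (placeholders). `host` also matches non-TLS connections, so unless TLS is configured and `hostssl` is used, authentication exchanges and query data cross the container network unencrypted. The `ensureUsers` list continues outside the hunk.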


@@ -3,5 +3,6 @@
./middleman
./vaultwarden.nix
./colony-psql.nix
./chatterbox.nix
];
}


@@ -104,6 +104,7 @@
middleman = {};
vaultwarden = {};
colony-psql = {};
chatterbox = {};
};
};
}


@@ -245,6 +245,15 @@ in
}
];
})
(mkIf config.services.matrix-synapse.enable {
my.tmproot.persistence.config.directories = [
{
directory = config.services.matrix-synapse.dataDir;
user = "matrix-synapse";
group = "matrix-synapse";
}
];
})
(mkIf config.my.build.isDevVM {
fileSystems = mkVMOverride {
# Hijack the "root" device for persistence in the VM
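Review bot: The persisted Synapse `dataDir` entry sets `user` and `group` but no permissions, so the directory mode is whatever the persistence module defaults to. That directory normally holds the homeserver signing key and the media store, so a world-traversable default would let other local users list it. If `my.tmproot.persistence` passes entries through to impermanence (an assumption, the module is not shown), adding `mode = "0700";` to the entry would pin it. The enclosing list begins and continues outside the hunk.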

Binary file not shown.

Binary file not shown.


@@ -1,10 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 FAIX7A 65LI0Fvoezo5osErygJNYp5d8LhvABZpD5SjjBlvCBc
jsez8jYQjFgR66hJtj3NfD+ugkfuc5CQ2PpLatOstMY
-> X25519 JpPee9xg9YoHwwUk8OCYuZQJdq0yYhsJtUFHwumHvSc
MZUCvUjHCS65dBvT/7eNtT+cydIAqa7BAXGBJrP1/Yg
-> j-grease `YENpG`_
7kJXScC89DIP3niPa5sEf8rQQfXCTztTrAyhq8fv/eIFUhWqE1P7TebzPCuE6XeA
p0WTNfd0xsZJ7d+PIK/HLhPFRS2wKaYfHXXCYtJsFK/tbRz522f9O/YH
--- EI8mVA7L/VX9EBG3hvME3sznKAVacRjqRFbcGDhvhSM
<EFBFBD>;<3B><>'<27>ɏK}9D,h<><11>:l<><<3C><>h<EFBFBD>1D<31><07>TE<54><45><EFBFBD>T3V<33>|u<>l4X<05><><EFBFBD>_<EFBFBD>X<EFBFBD>E\<5C>u!<21>B2t<32>Z<EFBFBD><1A>u<EFBFBD>b5<62><35><EFBFBD><EFBFBD>h
-> ssh-ed25519 FAIX7A 1P9UO3/Yn0osO1W4zxm6SgkJwGYaqyYGU38QpNtN3nM
GZcsY52UYsuJUEAFL4j4kxV2A2D4iS4JQE9iOSZHMn4
-> X25519 inCZutigxecNFFhLn6+PNTHdwn3VLnR7TIeEF1ROpRU
43LkgwpJozQXBU+mBnj9QW2u6Ay2LOprYI5Al2v6LNk
-> 3Y-grease
6Fn9H5/BnHQhLEhAYCJ/sJ2h9/29Bvt9BTEuWF6M071W9YG+g1CLgApN3dW4pFkl
oTeaF9xeMPv/wdBWRyZjbg
--- TCIr5y4Z9uWZexDP4jb1o2k/h6rd/7O2UHjPxNaTjm0
x<EFBFBD>f<EFBFBD><EFBFBD><EFBFBD><EFBFBD>9dg<EFBFBD>h<EFBFBD><EFBFBD><EFBFBD>`N<>;<3B>f<EFBFBD>r`<60><><05><><0E>$<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>џO<D19F>P<EFBFBD><50>;<3B><><EFBFBD><EFBFBD> <><19><0E><><EFBFBD>A<EFBFBD>tꩱ<74>il<69>TK<>%<25><><EFBFBD><EFBFBD>M<EFBFBD><4D><EFBFBD>:<3A><>Ȏ<EFBFBD>/<2F><>'<27><>5-<2D><>xEL<><4C>ly@<40><> <09>N<EFBFBD>H/<19>cby0k<30><6B>UU<55>S<><53><1B><><EFBFBD>"|<7C><>A<><41>=<3D>*<2A><>۲z<1C>.


@@ -1,21 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 SKXJUw CsKtHFHS/9MNiNGT/O+bxx+btotr9riXwJWgHAplcXQ
W6kL/S4y1aFstYGOIhrwJfXx2uhswH3uSdyJzRCAtHM
-> ssh-ed25519 wbGjmA 7em05wqUq9PA9CZ9MlnNSxdeknvN0lrS0yYxUTtGawE
TyAI9Pu0DJodhdT5sBodIaBxPg3VBmXcq18IIHtFs3I
-> ssh-ed25519 B9K/XQ ZAVd8XBFPOJ6hC2WunnkGmEifYOHcUhYQIi4gvsLajc
5hPdqVBWi9OtqQPyq4gz4CX6vVpuLGQURufTCnDNYgM
-> ssh-ed25519 H162lQ wKj8wzesVAOzm5o4VB9NEBSr+xlr0VjR/A48NL+6uls
lpmijvrflnMeVT6R2YcUmLFljFxZsTeVziErcQ7GKuk
-> ssh-ed25519 b6YMqg ykVDRMnyBsh6+HN/A/5lT3K36wgJZggIcjlsPSc3byM
HF5qzv2Lf2s87OHi/0++shAjF4+xr5NAHL/9lncMHRU
-> ssh-ed25519 Lqn0Yw 4+F3gxpsI9QnbCHWpLz29CUj3RAeXSH7PHkuFw3E7T8
yzZAylZ7QAV7ufljd4VEBys8sNd8JodWqN5f0JzRI/g
-> X25519 YMeCBP/yDOGPs04ihx7NkZSpqEotUHKs3yMRkg9JWAI
Li1FOGm6NIAPGVQRj3HYiyKiR/ZSk35vnOK/ia59IQU
-> tjxC(g-grease
817wn107V7X7yjCXvKBMt/55PWcEYdm6ZDOdoZC5A3s+iRFVpLvGmxlkEVxQCqsA
K4WG/Ye5PC/raEjsS8/6AqHs4E+JSfuZjm47fVclbu3kp8Yu3BaLEa9glucxBQbc
X0A
--- C/lfT3RLOrCR2mOv6Q0aDyEVUrq4GzdVpHhj7Ly2ov4
<EFBFBD>&<26>Ǩ<><C7A8><EFBFBD><EFBFBD><EFBFBD>q)<16> Wh<57><68><EFBFBD><EFBFBD><EFBFBD>&3<><33>M}]R<>E<EFBFBD>e%<25>tX<74><58><EFBFBD><08>*X<>l
-> ssh-ed25519 FAIX7A PkWyLLijQZgNyFSvjEcWkYTYIyOpbxsu69hczCKx1g4
qGruVJb5SjTNm6EhRMbaO+aZc8hXQdU9jcfRN4CVAC8
-> ssh-ed25519 SKXJUw JIFQcXOdHl/9uLcvmriKLBmtXEHKrKUII99KgOkqPFI
ODO2TuI3VYWcPJnwAmpQi38a8CXV0C6pAFwd5otrh+w
-> ssh-ed25519 wbGjmA rZm8T6+N1cw3vpXrtrAIufUdjTpzu8wXLsERZAjVwHQ
MdfU6LwTZpiBEJwVvsY+BPUmN+955Ty1Xc6c0PfwH+o
-> ssh-ed25519 B9K/XQ XQiWYiYiEcVrrcjkel5TDwZSxIommrxk1cVNvDoiFSo
EE7VDprouGZ/MpNFPjhh7TSr1jzr0ZeIOmmO3G6JAeU
-> ssh-ed25519 H162lQ ce5lAulJBRSzeCKnJBNuSy1HE1R5TG20Wdx5kavPNTg
BPXI69PEmSP0BmO3f8MAPqGyBR29hts798DbevMUATg
-> ssh-ed25519 b6YMqg w0JygLSUv/Y5j1zWlUY5zoeTwX3s+URX1yJxc99rg1Y
01VfQiWgldlCBNPTBoudyKVpXXfVbrXhaVMq+MBFhVM
-> ssh-ed25519 Lqn0Yw TWRasWvKcfxukcFX95KJ6QnRwNfJSF/RCz40IrsfSGY
/CSufoexTjNSVK225VjCD3pm/z2gK6Moud7fST9tjuc
-> X25519 bFnUlqUCBjMxEPrBiMpOeQTqR4qpmBQhMzIvtLKuHUk
PEYj+yEbPfUWDKRTsYMUPUcM+i3KZ0Zu0YQ4JE3zFEE
-> T-grease NFmx4<h Dqu[ eL! o!=j{Ly
+LGjt+Z9HFtj3TJDY1Y41Q
--- 4QYQUgsOOGqXgYQ+PxShmUhezpwPXOEIKcEIfcFAFdk
<EFBFBD><EFBFBD>=_<>nwz<77><7A>ߚ؉+5~<7E><><EFBFBD><EFBFBD>T<EFBFBD>G<EFBFBD><47>-}R<>hOv˜<0F>[Tr<54>sH<<3C>@<40><><EFBFBD><EFBFBD>ĨͲ<C4A8><CDB2><EFBFBD>z<EFBFBD><7A>W<EFBFBD>Qaݚ<61><DD9A><EFBFBD>dT<64><54><EFBFBD>@v<>o <42><DBA6>O<EFBFBD><4F><4D>d(hX帼¶m<C2B6>v᥆X<E1A586>-Qp<51>*<2A>u<EFBFBD>y<EFBFBD>S⻓c1<63>3<EFBFBD><33><EFBFBD><EFBFBD>


@@ -1,12 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 Lqn0Yw 527NE0GoR6SQTwb1hmgpxn4APXMb2oW3/VNjjbwtnx8
9jWxt9FYx8G4pyPVtU8mp33QuurzQHI4Npt+79ej2qU
-> X25519 wW5ClCuDyZvFJOA/aeitGr5yr29DOdULnUlPRz1sDk0
db70JP2sIH3T8NsMHqnTCGNE1tY7PyjGKOKmzNE632Q
-> zGd-grease * _!K!a] 3C\vn
sOkK0VjY4v3j6XcG
--- CHljgmb9kcrECrIM2Ve+Wp5AkGWeIQb0Bhh9sgEtD5U
K=<3D>X<EFBFBD>K9 <09>,<2C>q<EFBFBD><71>j<EFBFBD><6A><EFBFBD>)=G<><47>au{N
V<EFBFBD><EFBFBD><EFBFBD><EFBFBD>,<2C><>2N$<24>w<><77>
<EFBFBD>kzO <0B>@<40><><EFBFBD>#<23>F<><46>ǝ
<EFBFBD><EFBFBD><EFBFBD><EFBFBD>̻CF<EFBFBD><EFBFBD><EFBFBD>3<><33>PzNG,3Pw]-Vʞo<>Ԟm<D49E>z <0B>
-> ssh-ed25519 Lqn0Yw COtpnkiIOsiZ6sI7GpZW6DSrMdP+V8SFm+G6VSx6Tlg
foNXyNZ/u5RVNdijDQr0mGn5BQaPDhOqLhD9gxEP5e4
-> X25519 xbW4hHBb8lJ9fIwnRsfBpTmLGO74ZBkwmdXpWQ1H9CA
ucFk4TvPIxiQNyuNgQ/dHKy+p9LvePmwWLYd2e60AT0
-> "d-grease
7zl7veXnoG49diEebRbI1ok+U0CMgjo7AQK8rsCsOa4tDR8L460m4CfSOSEMEqzK
QjEjuxC9NY0liwnNsRLNWccKxa3V1LQLL68RhA
--- exAOdELiQNGSJcweG5qVkiX4SLNMq8x9uNyp77pCrWA
B<0F>;<3B> <09>iA<69><41>o,ULb<4C>(<1F>G<EFBFBD>e<EFBFBD>a?H<>؋<EFBFBD>Ɖ<EFBFBD><1D>f<><66><EFBFBD>hz<68><7A><EFBFBD>+<2B><>^<5E><><EFBFBD><EFBFBD><EFBFBD>i<EFBFBD>j0<6A>%ΫK<CEAB>ā<19><><EFBFBD>3<>azs<>U]<5D><>L<EFBFBD>!Y<><59>D>v|<13>'W!!<21><><EFBFBD>K<13>'