dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
f90deabb50
nixfiles/nixos/boxes/colony/vms/shill/containers/chatterbox.nix

211 lines
6.5 KiB
Nix
Raw Blame History

{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.chatterbox = { config, ... }: {
system = "x86_64-linux";
nixpkgs = "mine";
rendered = config.configuration.config.my.asContainer;
assignments = {
internal = {
name = "chatterbox-ctr";
inherit domain;
ipv4.address = net.cidr.host 5 prefixes.ctrs.v4;
ipv6 = {
iid = "::5";
address = net.cidr.host 5 prefixes.ctrs.v6;
};
};
};
configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
let
inherit (lib) mkMerge mkIf mkForce;
inherit (lib.my) networkdAssignment;
in
{
config = mkMerge [
{
my = {
deploy.enable = false;
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGx50oGzm5TsaB5R6f/daFPc5QNkmM15uc9/kiBxKaY";
files = {
"chatterbox/synapse.yaml" = {
owner = "matrix-synapse";
group = "matrix-synapse";
};
"chatterbox/nul.ie.signing.key" = {
owner = "matrix-synapse";
group = "matrix-synapse";
};
"chatterbox/syncv3.env" = {
owner = "matrix-syncv3";
group = "matrix-syncv3";
};
};
};
firewall = {
tcp.allowed = [ 19999 8008 8009 ];
};
};
users = with lib.my.c.ids; {
users = {
matrix-syncv3 = {
isSystemUser = true;
uid = uids.matrix-syncv3;
group = "matrix-syncv3";
};
};
groups = {
matrix-syncv3.gid = gids.matrix-syncv3;
};
};
systemd = {
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
services = {
matrix-sliding-sync.serviceConfig = {
# Needs to be able to read its secrets
DynamicUser = mkForce false;
User = "matrix-syncv3";
Group = "matrix-syncv3";
};
};
};
services = {
netdata.enable = true;
matrix-synapse = {
enable = true;
withJemalloc = true;
extras = [
"oidc"
];
extraConfigFiles = [ config.age.secrets."chatterbox/synapse.yaml".path ];
settings = {
server_name = "nul.ie";
public_baseurl = "https://matrix.nul.ie";
web_client_location = "https://element.${pubDomain}";
admin_contact = "dev@nul.ie";
prescence.enabled = true;
listeners = [
{
# Covers both IPv4 and IPv6
bind_addresses = [ "::" ];
port = 8008;
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
compress = false;
names = [ "client" "federation" ];
}
];
}
{
bind_addresses = [ "127.0.0.1" "::1" ];
port = 9000;
type = "manhole";
# The NixOS module has defaults for these that we need to override since they don't make sense here
tls = false;
resources = [];
}
];
# Even public options must be in the secret file because options are only merged at the top level.
# Let's just override the defaults in the base config to keep Nix happy
database = {
name = "sqlite3";
args.database = "/dev/null";
};
#media_store_path = "/var/lib/synapse-media";
max_upload_size = "1024M";
dynamic_thumbnails = true;
url_preview_enabled = true;
url_preview_ip_range_blacklist = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"192.0.0.0/24"
"169.254.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"192.0.2.0/24"
"198.51.100.0/24"
"203.0.113.0/24"
"224.0.0.0/4"
"::1/128"
"fe80::/10"
"fc00::/7"
"2001:db8::/32"
"ff00::/8"
"fec0::/10"
] ++ (with lib.my.c.colony.prefixes; [ all.v4 all.v6 ]);
url_preview_ip_range_whitelist =
with allAssignments.middleman.internal;
[ ipv4.address ipv6.address ];
enable_registration = false;
allow_guest_access = false;
signing_key_path = config.age.secrets."chatterbox/nul.ie.signing.key".path;
app_service_config_files = [
"/var/lib/heisenbridge/registration.yml"
];
};
sliding-sync = {
enable = true;
createDatabase = false;
environmentFile = config.age.secrets."chatterbox/syncv3.env".path;
settings = {
SYNCV3_BINDADDR = "[::]:8009";
SYNCV3_SERVER = "http://localhost:8008";
};
};
};
heisenbridge = {
enable = true;
homeserver = "http://localhost:8008";
owner = "@dev:nul.ie";
namespaces = {
users = [
{
exclusive = true;
regex = "@irc_.*";
}
];
};
};
};
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = [
{ from = "host"; host.port = 8080; guest.port = 80; }
];
};
})
];
};
};
}
Reference in New Issue View Git Blame Copy Permalink