commit 3bf8787116225aa96c404d4a4d3adb595d9faaf4
parent 2f1fdf174e7596ba7ed79a1afdd105141128ea86
Author: Katja (ctucx) <git@ctu.cx>
Date: Tue, 3 Dec 2024 10:15:43 +0100
machines/trabbi: move `matrix` to `hector`
14 files changed, 149 insertions(+), 188 deletions(-)
A
|
120
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
D
|
121
-------------------------------------------------------------------------------
diff --git a/machines/hector/default.nix b/machines/hector/default.nix @@ -23,6 +23,7 @@ # communication ./fedi + ./matrix ./syncthing.nix
diff --git a/machines/hector/matrix/synapse.nix b/machines/hector/matrix/synapse.nix 
@@ -0,0 +1,120 @@ +{ inputs, config, lib, pkgs, ... }: + +{ + + dns.zones."ctu.cx".subdomains.matrix.CNAME = [ "${config.networking.fqdn}." ]; + + age.secrets = { + restic-matrix-synapse.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/matrix-synapse.age"; + matrix-registration_shared_secret = { + file = ./. + "/../../../secrets/${config.networking.hostName}/matrix-synapse/registration_shared_secret.age"; + owner = "matrix-synapse"; + }; + }; + + restic-backups.matrix-synapse = { + user = "matrix-synapse"; + passwordFile = config.age.secrets.restic-matrix-synapse.path; + postgresDatabases = [ "matrix-synapse" ]; + paths = [ "/var/lib/matrix-synapse" ]; + }; + + systemd.services.matrix-synapse = { + onFailure = [ "email-notify@%i.service" ]; + }; + + services = { + postgresql = { + enable = true; + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; + + matrix-synapse = { + enable = true; + withJemalloc = true; + settings = { + server_name = "ctu.cx"; + public_baseurl = "https://matrix.ctu.cx/"; + max_upload_size = "100M"; + dynamic_thumbnails = true; + enable_registration = false; + enable_registration_without_verification = false; + registration_shared_secret_file = config.age.secrets.matrix-registration_shared_secret.path; + listeners = [{ + bind_addresses = [ "::1" ]; + port = 8008; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { names = [ "client" ]; compress = true; } + { names = [ "federation" ]; compress = false; } + ]; + }]; + }; + }; + + nginx = { + enable = true; + virtualHosts = let + matrixServerConfig = { "m.server" = "matrix.ctu.cx:443"; }; + matrixClientConfig = { "m.homeserver" = { "base_url" = "https://matrix.ctu.cx"; }; "org.matrix.msc3575.proxy" = { "url" = "https://matrix.ctu.cx"; }; }; + in { + "ctu.cx" = { + enableACME = 
true; + forceSSL = true; + kTLS = true; + locations."/.well-known/matrix/server".extraConfig = '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON matrixServerConfig}'; + ''; + locations."/.well-known/matrix/client".extraConfig = '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON matrixClientConfig}'; + ''; + }; + + "matrix.ctu.cx" = { + enableACME = true; + forceSSL = true; + kTLS = true; + locations = { + "/_matrix".proxyPass = "http://[::1]:8008"; +# "/_synapse".proxyPass = "http://[::1]:8008"; +# "/admin/".alias = "${pkgs.synapse-admin}/"; + + "/.well-known/matrix/server".extraConfig = '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON matrixServerConfig}'; + ''; + + "/.well-known/matrix/client".extraConfig = '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON matrixClientConfig}'; + ''; + + "/".root = pkgs.cinny.override { + conf = { + defaultHomeserver = 0; + homeserverList = [ + "matrix.ctu.cx" + ]; + allowCustomHomeservers = false; + hashRouter.enabled = true; + }; + }; + }; + }; + + }; + }; + + }; + +}
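Review bot: The `matrix.ctu.cx` vhost serves the Cinny web client from `"/".root` on the same origin as the Synapse client and media API proxied at `"/_matrix"`, which the Matrix ecosystem advises against: user-uploaded content returned by the media endpoints then shares an origin with the client's scripts and storage, so an XSS through rendered media would have the client's access token in reach. Synapse attaches a restrictive Content-Security-Policy to media downloads, which reduces but does not remove the exposure; the usual fix is a separate client hostname (e.g. a `chat.ctu.cx` vhost whose only location is the Cinny root) and keeping `matrix.ctu.cx` API-only. Separately, the listener sets `x_forwarded = true`, so Synapse trusts whatever `X-Forwarded-For` nginx hands it — that is only safe if nginx overwrites the header (`services.nginx.recommendedProxySettings = true;` or an explicit `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` under `"/_matrix"`), which is not set in this file and presumably lives in hector's shared nginx config; if it does not, a client-supplied header reaches Synapse unchanged and defeats per-IP rate limiting and login auditing. The two `/.well-known/matrix/client` locations also return JSON without `add_header Access-Control-Allow-Origin *;`, which the client-server spec expects so web clients on other origins can read the discovery document.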
diff --git a/machines/hector/websites/ctu.cx.nix b/machines/hector/websites/ctu.cx.nix @@ -11,20 +11,9 @@ forceSSL = true; kTLS = true; root = pkgs.ctucx-website; - locations = let - matrixServerConfig = { "m.server" = "matrix.ctu.cx:443"; }; - matrixClientConfig = { "m.homeserver" = { "base_url" = "https://matrix.ctu.cx"; }; "org.matrix.msc3575.proxy" = { "url" = "https://matrix.ctu.cx"; }; }; - in { + locations = { "/netzabdeckung.html".return = "307 https://wifionic.de/"; "/bikemap".return = "307 https://bikemap.ctu.cx/"; - "/.well-known/matrix/server".extraConfig = '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON matrixServerConfig}'; - ''; - "/.well-known/matrix/client".extraConfig = '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON matrixClientConfig}'; - ''; }; }; };
diff --git a/machines/trabbi/default.nix b/machines/trabbi/default.nix @@ -9,7 +9,6 @@ ./hardware-configuration.nix # communication - ./matrix ./mail ./travelynx2fedi.nix
diff --git a/machines/trabbi/matrix/synapse.nix b/machines/trabbi/matrix/synapse.nix 
@@ -1,121 +0,0 @@ -{ inputs, config, lib, pkgs, ... }: - -{ - - dns.zones."ctu.cx".subdomains.matrix.CNAME = [ "${config.networking.fqdn}." ]; - - age.secrets = { - restic-matrix-synapse.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/matrix-synapse.age"; - matrix-sliding-sync-env.file = ./. + "/../../../secrets/${config.networking.hostName}/matrix-synapse/sliding-sync-env.age"; - matrix-registration_shared_secret = { - file = ./. + "/../../../secrets/${config.networking.hostName}/matrix-synapse/registration_shared_secret.age"; - owner = "matrix-synapse"; - }; - }; - - restic-backups.matrix-synapse = { - user = "matrix-synapse"; - passwordFile = config.age.secrets.restic-matrix-synapse.path; - postgresDatabases = [ "matrix-synapse" ]; - paths = [ "/var/lib/matrix-synapse" ]; - }; - - systemd.services.matrix-synapse = { - onFailure = [ "email-notify@%i.service" ]; - }; - - services = { - postgresql = { - enable = true; - initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - }; - - matrix-synapse = { - enable = true; - withJemalloc = true; - settings = { - server_name = "ctu.cx"; - public_baseurl = "https://matrix.ctu.cx/"; - max_upload_size = "100M"; - dynamic_thumbnails = true; - enable_registration = false; - enable_registration_without_verification = false; - registration_shared_secret_file = config.age.secrets.matrix-registration_shared_secret.path; - listeners = [{ - bind_addresses = [ "::1" ]; - port = 8008; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { names = [ "client" ]; compress = true; } - { names = [ "federation" ]; compress = false; } - ]; - }]; - }; - }; - - nginx = { - enable = true; - virtualHosts = let - matrixServerConfig = { "m.server" = "matrix.ctu.cx:443"; }; - matrixClientConfig = { "m.homeserver" = { "base_url" = 
"https://matrix.ctu.cx"; }; "org.matrix.msc3575.proxy" = { "url" = "https://matrix.ctu.cx"; }; }; - in { - # "ctu.cx" = { - # enableACME = true; - # forceSSL = true; - # kTLS = true; - # locations."/.well-known/matrix/server".extraConfig = '' - # add_header Content-Type application/json; - # return 200 '${builtins.toJSON matrixServerConfig}'; - # ''; - # locations."/.well-known/matrix/client".extraConfig = '' - # add_header Content-Type application/json; - # return 200 '${builtins.toJSON matrixClientConfig}'; - # ''; - # }; - - "matrix.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; - locations = { - "/_matrix".proxyPass = "http://[::1]:8008"; -# "/_synapse".proxyPass = "http://[::1]:8008"; -# "/admin/".alias = "${pkgs.synapse-admin}/"; - - "/.well-known/matrix/server".extraConfig = '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON matrixServerConfig}'; - ''; - - "/.well-known/matrix/client".extraConfig = '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON matrixClientConfig}'; - ''; - - "/".root = pkgs.cinny.override { - conf = { - defaultHomeserver = 0; - homeserverList = [ - "matrix.ctu.cx" - ]; - allowCustomHomeservers = false; - hashRouter.enabled = true; - }; - }; - }; - }; - - }; - }; - - }; - -}
diff --git a/secrets/hector/matrix-synapse/registration_shared_secret.age b/secrets/hector/matrix-synapse/registration_shared_secret.age @@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnT0JEZ0tNY0V1ZTVYMkFS +SFFaeXFNS2RjcCtaWHpDMUROMWJjVEJYQ1ZzCnd0TkRyR2srK0MvaHFYRzVPZWJi +Qi9YcG9IWEtZYTB4aTlvR2dPYVVWcVkKLT4gc3NoLWVkMjU1MTkgeWFMSFNRIFlL +N3BBM1JKdkRCVGNDN2tsZmRUak10NWtNWHE5ak9TZUFKdm5kUHNTemsKaGJBd0NW +VUFOOWFpSFQyazA3eU83bVcvaitKS2xOa256M0FqZXR3WldsWQotPiBrSDV2Wk9R +LWdyZWFzZSBWJCUmQCIgOToKczhlN2lJZlN2YU1wTUszbWVrUXdWODdlVitoWTlP +TWNKRjk5ZFFlaUdoR0QvMmo2NEFLeVYzSWsrVS9NVG9uKworOTRDQ2J3T1Z5YUt5 +dEFPRFdqVEl5Tmw1QlkvYnpNWG9YMnoKLS0tIFdhNi93NCtIQUNqL3BVc3BFSVRs +YnRYaDNKQnRldVAweWxkWU1hem14MGsKAIzYPLSg8o3732X1wWD72kAecu92IHIn +80oBzRWv/5hipSPdh0HuKvCkMuOVzdvUYDSHx+Hv2vqHDT64wGdhYo8= +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/hector/restic/matrix-synapse.age b/secrets/hector/restic/matrix-synapse.age @@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZzMwZW81ZE5yMzdZbmhl +RUh1d25LUDZjQ2J5aHdQcTEwWGhTNVlraFY0CmdQZWdRVW84eDg2ZU5xeGxGUUVp +dDV6cUFuSCtlVm8xWjZ0VDE4d0ZqVmsKLT4gc3NoLWVkMjU1MTkgeWFMSFNRIGNv +d3JWbVBaNHIzSWtiVHI4d1NTVzhBTzkwNW50dlcwNXVSQ3UzZlpLMjAKdy84bktD +a2laNHRBeXF1ZXlJTUx5blNOZk0wWmJ3bHREQU1yQ0thdEtrNAotPiA6ci1ncmVh +c2UgeFtWPS05ZCA/UVFaCmxrcDdLZytUb2tKd1A4TE0vcnZRU1c5QURQa2kzdW5J +Sm02Um00K05TSG9xdUtSZlh6OXh4ZE1laTBoTG9Pb0EKUlhhYitoYWgwbU40R1JW +SHowWEhyT1htWUZVQmZVR01sWitzaFEKLS0tIDMvSkVVTzFRVHpsb1JvYXVWcVhl +L1BEekpHTnVZWk0waSsvY1VBekZQd3cK3FmDiW5BqHaD9rO4OjiISRL5mjstHTHz +YpnqbHLYDG4b3y/tLuQQ0VOCxGlkZkF/OTo4E9+wRFgNTg== +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix @@ -68,14 +68,9 @@ in { "trabbi/restic/mail.age".publicKeys = [ main-key trabbi ]; - "trabbi/restic/matrix-synapse.age".publicKeys = [ main-key trabbi ]; "trabbi/travelynx2fedi-env.age".publicKeys = [ main-key trabbi ]; - "trabbi/matrix-synapse/registration_shared_secret.age".publicKeys = [ main-key trabbi ]; - "trabbi/matrix-synapse/sliding-sync-env.age".publicKeys = [ main-key trabbi ]; - "trabbi/matrix-synapse/s3_secrets.age".publicKeys = [ main-key trabbi ]; - "trabbi/mail/password-katja-ctu.cx.age".publicKeys = [ main-key trabbi ]; "trabbi/mail/password-gts-ctu.cx.age".publicKeys = [ main-key trabbi ]; "trabbi/mail/password-vaultwarden-ctu.cx.age".publicKeys = [ main-key trabbi ]; @@ -91,6 +86,7 @@ in { "hector/restic/ctucx-things.age".publicKeys = [ main-key hector ]; "hector/restic/gitolite.age".publicKeys = [ main-key hector ]; "hector/restic/gotosocial.age".publicKeys = [ main-key hector ]; + "hector/restic/matrix-synapse.age".publicKeys = [ main-key hector ]; "hector/syncthing/key.age".publicKeys = [ main-key hector ]; "hector/syncthing/cert.age".publicKeys = [ main-key hector ]; @@ -99,6 +95,8 @@ in { "hector/vaultwarden-secrets.age".publicKeys = [ main-key hector ]; "hector/gotosocial-env.age".publicKeys = [ main-key hector ]; + "hector/matrix-synapse/registration_shared_secret.age".publicKeys = [ main-key hector ]; + "wanderduene/wireguard-privkey.age".publicKeys = [ main-key wanderduene ]; "wanderduene/restic-server-htpasswd.age".publicKeys = [ main-key wanderduene ];
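Review bot: The matrix secrets are re-keyed from `[ main-key trabbi ]` to `[ main-key hector ]`, but the earlier trabbi ciphertexts stay in git history and remain decryptable by trabbi's host key, so unless the plaintexts were regenerated rather than re-encrypted, the registration shared secret and the restic repository password are still held by a host that no longer needs them. If they were only re-encrypted, rotate both as part of the move: generate a fresh `registration_shared_secret` for hector, and either re-key the restic repository (`restic key add` then `restic key remove` for the old key) or initialise a new repository for the hector backup. The `trabbi/matrix-synapse/sliding-sync-env.age` and `s3_secrets.age` entries are dropped with no hector counterparts; that matches the new `synapse.nix`, which references neither, but the well-known client document still advertises `org.matrix.msc3575.proxy` at `matrix.ctu.cx`, so it is worth confirming that Synapse's built-in sliding sync is what that URL is meant to serve now.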
diff --git a/secrets/trabbi/matrix-synapse/registration_shared_secret.age b/secrets/trabbi/matrix-synapse/registration_shared_secret.age @@ -1,11 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNjJwdmlKc1VCdit0RWlu -U25sRC9ncWEyd29peEk4YU5CenY0K1ljYVUwCjU0cTZwSDQzc1kzclJNWDhqcVZn -MHRuMFdLbmsxMDJRNWprcHVrOU42SkUKLT4gc3NoLWVkMjU1MTkgcThvY3pnIGlk -aE5xakJ1RWVSWGE1RVVmTTREVkdOMjk5b1RvUWswaXJMd0ZHMHJQeVkKa1dUemc1 -MUhLemEwVXF1S2JxQWp0NDFGZDVOUWZ1cmRyaHA1RER1ampXcwotPiBZWiVcPilc -Xi1ncmVhc2UgS3tpIEd5e2VeU0JMIDZvUkhxViA6bigyOApOZzM4YmtDcnkwRzJ5 -QXpvQVhDRVlDWkw4aWpDCi0tLSBDTnZNcEJvTm5xWks5UnU1OTlMclZ0TVNmb1Nt -VDlDcTRZcVBNUUtMdGRvCikQTbQoO0aEvc9z8jQ7vvNXa0KeT98HNsLvIUuKYnlx -hPoRTv23Ka9rHHnkLWHzqBJ5SsJtgOo4+2p3T5V/ejBT ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/matrix-synapse/s3_secrets.age b/secrets/trabbi/matrix-synapse/s3_secrets.age @@ -1,15 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXSWV2UTUxK2RSalZ5VEdU -NFhuS3hhN3JROGxVNDdLc25OM3o1TWZSOFFVCjJsN3dKYlV0TnQ0TU14UmEvMHds -b1lYcmhDWnZDdkFtY2FTY2o1UGtoSU0KLT4gc3NoLWVkMjU1MTkgcThvY3pnIDh5 -S3V5K3cvU0VPY0ZFTEJoY1hqS3E3OWl0aFNhYWtCclArek5Qd2tHazgKb0haQllR -UXlYamg5OE56NmpJcDZ1Qkx2dUd3MXMramYzYW82Z0dJaEFYRQotPiAmZSI9LWdy -ZWFzZSB7JEpSQjYgUCAhWWl0SyhQbSArCklKVVArUHF6bGo4bnZTdTc1dVFrcHNC -WlJEZmhMQVJEV3NtLzUwZmc1WmQzNUtETGlXMXFkT3J4SEd5Vm9jdUQKL0ZFbE9T -ZURieE1uMUt2aUFvTkR6NmltM3poZlVpV2h4dTByMDB4WUp0WlhkZlZOK0RtU3VR -Ci0tLSBaVzk3SHZnazFmNTczcVFmTjNURSswT0xDWnYzV05qNG9JbWFsUlhnQXQ0 -CvRFgDFtM7PEVwAulmFZiSNanf4bECQhlg1+7ndfXAaoNiL/ZW/Vf3I3cx38tXNJ -rZOT/OxzkRsGbjNlfEpBh4ziezLrnEAi85cYdgIj/PeXJmbkBOmgLnj1XZ4fQ7g/ -N8vFXKaRMmaftqK4oeMfpwZf3b/LHuVQ1bwwsp4+hOeJgglhlxSKLNn4nBmTxK4F -iKsBmL/JRhlpRaSEUDk6dowZ+Fo= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/matrix-synapse/sliding-sync-env.age b/secrets/trabbi/matrix-synapse/sliding-sync-env.age @@ -1,11 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYmUxdmdQRFhjMW13OCth -UVpJd0VGKzBDbDNCNS91MytGSjJWbzFDT1JRCjE1OFpjeFRyNVdQNUUwbHl2OHgz -QzU1enlJV0VFY2NQeSs3V3YvNW1pa0kKLT4gc3NoLWVkMjU1MTkgcThvY3pnIGVK -YkZlaUhZRXdQSk9CMTJwZUc5TVFmdHhMUWV2c3l2ZklNamdiVFpxUmcKS2d5bFNk -aHdOVFprT1JzYk9Pb1NCckd3YW1KcElhUXRmcHVYNDNUcDAzYwotPiBjfi1ncmVh -c2UKMmVrMHErK0dIMkJUdm9lNWs2TmxVZjJKencKLS0tIGxuMG1DOFdoMXNYNlNF -dGFwbDdKa0F2eTdkVFN5V01idmd1cmxSVFlvMHcKe6Iy/7KSvhOi7XXIGQwRYCTI -MdIr7KXqEczjvICgzcVeb+9pr19ESwoLABdELKftctM4uBdeoEXjTXM8AOlD+WEz -Fkd0pGLxDYiHsWpVAOkeiqDFhI4uy1m1enmorYSiARXD4N3OtadgzuAFnusu1g== ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/restic/matrix-synapse.age b/secrets/trabbi/restic/matrix-synapse.age @@ -1,12 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQ21PTkcxbDlieWZWVlUx -U1Y3T3gvWTdMT0tPTWVFdzhzTXdXdmFzYmo4CmxsekJqVHM1RmNJVklUL3ZVWTNI -OHQ2aG5IRkNaODNiYmhYMVNNNXlDVk0KLT4gc3NoLWVkMjU1MTkgcThvY3pnIDhZ -M053cjdPMGdaOE1rY1lSSklJOFYzUWM0NFVvZWVaOWpaTVFDMFdtd0UKUS9OQWZV -RldEaC9Rc24zaURRcHRlWUdHSEpHclFGRmJZWjJNSElRZG1qOAotPiBeaUFtIWRF -LWdyZWFzZSBgT11DbEk/WyBlPnt9bWEge0gge3B4TVYzfl4KdXhaRHZqZFJpVzZL -ZzhlZGFqaXBvYTc3SkkvZVo3ZkJoQXl3VVRxT0dlWE5BZ21uU0FZbDJUV1ZWVkk1 -ZTIzagpjNXNIaHcwS1AwSm9NSHRtV2hmVW1aSFV1QWp4M3cKLS0tIE4yRmpYVUcx -MUEvazMxd1dwZExKUnQrSTJ0RFlpZDNCMUltMytZMUlVVGcKfR0wBbp649MauNFV -QPoHVQ6Uofme9/ogS1lZShgRioV4z7AfNhkvSuPZ1CuaV3rp3QHH2qgRZOlAiA== ------END AGE ENCRYPTED FILE-----