
commit 3bf8787116225aa96c404d4a4d3adb595d9faaf4
parent 2f1fdf174e7596ba7ed79a1afdd105141128ea86
Author: Katja (ctucx) <git@ctu.cx>
Date: Tue, 3 Dec 2024 10:15:43 +0100

machines/trabbi: move `matrix` to `hector`
14 files changed, 149 insertions(+), 188 deletions(-)
diff --git a/machines/hector/default.nix b/machines/hector/default.nix
@@ -23,6 +23,7 @@
 
     # communication
     ./fedi
+    ./matrix
 
     ./syncthing.nix
 
diff --git a/machines/trabbi/matrix/default.nix b/machines/hector/matrix/default.nix
diff --git a/machines/trabbi/matrix/mautrix-whatsapp.nix b/machines/hector/matrix/mautrix-whatsapp.nix
diff --git a/machines/hector/matrix/synapse.nix b/machines/hector/matrix/synapse.nix
@@ -0,0 +1,120 @@
+{ inputs, config, lib, pkgs, ... }:
+
+{
+
+  dns.zones."ctu.cx".subdomains.matrix.CNAME = [ "${config.networking.fqdn}." ];
+
+  age.secrets = {
+    restic-matrix-synapse.file        = ./. + "/../../../secrets/${config.networking.hostName}/restic/matrix-synapse.age";
+    matrix-registration_shared_secret = {
+      file  = ./. + "/../../../secrets/${config.networking.hostName}/matrix-synapse/registration_shared_secret.age";
+      owner = "matrix-synapse";
+    };
+  };
+
+  restic-backups.matrix-synapse = {
+    user              = "matrix-synapse";
+    passwordFile      = config.age.secrets.restic-matrix-synapse.path;
+    postgresDatabases = [ "matrix-synapse" ];
+    paths             = [ "/var/lib/matrix-synapse" ];
+  };
+
+  systemd.services.matrix-synapse = {
+    onFailure = [ "email-notify@%i.service" ];
+  };
+
+  services = {
+    postgresql = {
+      enable        = true;
+      initialScript = pkgs.writeText "synapse-init.sql" ''
+        CREATE ROLE "matrix-synapse" WITH LOGIN;
+        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+         TEMPLATE template0
+         LC_COLLATE = "C"
+         LC_CTYPE = "C";
+      '';
+    };
+
+    matrix-synapse = {
+      enable         = true;
+      withJemalloc   = true;
+      settings = {
+        server_name                     = "ctu.cx";
+        public_baseurl                  = "https://matrix.ctu.cx/";
+        max_upload_size                 = "100M";
+        dynamic_thumbnails              = true;
+        enable_registration             = false;
+        enable_registration_without_verification = false;
+        registration_shared_secret_file = config.age.secrets.matrix-registration_shared_secret.path;
+        listeners = [{
+          bind_addresses = [ "::1" ];
+          port           = 8008;
+          type           = "http";
+          tls            = false;
+          x_forwarded    = true;
+          resources      = [
+            { names = [ "client" ];     compress = true; }
+            { names = [ "federation" ]; compress = false; }
+          ];
+        }];
+      };
+    };
+
+    nginx = {
+      enable       = true;
+      virtualHosts = let
+        matrixServerConfig = { "m.server" = "matrix.ctu.cx:443"; };
+        matrixClientConfig = { "m.homeserver" = { "base_url" = "https://matrix.ctu.cx"; }; "org.matrix.msc3575.proxy" = { "url" = "https://matrix.ctu.cx"; }; };
+      in {
+        "ctu.cx" = {
+          enableACME = true;
+          forceSSL   = true;
+          kTLS       = true;
+          locations."/.well-known/matrix/server".extraConfig = ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON matrixServerConfig}';
+          '';
+          locations."/.well-known/matrix/client".extraConfig = ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON matrixClientConfig}';
+          '';
+        };
+
+        "matrix.ctu.cx" = {
+          enableACME = true;
+          forceSSL   = true;
+          kTLS       = true;
+          locations  = {
+            "/_matrix".proxyPass = "http://[::1]:8008";
+#            "/_synapse".proxyPass = "http://[::1]:8008";
+#            "/admin/".alias = "${pkgs.synapse-admin}/";
+
+            "/.well-known/matrix/server".extraConfig = ''
+              add_header Content-Type application/json;
+              return 200 '${builtins.toJSON matrixServerConfig}';
+            '';
+
+            "/.well-known/matrix/client".extraConfig = ''
+              add_header Content-Type application/json;
+              return 200 '${builtins.toJSON matrixClientConfig}';
+            '';
+
+            "/".root = pkgs.cinny.override {
+              conf = {
+                defaultHomeserver = 0;
+                homeserverList    = [
+                  "matrix.ctu.cx"
+                ];
+                allowCustomHomeservers = false;
+                hashRouter.enabled     = true;
+              };
+            };
+          };
+        };
+
+      };
+    };
+
+  };
+
+}
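Review bot: `"/".root = pkgs.cinny.override { ... }` serves the Cinny web client from the same origin (`matrix.ctu.cx`) whose `/_matrix` location is proxied to Synapse, which Synapse's and Element's own documentation advise against: user-uploaded media is served from the homeserver origin, so a web client on that origin cannot be isolated from it. The `/.well-known/matrix/client` response already points clients at `https://matrix.ctu.cx`, so Cinny could move to its own vhost (e.g. a separate `"chat.ctu.cx"` entry, name constructed) without touching the homeserver URL. Separately, `max_upload_size = "100M"` in the Synapse settings is only reachable if nginx's request body limit is raised to match — NixOS's `services.nginx.clientMaxBodySize` defaults to 10m as far as I recall — e.g. `client_max_body_size 100M;` in the `/_matrix` location's `extraConfig`, unless that is already set in a shared nginx module outside this diff. Both points carry over unchanged from the deleted `machines/trabbi/matrix/synapse.nix`.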
diff --git a/machines/hector/websites/ctu.cx.nix b/machines/hector/websites/ctu.cx.nix
@@ -11,20 +11,9 @@
       forceSSL   = true;
       kTLS       = true;
       root       = pkgs.ctucx-website;
-      locations  = let
-        matrixServerConfig = { "m.server" = "matrix.ctu.cx:443"; };
-        matrixClientConfig = { "m.homeserver" = { "base_url" = "https://matrix.ctu.cx"; }; "org.matrix.msc3575.proxy" = { "url" = "https://matrix.ctu.cx"; }; };
-      in {
+      locations  = {
         "/netzabdeckung.html".return = "307 https://wifionic.de/";
         "/bikemap".return = "307 https://bikemap.ctu.cx/";
-        "/.well-known/matrix/server".extraConfig = ''
-          add_header Content-Type application/json;
-          return 200 '${builtins.toJSON matrixServerConfig}';
-        '';
-        "/.well-known/matrix/client".extraConfig = ''
-          add_header Content-Type application/json;
-          return 200 '${builtins.toJSON matrixClientConfig}';
-        '';
       };
     };
   };
diff --git a/machines/trabbi/default.nix b/machines/trabbi/default.nix
@@ -9,7 +9,6 @@
     ./hardware-configuration.nix
 
     # communication
-    ./matrix
     ./mail
 
     ./travelynx2fedi.nix
diff --git a/machines/trabbi/matrix/synapse.nix b/machines/trabbi/matrix/synapse.nix
@@ -1,121 +0,0 @@
-{ inputs, config, lib, pkgs, ... }:
-
-{
-
-  dns.zones."ctu.cx".subdomains.matrix.CNAME = [ "${config.networking.fqdn}." ];
-
-  age.secrets = {
-    restic-matrix-synapse.file        = ./. + "/../../../secrets/${config.networking.hostName}/restic/matrix-synapse.age";
-    matrix-sliding-sync-env.file      = ./. + "/../../../secrets/${config.networking.hostName}/matrix-synapse/sliding-sync-env.age";
-    matrix-registration_shared_secret = {
-      file  = ./. + "/../../../secrets/${config.networking.hostName}/matrix-synapse/registration_shared_secret.age";
-      owner = "matrix-synapse";
-    };
-  };
-
-  restic-backups.matrix-synapse = {
-    user              = "matrix-synapse";
-    passwordFile      = config.age.secrets.restic-matrix-synapse.path;
-    postgresDatabases = [ "matrix-synapse" ];
-    paths             = [ "/var/lib/matrix-synapse" ];
-  };
-
-  systemd.services.matrix-synapse = {
-    onFailure = [ "email-notify@%i.service" ];
-  };
-
-  services = {
-    postgresql = {
-      enable        = true;
-      initialScript = pkgs.writeText "synapse-init.sql" ''
-        CREATE ROLE "matrix-synapse" WITH LOGIN;
-        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
-         TEMPLATE template0
-         LC_COLLATE = "C"
-         LC_CTYPE = "C";
-      '';
-    };
-
-    matrix-synapse = {
-      enable         = true;
-      withJemalloc   = true;
-      settings = {
-        server_name                     = "ctu.cx";
-        public_baseurl                  = "https://matrix.ctu.cx/";
-        max_upload_size                 = "100M";
-        dynamic_thumbnails              = true;
-        enable_registration             = false;
-        enable_registration_without_verification = false;
-        registration_shared_secret_file = config.age.secrets.matrix-registration_shared_secret.path;
-        listeners = [{
-          bind_addresses = [ "::1" ];
-          port           = 8008;
-          type           = "http";
-          tls            = false;
-          x_forwarded    = true;
-          resources      = [
-            { names = [ "client" ];     compress = true; }
-            { names = [ "federation" ]; compress = false; }
-          ];
-        }];
-      };
-    };
-
-    nginx = {
-      enable       = true;
-      virtualHosts = let
-        matrixServerConfig = { "m.server" = "matrix.ctu.cx:443"; };
-        matrixClientConfig = { "m.homeserver" = { "base_url" = "https://matrix.ctu.cx"; }; "org.matrix.msc3575.proxy" = { "url" = "https://matrix.ctu.cx"; }; };
-      in {
-        # "ctu.cx" = {
-        #   enableACME = true;
-        #   forceSSL   = true;
-        #   kTLS       = true;
-        #   locations."/.well-known/matrix/server".extraConfig = ''
-        #     add_header Content-Type application/json;
-        #     return 200 '${builtins.toJSON matrixServerConfig}';
-        #   '';
-        #   locations."/.well-known/matrix/client".extraConfig = ''
-        #     add_header Content-Type application/json;
-        #     return 200 '${builtins.toJSON matrixClientConfig}';
-        #   '';
-        # };
-
-        "matrix.ctu.cx" = {
-          enableACME = true;
-          forceSSL   = true;
-          kTLS       = true;
-          locations  = {
-            "/_matrix".proxyPass = "http://[::1]:8008";
-#            "/_synapse".proxyPass = "http://[::1]:8008";
-#            "/admin/".alias = "${pkgs.synapse-admin}/";
-
-            "/.well-known/matrix/server".extraConfig = ''
-              add_header Content-Type application/json;
-              return 200 '${builtins.toJSON matrixServerConfig}';
-            '';
-
-            "/.well-known/matrix/client".extraConfig = ''
-              add_header Content-Type application/json;
-              return 200 '${builtins.toJSON matrixClientConfig}';
-            '';
-
-            "/".root = pkgs.cinny.override {
-              conf = {
-                defaultHomeserver = 0;
-                homeserverList    = [
-                  "matrix.ctu.cx"
-                ];
-                allowCustomHomeservers = false;
-                hashRouter.enabled     = true;
-              };
-            };
-          };
-        };
-
-      };
-    };
-
-  };
-
-}
diff --git a/secrets/hector/matrix-synapse/registration_shared_secret.age b/secrets/hector/matrix-synapse/registration_shared_secret.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/hector/restic/matrix-synapse.age b/secrets/hector/restic/matrix-synapse.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -68,14 +68,9 @@ in {
 
 
   "trabbi/restic/mail.age".publicKeys                               = [ main-key trabbi ];
-  "trabbi/restic/matrix-synapse.age".publicKeys                     = [ main-key trabbi ];
 
   "trabbi/travelynx2fedi-env.age".publicKeys                        = [ main-key trabbi ];
 
-  "trabbi/matrix-synapse/registration_shared_secret.age".publicKeys = [ main-key trabbi ];
-  "trabbi/matrix-synapse/sliding-sync-env.age".publicKeys           = [ main-key trabbi ];
-  "trabbi/matrix-synapse/s3_secrets.age".publicKeys                 = [ main-key trabbi ];
-
   "trabbi/mail/password-katja-ctu.cx.age".publicKeys                = [ main-key trabbi ];
   "trabbi/mail/password-gts-ctu.cx.age".publicKeys                  = [ main-key trabbi ];
   "trabbi/mail/password-vaultwarden-ctu.cx.age".publicKeys          = [ main-key trabbi ];

@@ -91,6 +86,7 @@ in {
   "hector/restic/ctucx-things.age".publicKeys                       = [ main-key hector ];
   "hector/restic/gitolite.age".publicKeys                           = [ main-key hector ];
   "hector/restic/gotosocial.age".publicKeys                         = [ main-key hector ];
+  "hector/restic/matrix-synapse.age".publicKeys                     = [ main-key hector ];
 
   "hector/syncthing/key.age".publicKeys                             = [ main-key hector ];
   "hector/syncthing/cert.age".publicKeys                            = [ main-key hector ];

@@ -99,6 +95,8 @@ in {
   "hector/vaultwarden-secrets.age".publicKeys                       = [ main-key hector ];
   "hector/gotosocial-env.age".publicKeys                            = [ main-key hector ];
 
+  "hector/matrix-synapse/registration_shared_secret.age".publicKeys = [ main-key hector ];
+
 
   "wanderduene/wireguard-privkey.age".publicKeys                    = [ main-key wanderduene ];
   "wanderduene/restic-server-htpasswd.age".publicKeys               = [ main-key wanderduene ];
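Review bot: `"hector/matrix-synapse/registration_shared_secret.age"` replaces the trabbi entry removed in the earlier hunk, and the diff cannot show whether the value was regenerated or only re-encrypted for hector's key; since Synapse's registration shared secret allows account creation regardless of `enable_registration = false`, it is worth rotating it as part of the move rather than carrying a value that was decryptable with trabbi's key. The same consideration applies, with lower impact, to `"hector/restic/matrix-synapse.age"`. A short remark in the commit description stating that the moved secrets were regenerated would settle this for future readers.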
diff --git a/secrets/trabbi/matrix-synapse/registration_shared_secret.age b/secrets/trabbi/matrix-synapse/registration_shared_secret.age
@@ -1,11 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNjJwdmlKc1VCdit0RWlu
-U25sRC9ncWEyd29peEk4YU5CenY0K1ljYVUwCjU0cTZwSDQzc1kzclJNWDhqcVZn
-MHRuMFdLbmsxMDJRNWprcHVrOU42SkUKLT4gc3NoLWVkMjU1MTkgcThvY3pnIGlk
-aE5xakJ1RWVSWGE1RVVmTTREVkdOMjk5b1RvUWswaXJMd0ZHMHJQeVkKa1dUemc1
-MUhLemEwVXF1S2JxQWp0NDFGZDVOUWZ1cmRyaHA1RER1ampXcwotPiBZWiVcPilc
-Xi1ncmVhc2UgS3tpIEd5e2VeU0JMIDZvUkhxViA6bigyOApOZzM4YmtDcnkwRzJ5
-QXpvQVhDRVlDWkw4aWpDCi0tLSBDTnZNcEJvTm5xWks5UnU1OTlMclZ0TVNmb1Nt
-VDlDcTRZcVBNUUtMdGRvCikQTbQoO0aEvc9z8jQ7vvNXa0KeT98HNsLvIUuKYnlx
-hPoRTv23Ka9rHHnkLWHzqBJ5SsJtgOo4+2p3T5V/ejBT
------END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/matrix-synapse/s3_secrets.age b/secrets/trabbi/matrix-synapse/s3_secrets.age
@@ -1,15 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXSWV2UTUxK2RSalZ5VEdU
-NFhuS3hhN3JROGxVNDdLc25OM3o1TWZSOFFVCjJsN3dKYlV0TnQ0TU14UmEvMHds
-b1lYcmhDWnZDdkFtY2FTY2o1UGtoSU0KLT4gc3NoLWVkMjU1MTkgcThvY3pnIDh5
-S3V5K3cvU0VPY0ZFTEJoY1hqS3E3OWl0aFNhYWtCclArek5Qd2tHazgKb0haQllR
-UXlYamg5OE56NmpJcDZ1Qkx2dUd3MXMramYzYW82Z0dJaEFYRQotPiAmZSI9LWdy
-ZWFzZSB7JEpSQjYgUCAhWWl0SyhQbSArCklKVVArUHF6bGo4bnZTdTc1dVFrcHNC
-WlJEZmhMQVJEV3NtLzUwZmc1WmQzNUtETGlXMXFkT3J4SEd5Vm9jdUQKL0ZFbE9T
-ZURieE1uMUt2aUFvTkR6NmltM3poZlVpV2h4dTByMDB4WUp0WlhkZlZOK0RtU3VR
-Ci0tLSBaVzk3SHZnazFmNTczcVFmTjNURSswT0xDWnYzV05qNG9JbWFsUlhnQXQ0
-CvRFgDFtM7PEVwAulmFZiSNanf4bECQhlg1+7ndfXAaoNiL/ZW/Vf3I3cx38tXNJ
-rZOT/OxzkRsGbjNlfEpBh4ziezLrnEAi85cYdgIj/PeXJmbkBOmgLnj1XZ4fQ7g/
-N8vFXKaRMmaftqK4oeMfpwZf3b/LHuVQ1bwwsp4+hOeJgglhlxSKLNn4nBmTxK4F
-iKsBmL/JRhlpRaSEUDk6dowZ+Fo=
------END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/matrix-synapse/sliding-sync-env.age b/secrets/trabbi/matrix-synapse/sliding-sync-env.age
@@ -1,11 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYmUxdmdQRFhjMW13OCth
-UVpJd0VGKzBDbDNCNS91MytGSjJWbzFDT1JRCjE1OFpjeFRyNVdQNUUwbHl2OHgz
-QzU1enlJV0VFY2NQeSs3V3YvNW1pa0kKLT4gc3NoLWVkMjU1MTkgcThvY3pnIGVK
-YkZlaUhZRXdQSk9CMTJwZUc5TVFmdHhMUWV2c3l2ZklNamdiVFpxUmcKS2d5bFNk
-aHdOVFprT1JzYk9Pb1NCckd3YW1KcElhUXRmcHVYNDNUcDAzYwotPiBjfi1ncmVh
-c2UKMmVrMHErK0dIMkJUdm9lNWs2TmxVZjJKencKLS0tIGxuMG1DOFdoMXNYNlNF
-dGFwbDdKa0F2eTdkVFN5V01idmd1cmxSVFlvMHcKe6Iy/7KSvhOi7XXIGQwRYCTI
-MdIr7KXqEczjvICgzcVeb+9pr19ESwoLABdELKftctM4uBdeoEXjTXM8AOlD+WEz
-Fkd0pGLxDYiHsWpVAOkeiqDFhI4uy1m1enmorYSiARXD4N3OtadgzuAFnusu1g==
------END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/restic/matrix-synapse.age b/secrets/trabbi/restic/matrix-synapse.age
@@ -1,12 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQ21PTkcxbDlieWZWVlUx
-U1Y3T3gvWTdMT0tPTWVFdzhzTXdXdmFzYmo4CmxsekJqVHM1RmNJVklUL3ZVWTNI
-OHQ2aG5IRkNaODNiYmhYMVNNNXlDVk0KLT4gc3NoLWVkMjU1MTkgcThvY3pnIDhZ
-M053cjdPMGdaOE1rY1lSSklJOFYzUWM0NFVvZWVaOWpaTVFDMFdtd0UKUS9OQWZV
-RldEaC9Rc24zaURRcHRlWUdHSEpHclFGRmJZWjJNSElRZG1qOAotPiBeaUFtIWRF
-LWdyZWFzZSBgT11DbEk/WyBlPnt9bWEge0gge3B4TVYzfl4KdXhaRHZqZFJpVzZL
-ZzhlZGFqaXBvYTc3SkkvZVo3ZkJoQXl3VVRxT0dlWE5BZ21uU0FZbDJUV1ZWVkk1
-ZTIzagpjNXNIaHcwS1AwSm9NSHRtV2hmVW1aSFV1QWp4M3cKLS0tIE4yRmpYVUcx
-MUEvazMxd1dwZExKUnQrSTJ0RFlpZDNCMUltMytZMUlVVGcKfR0wBbp649MauNFV
-QPoHVQ6Uofme9/ogS1lZShgRioV4z7AfNhkvSuPZ1CuaV3rp3QHH2qgRZOlAiA==
------END AGE ENCRYPTED FILE-----