
commit 7fd7575a88b1b81863b290eaae884e72e21294c5
parent 34258747abddefa67312ccdd634f6dee77e03bcf
Author: Leah (ctucx) <git@ctu.cx>
Date: Tue, 11 Jun 2024 18:32:34 +0200

machines/wanderduene: add matrix-dendrite service
4 files changed, 100 insertions(+), 0 deletions(-)
M
machines/wanderduene/configuration.nix
|
2
++
A
machines/wanderduene/dendrite.nix
|
82
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
secrets/secrets.nix
|
2
++
A
secrets/wanderduene/matrix-dendrite/private-key.age
|
14
++++++++++++++
diff --git a/machines/wanderduene/configuration.nix b/machines/wanderduene/configuration.nix
@@ -16,6 +16,8 @@
 
     ./3proxy.nix
 
+    ./dendrite.nix
+
     ./websites
   ] ++ (if nodes.briefkasten.config.networking.usePBBUplink != true then [
     ./reverse-proxy-briefkasten.nix
diff --git a/machines/wanderduene/dendrite.nix b/machines/wanderduene/dendrite.nix
@@ -0,0 +1,81 @@
+{ pkgs, lib, config, ... }:
+
+{
+
+  dns.zones."ctu.cx".subdomains.dendrite.CNAME = [ "${config.networking.fqdn}." ];
+
+  age.secrets = {
+  #   restic-matrix-synapse.file        = ./. + "/../../../secrets/${config.networking.hostName}/restic/matrix-synapse.age";
+  #   matrix-sliding-sync-env.file      = ./. + "/../../../secrets/${config.networking.hostName}/matrix-dendrite/sliding-sync-env.age";
+    matrix-private-key = {
+      file  = ./. + "/../../secrets/${config.networking.hostName}/matrix-dendrite/private-key.age";
+      owner = "dendrite";
+    };
+  };
+
+
+  services.matrix-synapse.sliding-sync = {
+    enable = false;
+    environmentFile = config.age.secrets.matrix-sliding-sync-env.path;
+    settings = {
+      SYNCV3_SERVER   = "https://dendrite.ctu.cx";
+      SYNCV3_BINDADDR = "[::1]:8009";
+    };
+  };
+
+  users.groups.dendrite = {};
+  users.users.dendrite = {
+    isSystemUser = true;
+    home = "/var/lib/dendrite";
+    group = "dendrite";
+  };
+
+  systemd.services.dendrite.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "dendrite";
+    Group = "dendrite";
+  };
+
+  services.dendrite = {
+    enable = true;
+    openRegistration = false;
+    settings = {
+      global.server_name = "dendrite.ctu.cx";
+      global.private_key = config.age.secrets.matrix-private-key.path;
+
+      global.well_known_server_name = "dendrite.ctu.cx:443";
+      global.well_known_client_name = "https://dendrite.ctu.cx";
+
+      client_api.registration_disabled = true;
+    };
+  };
+
+  services.nginx = {
+    enable       = true;
+    virtualHosts = {
+      "dendrite.ctu.cx" = {
+        enableACME = true;
+        forceSSL   = true;
+        kTLS       = true;
+        locations  = {
+          "/.well-known".proxyPass = "http://[::1]:8008";
+          "/_matrix".proxyPass = "http://[::1]:8008";
+          "/_matrix/client/unstable/org.matrix.msc3575/".proxyPass = "http://[::1]:8009/_matrix/client/unstable/org.matrix.msc3575/";
+#            "/_synapse".proxyPass = "http://[::1]:8008";
+#            "/admin/".alias = "${pkgs.synapse-admin}/";
+          "/".root             = pkgs.cinny.override {
+            conf = {
+              defaultHomeserver = 0;
+              homeserverList    = [
+                "dendrite.ctu.cx"
+              ];
+              allowCustomHomesevrers = false;
+            };
+          };
+        };
+      };
+
+    };
+  };
+  
+}+
\ No newline at end of file
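Review bot: `allowCustomHomesevrers = false;` in the cinny override is misspelled (Cinny's config key is `allowCustomHomeservers`), so the unknown key is presumably ignored and the bundled client keeps offering a free-form homeserver field instead of being pinned to `dendrite.ctu.cx`; the intended line is `allowCustomHomeservers = false;`. Separately, the `/_matrix/client/unstable/org.matrix.msc3575/` location proxies to `[::1]:8009`, but `services.matrix-synapse.sliding-sync.enable = false` in the same file, so those requests land on a port nothing listens on and fail with a 502 until sliding-sync is actually enabled; either drop that location for now or enable the service so the vhost and the backend agree. That sliding-sync block also sets `environmentFile = config.age.secrets.matrix-sliding-sync-env.path` while the matching `age.secrets.matrix-sliding-sync-env` entry is commented out above it, so the reference presumably only evaluates cleanly because the option is disabled, and flipping `enable = true` without restoring the secret would likely break evaluation. The two commented-out secret paths also use `/../../../secrets/` where the live `matrix-private-key` entry uses `/../../secrets/`, which suggests they were copied from a deeper directory and will need adjusting before they are uncommented.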
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -91,4 +91,6 @@ in {
   "wanderduene/restic-server-htpasswd.age".publicKeys               = [ leah wanderduene ];
   "wanderduene/rclone-config.age".publicKeys                        = [ leah wanderduene ];
 
+  "wanderduene/matrix-dendrite/private-key.age".publicKeys          = [ leah wanderduene ];
+
 }
diff --git a/secrets/wanderduene/matrix-dendrite/private-key.age b/secrets/wanderduene/matrix-dendrite/private-key.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----