diff --git a/hosts/default.nix b/hosts/default.nix
index de8e4d2..66865e8 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -142,6 +142,8 @@
 "restic-hetzner-password" = {};
 "minio-credentials".owner = "minio";
 "aws-credentials".owner = "hercules-ci-agent";
+ "hass-ssh-key".owner = "hass";
+ "matrix-registration-shared-secret".owner = "matrix-synapse";
 };
 };
 };
diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix
index 01818df..1e33ebf 100644
--- a/hosts/sisko/default.nix
+++ b/hosts/sisko/default.nix
@@ -28,6 +28,7 @@
 "restic"
 "syncthing"
 "minio"
+ "matrix"
 ]
 ++ [
 ./disko.nix
diff --git a/modules/cloudflare-dyndns/default.nix b/modules/cloudflare-dyndns/default.nix
index c7beae2..d9c40b5 100644
--- a/modules/cloudflare-dyndns/default.nix
+++ b/modules/cloudflare-dyndns/default.nix
@@ -4,13 +4,15 @@
 ipv4 = true;
 ipv6 = false; # not anymore 😭
 domains = [
- # "sevenofnix.aciceri.dev"
+ "aciceri.dev"
+ "git.aciceri.dev"
 "home.aciceri.dev"
 "torrent.aciceri.dev"
 "search.aciceri.dev"
 "invidious.aciceri.dev"
 "vpn.aciceri.dev"
 "cache.aciceri.dev"
+ "matrix.aciceri.dev"
 ];
 apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
 };
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
new file mode 100644
index 0000000..c248ac3
--- /dev/null
+++ b/modules/matrix/default.nix
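Review bot: `"hass-ssh-key".owner = "hass"` provisions an SSH private key onto the host, but nothing else in this commit reads `config.age.secrets.hass-ssh-key.path`, so the decrypted key would sit on sisko (the only host recipient in secrets.nix) without a visible consumer; if the Home Assistant configuration that uses it is still to come, a one-line comment such as `# consumed by the Home Assistant module (<module path placeholder>)` next to the entry would record the dependency. The `hass` user must exist at activation time for the ownership to apply; presumably the Home Assistant module creates it, but that is not visible in this diff. The enclosing `age.secrets` attribute set begins before this hunk.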
@@ -0,0 +1,77 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ clientConfig."m.homeserver".base_url = "https://matrix.aciceri.dev";
+ serverConfig."m.server" = "matrix.aciceri.dev:443";
+ mkWellKnown = data: ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+in {
+ imports = [../nginx-base];
+
+ services.nginx.virtualHosts = {
+ "aciceri.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+ "matrix.aciceri.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://127.0.0.1:${builtins.toString (lib.head config.services.matrix-synapse.settings.listeners).port}";
+ locations."/_matrix".proxyPass = "http://localhost:8008";
+ locations."/_synapse/client".proxyPass = "http://localhost:8008";
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = "aciceri.dev";
+ public_baseurl = "https://matrix.aciceri.dev";
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = ["127.0.0.1"];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = ["client" "federation"];
+ compress = true;
+ }
+ ];
+ }
+ ];
+ };
+ extraConfigFiles = [config.age.secrets.matrix-registration-shared-secret.path];
+ };
+
+ backup.paths = [
+ "/var/lib/matrix-synapse"
+ "/var/backup/postgresql/matrix-synapse.sql.gz"
+ ];
+
+ services.postgresqlBackup = {
+ enable = true;
+ databases = ["matrix-synapse"];
+ };
+}
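Review bot: `locations."/".proxyPass` on the `matrix.aciceri.dev` vhost forwards every path to Synapse, which makes the narrower `/_matrix` and `/_synapse/client` locations redundant and publicly exposes everything else the client listener serves, including the `/_synapse/admin` API; Synapse's reverse-proxy guidance is to proxy only those two prefixes, so the `"/"` location should be dropped. The two remaining locations hard-code `http://localhost:8008` while the dropped one derived the port from `config.services.matrix-synapse.settings.listeners`, and the listener binds only `127.0.0.1`; keeping one derived value avoids the two drifting apart, e.g. `synapseUrl = "http://127.0.0.1:${builtins.toString (lib.head config.services.matrix-synapse.settings.listeners).port}";` in the `let` and `locations."/_matrix".proxyPass = synapseUrl;` / `locations."/_synapse/client".proxyPass = synapseUrl;`. Separately, `initialScript` bakes `PASSWORD 'synapse'` into a world-readable store path; with NixOS's default local peer authentication over the Postgres Unix socket that password is never used, so `CREATE ROLE "matrix-synapse" WITH LOGIN;` is sufficient unless a TCP database connection is configured elsewhere.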
diff --git a/secrets/hass-ssh-key.age b/secrets/hass-ssh-key.age
new file mode 100644
index 0000000..689dc4a
Binary files /dev/null and b/secrets/hass-ssh-key.age differ
diff --git a/secrets/matrix-registration-shared-secret.age b/secrets/matrix-registration-shared-secret.age
new file mode 100644
index 0000000..cd63cd9
--- /dev/null
+++ b/secrets/matrix-registration-shared-secret.age
@@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-rsa /AagBw
+UlR5iCI7jZnIqgfUm7fHrwgJroFYlqA+F8aZudS/i/RjJ6b8ldqdZnefydc+XY9i
+PeAAqAdEVpC0Dae5q4BoWFb0uS5PQPOBmnYqnSm0NMEcGizzpnF+XJL1wPLur/J9
+TRUHHA9MRvVF5QoXrm2wsqQxstnUPZU4ObA+JgnXArMw31aTPOc8KmZWTQKPg2YM
+PyH1Q2Vc3HHKi4CyY2rl18e8JaJGiifrIATl0+/hsfJnOT8o54HcT11b096hiRqU
+NEdH92y4x+hF0dStTPBIEwzLiM2CVght5lR89Lvh3ZP7b10yswB+EKkH1kwcziyn
+3Hq7RM0+jNKbedyViCAuVeis5PezQlFe3yf9eR9YMJdSjhgflLU2KQ3NnXHYoJJ/
+A1XitzFOwKTSEQqHQs2yjTNa3XcoyNDxH49q/svECHmYZamPsc1Ac8cIJOeFf+Id
+xoa0zKJhSZOBwIz5+PrbNN4lYD88sbT6wspQoJwFOvqCx87kwb3HouG0rwDq57BN
+QxybvD7Vz7JPr6D15uWGhNldabvhr+pMt+17wS+DmdjO08iHrwxTrzyvvc86vxhg
+9IvAF3mhIQvBuV9yLSTGE+J8ngp3f6PUfj0CHZTpLpsBvmr83b1gqjVIpxnmJwIW
+MZpPv/x3o81kxyibFA75T+PhGlOPOybZpleRwmLazy4
+-> ssh-rsa QHr3/A
+HjOVYJ5qow3EL+ccqD/8azBdhynKeoSYDMOf9etmemrnBLigJzpoFFjlqyMmfFVj
+vjGvVok/iPO6rrmA27UpEiU6arW8IO1N0IUTulpMYNoDUEWPUHdCQv0pHfArEMi0
+KN37mpm22nusOL3bm8goIcyVFzqP83wGsQXamVjwYLI34XlD2d4ugxWtejoYK/rR
+4xbpgnQv3KuyWuxa5eehBuSPZVcBTwzF3sE9/7UFWZxSeHIpV+S8qoj/kfezqVUl
+lUoXC1uupwT5iNYs7NJ3WZZxWjYdpZdR01K8Z8GAh2BDsVXBBZfxmPZwcr+Ri7Gk
+Ai3AGyw7JyO7YeVXeiGze52fkxzxZmCuN8fKoxi5fgrt3sJMUurXnsCTOAPPj9oE
+FCUT9eGO3mxf213XHEySfhS1C0yEruCtJnmclr3bkFNKVFyM71ABOp8sQwsNuBeB
+3WeufPGCXliV7w+NuNBfa0NAemqDOWmTqZHQEv/D3gLBAiUxtm3Rd5wVkcY0Qy3X
+nq0VyMU+LEcC5h9HvJNnEbUzADR0bab/5jbKfbTrJVimCr6fQmkd8+ua6oGa++Jh
+7BrHauQnVKp5tKnvgUaMWfOp40pjMxUzb1JQMkVD5+uKqD+aUD2SDKODC/FKOLC0
+wNoSoE4m5vNy3SLjY66cVT2Mh80fs6GULqE05k2r5SQ
+-> ssh-ed25519 OgJHCw OjjSmtLRB+pMtn+5NfDQ1FGMgQttjkoN04gs0aIuRHM
+vRwkDC8EewSDLTbB3ZNZO1d3TjulShkeDjjrAFpu2Cc
+--- 4q2bfImq0xXD0apHMUgoP+oNRg9Yr8t1SXpHYtCW0ZE
+[jlE; CoR&lPo5Z>tl h/o~r3+KLg9P l#FN{7tSg+Y)kt T>p
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index d0162d1..1c7a8ca 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -20,6 +20,8 @@ in
 "chatgpt-token.age".publicKeys = [ccr-ssh ccr-gpg kirk mothership picard];
 "cloudflare-dyndns-api-token.age".publicKeys = [ccr-ssh ccr-gpg sisko];
 "restic-hetzner-password.age".publicKeys = [ccr-ssh ccr-gpg picard sisko kirk];
+ "hass-ssh-key.age".publicKeys = [ccr-ssh ccr-gpg sisko];
+ "matrix-registration-shared-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko];
 # WireGuard
 "picard-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg picard];