move around

Kopatz
2024-03-28 14:55:31 +01:00
parent 6b1f2cf9de
commit 9b088ec40a
17 changed files with 79 additions and 78 deletions


@@ -0,0 +1,117 @@
{ config, pkgs, inputs, vars, ... }:
let
ip = vars.ipv4;
wireguardIp = vars.wireguardIp;
in
{
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
services.adguardhome = {
enable = true;
settings = {
schema_version = 20;
users = [
{
name = "admin";
password = "$2y$15$iPzjmUJPTwWUOsDp46GOPO/LYor/jDJjndwy2QlPddaKSD4QXvq9W";
}
];
dns = {
bind_hosts = [ "127.0.0.1" ip wireguardIp ];
port = 53;
protection_enabled = true;
filtering_enabled = true;
upstream_dns = [
"https://doh.tiar.app/dns-query"
"tls://getdnsapi.net"
"https://dns.adguard-dns.com/dns-query"
"tls://dot.seby.io"
];
use_http3_upstreams = true;
rewrites = [
{
"domain" = "kopatz.ddns.net";
"answer" = ip;
}
{
"domain" = "server.home";
"answer" = ip;
}
{
"domain" = "server.home.arpa";
"answer" = ip;
}
{
"domain" = "activitytracker.site";
"answer" = ip;
}
{
"domain" = "adguard.home.arpa";
"answer" = ip;
}
{
"domain" = "nextcloud.home.arpa";
"answer" = ip;
}
{
"domain" = "kavita.home.arpa";
"answer" = ip;
}
{
"domain" = "yt.home.arpa";
"answer" = ip;
}
{
"domain" = "nextcloud.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "kavita.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "yt.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "turnserver.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "inverter.home.arpa";
"answer" = "192.168.0.9";
}
];
};
querylog = {
enabled = false;
};
filters = [
{
enabled = true;
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
name = "adguard dns list";
id = 1;
}
{
enabled = true;
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
name = "adguard block list";
id = 2;
}
{
enabled = true;
url = "https://dbl.oisd.nl/";
name = "big block list";
id = 3;
}
];
dhcp = { enabled = false; };
dhcpv6 = { enabled = false; };
tls = {
enabled = true;
};
};
};
}
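Review bot: The bcrypt hash on L28 lives inside `services.adguardhome.settings`, which the NixOS module serializes to a file in the Nix store, so the admin password hash ends up world-readable on the host and is also committed to the repository. Every other service in this commit keeps credentials in agenix files (`age.secrets.*` with `owner`/`group`), and the hash deserves the same treatment; as far as I can tell the module has no secret-file hook for `users`, so the least invasive route is to drop the `users` entry here and let AdGuard keep its own user list (`mutableSettings = true`), or to inject the hash at runtime from a secret. Separately, `tls = { enabled = true; }` on L123–L125 names no certificate, key or TLS port, so it is unclear what that listener would serve; either fill in the cert paths or leave TLS to the nginx vhost in the website config and set `enabled = false` with a comment saying so.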


@@ -0,0 +1,73 @@
{ config, pkgs, lib, inputs, ... }:
{
age.secrets.coturn-secret = {
file = ../../secrets/coturn-secret.age;
owner = "turnserver";
group = "turnserver";
};
networking.firewall.allowedUDPPortRanges = [ { from = 49000; to=50000; } ];
networking.firewall.allowedUDPPorts = [ 3478 ]; #5349 ];
networking.firewall.allowedTCPPorts = [ 3478 ]; #5349 ];
services.coturn = {
enable = true;
no-cli = true;
#tls-listening-port = 5349;
listening-port = 3478;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = config.age.secrets.coturn-secret.path;
relay-ips = [
"192.168.2.1"
];
listening-ips = [
"192.168.2.1"
];
realm = "kopatz.ddns.net";
#cert = "${config.security.acme.certs."kopatz.ddns.net".directory}/full.pem";
#pkey = "${config.security.acme.certs."kopatz.ddns.net".directory}/key.pem";
extraConfig = ''
no-sslv3
no-tlsv1
no-tlsv1_1
no-tlsv1_2
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
allowed-peer-ip=192.168.2.0-192.168.2.255
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
#systemd.services.coturn = {
# serviceConfig = {
# User = lib.mkForce "root";
# Group = lib.mkForce "root";
# };
# };
}
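Review bot: The comment `# ban private IP ranges` on L168 is contradicted by the next line, `allowed-peer-ip=192.168.2.0-192.168.2.255`, which (per coturn's documentation, allowed ranges override denied ones) explicitly permits relaying into one private subnet; a reader skimming the deny list would miss that exception, so reword it to `# deny relaying to private ranges, except the WireGuard subnet (allowed-peer-ip overrides the denies)`. `verbose` on L167 is labelled "for debugging" but ships in the relay config; coturn's verbose mode logs peer addresses for every allocation, so drop it once debugging is done. `192.168.2.1` is written literally on L153 and L156 while sibling files take `vars.wireguardIp`; if it is the same address, `relay-ips = [ vars.wireguardIp ];` keeps them from drifting (the module arguments would need `vars` added on L133).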


@@ -0,0 +1,12 @@
{ config, pkgs, lib, inputs, ... }:
{
age.secrets.duckdns = {
file = ../../secrets/duckdns.age;
};
services.ddclient = {
enable = true;
protocol = "duckdns";
passwordFile = config.age.secrets.duckdns.path;
domains = ["wachbirn.duckdns.org"];
};
}


@@ -0,0 +1,42 @@
{ config, pkgs, lib, inputs, ... }:
{
nixpkgs.config.permittedInsecurePackages = [
"nodejs-16.20.2"
];
users.groups.github-actions-runner = {};
users.users.github-actions-runner = {
isSystemUser = true;
hashedPasswordFile = config.age.secrets.github-runner-pw.path;
group = "github-actions-runner";
extraGroups = [ "docker" ];
};
age.secrets.github-runner-token = {
file = ../../secrets/github-runner-token.age;
owner = "github-actions-runner";
group = "github-actions-runner";
};
age.secrets.github-runner-pw = {
file = ../../secrets/github-runner-pw.age;
owner = "github-actions-runner";
group = "github-actions-runner";
};
systemd.tmpfiles.rules = [
"d /github-actions-runner 0770 github-actions-runner github-actions-runner -"
"d /data 0770 github-actions-runner nginx -"
"d /data/website 0770 github-actions-runner nginx -"
];
services.github-runner = {
enable = true;
name = "nixos-server";
tokenFile = config.age.secrets.github-runner-token.path;
url = "https://github.com/oberprofis";
user = "github-actions-runner";
workDir = "/github-actions-runner";
extraPackages = with pkgs; [ rsync nodePackages.pnpm nodejs_18 ];
serviceOverrides = {
BindPaths= [ "/github-actions-runner" "/data/website" ];
UMask = "022";
};
};
}
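Review bot: Adding the runner account to `docker` on L232 makes it root-equivalent on the host, since anything that can use the Docker socket can mount the host filesystem, and with an organisation-level `url` (L253) every repository allowed to use this runner inherits that power. If the organisation has public repositories, the GitHub-side runner-group restriction to private repositories is the control to verify; rootless Docker or a scoped `podman` socket would remove the root equivalence altogether. `permittedInsecurePackages = [ "nodejs-16.20.2" ]` on L224–L226 is not referenced by `extraPackages` (which lists `nodejs_18`), so if the allowance exists for a dependency of the runner package itself, a comment such as `# pulled in by <package that needs it> — TODO confirm` would stop a future reader from removing or keeping it blindly.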


@@ -0,0 +1,19 @@
{ config, pkgs, ... }:
{
services.home-assistant = {
enable = true;
extraComponents = [
# Components required to complete the onboarding
"esphome"
"met"
"radio_browser"
"fronius"
"adguard"
];
config = {
# Includes dependencies for a basic setup
# https://www.home-assistant.io/integrations/default_config/
default_config = {};
};
};
}


@@ -0,0 +1,63 @@
{ config, vars, ...} :
let
fqdn = "yt.home.arpa";
useHttps = config.services.step-ca.enable;
in
{
age.secrets.invidious-extra-settings = {
file = ../../secrets/invidious-extra-settings.age;
mode = "444";
};
services.invidious = {
enable = true;
domain = fqdn;
port = 8007;
database = {
createLocally = true;
};
settings = {
db = {
user = "invidious";
dbname = "invidious";
};
host_binding = "127.0.0.1";
external_port = if useHttps then 443 else 80;
https_only = useHttps;
use_quic = useHttps;
statistics_enabled = false;
registration_enabled = true;
login_enabled = true;
captcha_enabled = false;
admins = [ ];
use_pubsub_feeds = false;
channel_refresh_interval = "15m";
dark_mode = "dark";
autoplay = true;
};
extraSettingsFile = config.age.secrets.invidious-extra-settings.path;
nginx.enable = false;
};
security.acme.certs."${fqdn}".server = "https://127.0.0.1:8443/acme/acme/directory";
services.nginx.virtualHosts."${fqdn}" = {
forceSSL = useHttps;
enableACME = useHttps;
quic = useHttps;
http3 = useHttps;
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://127.0.0.1:8007";
};
};
}
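Review bot: `mode = "444"` on L298 makes the decrypted `invidious-extra-settings` file readable by every local account, which on this host includes the `github-actions-runner` user (and hence any CI job) defined elsewhere in this commit. If that file carries Invidious secrets such as the HMAC key, it should be owner-restricted like the other `age.secrets` blocks in this commit: set `owner`/`group` to the account the service reads it as and drop the world-readable mode. Separately, `registration_enabled = true` together with `captcha_enabled = false` (L317–L319) allows unattended sign-ups; acceptable behind a LAN-only vhost, but a one-line comment stating that assumption would keep it from being copied to an exposed host.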


@@ -0,0 +1,74 @@
{ config, pkgs, lib, inputs, ... }:
let
fqdn = "kavita.home.arpa";
useHttps = config.services.step-ca.enable;
baseDir = "/mnt/1tbssd/kavita";
mangal = "${pkgs.mangal}/bin/mangal";
in
{
networking.firewall.allowedTCPPorts = [ 5000 ];
systemd.tmpfiles.rules = [
"d ${baseDir} 0770 kavita kavita -"
"d ${baseDir}/manga 0770 kavita kavita -"
];
age.secrets.kavita = {
file = ../../secrets/kavita.age;
owner = "kavita";
group = "kavita";
};
services.kavita = {
enable = true;
user = "kavita";
port = 5000;
dataDir = baseDir;
tokenKeyFile = config.age.secrets.kavita.path;
};
#todo: base url needs new kavita version
systemd.services.kavita = {
preStart = ''
umask u=rwx,g=rx,o=
cat > "/mnt/1tbssd/kavita/config/appsettings.json" <<EOF
{
"TokenKey": "$(cat ${config.age.secrets.kavita.path})",
"Port": 5000,
"BaseUrl" : "/books",
"IpAddresses": "${lib.concatStringsSep "," ["0.0.0.0" "::"]}"
}
EOF
'';
};
systemd.services.download-manga = {
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
startAt = "*-*-* 19:00:00";
script = ''
${mangal} inline -S Mangapill -q omniscient -m first -d
${mangal} inline -S Mangapill --query "oshi-no-ko" --manga first --download
'';
serviceConfig = {
PrivateTmp = true;
User = "kavita";
Group = "kavita";
Type = "oneshot";
WorkingDirectory = "${baseDir}/manga";
};
};
security.acme.certs."${fqdn}".server = "https://127.0.0.1:8443/acme/acme/directory";
services.nginx.virtualHosts."${fqdn}" = {
forceSSL = useHttps;
enableACME = useHttps;
quic = useHttps;
http3 = useHttps;
locations."/".proxyPass = "http://127.0.0.1:5000";
locations."/".extraConfig = ''
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept";
'';
};
}
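Review bot: Kavita is bound to every address (`"IpAddresses": "0.0.0.0,::"`, L379) and L353 opens TCP 5000 in the firewall, so clients can reach it over plain HTTP on port 5000 and bypass the nginx vhost that carries TLS and the CORS headers. If nginx is meant to be the only entry point, bind Kavita to loopback and drop the firewall rule: `"IpAddresses": "127.0.0.1"` and remove `networking.firewall.allowedTCPPorts = [ 5000 ];`. The path on L374 is hard-coded although `baseDir` already holds it; `cat > "${baseDir}/config/appsettings.json" <<EOF` keeps the two in sync. The CORS block on L409–L411 combines `Access-Control-Allow-Origin *` with an allowed `Authorization` header, which is wider than needed if only the same-origin Kavita UI calls the API; a comment naming the cross-origin client that requires it would justify keeping it.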


@@ -0,0 +1,66 @@
{ pkgs, ...}:
{
services.minecraft-server = {
enable = true;
eula = true;
openFirewall = true;
package = pkgs.unstable.papermc;
declarative = true;
whitelist = {
coolBayram = "514afd03-8ca2-4f60-abe4-4c2a365d223b";
filipus098 = "a09fb009-be78-4e26-9f33-1534186e2228";
};
serverProperties = {
allow-flight=true;
allow-nether=true;
broadcast-console-to-ops=true;
broadcast-rcon-to-ops=true;
debug=false;
difficulty="hard";
enable-command-block=false;
enable-jmx-monitoring=false;
enable-query=false;
enable-rcon=false;
enable-status=true;
enforce-secure-profile=true;
enforce-whitelist=false;
entity-broadcast-range-percentage=100;
force-gamemode=false;
function-permission-level=2;
gamemode="survival";
generate-structures=true;
hardcore=false;
hide-online-players=false;
initial-enabled-packs="vanilla";
level-name="budak";
level-type="minecraft\:normal";
log-ips=true;
max-chained-neighbor-updates=1000000;
max-players=5;
max-tick-time=60000;
max-world-size=29999984;
motd="A Minecraft Server";
network-compression-threshold=256;
online-mode=true;
op-permission-level=4;
player-idle-timeout=0;
prevent-proxy-connections=false;
pvp=true;
"query.port"=25565;
rate-limit=0;
"rcon.password"="123asdadsqwe123123";
"rcon.port"=25575;
require-resource-pack=false;
server-port=25565;
simulation-distance=10;
spawn-animals=true;
spawn-monsters=true;
spawn-npcs=true;
spawn-protection=16;
sync-chunk-writes=true;
use-native-transport=true;
view-distance=10;
white-list=true;
};
};
}
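Review bot: `"rcon.password"="123asdadsqwe123123"` on L469 puts a plaintext credential into the repository and the Nix store; `enable-rcon=false` on L441 keeps it unused today, but the value stays in git history and becomes live the moment RCON is switched on. Remove the line (a disabled RCON needs no password) or source it from an agenix secret like the other services in this commit. `openFirewall = true` exposes 25565 on every interface, and `white-list=true` with `online-mode=true` is what guards that; `enforce-whitelist=false` only means whitelist edits do not kick already-connected players, so a short comment saying so would prevent someone from "fixing" it.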


@@ -0,0 +1,59 @@
{ vars, ... }:
let
ip = vars.ipv4;
wireguardIp = vars.wireguardIp;
in
{
networking.firewall.allowedTCPPorts = [ 19999 ];
services.netdata = {
enable = true;
configText = ''
[global]
update every = 2
[web]
default port = 19999
bind to = ${ip} ${wireguardIp}
allow connections from = localhost 192.168.0.* 192.168.2.*
[db]
# number of tiers used (1 to 5, 3 being default)
storage tiers = 3
# Tier 0, per second data
dbengine multihost disk space MB = 256
# Tier 1, per minute data
dbengine tier 1 multihost disk space MB = 128
dbengine tier 1 update every iterations = 60
# Tier 2, per hour data
dbengine tier 2 multihost disk space MB = 64
dbengine tier 2 update every iterations = 60
[logs]
error = syslog
[plugins]
timex = no
idlejitter = no
# netdata monitoring = yes
tc = no
# diskspace = yes
# proc = yes
# cgroups = yes
statsd = no
#enable running new plugins = yes
#check for new plugins every = 60
slabinfo = no
nfacct = no
charts.d = no
python.d = no
go.d = no
ioping = no
perf = no
freeipmi = no
apps = yes
'';
};
}
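Review bot: The netdata dashboard has no authentication of its own, so the `allow connections from` pattern on L504 is the only gate once 19999 is open in the firewall (L495) and the daemon binds to the LAN and WireGuard addresses (L503). That is fine for a trusted LAN, but it should be stated, e.g. `# dashboard is unauthenticated: IP allow-list is the only access control`, and the management/config endpoints deserve the same explicit treatment (`allow management from` and `allow netdata.conf from` default to localhost, which is worth pinning in the file rather than relying on the default).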


@@ -0,0 +1,78 @@
{ config, pkgs, lib, inputs, vars, ... }:
let
wireguardIp = vars.wireguardIp;
fqdn = "nextcloud.home.arpa";
useHttps = config.services.step-ca.enable;
in
{
security.acme.certs."${fqdn}".server = "https://127.0.0.1:8443/acme/acme/directory";
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"${fqdn}" = {
serverAliases = [ wireguardIp ];
## Force HTTP redirect to HTTPS
forceSSL = useHttps;
enableACME = useHttps;
locations."~ \\.php(?:$|/)".extraConfig = ''
client_max_body_size 20G;
'';
};
};
};
age.secrets.nextcloud-admin = {
file = ../../secrets/nextcloud-admin.age;
owner = "nextcloud";
group = "nextcloud";
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud27;
https = true;
hostName = "nextcloud.home.arpa";
config.adminpassFile = config.age.secrets.nextcloud-admin.path;
config.dbtype = "pgsql";
database.createLocally = true;
config.extraTrustedDomains = [ wireguardIp "nextcloud.home.arpa" ];
home = "/mnt/250ssd/nextcloud";
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit onlyoffice calendar mail;
spreed = pkgs.fetchNextcloudApp rec {
url = "https://github.com/nextcloud-releases/spreed/releases/download/v17.1.1/spreed-v17.1.1.tar.gz";
sha256 = "sha256-LaUG0maatc2YtWQjff7J54vadQ2RE4X6FcW8vFefBh8=";
license = "agpl3";
};
};
phpOptions = {
upload_max_filesize = lib.mkForce "20G";
post_max_size = lib.mkForce "20G";
};
extraAppsEnable = true;
extraOptions.enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
}
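Review bot: `https = true` on L583 is unconditional while the vhost only forces TLS when `useHttps` (L567–L568), so with step-ca disabled Nextcloud would generate https URLs for a host served over plain HTTP; tie it to the same flag with `https = useHttps;`. The literal `"nextcloud.home.arpa"` on L584 and L588 duplicates `fqdn` from L548 — `hostName = fqdn;` and `config.extraTrustedDomains = [ wireguardIp fqdn ];` keep them in sync. The `sslCiphers` override on L561 pins an AES-256-only TLS 1.2 suite list copied from the wiki example and replaces the module's default list, which I believe mostly removes ChaCha20-Poly1305 for clients without AES acceleration; if that is intentional a comment should say so, otherwise dropping the line is the simpler choice.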


@@ -0,0 +1,86 @@
{ pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 80 443 ];
systemd.tmpfiles.rules = [
"d /data 0770 github-actions-runner nginx -"
"d /data/website 0770 github-actions-runner nginx -"
];
services.nginx = {
enable = true;
package = pkgs.nginxQuic;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"kopatz.ddns.net" = {
#serverAliases = [
# "www.kopatz.ddns.net"
# "server.home"
# "server.home.arpa"
# "192.168.0.6"
#];
root = "/data/website";
forceSSL = true;
enableACME = true;
quic = true;
http3 = true;
locations."~* \\.(jpg)$".extraConfig= ''
add_header Access-Control-Allow-Origin *;
'';
locations."~ ^/(stash|resources|css)".extraConfig=''
client_max_body_size 5000M;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:5091;
'';
locations."/tracker-site" = {
tryFiles = "$uri $uri/ /tracker-site/index.html =404";
};
locations."/tracker-site/api" = {
extraConfig =''
rewrite /tracker-site/api/(.*) /$1 break;
'';
proxyPass = "http://127.0.0.1:8080";
};
};
#discord bot for tracking useractivity public version
"activitytracker.site" = {
#serverAliases = [
# "localhost"
#];
root = "/data/website/tracker-site-public";
forceSSL = true;
enableACME = true;
quic = true;
http3 = true;
locations."/" = {
tryFiles = "$uri $uri/ /index.html =404";
};
locations."/api" = {
extraConfig =''
rewrite /api/(.*) /$1 break;
'';
proxyPass = "http://127.0.0.1:8081";
};
};
"adguard.home.arpa" = {
locations."/".proxyPass = "http://127.0.0.1:3000";
};
};
};
}
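Review bot: The `"adguard.home.arpa"` vhost on L697–L699 has no `forceSSL`/`enableACME`, unlike the other `*.home.arpa` hosts in this commit that get step-ca certificates, so the AdGuard admin login proxied to port 3000 travels over plain HTTP; and because this nginx also serves the public `kopatz.ddns.net` on the same listeners, the vhost answers any client that sends that Host header, not only LAN ones (whether that is reachable depends on what the router forwards). Give it the same treatment as the others: `forceSSL = true; enableACME = true;` plus the `security.acme.certs."adguard.home.arpa".server = "https://127.0.0.1:8443/acme/acme/directory";` line used by the invidious and kavita configs. `networking.firewall.allowedUDPPorts = [ 80 443 ]` on L625 opens UDP 80 for nothing (HTTP/3 uses 443), so it can be narrowed to `[ 443 ]`.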


@@ -0,0 +1,20 @@
{ config, pkgs, lib, inputs, vars, ... }:
let
ip = vars.ipv4;
wireguardIp = vars.wireguardIp;
in
{
networking.firewall.allowedTCPPorts = [ 28981 ];
age.secrets.paperless = {
file = ../../secrets/paperless.age;
owner = "paperless";
group = "paperless";
};
services.paperless = {
enable = true;
port = 28981;
passwordFile = config.age.secrets.paperless.path;
address = wireguardIp;
mediaDir = "/mnt/250ssd/paperless";
};
}
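Review bot: `ip = vars.ipv4` on L709 is never used in this file and can be dropped. The firewall rule on L713 opens 28981 on every interface while paperless binds only to `wireguardIp` (L723); nothing else listens there today, but scoping the rule to the WireGuard interface (`networking.firewall.interfaces.<wg-interface>.allowedTCPPorts = [ 28981 ];`, with the real interface name) documents the intent and keeps the port closed on the LAN side if the bind address ever changes.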


@@ -0,0 +1,23 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method optional_ident_map
local sameuser all peer map=superuser_map
local all postgres peer
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map postgres postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
};
services.postgresqlBackup = {
enable = true;
location = "/var/backup/postgresql";
backupAll = true;
};
}
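Review bot: The ident map named `superuser_map` on L742–L745 ends with the catch-all `/^(.*)$ \1`, so its name understates what it grants: via the `sameuser ... map=superuser_map` line on L737 every local system user may connect as the same-named database role. That is a common and reasonable setup, but the comment on L744 should make the coupling explicit, e.g. `# Let other names login as themselves (this map is referenced by the sameuser line above)`, or the map could be renamed so "superuser" does not suggest it is root-only.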


@@ -0,0 +1,37 @@
{
#services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
#networking.firewall.allowedTCPPorts = [
#5357 # wsdd
#];
#networking.firewall.allowedUDPPorts = [
#3702 # wsdd
#];
services.samba.openFirewall = true;
services.samba = {
enable = true;
securityType = "user";
invalidUsers = [
"root"
];
extraConfig = ''
disable netbios = yes
smb ports = 445
workgroup = WORKGROUP
server string = smbnix
security = user
#use sendfile = yes
#max protocol = smb2
# note: localhost is the ipv6 localhost ::1
hosts allow = 192.168.0. 192.168.174.1 127.0.0.1 localhost
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
'';
shares = {
homes = {
browseable = "no";
writable = "yes";
};
};
};
}
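Review bot: `map to guest = bad user` with `guest account = nobody` (L784–L785) turns any unknown username into an anonymous guest session; with only the `homes` share defined there is nothing a guest should see, so `map to guest = never` closes that path without affecting real users. `securityType = "user"` on L769 and `security = user` on L778 set the same thing twice; keep the module option and drop the extraConfig line. The `hosts allow` list on L782 is the effective gate because `openFirewall = true` opens the SMB ports on every interface, so a comment naming what `192.168.174.1` is would help the next reader judge whether it still belongs there.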


@@ -0,0 +1,91 @@
{ pkgs, lib, config, ... }:
let
root_ca =
''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
'';
intermediate_ca =
''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
'';
in
{
security.pki.certificates = [ root_ca ];
age.secrets.step-ca-pw = {
file = ../../secrets/step-ca-pw.age;
owner = "step-ca";
group = "step-ca";
};
age.secrets.step-ca-key = {
file = ../../secrets/step-ca-key.age;
owner = "step-ca";
group = "step-ca";
};
services.step-ca = {
enable = true;
address = "127.0.0.1";
port = 8443;
intermediatePasswordFile = config.age.secrets.step-ca-pw.path;
settings = {
dnsNames = [ "localhost" "127.0.0.1" "*.home.arpa" ];
root = pkgs.writeTextFile {
name = "root.ca";
text = root_ca;
};
crt = pkgs.writeTextFile {
name = "intermediate.ca";
text = intermediate_ca;
};
key = config.age.secrets.step-ca-key.path;
db = {
type = "badger";
dataSource = "/var/lib/step-ca/db";
};
authority = {
claims = {
minTLSCertDuration = "5m";
maxTLSCertDuration = "72h";
defaultTLSCertDuration = "72h";
};
provisioners = [
{
type = "ACME";
name = "acme";
forceCN = true;
}
];
};
tls = {
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
];
minVersion = 1.2;
maxVersion = 1.3;
renegotiation = false;
};
};
};
}
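Review bot: `dnsNames` on L828 includes `*.home.arpa`, but the CA only serves on `address = "127.0.0.1"` (L824), so the wildcard SAN on the CA's own serving certificate is broader than the listener it protects; narrowing it to `dnsNames = [ "localhost" "127.0.0.1" ];` means a leak of that key cannot impersonate every internal host. `cipherSuites` on L857–L860 lists ECDSA-only suites, which works only if the CA's serving certificate uses an EC key — presumably it does, but a comment stating that would make the assumption visible. `security.pki.certificates = [ root_ca ]` on L811 adds the private root to the system-wide trust store; expected for an internal CA, but worth a comment that every process on this host will then trust anything the ACME provisioner issues.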


@@ -0,0 +1,92 @@
{ pkgs, lib, config, ... }:
let
fqdn = "${config.networking.domain}";
baseUrl = "https://${fqdn}";
clientConfig."m.homeserver".base_url = baseUrl;
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
networking.domain = "kopatz.ddns.net";
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
# If the A and AAAA DNS records on example.org do not point on the same host as the
# records for myhostname.example.org, you can easily move the /.well-known
# virtualHost section of the code to the host that is serving example.org, while
# the rest stays on myhostname.example.org with no other changes required.
# This pattern also allows to seamlessly move the homeserver from
# myhostname.example.org to myotherhost.example.org by only changing the
# /.well-known redirection target.
"${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
# This section is not needed if the server_name of matrix-synapse is equal to
# the domain (i.e. example.org from @foo:example.org) and the federation port
# is 8448.
# Further reference can be found in the docs about delegation under
# https://matrix-org.github.io/synapse/latest/delegate.html
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# Further reference can be found in the upstream docs at
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
locations."/_matrix".proxyPass = "http://[::1]:8008";
# Forward requests for e.g. SSO and password-resets.
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
};
};
};
age.secrets.matrix-registration = {
file = ../../secrets/matrix-registration.age;
owner = "matrix-synapse";
group = "matrix-synapse";
};
services.matrix-synapse = {
enable = true;
dataDir = "/mnt/250ssd/matrix-synapse";
settings.server_name = config.networking.domain;
# The public base URL value must match the `base_url` value set in `clientConfig` above.
# The default value here is based on `server_name`, so if your `server_name` is different
# from the value of `fqdn` above, you will likely run into some mismatched domain names
# in client applications.
settings.public_baseurl = baseUrl;
extraConfigFiles = [
config.age.secrets.matrix-registration.path
];
settings.listeners = [
{ port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
names = [ "client" "federation" ];
compress = true;
} ];
}
];
};
}
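Review bot: The init script on L887–L893 creates role `matrix-synapse` with the literal password `'synapse'`, which ends up in the repository and the Nix store; with the peer-only `pg_hba` in this commit's postgresql config (no `host` lines) the password is not used for socket logins, but it remains a weak credential that becomes live as soon as TCP authentication is enabled. Either drop the `PASSWORD` clause so the role is peer-only, or read it from an agenix secret like the other services here. `fqdn = "${config.networking.domain}"` on L874 is an unnecessary interpolation; `fqdn = config.networking.domain;` reads the same. The upstream comments on L901–L907 and L911–L922 still speak of `example.org`/`myhostname.example.org` and would be clearer rewritten for `kopatz.ddns.net`.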