Add neo, a Matrix server

2024-04-24 14:17:04 +02:00 · 2024-04-24 14:17:04 +02:00 · 51e4a3adc5
parent 7fa8cb1b01
commit 51e4a3adc5
7 changed files with 315 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -9,6 +9,7 @@ keys:
  - &heimdall age1z94c897pvq4tx0xwsj6wr8emnlpmk6u0xks75rydga6r33dlapjqyqqacc
  - &mimir age192a3nepaclecjjkxssszueak6rxar49prceplvvxc5m4f3ww7g5qpfgdqj
  - &minio age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5
+  - &neo age1s95yw988he30l6wegfwquh4nh03jst2tvyu4ykng4g88h7s3a3rs5zh5fp
  - &nix-cache age1ffpkfl4ged52ym7ynyhjc40t9v2g6pgjp4ue670lxcr6mxy7mdtqt5qjlq
  - &proxy age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5
  - &saga age10advysga7fpkh7uuv9a7phs77c5khswf5c9q9txvrauxtqr4yu0sk2r75v
@ -62,6 +63,12 @@ creation_rules:
        - *erwin
        - *erwin_horus
        - *minio
+  - path_regex: machines/neo/[^/]+\.yaml$
+    key_groups:
+      - age:
+        - *erwin
+        - *erwin_horus
+        - *neo
  - path_regex: machines/nix-cache/[^/]+\.yaml$
    key_groups:
      - age:
--- a/machines/default.nix
+++ b/machines/default.nix
@ -82,6 +82,15 @@ inputs: {
      tags = [ "container" ];
    };
  };
+  neo = {
+    config = import ./neo/configuration.nix inputs;
+    deploy = {
+      host = "10.0.0.157";
+      # host = "neo.barn-beaver.ts.net";
+      targetUser = "erwin";
+      tags = [ "container" ];
+    };
+  };
  nix-cache = {
    config = import ./nix-cache/configuration.nix inputs;
    deploy = {
--- a/machines/neo/configuration.nix
+++ b/machines/neo/configuration.nix
@ -0,0 +1,83 @@
+{ self, ... }:
+{ modulesPath, lib, ... }:
+{
+  imports = [
+    (modulesPath + "/virtualisation/lxc-container.nix")
+    ../../users/root
+    ../../users/erwin
+
+    ./dendrite
+    ./matrix-sliding-sync
+    ./postgresql
+  ];
+
+  eboskma = {
+    users.erwin = {
+      enable = true;
+      server = true;
+    };
+    nix-common = {
+      enable = true;
+      remote-builders = true;
+    };
+    tailscale.enable = true;
+  };
+
+  boot = {
+    isContainer = true;
+  };
+
+  time.timeZone = "Europe/Amsterdam";
+
+  system.configurationRevision = lib.mkIf (self ? rev) self.rev;
+
+  networking = {
+    hostName = "neo";
+    useDHCP = false;
+    useHostResolvConf = false;
+    networkmanager.enable = false;
+    useNetworkd = true;
+    nftables.enable = true;
+
+    firewall.trustedInterfaces = [ "tailscale0" ];
+  };
+
+  systemd.network = {
+    enable = true;
+
+    wait-online.anyInterface = true;
+
+    networks = {
+      "40-eth0" = {
+        matchConfig = {
+          Name = "eth0";
+        };
+
+        networkConfig = {
+          Address = "10.0.0.213/24";
+          Gateway = "10.0.0.1";
+          DNS = "10.0.0.206";
+          DHCP = "no";
+        };
+      };
+    };
+  };
+
+  security = {
+    sudo-rs = {
+      enable = true;
+      execWheelOnly = true;
+      wheelNeedsPassword = false;
+    };
+    sudo.enable = false;
+  };
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    dendrite-env = { };
+    dendrite-private-key = { };
+    matrix-sliding-sync-env = { };
+  };
+
+  system.stateVersion = "24.05";
+}
--- a/machines/neo/dendrite/default.nix
+++ b/machines/neo/dendrite/default.nix
@ -0,0 +1,133 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+
+  settingsFormat = pkgs.formats.yaml { };
+  configurationYaml = settingsFormat.generate "dendrite.yaml" settings;
+  workingDir = "/var/lib/dendrite";
+
+  environmentFile = config.sops.secrets.dendrite-env.path;
+
+  httpPort = 8008;
+
+  settings = {
+    global = {
+      server_name = "matrix.boskma.frl";
+      private_key = config.sops.secrets.dendrite-private-key.path;
+
+      database = {
+        connection_string = "postgresql://%2Frun%2Fpostgresql/dendrite";
+        max_open_conns = 100;
+        max_idle_conns = 5;
+        conn_max_lifetime = -1;
+      };
+
+      trusted_third_party_id_servers = [
+        "matrix.org"
+        "vector.im"
+      ];
+      disable_federation = false;
+      presence = {
+        inbound = true;
+        outbound = true;
+      };
+
+      server_notices = {
+        enabled = true;
+        local_part = "_server";
+        display_part = "Tidingen";
+        room_name = "Tidingen";
+      };
+
+      metrics = {
+        enabled = true;
+        basic_auth = {
+          username = "metrics";
+          password = "metrics";
+        };
+      };
+    };
+    client_api = {
+      registration_shared_secret = "$REGISTRATION_SECRET";
+    };
+    federation_api = {
+      key_perspectives = [
+        {
+          server_name = "matrix.org";
+          keys = [
+            {
+              key_id = "ed25519:auto";
+              public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+            }
+            {
+              key_id = "ed25519:a_RXGa";
+              public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+            }
+          ];
+        }
+      ];
+    };
+    media_api = {
+      max_file_size_bytes = 25 * 1024 * 1024;
+      thumbnail_sizes = [
+        {
+          height = 32;
+          method = "crop";
+          width = 32;
+        }
+        {
+          height = 96;
+          method = "crop";
+          width = 96;
+        }
+        {
+          height = 480;
+          method = "scale";
+          width = 640;
+        }
+      ];
+    };
+
+    logging = [
+      {
+        type = "std";
+        level = "info";
+      }
+    ];
+  };
+in
+{
+  systemd.services.dendrite = {
+    description = "Dendrite Matrix homeserver";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      DynamicUser = true;
+      StateDirectory = "dendrite";
+      WorkingDirectory = workingDir;
+      RuntimeDirectory = "dendrite";
+      RuntimeDirectoryMode = "0700";
+      LimitNOFILE = 65535;
+      EnvironmentFile = environmentFile;
+      ExecStartPre = [
+        ''
+          ${pkgs.envsubst}/bin/envsubst \
+            -i ${configurationYaml} \
+            -o /run/dendrite/dendrite.yaml
+        ''
+      ];
+      ExecStart = lib.strings.concatStringsSep " " ([
+        "${pkgs.dendrite}/bin/dendrite"
+        "--config /run/dendrite/dendrite.yaml"
+        "--http-bind-address :${builtins.toString httpPort}"
+      ]);
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Restart = "on-failure";
+    };
+  };
+}
--- a/machines/neo/matrix-sliding-sync/default.nix
+++ b/machines/neo/matrix-sliding-sync/default.nix
@ -0,0 +1,14 @@
+{ config, ... }:
+{
+  services.matrix-sliding-sync = {
+    enable = true;
+
+    createDatabase = true;
+
+    environmentFile = config.sops.secrets.matrix-sliding-sync-env.path;
+
+    settings = {
+      SYNCV3_SERVER = "https://matrix.boskma.frl";
+    };
+  };
+}
--- a/machines/neo/postgresql/default.nix
+++ b/machines/neo/postgresql/default.nix
@ -0,0 +1,28 @@
+{ pkgs, ... }:
+{
+  services = {
+    postgresql = {
+      enable = true;
+
+      # version is tied to stateVersion
+      # manual update required
+      # MIGRATION REQUIRED WHEN UPDATING
+      package = pkgs.postgresql_15;
+
+      ensureDatabases = [
+        "dendrite"
+        "matrix-sliding-sync"
+      ];
+    };
+
+    postgresqlBackup = {
+      enable = true;
+      backupAll = true;
+
+      # borg will do compression and deduplication
+      compression = "none";
+
+      startAt = "*-*-* 02:00:00";
+    };
+  };
+}
--- a/machines/neo/secrets.yaml
+++ b/machines/neo/secrets.yaml
@ -0,0 +1,41 @@
+dendrite-private-key: ENC[AES256_GCM,data:gA2xpUfmXUGaT5bPxBZTNTH2w+6Ovmzp3zUClV8+zlpo4Fyf15rd8nd0AJ70HhteYEFK+unlULWYrJtzrm+gAMQ/TAHbE4+y4aCOrr/pryDc+GXZ59maEXKif9PYvpI6b5l1S3SQIZDP3YNrh2LwkVn39CJceGZ0xfBqj2QFZYvWnT5rIzUSomc=,iv:ifiF9DzOibbtaXkERcP/A3Ty6EjNKoJ3XlOF4YCsJQ4=,tag:VDsMfuwGkJOSM3Y9nhGURA==,type:str]
+dendrite-env: ENC[AES256_GCM,data:iETLbUzHKla+8zmftTM/asiDT2F6LUxRjFtKiWTMpl+p0nb7rMdpxTO9Wi4C23a0SZz4gcpvywpjd55ASpBGsNfTcnZ0ITKrtS5QkCcL2VR6S/3HaAH91cT7x/LwvszyeQdFmVUnWsauq/vd+Qp+RU0TcaiBsFHw3FrCfxeilvUtUAnbXmWj3g/YVQ6sZ8C8MoDinbE=,iv:HZK6AQcrb1LNW2YIBZQkJGsvIjULePhHex01DsiB26M=,tag:iMFi5lMMNZ8MGH3EWaG1Eg==,type:str]
+matrix-sliding-sync-env: ENC[AES256_GCM,data:2K5d58v+hbIGto2PFnDLD05NL9cvp+vOIpyUInnZpU7MxfHo3rZtY5OJeDCjysLBChe7kIwoh9FR44IRq9xzWuc44B2eo7ByPTzgk4RWOA==,iv:NDSYRO5oLkimwhomCCP4vV9Hq8UchdNnpTkH/3ntBmA=,tag:W+iPqpEfWG8Aehasy8PN1Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZ3ByVUIyTjhUdURYMnZE
+            eDlQeEg0VE8weHhhd1BibllqTE1RVXRaZjJBCjZqZ1Y4dVcydGZ4alhoc0lLQWdr
+            KzNtTkEvajdxbmpaKzl5cERxQnFjL00KLS0tIFk2MHMvUjBDTGNBZzJJdXJpWkRp
+            Y25MQXp4WXBNYkZXM0grVkNYM0lKWFUKUaK3hDN7WbDiu9EgfJ5wmArjmM8PRtbY
+            TVIAp0htw+efC7PbCbaa0SaDltAR0Q19lIROUfccoLLpUCyk5mQvjg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhWkZpd3ZvWWM3ZjRkbnc4
+            NGRiZi9rMDJoaGRENjRDWHUwZllibEQ5aDBJCllFeE9XbTNlMnFSZTZBY1FVSmph
+            Z2cxTzdGSEdlQ0UzeWpzUENjM1Fpd2MKLS0tIGUvVUpjZTFqa2RvY2U3TlBXaXNB
+            VkdHS1FSdmlXKzdNRmltZDdmUWVZc0kK0TQeKRVafkIY2v0OBnxIQr48v9ilOEld
+            PpqwtEtH1HcSFwxhaFymUQpqg5Uvh5eXoPB/bnxOnOPlDYB+/HZQ0w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1s95yw988he30l6wegfwquh4nh03jst2tvyu4ykng4g88h7s3a3rs5zh5fp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxbCt0NDAvT0pCVmxpOUNh
+            TXpIanhKK01jN3FuaUdDeWJHZkFRdXBjMUhJCmNqWVNkN1owWnFOakJ6NWovQVZw
+            dnB5Vm4zMWpvZkZkODJqS2hxRVRaaDQKLS0tIERlMkozL2xBWVp4NWRlZnpiVVk5
+            cnZiZ1YvTlBWUVdoSjNqYkVXaGZHTlEKe7w9qbDkzfxoW4CVxH2hmO9JFuCYCcgp
+            bguCZbLQpyjiS6LjpX5AqXQH9tRqWNnqhq8QTbB9v4VIw5rz7S9Hpw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-24T12:22:54Z"
+    mac: ENC[AES256_GCM,data:kyB5rwsn6gVutITtzmBwPFHY0x42SbsZMy98JF0wVGBfjDrfmwmxAeFOJ9KmvR0rUaEr7RPMOFCwT5w/zUUsColF7Dy5uoOSpV7JxPi6suVGUmz5BkGaPB5HvIQhtb/75owUx+9Fvjq4Vmnh8UX9vk/0Gj/ay0p3BFiypJegyuI=,iv:5mJC3xoeTyw6jv7+hSTyUUz9luffSuN6TrKPohTT95M=,tag:iq8aBa9dTjmC7z7DrcP3JQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1